International Association for Cryptologic Research


CryptoDB

Papers from EPRINT 2007

Year
Venue
Title
2007
EPRINT
`Good' Pseudo-Random Binary Sequences from Elliptic Curves
Some families of binary sequences are constructed from elliptic curves. Such sequences are shown to be of strong pseudorandom properties with `small' well-distribution measure and `small' correlation measure of `small' order, both of which were introduced by Mauduit and Sárközy to analyze the pseudo-randomness of binary sequences.
2007
EPRINT
(Convertible) Undeniable Signatures without Random Oracles
We propose a convertible undeniable signature scheme without random oracles. Our construction is based on Waters' and Kurosawa and Heng's schemes that were proposed in Eurocrypt 2005. The security of our scheme is based on the CDH and the decision linear assumption. Comparing only the part of undeniable signatures, our scheme uses more standard assumptions than the existing undeniable signatures without random oracles due to Laguillaumie and Vergnaud.
2007
EPRINT
1. AES seems weak. 2. Linear time secure cryptography
We describe a new simple but more powerful form of linear cryptanalysis. It appears to break AES (and undoubtedly other cryptosystems too, e.g. SKIPJACK). The break is "nonconstructive," i.e. we make it plausible (e.g. prove it in certain approximate probabilistic models) that a small algorithm for quickly determining AES-256 keys from plaintext-ciphertext pairs exists -- but without constructing the algorithm. The attack's runtime is comparable to performing $64^w$ encryptions where $w$ is the (unknown) minimum Hamming weight in certain binary linear error-correcting codes (BLECCs) associated with AES-256. If $w < 43$ then our attack is faster than exhaustive key search; probably $w < 10$. (Also there should be ciphertext-only attacks if the plaintext is natural English.) Even if this break breaks due to the underlying models inadequately approximating the real world, we explain how AES still could contain "trapdoors" which would make cryptanalysis unexpectedly easy for anybody who knew the trapdoor. If AES's designers had inserted such a trapdoor, it could be very easy for them to convince us of that. But if none exist, then it is probably infeasibly difficult for them to convince us of that. We then discuss how to use the theory of BLECCs to build cryptosystems provably 1. not containing trapdoors of this sort, 2. secure against our strengthened form of linear cryptanalysis, 3. secure against "differential" cryptanalysis, 4. secure against D.J.Bernstein's timing attack. Using this technique we prove a fundamental theorem: it is possible to thus-encrypt $n$ bits with security $2^{cn}$, via a circuit $Q_n$ containing $\le c n$ two-input logic gates and operating in $\le c \log n$ gate-delays, where the three $c$s denote (possibly different) positive constants and $Q_n$ is constructible in polynomial$(n)$ time. At the end we give tables of useful binary codes.
2007
EPRINT
A Block Cipher based PRNG Secure Against Side-Channel Key Recovery
We study the security of a block cipher-based pseudorandom number generator (PRNG), both in the black box world and in the physical world, separately. We first show that the construction is a secure PRNG in the black box world, relying on standard computational assumptions. Then, we demonstrate its security against a Bayesian side-channel key recovery adversary. As a main result, we show that our construction guarantees that the success rate of the adversary does not increase with the number of physical observations, but in a limited and controlled way. Besides, we observe that, under common assumptions on side-channel attack strategies, increasing the security parameter (typically the block cipher key size) by a polynomial factor involves an increase of a side-channel attack complexity by an exponential factor, as usually expected for secure cryptographic primitives. Therefore, we believe this work provides a first interesting example of the way the algorithmic design of a cryptographic scheme influences its side-channel resistance.
2007
EPRINT
A Bound on the Size of Separating Hash Families
The paper provides an upper bound on the size of a (generalised) separating hash family, a notion introduced by Stinson, Wei and Chen. The upper bound generalises and unifies several previously known bounds which apply in special cases, namely bounds on perfect hash families, frameproof codes, secure frameproof codes and separating hash families of small type.
2007
EPRINT
A Coprocessor for the Final Exponentiation of the $\eta_T$ Pairing in Characteristic Three
Since the introduction of pairings over (hyper)elliptic curves in constructive cryptographic applications, an ever increasing number of protocols based on pairings have appeared in the literature. Software implementations being rather slow, the study of hardware architectures became an active research area. Beuchat et al. proposed for instance a coprocessor which computes the characteristic three $\eta_T$ pairing, from which the Tate pairing can easily be derived, in $33\,\mu$s on a Cyclone II FPGA. However, a final exponentiation is required to ensure a unique output value and the authors proposed to supplement their $\eta_T$ pairing accelerator with a coprocessor for exponentiation. Thus, the challenge consists in designing the smallest possible piece of hardware able to perform this task in less than $33\,\mu$s on a Cyclone II device. In this paper, we propose a novel arithmetic operator implementing addition, cubing, and multiplication over $\mathbb{F}_{3^{97}}$ and show that a coprocessor based on a single such operator meets this timing constraint.
2007
EPRINT
A Cramer-Shoup Encryption Scheme from the Linear Assumption and from Progressively Weaker Linear Variants
We describe a CCA-secure public-key encryption scheme, in the Cramer-Shoup paradigm, based on the Linear assumption of Boneh, Boyen, and Shacham. Through a comparison to the Kiltz tag-encryption scheme from TCC 2006, our scheme gives evidence that the Cramer-Shoup paradigm yields CCA encryption with shorter ciphertexts than the Canetti-Halevi-Katz paradigm. We present a generalization of the Linear assumption into a family of progressively weaker assumptions and show how to instantiate our Linear Cramer-Shoup encryption using the progressively weaker members of this family.
2007
EPRINT
A Critical Analysis and Improvement of AACS Drive-Host Authentication
This paper presents a critical analysis of the AACS drive-host authentication scheme. A few weaknesses are identified which could lead to various attacks on the scheme. In particular, we observe that the scheme is susceptible to unknown key-share and man-in-the-middle attacks. Modifications of the scheme are suggested in order to provide better security. A proof of security of the modified scheme is also presented. The modified scheme achieves better efficiency than the original scheme.
2007
EPRINT
A Cryptographic Model for Branching Time Security Properties -- the Case of Contract Signing Protocols
Some cryptographic tasks, such as contract signing and other related tasks, need to ensure complex, branching time security properties. When defining such properties one needs to deal with subtle problems regarding the scheduling of non-deterministic decisions, the delivery of messages sent on resilient (non-adversarially controlled) channels, fair executions (executions where no party, both honest and dishonest, is unreasonably precluded from performing its actions), and defining strategies of adversaries against all possible non-deterministic choices of parties and arbitrary delivery of messages via resilient channels. These problems are typically not addressed in cryptographic models and these models therefore do not suffice to formalize branching time properties, such as those required of contract signing protocols. In this paper, we develop a cryptographic model that deals with all of the above problems. One central feature of our model is a general definition of fair scheduling which not only formalizes fair scheduling of resilient channels but also fair scheduling of actions of honest and dishonest principals. Based on this model and the notion of fair scheduling, we provide a definition of a prominent branching time property of contract signing protocols, namely balance, and give the first cryptographic proof that the Asokan-Shoup-Waidner two-party contract signing protocol is balanced.
2007
EPRINT
A Fast Protocol for Computationally Private Information Retrieval
We present a new private information retrieval (PIR) protocol. The protocol is based on a single private, non-shared key cryptosystem; the security of this cryptosystem is based on a new hardness (secret base) assumption. We prove security for the secret base assumption in an extended generic group model. We also show parameters that ensure security against a lattice-based attack. We measure performance using the methodology in \cite{sion}; our scheme is orders of magnitude faster than any existing scheme and faster than the trivial protocol for the home user scenario.
2007
EPRINT
A Forward Secure Remote User Authentication Scheme
Remote user authentication schemes allow a valid user to log in to a remote server. In 2000, Hwang and Li proposed a new remote user authentication scheme with smart cards. In recent years, some researchers pointed out the security weaknesses of Hwang and Li's scheme and they also proposed some modified schemes to avoid these weaknesses. This paper shows that Hwang and Li's scheme does not satisfy some essential security requirements. Hwang and Li's scheme and all the modified schemes do not support mutual authentication between the remote user and the remote server, and there is no session key generation phase for secure communication. In addition, in Hwang and Li's scheme, the remote user is not free to change his password. This paper presents an ideal remote user authentication scheme with smart cards that not only resolves all the security problems of Hwang and Li's scheme, but also provides all the essential security requirements and forward secrecy to the remote server.
2007
EPRINT
A Forward-Secure Signature with Backward-Secure Detection
This paper enhances the security of Abdalla and Reyzin's forward-secure signature scheme with backward-secure detection. In the proposed scheme, we embed the hash-chain into the forward-secure signature scheme. It achieves not only forward security but also backward security for the digital signature.
2007
EPRINT
A Four-Component Framework for Designing and Analyzing Cryptographic Hash Algorithms
Cryptographic hash algorithms are important building blocks in cryptographic protocols, providing authentication and assurance of integrity. While many different hash algorithms are available including MD5, Tiger, and HAVAL, it is difficult to compare them since they do not necessarily use the same techniques to achieve their security goals. This work informally describes a framework in four parts which allows different hash algorithms to be compared based on their strengths and weaknesses. By breaking down cryptographic hash algorithms into their preprocessing, postprocessing, compression function, and internal structure components, weaknesses in existing algorithms can be mitigated and new algorithms can take advantage of strong individual components.
2007
EPRINT
A Framework for Efficient and Composable Oblivious Transfer
We propose a simple, general, and unified framework for constructing oblivious transfer (OT) protocols that are efficient, universally composable, and generally realizable from a variety of standard number-theoretic assumptions, such as the decisional Diffie-Hellman assumption and the Quadratic Residuosity assumption. Most interestingly, we can also instantiate our framework with worst-case complexity assumptions relating to lattices. Our OT protocols are round-optimal (one message each way), efficient in the parties' communication and local computation, and use only one reference string for an unbounded number of executions. Furthermore, the protocols can provide unconditional security to either the sender or receiver, simply by changing the distribution of the reference string. (For several versions of the protocol, even a common random string suffices.) One of our key technical contributions is a simple and novel abstraction that we call a dual-mode cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems in the literature that have what we call "message-lossy" public keys, whose defining property is that a ciphertext produced under such a key carries no information (even statistically) about the encrypted message. As a contribution of independent interest, we also provide a multi-bit version of Regev's lattice-based cryptosystem (STOC 2005) whose time and space efficiency are improved by a linear factor. In particular, the amortized runtime per message bit is only $\tilde{O}(n)$ bit operations, and the ciphertext expansion can be made as small as a constant.
2007
EPRINT
A Framework for Game-Based Security Proofs
Information security is nowadays an important issue. Its essential ingredient is cryptography. A common way to present security proofs is to structure them as sequences of games. The main contribution of this paper is a framework which refines this approach. We make explicit important theorems used implicitly by cryptographers but never explicitly stated. Our aim is to have a framework in which proofs are precise enough to be mechanically checked, and readable enough to be humanly checked. We illustrate the use of our framework by proving in a systematic way the so-called semantic security of the encryption scheme ElGamal and its hashed version. All proofs have been mechanically checked in the proof assistant Coq.
2007
EPRINT
A Framework for Iterative Hash Functions - HAIFA
Since the seminal works of Merkle and Damgård on the iteration of compression functions, hash functions were built from compression functions using the Merkle-Damgård construction. Recently, several flaws in this construction were identified, allowing for pre-image attacks and second pre-image attacks on such hash functions even when the underlying compression functions are secure. In this paper we propose the HAsh Iterative FrAmework (HAIFA). Our framework can fix many of the flaws while supporting several additional properties such as defining families of hash functions and supporting variable hash size. HAIFA allows for an online computation of the hash function in one pass with a fixed amount of memory independently of the size of the message. Besides our proposal, the recent attacks initiated research on the way compression functions are to be iterated. We show that most recent proposals such as randomized hashing, the enveloped Merkle-Damgård, and the RMC and ROX modes can all be instantiated as part of the HAsh Iterative FrAmework (HAIFA).
2007
EPRINT
A General Construction of Tweakable Block Ciphers and Different Modes of Operations
This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway's TBC construction by working over a ring {\ring} and by the use of a masking sequence of functions. The ring {\ring} can be instantiated as either $GF(2^n)$ or as $\mathbb{Z}_{2^n}$. Further, over $GF(2^n)$, efficient instantiations of the masking sequence of functions can be done using either a binary Linear Feedback Shift Register (LFSR); a powering construction; a cellular automata map; or by using a word oriented LFSR. Rogaway's TBC construction was built from the powering construction over $GF(2^n)$. Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operations including authenticated encryption (AE) and message authentication code (MAC). In particular, this gives rise to a family of efficient one-pass AE modes of operation. Out of these, the mode of operation obtained by the use of word oriented LFSR promises to provide a masking method which is more efficient than the one used in the well known AE protocol called OCB.
2007
EPRINT
A generalization of Secret Sharing Scheme on the Basis of Recovering Algorithm, K-RA
Extensive studies have been made of the Secret Sharing Scheme (SSS). In this paper new classes of SSS, referred to as K-SSS, $\mathrm{K_I}$-SSS, $\mathrm{K_{II}}$-SSS and $\tilde{\mathrm{K}}$-SSS are presented on the basis of recovering algorithm, K-RA. As an application, we shall also present a method for the recovering of secret information learned only by heart, based on a particular class of K-SSS, $\mathrm{K_I}$-SSS.
2007
EPRINT
A Hybrid Approach to Concurrent Error Detection for a Compact ASIC Implementation of the Advanced Encryption Standard
In this paper, we investigate the application of concurrent error detection circuitry to a compact application-specific integrated circuit (ASIC) implementation of the Advanced Encryption Standard (AES). The specific objective of the design is to develop a method suitable for compact ASIC implementations targeted to embedded systems such that the system is resistant to fault attacks. To provide the error detection, recognizing that previously proposed schemes are not well suited to compact implementations, it is proposed to adopt a hybrid approach consisting of parity codes in combination with partial circuit redundancy. For compact ASIC implementations, taking such an approach gives a better ability to detect faults than simple parity codes, with less area cost than proposed schemes which use full hardware redundancy. The results of the implementation analysis in this paper show that it is possible to implement an error detection scheme that is robust to multiple faults in a compact AES design such that about 39% of the overall system is devoted to the error detection functionality.
2007
EPRINT
A kilobit special number field sieve factorization
We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number $2^{1039}-1$. Although this factorization is orders of magnitude `easier' than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.
2007
EPRINT
A Lattice-Based Computationally-Efficient Private Information Retrieval Protocol
A PIR scheme is a scheme that allows a user to get an element of a database without giving any information about what part of the database he is interested in. In this paper we present a lattice-based PIR scheme, using an NTRU-like approach, in which the computational cost is a few thousand bit-operations per bit in the database. This improves the protocol computational performance by two orders of magnitude when compared to existing approaches. Our scheme has worse communication performance than other existing protocols, but we show that practical usability of PIR schemes is not as dependent on communication performance as the literature suggests, and that a trade-off between communication and computation leads to much more versatile schemes.
2007
EPRINT
A Linear Lower Bound on the Communication Complexity of Single-Server Private Information Retrieval
We study the communication complexity of single-server Private Information Retrieval (PIR) protocols that are based on fundamental cryptographic primitives in a black-box manner. In this setting, we establish a tight lower bound on the number of bits communicated by the server in any polynomially-preserving construction that relies on trapdoor permutations. More specifically, our main result states that in such constructions $\Omega(n)$ bits must be communicated by the server, where $n$ is the size of the server's database, and this improves the $\Omega(n / \log n)$ lower bound due to Haitner, Hoch, Reingold and Segev (FOCS '07). Therefore, in the setting under consideration, the naive solution in which the user downloads the entire database turns out to be optimal up to constant multiplicative factors. We note that the lower bound we establish holds for the most generic form of trapdoor permutations, including in particular enhanced trapdoor permutations. Technically speaking, this paper consists of two main contributions from which our lower bound is obtained. First, we derive a tight lower bound on the number of bits communicated by the sender during the commit stage of any black-box construction of a statistically-hiding bit-commitment scheme from a family of trapdoor permutations. This lower bound asymptotically matches the upper bound provided by the scheme of Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92). Second, we improve the efficiency of the reduction of statistically-hiding commitment schemes to low-communication single-server PIR, due to Beimel, Ishai, Kushilevitz and Malkin (STOC '99). In particular, we present a reduction that essentially preserves the communication complexity of the underlying single-server PIR protocol.
2007
EPRINT
A Major Vulnerability in RSA Implementations due to MicroArchitectural Analysis Threat
Recently, Aciicmez, Koc, and Seifert have introduced new side-channel analysis types, namely Branch Prediction Analysis (BPA) and Simple Branch Prediction Analysis (SBPA), which take advantage of branch mispredictions that occur during the operations of cryptosystems [4, 5]. Even more recently, Aciicmez has developed another attack type, I-cache analysis, which exploits the internal functionalities of instruction/trace caches [1]. These MicroArchitectural Analysis (MA) techniques, more specifically SBPA and I-cache Analysis, have the potential of disclosing the entire execution flow of a cryptosystem as stated in [4, 1]. Our focus of interest in this paper is that these attacks can reveal whether an extra reduction step is performed in each Montgomery multiplication operation. First Walter et al. and then Schindler developed attacks on RSA, which result in total break of the system if the occurrences of extra reduction steps can be determined with a reasonable error rate [39, 30, 29]. These attacks may be viewed as theoretical in the sense that neither Walter et al. nor Schindler implemented actual attacks on real systems but instead they assumed that side-channel information obtained via power and timing analysis would reveal such occurrences of extra reduction step. In this paper we adjusted the attack from [30] to the current OpenSSL standard and put this attack into practice, proving its practicality via MA. The second part of the attack exploits the previously gathered information on the required extra reductions in an optimal way, using advanced stochastic methods as the formulation and analysis of stochastic processes. Our results show the feasibility of compromising current RSA implementations such as OpenSSL. After we shared our result with OpenSSL development team, they included a patch into the stable branch ([45]), which allows users to compile an OpenSSL version that is resistant against our attack ([46]). In particular, this patch will affect the upcoming version of 0.9.8f. We also contacted the US CERT who informed software vendors. The US CERT assigned the vulnerability explained in this paper CVE name CVE-2007-3108 and CERT vulnerability number VU#724968, and they issued a vulnerability note ([47–49]). We point out that this publication appeared in accordance with the OpenSSL development team. Several countermeasures have been developed and employed in widely used cryptographic libraries like OpenSSL to mitigate such side-channel analysis threats. However the current implementations still do not provide sufficient protection against MicroArchitectural Analysis, despite all the sophisticated mitigation techniques employed in these implementations. In this paper, we will show that one can completely break the RSA implementation of the current OpenSSL version (v.0.9.8e) even if the most secure configuration, including all of the countermeasures against side-channel and MicroArchitectural analysis, is in place. We have only analyzed OpenSSL, thus we currently do not know the strength of other cryptographic libraries. Other libraries and software products need to be thoroughly analyzed and appropriately modified if it is necessary. At least, developers of the current software applications that rely on OpenSSL RSA implementation need to update their products based on the recent OpenSSL changes. Our results indicate that MicroArchitectural Analysis threatens at least 60% of the internet traffic worldwide and the current systems should be analyzed thoroughly to evaluate their overall strength against MicroArchitectural Analysis ([44]). We will eventually discuss appropriate countermeasures that must be employed in security systems.
2007
EPRINT
A Meet-in-the-Middle Collision Attack Against the New FORK-256
We show that a $2^{112.9}$ collision attack exists against the FORK-256 Hash Function. The attack is surprisingly simple compared to existing published FORK-256 cryptanalysis work, yet is the best known result against the new, tweaked version of the hash. The attack is based on "splitting" the message schedule and compression function into two halves in a meet-in-the-middle attack. This in turn reduces the space of possible hash function results, which leads to significantly faster collision search. The attack strategy is also applicable to the original version of FORK-256 published in FSE 2006.
2007
EPRINT
A New Method for Speeding Up Arithmetic on Elliptic Curves over Binary Fields
It is currently believed that the best costs of a point doubling and addition on elliptic curves over binary fields are 4M+5S (namely, four finite field multiplications and five field squarings) and 8M+5S, respectively. In this paper we reduce the costs to less than 3M+3S and 8M+1S, respectively, by using new projective coordinates that we call PL-coordinates and rewriting the point doubling formula. Combining some programming skills, the method can speed up an elliptic curve scalar multiplication by about 15–20 percent in practice.
2007
EPRINT
A new paradigm of chosen ciphertext secure public key encryption scheme
For all current adaptive chosen ciphertext (CCA) secure public key encryption schemes in the standard model there are two operations in the decryption algorithm, "validity check" and decryption. The decryption algorithm returns the corresponding plaintext if the ciphertext is valid, otherwise it returns a rejection symbol $\perp$. We call this paradigm "invalid ciphertext rejection". However the "validity check" is not necessary for an encryption scheme. Also in this case the adversary will get the information that the ciphertext is "invalid", which he may not know before the decryption query. We propose a new paradigm for constructing CCA secure public key encryption schemes which combines "validity check" and decryption together. The decryption algorithm will execute the same operation regardless of the ciphertext's validity. We call this new paradigm "uniform decryption". Compared with the "invalid ciphertext rejection" paradigm, the decryption oracle of schemes in the new paradigm will reveal less information. The attacker cannot even learn whether the queried ciphertext is "valid" or not. Moreover the combination of "validity check" and the decryption will yield more efficient schemes. Using the new paradigm we construct an efficient public key encryption scheme. Our scheme is more efficient than CS98 in both computation and bandwidth. Compared with KD04 and HK07 the new scheme is more efficient in bandwidth and equally efficient in computation. The new scheme is as efficient as Kiltz07 both in computation and bandwidth. However the new scheme is CCA secure based on the DDH assumption, which is more flexible than the GHDH assumption that Kiltz07 is based on. Kurosawa and Desmedt proposed an efficient hybrid scheme named KD04 [Kurosawa2004]. Although the key encapsulation part of KD04 (KD04-KEM) is not CCA secure [Hofheinz2006], the whole scheme can be proved to be CCA secure. We show that if the key derivation function (KDF) of KD04-KEM is a non-malleable hash function it will be a CCA secure KEM in the new paradigm.
2007
EPRINT
A New Provably Secure Authentication and Key Agreement Mechanism for SIP Using Certificateless Public-key Cryptography
The session initiation protocol (SIP) is considered as the dominant signaling protocol for calls over the internet. However, SIP authentication typically uses HTTP digest authentication, which is vulnerable to many forms of known attacks. This paper proposes a new secure authentication and key agreement mechanism based on certificateless public-key cryptography, named SAKA, between two previously unknown parties, which provides stronger security assurances for SIP authentication and media stream, and is provably secure in the CK security model. Due to using certificateless public key cryptography, SAKA effectively avoids the requirement of a large Public Key Infrastructure and conquers the key escrow problem in previous schemes.
2007
EPRINT
A New Provably Secure Authentication and Key Agreement Protocol for SIP Using ECC
SIP is playing a key role in the IP based services and has been chosen as the protocol for multimedia application in 3G mobile networks by the Third-Generation Partnership Project. The authentication mechanism proposed in the SIP specification is HTTP digest based authentication, which allows malicious parties to impersonate other parties or to charge calls to other parties; furthermore, other security problems, such as off-line password guessing attacks and server spoofing, also need to be solved. This paper proposes a new authenticated key exchange protocol NAKE, which can solve the existing problems in the original proposal. The NAKE protocol is provably secure in the CK security model, thus it inherits the corresponding security attributes in the CK security model.
2007
EPRINT
A New Security Definition for Public Key Encryption Schemes and Its Applications
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well-known to be difficult to construct given the fact that there are only a few such kind of PKE schemes available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires that ciphertexts of two randomly selected messages be indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
2007
EPRINT
A New Security Model for Cross-Realm C2C-PAKE Protocol
Cross realm client-to-client password authenticated key exchange (C2C-PAKE) schemes are designed to enable two clients in different realms to agree on a common session key using different passwords. In 2006, Yin-Bao presented the first provably secure cross-realm C2C-PAKE, whose security is proven rigorously within a formally defined security model and based on the hardness of some computationally intractable assumptions. However, soon after, Phan et al. pointed out that the Yin-Bao scheme was flawed. In this paper, we first analyze the necessary security attributes in the cross-realm C2C-PAKE scenario, and then a new security model for cross-realm C2C-PAKE is given. Analogous to the general construction of 3PAKE protocol for single server C2C-PAKE setting, we give a general construction of cross-realm C2C-PAKE protocol, whose security is proved in the new security model.
2007
EPRINT
A New Type of Cipher: DICING_CSB
In this paper, we propose a new type of cipher named DICING_CSB, which comes from our previous synchronous stream cipher DICING. It applies a stream of subkeys and an encryption form of block ciphers, so it can be viewed as a combination of a stream cipher and a block cipher. Hence, the new type of cipher has the fast speed of a stream cipher and no need for a MAC.
2007
EPRINT
A Note on Automata-based Dynamic Convolutional Cryptosystems
In [1], the automata-based dynamic convolutional cryptosystem is proposed and analyzed; the author claims that ``finding partial information about the cipher is quite easy, and the main idea of such an attack, described in detail in Section 4.1, is based on Gaussian elimination.'' But the deduction supporting this claim in Section 4.1 of [1] cannot work. It seems that this cipher is not so weak so far.
2007
EPRINT
A Note on Point Multiplication on Supersingular Elliptic Curves over Ternary Fields
Recently, supersingular elliptic curves over ternary fields have been widely used in pairing-based crypto-applications, since they achieve the best possible ratio between security level and space requirement. We propose new algorithms for projective arithmetic on these curves, where the point tripling is field-multiplication free, and point addition and point doubling each require one field multiplication less than the best known algorithms. The algorithms combined with DBNS can apparently speed up scalar multiplications on these curves.
2007
EPRINT
A Note on Signature Standards
A major security goal for signature schemes is to prevent an adversary from producing new valid signatures even though he can receive valid signatures of any messages from the legitimate signer. On the one hand, the security of elliptic curve signature schemes, such as ECDSA, ECGDSA, or ECKCDSA, is based on the elliptic curve discrete logarithm problem, respectively on the security of the hash function used. On the other hand, some special cases for ephemeral keys and signature components also have to be excluded to guarantee the security of the signature scheme. In this paper we investigate some exceptional cases which are not covered by current signature generation algorithms, but leak information on the private signature key.
2007
EPRINT
A Note on the Ate Pairing
The Ate pairing has been suggested since it can be computed efficiently on ordinary elliptic curves with small values of the traces of Frobenius $t$. However, not all pairing-friendly elliptic curves have this property. In this paper, we generalize the Ate pairing and find a series of variations of the Ate pairing. We show that the shortest Miller loop of the variations of the Ate pairing can possibly be as small as $r^{1/\varphi(k)}$ on more pairing-friendly curves generated by the method of complex multiplications, and hence speed up the pairing computation significantly.
2007
EPRINT
A Note on the Relay Attacks on e-passports: The Case of Czech e-passports
The threat of relay attacks on authentication protocols is often well recognized, especially for contactless applications like RFID chips. It is, therefore, a bit surprising to meet an implementation that actually encourages rather than eliminates these attacks. We present our experimental observations concerning Czech e-passports. These show clearly an inherent weakness rooted in lower layers of ISO 14443. As the behavior is unavoidable, it induces a question on whether the e-passport should not have used a different communication protocol or authentication scheme.
2007
EPRINT
A Novel Mutual Authentication Scheme Based on Quadratic Residues for RFID Systems
In 2004, Ari Juels [1] proposed a Yoking-Proofs protocol for RFID systems. The aim is to permit tags to generate a proof which is verifiable off-line by a trusted entity even when the readers are potentially untrusted. However, we find that their protocol not only does not possess the anonymity property but also suffers from both off-line and replay attacks. In 2006, Kirk H.M. Wong et al. [3] proposed an authentication scheme for RFID passive tags, intended as a standard for apparel products. Yet, in our view, their protocol suffers from the known-plaintext attack. In this paper, we first point out the weaknesses in the two above-mentioned protocols. Then, we propose a novel efficient scheme which not only achieves mutual authentication between the server and tag but also possesses the anonymity property needed in an RFID system.
2007
EPRINT
A novel public key crypto system based on semi-modules over quotient semi-rings
A generalization of the original Diffie-Hellman key exchange in (ℤ/pℤ)* found a new depth when Miller and Koblitz suggested that such a protocol could be used with the group over an elliptic curve. Maze, Monico and Rosenthal extend such a generalization to the setting of a semi-group action on a finite set, more precisely, linear actions of abelian semi-rings on semi-modules. In this paper, we extend such a generalization to the linear actions of quotient semi-rings on semi-modules. In fact, we show how the action of quotient semi-rings on a semi-module gives rise to generalized Diffie-Hellman and ElGamal protocols. This leads naturally to a cryptographic protocol whose difficulty is based on the hardness of a particular control problem, namely the problem of steering the state of some dynamical system from an initial vector to some final location.
2007
EPRINT
A Novel Secure Session Key Generation using two-level architecture For Cluster-Based Ad Hoc Networks Based On ID-Based Bilinear Paring
In 1997, Ruppe R. et al. [17] first proposed a Near-Term Digital Radio (NTDR) network system, which is a cluster-based ad hoc network intended to be used efficiently for military missions. In the same year, Zavgren J. [18] proposed a management protocol for the NTDR network system. But both lack security considerations. In 2003, Varadharajan et al. [4] proposed a secure cluster-based ad hoc network protocol using public key infrastructure (PKI). However, in 2005, Chang et al. pointed out that using PKI would be a heavy burden for the computation of each mobile node. Hence, they proposed a protocol [5] based on the Diffie-Hellman method for securing the network. In the same year, Liaw et al. proposed a secure key exchange protocol [20] for securing node communication in mobile ad hoc networks (MANETs). In 2006, also for security purposes, Chang and Lee [6] proposed another scheme using nodes' identities. But after our analysis, we find that both of their protocols have some mistakes. Accordingly, we propose a new protocol based on ID-based bilinear pairing to get rid of the currently unsolved security problem in NTDR networks. After our analysis, we conclude that our scheme is not only secure but also very efficient.
2007
EPRINT
A Pollard-like pseudorandom number generator over EC
In this short paper we propose a pseudorandom number generator over EC based on a Pollard-like method. In contrast to the well-known Elliptic Curve Random Number Generator (see e.g. the ANSI and NIST draft standards), the generator is based on a random walk over the group of EC-points, as in the original Pollard's rho algorithm, and only slightly resembles the linear congruential generator over an elliptic curve. Compared to other approaches, the method allows one to decrease the cost of generating pseudorandom numbers. This generator could be used in resource-constrained devices like smart cards which have already been equipped with EC-based tools for other cryptographic purposes.
2007
EPRINT
A Proof of Security of a Mesh Security Architecture
The IEEE 802.11s standard is tasked to provide ways of establishing and securing a wireless mesh network. One proposal establishes a Mesh Security Architecture (MSA), with an interesting key hierarchy and full protocol definitions. This paper proves the correctness and security of the MSA proposal and its corresponding protocols. We also propose and prove the security of an additional protocol (an abbreviated handshake) which offers a substantial efficiency improvement in certain instances. To prove the entire architecture secure, we utilize Protocol Composition Logic (PCL) to prove each protocol secure. From that basis, we can show the protocols compose securely to prove the entire architecture. We also contribute some novel concepts to PCL, to allow us to prove the security of the overall architecture.
2007
EPRINT
A Refined Algorithm for the $\eta_T$ Pairing Calculation in Characteristic Three
We describe further improvements of the $\eta_T$ pairing algorithm in characteristic three. Our approach combines the loop unrolling technique introduced by Granger {\em et al.} for the Duursma-Lee algorithm, and a novel algorithm for multiplication over $\mathbb{F}_{3^{6m}}$ proposed by Gorla {\em et al.} at SAC 2007. For $m=97$, the refined algorithm reduces the number of multiplications over $\mathbb{F}_{3^m}$ from $815$ to $692$.
2007
EPRINT
A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator
An elliptic curve random number generator (ECRNG) has been approved in a NIST standard and proposed for ANSI and SECG draft standards. This paper proves that, if three conjectures are true, then the ECRNG is secure. The three conjectures are the hardness of the elliptic curve decisional Diffie-Hellman problem and the hardness of two newer problems, the x-logarithm problem and the truncated point problem. The x-logarithm problem is shown to be hard if the decisional Diffie-Hellman problem is hard, although the reduction is not tight. The truncated point problem is shown to be solvable when the minimum number of bits allowed in the NIST standard is truncated, thereby making it insecure for applications such as stream ciphers. Nevertheless, it is argued that for nonce and key generation this distinguishability is harmless.
2007
EPRINT
A Short Signature Scheme in the Standard Model
In this paper, by elaborately choosing the parameters of the Waters hash function, we propose a new efficient signature scheme. It is shown that the scheme is secure against strongly unforgeable chosen-message attacks in the standard model under the Computational Diffie-Hellman (CDH) assumption. Further, among all the known secure signatures in the standard model, our scheme is the shortest one and has an efficient security reduction as well.
2007
EPRINT
A Simple Security Analysis of Hash-CBC and a New Efficient One-Key Online Cipher
In Crypto 2001, Bellare {\em et al.} introduced {\em online ciphers} (or online permutations) and proposed two Hash-CBC mode constructions, namely {\bf HCBC} and {\bf HPCBC}, along with security proofs. We observe that the security proofs in their paper are {\em wrong} and may not be fixed easily. In this paper, we provide a {\em simple} security analysis of these online ciphers. Moreover, we propose two variants of HPCBC, namely {\bf MHCBC-1} and {\bf MHCBC-2}. The first variant, MHCBC-1, is a slight modification of HPCBC so that it is more efficient in performance as well as in memory compared to HPCBC. The other one, MHCBC-2, requires only {\em one key} (note that HCBC and HPCBC require at least two and three keys respectively) and does not require any $\varepsilon$-$\mathrm{\Delta}$Universal Hash Family (which is costly in general).
2007
EPRINT
A Survey of Single Database PIR: Techniques and Applications
In this paper we survey the notion of Single-Database Private Information Retrieval (PIR). The first Single-Database PIR was constructed in 1997 by Kushilevitz and Ostrovsky and since then Single-Database PIR has emerged as an important cryptographic primitive. For example, Single-Database PIR turned out to be intimately connected to collision-resistant hash functions, oblivious transfer and public-key encryptions with additional properties. In this survey, we give an overview of many of the constructions for Single-Database PIR (including an abstract construction based upon homomorphic encryption) and describe some of the connections of PIR to other primitives.
2007
EPRINT
A Synthetic Indifferentiability Analysis of Block Cipher based Hash Functions
Nowadays, investigating what construction is better to be a cryptographic hash function is red hot. In TCC'04, Maurer et al. first introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two cryptosystems. In AsiaCrypt 06, Chang et al. analyzed the indifferentiability security of some popular block-cipher-based hash functions, such as PGV constructions and MDC-2. In this paper, we investigate Chang et al.'s analysis of PGV constructions and the PBGV double block length constructions. In particular, we point out a more precise adversarial advantage of indifferentiability, by considering the two situations of whether the hash function is keyed or not. Furthermore, Chang et al. designed attacks on 4 PGV hash functions and the PBGV hash function to prove they are differentiable from a random oracle with prefix-free padding. We find a limitation in their differentiability attacks and construct our simulations to obtain the contrary results that those schemes are indifferentiable from a random oracle with prefix-free padding, as are some other popular constructions.
2007
EPRINT
A Tight High-Order Entropic Quantum Uncertainty Relation With Applications
We derive a new entropic quantum uncertainty relation involving min-entropy. The relation is tight and can be applied in various quantum-cryptographic settings. Protocols for quantum 1-out-of-2 Oblivious Transfer and quantum Bit Commitment are presented and the uncertainty relation is used to prove the security of these protocols in the bounded-quantum-storage model according to new strong security definitions. As another application, we consider the realistic setting of Quantum Key Distribution (QKD) against quantum-memory-bounded eavesdroppers. The uncertainty relation allows one to prove the security of QKD protocols in this setting while tolerating considerably higher error rates compared to the standard model with unbounded adversaries. For instance, for the six-state protocol with one-way communication, a bit-flip error rate of up to 17% can be tolerated (compared to 13% in the standard model). Our uncertainty relation also yields a lower bound on the min-entropy key uncertainty against known-plaintext attacks when quantum ciphers are composed. Previously, the key uncertainty of these ciphers was only known with respect to Shannon entropy.
2007
EPRINT
A Tunable Broadcast Encryption Scheme
In this paper, we describe yet another broadcast encryption scheme for stateless receivers. The main difference between our scheme and the classical schemes derived from the complete subtree and its subsequent improvements is that in our scheme the group management is based upon a more adaptable data structure. In these classical schemes, users must be spread over a tree structure where each level of the tree is associated with some distinguishing property of the users. The fact that the underlying data structure is a fixed tree is a strong limitation for some applications where an operator wants to select users very dynamically following criteria with changing levels of priority. Our scheme may be thought of as if, in the complete subtree, it were possible to exchange the different levels of the tree in order to make it very efficient to revoke or select a class of users. It is also very efficient in the cases where there exist very unbalanced groups of users. This scheme allows one to select or revoke users by sending ciphertexts of linear size with respect to the number of groups, which is in general far less than the number of users. Moreover, by using a specific group repartition, it is possible to recover a tree structure in order to apply the classical methods, which guarantees that our scheme is in general as efficient as the usual ones. We prove that our scheme is fully collusion secure in the generic group with pairing model.
2007
EPRINT
A Verifiable Voting Protocol based on Farnel
Farnel is a voting system proposed in 2001 in which each voter signs a ballot. It uses two ballot boxes to avoid the association between a voter and a vote. In this paper we first point out a flaw in the ThreeBallot system proposed by Rivest that seems to have gone unnoticed so far: it reveals statistical information about who is winning the election. Then, trying to resolve this and other flaws, we present a new, voter-verifiable version of the Farnel voting system in which voters retain copies of ballot IDs as receipts.
2007
EPRINT
A Zero-Knowledge Identification and Key Agreement Protocol
In this paper, we propose a zero-knowledge authenticated key agreement protocol with key confirmation (AKC) in the asymmetric setting. The protocol has several desirable security attributes like some classical AKCs such as STS and MQV. One highlight of our protocol is its zero-knowledge property, which enables succinct proofs of the claimed security attributes, while the overhead in communication and computation resulting from the special design to achieve zero-knowledge is insignificant.
2007
EPRINT
Accelerating SSL using the Vector processors in IBM's Cell Broadband Engine for Sony's Playstation 3
Recently the major performance chip manufacturers have turned to multi-core technology as a more cost-effective alternative to ever increasing clock speeds. IBM has introduced the Cell Broadband Engine (Cell) as its next generation CPU to feed the insatiable appetite modern multimedia and number crunching applications have for processing power. The Cell is the technology at the heart of Sony's Playstation 3. The Cell contains a number of specialist synergistic processor units (SPUs) optimised for multimedia processing, which offer a rich programming interface to applications that can make use of the vector processing capabilities. Multiprecision number manipulation for use in cryptography is one such application. This paper explores the implementation and performance gains when using these capabilities for SSL.
2007
EPRINT
Affine Precomputation with Sole Inversion in Elliptic Curve Cryptography
This paper presents a new approach to precompute all odd points $[3]P, [5]P,\ldots, [2k-1]P$, $k \geq 2$ on an elliptic curve over $\mathbb{F}_p$. Those points are required for the efficient evaluation of a scalar multiplication, the most important operation in elliptic curve cryptography. The proposed method precomputes the points in affine coordinates and needs only one single field inversion for the computation. The new method is superior to all known methods that also use one field inversion. Compared to methods that require several field inversions for the precomputation, the proposed method is faster for a broad range of ratios of field inversions and field multiplications. The proposed method benefits especially from ratios as they occur on smart cards.
2007
EPRINT
Algebraic and Slide Attacks on KeeLoq
KeeLoq is a block cipher used in wireless devices that unlock doors in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc. It was designed in the 80's by Willem Smit from South Africa and in 1995 was sold to Microchip Technology Inc for more than 10 million USD. Though no attack on this cipher has been found thus far, the 64-bit key size makes it no longer secure. Hackers and car thieves exploit this to recover the key by brute force with FPGAs. From our point of view, however, this cipher is interesting for other reasons. Compared to typical block ciphers that have a few carefully designed rounds, this cipher has 528 extremely simple rounds with extremely few intermediate variables (one per round). This seems a perfect target to study algebraic attacks on block ciphers. The cipher also has a periodic structure with a period of 64 rounds, and an unusually small block size of 32 bits. We present several slide-algebraic attacks on KeeLoq, the best of which allows one to recover the full key for the full cipher within 2^48 CPU clocks. Until now algebraic attacks didn't give interesting results on block ciphers and most researchers seriously doubted whether any block cipher would EVER be broken by such attacks. In this paper, however, we show that, for the first time in history, a full-round real-life block cipher is broken by an algebraic attack. Moreover, our attacks are easy to implement, have been tested experimentally, and the full key can be recovered in practice on a PC.
2007
EPRINT
Algebraic Immunity Hierarchy of Boolean Functions
Algebraic immunity of Boolean functions is a very important concept in the recently introduced algebraic attacks on stream ciphers. For an $n$-variable Boolean function $f$, the algebraic immunity $AI_n(f)$ takes values in $\{0,1,\ldots,\lceil\frac{n}{2}\rceil\}$. For every $k$ in this range, denote by $B_{n,k}$ the set of all $n$-variable Boolean functions with algebraic immunity $k$; we know that $B_{n,k}$ is always non-empty. According to the algebraic immunity, we can form a hierarchy of Boolean functions. Trivially, $|B_{n,0}|=2$. In general, very few results are known about the integer sequence $|B_{n,k}|,\quad k=0,1,\ldots,\lceil\frac{n}{2}\rceil$. In this paper, we show an explicit formula for $|B_{n,1}|$. That is, we obtain an exact formula for the number of Boolean functions with algebraic immunity one. This is the first exact formula for the terms in the above integer sequence. We also give a tight upper bound for the nonlinearity of Boolean functions with algebraic immunity one.
2007
EPRINT
Algebraic Lower Bounds for Computing on Encrypted Data
In cryptography, there has been tremendous success in building primitives out of homomorphic semantically-secure encryption schemes, using homomorphic properties in a black-box way. A few notable examples of such primitives include private information retrieval schemes and collision-resistant hash functions. In this paper, we illustrate a general methodology for determining what types of protocols can be implemented in this way and which cannot. This is accomplished by analyzing the computational power of various algebraic structures which are preserved by existing cryptosystems. More precisely, we demonstrate lower bounds for algebraically generating generalized characteristic vectors over certain algebraic structures, and subsequently we show how to directly apply these abstract algebraic results to put lower bounds on algebraic constructions of a number of cryptographic protocols, including PIR-writing and private keyword search protocols. We hope that this work will provide a simple ``litmus test'' of feasibility for use by other cryptographic researchers attempting to develop new protocols that require computation on encrypted data. Additionally, a precise mathematical language for reasoning about such problems is developed in this work, which may be of independent interest.
2007
EPRINT
Algebraic Structure Defectoscopy
We present a novel instrument of automated cryptanalysis suitable for measuring the number of rounds that can build one PRF round, so that 4 such rounds could be recommended as a Luby-Rackoff cipher secure against adaptive attacks. ASD tests can detect structural flaws in all kinds of cryptographic primitives and their implementations. We present our results for some of the well-known ciphers and hash functions and for some of the eSTREAM candidates. Our tools can distinguish complete Achterbahn, Grain v1 and Grain-128 from random, detect weak keys in the complete IDEA cipher and find fatal structural flaws even in complete ciphers like LILI, KeeLoq or TEA in a matter of seconds. Cryptanalysts can save their valuable time by requiring that all new ciphers must pass not only randomness tests, but also automated cryptanalysis tests like ours before they could be considered interesting for manual cryptanalytic study.
2007
EPRINT
Algorithms and Arithmetic Operators for Computing the $\eta_T$ Pairing in Characteristic Three
Since their introduction in constructive cryptographic applications, pairings over (hyper)elliptic curves are at the heart of an ever increasing number of protocols. Software implementations being rather slow, the study of hardware architectures became an active research area. In this paper, we discuss several algorithms to compute the $\eta_T$ pairing in characteristic three and suggest further improvements. These algorithms involve addition, multiplication, cubing, inversion, and sometimes cube root extraction over $\mathbb{F}_{3^m}$. We propose a hardware accelerator based on a unified arithmetic operator able to perform the operations required by a given algorithm. We describe the implementation of a compact coprocessor for the field $\mathbb{F}_{3^{97}}$ given by $\mathbb{F}_3[x]/(x^{97}+x^{12}+2)$, which compares favorably with other solutions described in the open literature.
2007
EPRINT
Almost Secure (1-Round, n-Channel) Message Transmission Scheme
It is known that perfectly secure ($1$-round, $n$-channel) message transmission (MT) schemes exist if and only if $n \geq 3t+1$, where $t$ is the number of channels that the adversary can corrupt. Then does there exist an {\it almost} secure MT scheme for $n=2t+1$? In this paper, we first sum up a number of flaws of the previous {\it almost} secure MT scheme presented at Crypto 2004. (The authors already noted in their presentation at Crypto'2004 that their scheme was flawed.) We next show an equivalence between almost secure MT schemes and secret sharing schemes with cheaters. By using our equivalence, we derive a lower bound on the communication complexity of almost secure MT schemes. Finally, we present a near-optimum scheme which meets our bound approximately. This is the first construction of provably secure almost secure ($1$-round, $n$-channel) MT schemes for $n=2t+1$.
2007
EPRINT
Almost-everywhere Secure Computation
Secure multi-party computation (MPC) is a central problem in cryptography. Unfortunately, it is well known that MPC is possible if and only if the underlying communication network has very large connectivity---specifically, $\Omega(t)$, where $t$ is the number of potential corruptions in the network. This impossibility result renders existing MPC results far less applicable in practice, since most deployed networks have in fact a very small degree. In this paper, we show how to circumvent this impossibility result and achieve meaningful security guarantees for graphs with small degree (such as expander graphs and several other topologies). In fact, the notion we introduce, which we call {\em almost-everywhere MPC}, building on the notion of almost-everywhere agreement due to Dwork, Peleg, Pippenger and Upfal, allows the degree of the network to be much smaller than the total number of allowed corruptions. In essence, our definition allows the adversary to {\em implicitly} wiretap some of the good nodes by corrupting sufficiently many nodes in the ``neighborhood'' of those nodes. We show protocols that satisfy our new definition, retaining both correctness and privacy for most nodes despite small connectivity, no matter how the adversary chooses his corruptions. Instrumental in our constructions is a new model and protocol for the {\em secure message transmission} (SMT) problem, which we call {\em SMT by public discussion}, and which we use for the establishment of pairwise secure channels in limited connectivity networks.
2007
EPRINT
An Algorithm for Finding Small Roots of Multivariate Polynomials over the Integers
In this paper we present a new algorithm for finding small roots of a system of multivariate polynomials over the integers based on lattice reduction techniques. Our simpler heuristic method is inspired by algorithms for predicting pseudorandom numbers, and it can be considered as another variant of Coppersmith's method for finding small solutions of integer bivariate polynomials. We also apply the method to the well-known problem of factoring an integer when we know the high-order bits of one of the factors.
2007
EPRINT
An (Almost) Constant-Effort Solution-Verification Proof-of-Work Protocol based on Merkle Trees
Proof-of-work schemes are economic measures to deter denial-of-service attacks: service requesters compute moderately hard functions that are easy to check by the provider. We present such a new scheme for solution-verification protocols. Although most schemes to date are probabilistic unbounded iterative processes with high variance of the requester effort, our Merkle tree scheme is deterministic, with an almost constant effort and null variance, and is computation-optimal.
2007
EPRINT
An Algebraic Analysis of Trivium Ciphers based on the Boolean Satisfiability Problem
Trivium is a stream cipher candidate of the eStream project. It has successfully moved into phase three of the selection process under the hardware category. No attacks faster than exhaustive search have so far been reported on Trivium. Bivium-A and Bivium-B are simplified versions of Trivium that are built on the same design principles but with two registers. The simplified design is useful in investigating Trivium-type ciphers with a reduced complexity and provides insight into effective attacks which could be extended to Trivium. This paper focuses on an algebraic analysis which uses the Boolean satisfiability problem in propositional logic. For reduced variants of the cipher, this analysis recovers the internal state with a minimal amount of keystream observations.
2007
EPRINT
An Efficient Certificateless Signature Scheme
In this paper we present a certificateless signature (CLS) scheme secure in the Random Oracle Model. This scheme requires no pairing computations for signature generation and only two for signature verification. As far as we know, this is the only CLS scheme to require less than four pairing computations on signature verification.
2007
EPRINT
An Efficient One-move Nominative Signature Scheme
A signer in a Nominative Signature (NS) scheme can arbitrarily choose a nominee, then jointly generate a signature in such a way that the signature can only be verified with the nominee's consent. NS is particularly useful in user certification systems. Currently, the only secure NS scheme available requires multi-round communications between the nominator and the nominee during signature generation. This implies that an NS-based user certification system requires a certification issuer to interact with a user using a complicated multi-round protocol for certificate issuance. It remains an open problem to construct an efficient and non-interactive NS scheme. In this paper, we solve this problem by proposing the first efficient one-move (i.e. non-interactive) NS scheme. In addition, we propose an enhanced security requirement called Strong Invisibility, and prove that our scheme satisfies this strong security requirement.
2007
EPRINT
An Efficient Range-Bounded Commitment Scheme
Checking whether a committed integer lies in a specific interval has many cryptographic applications. In Eurocrypt'98, Chan et al. proposed an instantiation (CFT for short). Based on CFT, Boudot presented an efficient range-bounded commitment scheme in Eurocrypt'2000. Both CFT proof and Boudot proof are based on the encryption $E(x, r)=g^xh^r\ \mbox{mod}\ n$, where $n$ is an RSA modulus whose factorization is \textit{unknown} by the prover. They did not use a single base as usual. Thus an increase in cost occurs. In this paper we show that it suffices to adopt a single base. The cost of the improved Boudot proof is about half of that of the original scheme. Moreover, the key restriction in the original scheme, i.e., both the discrete logarithm of $g$ in base $h$ and the discrete logarithm of $h$ in base $g$ are unknown by the prover, which is a potential menace to the Boudot proof, is definitely removed.
2007
EPRINT
An Enhanced ID-based Deniable Authentication Protocol on Pairings
Deniability is defined as a privacy property which enables protocol principals to deny their involvement after they have taken part in a particular protocol run. Recently, Chou et al. proposed their ID-based deniable authentication protocol after demonstrating the vulnerability of Cao et al.'s protocol to the Key-Compromise Impersonation (KCI) attack. In addition, they claimed that their protocol is not only secure, but also able to achieve both the authenticity and deniability properties. However, in this paper, we demonstrate that Chou et al.'s protocol is not flawless, as it remains insecure due to its susceptibility to the KCI attack. Based on this, we propose an enhanced scheme which in fact preserves authenticity, deniability and resistance against the KCI attack.
2007
EPRINT
An Enhanced One-round Pairing-based Tripartite Authenticated Key Agreement Protocol
A tripartite authenticated key agreement protocol is generally designed to accommodate the need of three specific entities to communicate over an open network with a shared secret key, which is used to preserve data confidentiality and integrity. Since Joux proposed the first pairing-based one-round tripartite key agreement protocol in 2000, numerous authenticated protocols have followed. However, most of them have turned out to be flawed due to their inability to achieve some desirable security attributes. In 2005, Lin and Li identified the weaknesses of Shim's protocol and subsequently proposed an improved scheme by introducing an extra verification process. In this paper, we prove that Lin and Li's improved scheme remains insecure due to its susceptibility to the insider impersonation attack. Based on this, we propose an enhanced scheme which not only overcomes their defects, but also preserves the desired security attributes of a key agreement protocol.
2007
EPRINT
An improved collision probability for CBC-MAC and PMAC
In this paper we compute the collision probability of CBC-MAC for suitably chosen messages. We show that the probability is $\Omega(\ell q^2/N)$, where $\ell$ is the number of message blocks, $N$ is the size of the domain and $q$ is the total number of queries. For a random oracle the probability is $O(q^2/N)$. This improved collision probability helps us to mount an efficient distinguishing attack and a MAC-forgery attack. We also show a collision probability of $\Omega(q^2/N)$ for PMAC (strictly more than the birthday bound). We have used a purely combinatorial approach to obtain this bound. A similar analysis can be made for other MACs such as XCBC, TMAC and OMAC. We hope this approach will help us to calculate related probabilities.
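The forgery this abstract refers to follows from any tag collision: if CBC-MAC(M_1) = CBC-MAC(M_2) for equal-length M_1 and M_2, the chaining values coincide from that point on, so CBC-MAC(M_1 || X) = CBC-MAC(M_2 || X) for every suffix X, and one legitimate query on M_1 || X yields a valid tag for the never-queried M_2 || X. The Python below is an added worked example, not code from the paper. It uses a constructed 16-bit toy Feistel cipher (so that N = 2^16 and a birthday collision costs a few hundred queries), a constructed key, and plain birthday search on random messages; the paper's point is that suitably chosen messages collide faster than this generic search, at rate $\Omega(\ell q^2/N)$ rather than $O(q^2/N)$.

```python
import hashlib
import random

BLOCK_BITS = 16
N = 1 << BLOCK_BITS              # size of the MAC's range, the abstract's N
KEY = b"constructed-demo-key"    # constructed key for this example


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed 8-bit PRF used as the Feistel round function (toy construction)."""
    digest = hashlib.sha256(key + bytes([rnd, half])).digest()
    return digest[0]


def toy_block_cipher(key: bytes, block: int) -> int:
    """4-round Feistel permutation on 16-bit blocks: a stand-in for AES with a
    deliberately tiny block so that birthday collisions are cheap to find."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << 8) | right


def cbc_mac(key: bytes, blocks) -> int:
    """Plain CBC-MAC: zero IV, chain the block cipher, output the last block."""
    tag = 0
    for m in blocks:
        tag = toy_block_cipher(key, tag ^ m)
    return tag


def find_tag_collision(key: bytes, ell: int, max_queries: int = 20000, seed: int = 7):
    """Query the MAC on random ell-block messages until two of them collide.
    Returns (queries_used, message_a, message_b); the expected cost is about sqrt(N)."""
    rng = random.Random(seed)
    seen = {}
    for q in range(1, max_queries + 1):
        msg = tuple(rng.randrange(N) for _ in range(ell))
        tag = cbc_mac(key, msg)
        if tag in seen and seen[tag] != msg:
            return q, seen[tag], msg
        seen[tag] = msg
    raise RuntimeError("no collision found")


def forge_from_collision(key: bytes, msg_a, msg_b, suffix):
    """Given CBC-MAC(msg_a) == CBC-MAC(msg_b), one legitimate query on
    msg_a||suffix yields a valid tag for the never-queried msg_b||suffix."""
    queried_tag = cbc_mac(key, msg_a + suffix)   # the single allowed MAC query
    forged_message = msg_b + suffix
    return forged_message, queried_tag


def verify(key: bytes, message, tag) -> bool:
    return cbc_mac(key, message) == tag


if __name__ == "__main__":
    q, a, b = find_tag_collision(KEY, ell=2)
    print(f"collision after {q} queries (birthday estimate ~{int(N ** 0.5)}): {a} vs {b}")
    forged, tag = forge_from_collision(KEY, a, b, suffix=(0x1234,))
    print("forgery accepted:", verify(KEY, forged, tag))
```

The same propagation argument is why CBC-MAC is only secure for fixed-length messages and why the variants named in the abstract (XCBC, TMAC, OMAC) change the last block's processing.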
2007
EPRINT
An Improved Distinguisher for Dragon
Dragon stream cipher is one of the focus ciphers which have reached Phase 2 of the eSTREAM project. In this paper, we present a new method of building a linear distinguisher for Dragon. The distinguisher is constructed by exploiting the biases of two S-boxes and the modular addition which are basic components of the nonlinear function $F$. The bias of the distinguisher is estimated to be around $2^{-75.32}$ which is better than the bias of the distinguisher presented by Englund and Maximov. We have shown that Dragon is distinguishable from a random cipher by using around $2^{150.6}$ keystream words and $2^{59}$ memory. In addition, we present a very efficient algorithm for computing the bias of linear approximation of modular addition.
2007
EPRINT
An Improved One-Round ID-Based Tripartite Authenticated Key Agreement Protocol
A tripartite authenticated key agreement protocol is generally designed to accommodate the need of three specific entities to communicate over an open network with a shared secret key, which is used to preserve confidentiality and data integrity. Since Joux initiated the development of tripartite key agreement protocols, many prominent tripartite schemes have been proposed. In 2005, Tso et al. proposed an ID-based non-interactive tripartite key agreement scheme with k-resilience. Based on this scheme, they further proposed another one-round tripartite application scheme. Although they claimed that both schemes are efficient and secure, we discover that both schemes are in fact breakable. In this paper, we mount several impersonation attacks on Tso et al.'s schemes in order to highlight their flaws. Subsequently, we propose an enhanced scheme which not only overcomes their defects, but also preserves the desired security attributes of a key agreement protocol.
2007
EPRINT
An Improved Remote User Authentication Scheme using Bilinear Pairings
In 2005 Das et al. [5] proposed a remote user authentication scheme using bilinear pairings. Fang and Huang [7] analyzed the scheme, pointed out some weaknesses and proposed an improvement. Recently, Giri and Srivastava [9] observed that the improved scheme is still insecure against off-line attack and proposed a further improvement. However, that improved scheme is still insecure. In this paper, we show some weaknesses in the existing scheme and propose an improvement. The proposed scheme also enables users to choose and change their password without the help of the remote server.
2007
EPRINT
An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings
Recently Manik et al. [3] proposed a novel remote user authentication scheme using bilinear pairings, and various attacks on this scheme were discussed. Fang et al. [15] re-analyzed these schemes, pointed out that the subsequently proposed schemes are not secure, and proposed an improvement to the previous schemes. Recently, Giri and Srivastava [16] observed that the improved scheme is still insecure against off-line attack and suggested an improvement on Fang et al.'s scheme. However, the improved scheme is still insecure. In this paper, we discuss these attacks and propose an improvement of their scheme that provides better security than the previously published schemes.
2007
EPRINT
An Interesting Member ID-based Group Signature
We propose an interesting and efficient member ID-based group signature scheme, in which verification of the output of the OPEN algorithm run by the group manager does not have to refer to a registration table (acting as a certification list). The proposal is free of GM-frameability, i.e., a member's secret key is not escrowed to the GM, which is unique among all known member ID-based group signatures as far as we know. The proposal also has two distinctive extra features: the group manager does not have to maintain a registration table to obtain the real identity of the signer, in contrast to other schemes; and, in case a registration table is maintained, it provides an alternative countermeasure against a tampered registration table to applying integrity techniques to the table.
2007
EPRINT
AN OPTIMIZED HARDWARE ARCHITECTURE OF MONTGOMERY MULTIPLICATION ALGORITHM
Montgomery multiplication is one of the fundamental operations used in cryptographic algorithms, such as RSA and Elliptic Curve Cryptosystems. At CHES 1999, Tenca and Koc introduced a now-classical architecture for implementing Montgomery multiplication in hardware. With parameters optimized for minimum latency, this architecture performs a single Montgomery multiplication in approximately 2n clock cycles, where n is the size of operands in bits. In this paper we propose and discuss an optimized hardware architecture performing the same operation in approximately n clock cycles. Our architecture is based on pre-computing partial results using two possible assumptions regarding the most significant bit of the previous word, and is only marginally more demanding in terms of the circuit area. The new radix-2 architecture can be extended for the case of radix-4, while preserving a factor of two speed-up over the corresponding radix-4 design by Tenca, Todorov, and Koc from CHES 2001. Our architecture has been verified by modeling it in Verilog-HDL, implementing it using Xilinx Virtex-II 6000 FPGA, and experimentally testing it using SRC-6 reconfigurable computer.
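As an added illustration (not the paper's Verilog, and making no claim about its pipeline or cycle counts), the Python below spells out the radix-2 Montgomery multiplication that such an architecture implements bit-serially: one pass over the n bits of the multiplier, each step adding the multiplicand when the current bit is set, conditionally adding the modulus to clear the low bit, and halving. Wrapped in the usual conversions into and out of the Montgomery domain it reproduces a*b mod m and a Montgomery-domain square-and-multiply of the kind RSA uses. The 127-bit modulus and the operands are constructed for the example.

```python
import random


def mont_mul_radix2(a: int, b: int, m: int, n: int) -> int:
    """Bit-serial radix-2 Montgomery multiplication.

    Returns a * b * 2^(-n) mod m for odd m < 2^n and 0 <= a, b < m.
    Iteration i consumes bit i of a (the multiplier), adds b when that bit is
    set, then adds m when needed to make the running sum even, and halves it.
    This is the loop a radix-2 datapath unrolls: one scan over the n bits of a.
    """
    assert m % 2 == 1 and m < (1 << n) and 0 <= a < m and 0 <= b < m
    t = 0
    for i in range(n):
        t += ((a >> i) & 1) * b   # partial product for bit i of a
        q = t & 1                 # parity of t decides whether to add m
        t = (t + q * m) >> 1      # t + q*m is even, so the shift is exact
    return t - m if t >= m else t  # invariant t < 2m, so one subtraction suffices


def to_montgomery(x: int, m: int, n: int) -> int:
    """x -> x*R mod m with R = 2^n, via one Montgomery product with R^2 mod m."""
    r2 = pow(2, 2 * n, m)
    return mont_mul_radix2(x % m, r2, m, n)


def from_montgomery(x_mont: int, m: int, n: int) -> int:
    """x*R -> x, a Montgomery product with 1."""
    return mont_mul_radix2(x_mont, 1, m, n)


def modmul(a: int, b: int, m: int, n: int) -> int:
    """a*b mod m computed entirely with Montgomery products."""
    a_m = to_montgomery(a, m, n)
    b_m = to_montgomery(b, m, n)
    return from_montgomery(mont_mul_radix2(a_m, b_m, m, n), m, n)


def modexp(base: int, exp: int, m: int, n: int) -> int:
    """Left-to-right square-and-multiply in the Montgomery domain (RSA-style)."""
    acc = to_montgomery(1, m, n)
    b_m = to_montgomery(base, m, n)
    for bit in bin(exp)[2:]:
        acc = mont_mul_radix2(acc, acc, m, n)
        if bit == "1":
            acc = mont_mul_radix2(acc, b_m, m, n)
    return from_montgomery(acc, m, n)


if __name__ == "__main__":
    # constructed 127-bit odd modulus (a Mersenne prime) and random operands
    M = (1 << 127) - 1
    NBITS = 128
    rng = random.Random(1)
    a, b = rng.randrange(M), rng.randrange(M)
    assert modmul(a, b, M, NBITS) == a * b % M
    assert modexp(a, 65537, M, NBITS) == pow(a, 65537, M)
    print("radix-2 Montgomery multiplication agrees with pow():", True)
```

In hardware the dependency between the parity test and the next iteration's add is what limits a straightforward radix-2 datapath; the precomputation of partial results under both assumptions about the pending most significant bit, described in the abstract, is aimed at that dependency.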
2007
EPRINT
Analysis and optimization of elliptic-curve single-scalar multiplication
Let $P$ be a point on an elliptic curve over a finite field of large characteristic. Exactly how many points $2P,3P,5P,7P,9P,\ldots,mP$ should be precomputed in a sliding-window computation of $nP$? Should some or all of the points be converted to affine form, and at which moments during the precomputation should these conversions take place? Exactly how many field multiplications are required for the resulting computation of $nP$? The answers depend on the size of $n$, the inversion/multiplication (I/M) cost ratio, the choice of curve shape, the choice of coordinate system, and the choice of addition formulas. This paper presents answers that, compared to previous analyses, are more carefully optimized and cover a much wider range of situations.
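An added example, not the paper's code, of the computation the abstract optimizes: affine sliding-window scalar multiplication with precomputed odd multiples P, 3P, ..., (2^w - 1)P, instrumented to count field inversions (I), multiplications (M) and squarings (S) so that the cost for a given I/M ratio can be read off and compared across window widths. The curve y^2 = x^3 + 2x + B over the Mersenne prime 2^61 - 1, the base point (3, 5) (B is chosen so that it lies on the curve) and the S/M = 0.8 figure in cost_in_mults are assumptions for the illustration; the formulas are the textbook affine short-Weierstrass ones (1I + 2M + 1S per addition, 1I + 2M + 2S per doubling), not the optimized coordinate systems and addition formulas the paper compares.

```python
P_MOD = (1 << 61) - 1            # Mersenne prime; the group is far too large for accidental
                                 # P == Q or P == -Q cases to occur in the examples below
A_COEF = 2
B_COEF = (25 - 27 - 6) % P_MOD   # chosen so that G = (3, 5) lies on y^2 = x^3 + 2x + B
G = (3, 5)

COUNT = {"I": 0, "M": 0, "S": 0}  # field inversions, multiplications, squarings


def reset_counts():
    for k in COUNT:
        COUNT[k] = 0


def fmul(a, b):
    COUNT["M"] += 1
    return a * b % P_MOD


def fsqr(a):
    COUNT["S"] += 1
    return a * a % P_MOD


def finv(a):
    COUNT["I"] += 1
    return pow(a, P_MOD - 2, P_MOD)


def ec_double(P):
    """Affine doubling: 1I + 2M + 2S (the multiplication by the constant 3 is not counted)."""
    if P is None:
        return None
    x1, y1 = P
    if y1 == 0:
        return None
    lam = fmul((3 * fsqr(x1) + A_COEF) % P_MOD, finv(2 * y1 % P_MOD))
    x3 = (fsqr(lam) - 2 * x1) % P_MOD
    y3 = (fmul(lam, x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_add(P, Q):
    """Affine addition: 1I + 2M + 1S; handles the identity (None) and P == +-Q."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        return None if (y1 + y2) % P_MOD == 0 else ec_double(P)
    lam = fmul((y2 - y1) % P_MOD, finv((x2 - x1) % P_MOD))
    x3 = (fsqr(lam) - x1 - x2) % P_MOD
    y3 = (fmul(lam, x1 - x3) - y1) % P_MOD
    return (x3, y3)


def sliding_window_mul(n, P, w):
    """Left-to-right sliding-window scalar multiplication with precomputed odd multiples
    P, 3P, 5P, ..., (2^w - 1)P; w = 1 degenerates to plain double-and-add.
    Returns (nP, operation counts including the precomputation)."""
    reset_counts()
    table = {1: P}
    if w > 1:
        P2 = ec_double(P)
        for i in range(3, 1 << w, 2):
            table[i] = ec_add(table[i - 2], P2)
    Q = None
    i = n.bit_length() - 1
    while i >= 0:
        if (n >> i) & 1 == 0:            # zero bit: just double
            Q = ec_double(Q)
            i -= 1
            continue
        t = min(w, i + 1)                # widest window that fits ...
        while (n >> (i - t + 1)) & 1 == 0:
            t -= 1                       # ... shrunk so that it ends in a 1 (odd value)
        v = (n >> (i - t + 1)) & ((1 << t) - 1)
        for _ in range(t):
            Q = ec_double(Q)
        Q = ec_add(Q, table[v])
        i -= t
    return Q, dict(COUNT)


def naive_mul(n, P):
    """Independent right-to-left double-and-add, used as a reference result."""
    R, T = None, P
    while n:
        if n & 1:
            R = ec_add(R, T)
        T = ec_double(T)
        n >>= 1
    return R


def cost_in_mults(counts, i_over_m, s_over_m=0.8):
    """Total cost in multiplications for a given I/M ratio; S/M = 0.8 is an assumed
    figure for the illustration, not a value taken from the paper."""
    return counts["I"] * i_over_m + counts["M"] + counts["S"] * s_over_m


if __name__ == "__main__":
    n = 0xDEADBEEFCAFEBABE
    for w in (1, 2, 3, 4, 5, 6):
        Q, c = sliding_window_mul(n, G, w)
        assert Q == naive_mul(n, G)
        print(f"w={w}: {c}, cost at I/M=80: {cost_in_mults(c, 80):.0f}M, "
              f"at I/M=8: {cost_in_mults(c, 8):.0f}M")
```

Because every affine operation costs one inversion, the I count is what the window width trades against the size of the precomputed table; the paper's question of when to convert precomputed points to affine form only arises once projective coordinates make additions inversion-free.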
2007
EPRINT
Analysis of Collusion-Attack Free ID-Based Non-Interactive Key Sharing
Recently, Tanaka proposed an identity based non-interactive key sharing scheme and its corresponding identity based encryption scheme based on the intractability of integer factorization and discrete logarithm. The proposed identity based non-interactive key sharing scheme is similar to the well-known Maurer-Yacobi public key distribution scheme but the computational complexity for private key generation can be significantly reduced. It is also claimed that the proposed identity based non-interactive key sharing scheme is "collusion-attack free", i.e., secure against collusion attacks. In this paper, we analyze the security of the "collusion-attack free" identity based non-interactive key sharing scheme. First, we show that, without colluding with other users, a single user can recover some of the secret information of the private key generator. Then we show that a small group of users can collude to recover all of the secret information held by the private key generator. Thus, the "collusion-attack free" identity based non-interactive key sharing scheme can be completely compromised by collusion attacks.
2007
EPRINT
Analysis of countermeasures against access driven cache attacks on AES
Cache attacks on implementations of cryptographic algorithms have turned out to be very powerful. Progress in processor design, e.g., hyperthreading, requires adapting models for tampering or side-channel attacks to cover cache attacks as well. Hence, in this paper we present a rather general model for cache attacks. Our model is stronger than recently used ones. We introduce the notions of information leakage and so-called resistance to analyze the security of several implementations of AES. Furthermore, we analyze how to use random permutations to protect against cache attacks. By providing a successful attack on an AES implementation protected by random permutations we show that random permutations used in a straightforward manner are not enough to protect against cache attacks. Hence, to improve upon the security provided by random permutations, we describe the property a permutation must have in order to prevent the leakage of some key bits through cache attacks. Using a permutation having this property forces an adversary to consider several rounds of the cipher. This increases the complexity of any cache attack considerably. We also describe how to implement our countermeasure efficiently. The method to do so is of independent interest, since it alone can also be used to protect against cache attacks. Moreover, combining both countermeasures allows for a trade-off between security and efficiency.
2007
EPRINT
Analysis of Local Optima in Block Ciphers
We present a technique to perform key distinguishing attacks on block ciphers. The method is based on profiling the behaviour of a simple search algorithm when it is applied to recover the key under which a set of known plaintexts has been encrypted. Even though the probability of finding the correct key is negligible, it is observed that the solutions (local optima) yielded by successive searches can be highly dependent on the key, forming patterns that can be unequivocally (in a statistical sense) associated with each particular key. When a cipher suffers from such a weakness, this provides us with an effective procedure to tell apart ciphertexts generated by different and unknown keys. We illustrate the method by applying it to the TEA block cipher, for which attacks of this kind can be successfully mounted against the full version (64 rounds) with extremely simple profiling methods. The technique itself is completely black-box and admits a number of refinements. We suspect it might be applied to many other ciphers by using the same or more complex profiling schemes.
2007
EPRINT
Analysis of Underlying Assumptions in NIST DRBGs
In [NIST], four different DRBGs are recommended for cryptographic purposes. Each generator is based on some underlying cryptographic concept. This article examines each of these concepts to determine the necessary and sufficient conditions for the DRBG to be secure in its generation process. In addition, the effects of failure of the typical cryptographic requirements of each underlying concept are discussed. From [MC], permutation-based DRBGs are never indistinguishable from a true random source. From [DB], elliptic-curve-based DRBGs are secure given that a set of problems regarding elliptic curves remains difficult. This article demonstrates that a pseudo-random family is required for both hash-based and HMAC-based DRBGs.
2007
EPRINT
Another Look at Automated Theorem-Proving
I examine the use of automated theorem-proving for reductionist security arguments in cryptography and discuss three papers that purport to show the potential of computer-assisted proof-writing and proof-checking. I look at the proofs that the authors give to illustrate the "game-hopping" technique -- for Full-Domain Hash signatures, ElGamal encryption, and Cramer-Shoup encryption -- and ask whether there is evidence that automated theorem-proving can contribute anything of value to the security analysis of cryptographic protocols.
2007
EPRINT
Another Look at Non-Standard Discrete Log and Diffie-Hellman Problems
We examine several versions of the one-more-discrete-log and one-more-Diffie-Hellman problems. In attempting to evaluate their intractability, we find conflicting evidence of the relative hardness of the different problems. Much of this evidence comes from natural families of groups associated with curves of genus 2, 3, 4, 5, and 6. This leads to questions about how to interpret reductionist security arguments that rely on these non-standard problems.
2007
EPRINT
Another Look at Square Roots and Traces (and Quadratic Equations) in Fields of Even Characteristic
We discuss irreducible polynomials that can be used to speed up square root extraction in fields of characteristic two. We call such polynomials \textit{square root friendly}. The obvious applications are to point halving methods for elliptic curves and divisor halving methods for hyperelliptic curves. We note the existence of square root friendly trinomials of a given degree when we already know that an irreducible trinomial of the same degree exists, and formulate a conjecture on the degrees of the terms of square root friendly polynomials. We also give a partial result that goes in the direction of the conjecture. Irreducible polynomials $p(X)$ such that the square root $\zeta$ of a zero $x$ of $p(X)$ is a sparse polynomial are considered and those for which $\zeta$ has minimal degree are characterized. In doing this we discover a surprising connection between these polynomials and those defining polynomial bases with an extremal number of trace one elements. We also show how to improve the speed of solving quadratic equations and that the increase in the time required to perform modular reduction is marginal and does not affect performance adversely. Experimental results confirm that the new polynomials maintain their promises. These results generalize work by Fong et al.\ to polynomials other than trinomials. Point halving gets a speed-up of $20\%$ and the performance of scalar multiplication based on point halving is improved by at least $11\%$.
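An added example (not from the paper) of the operations this abstract is about, in $\mathbb{F}_{2^m}$ with a polynomial basis: $\sqrt{a} = a_{\mathrm{even}} + \sqrt{z}\cdot a_{\mathrm{odd}}$, where $\sqrt{z} = z^{2^{m-1}}$ is precomputed once per field, so a square root costs one field multiplication by $\sqrt{z}$, and a sparse $\sqrt{z}$ is exactly what "square root friendly" buys. Alongside it are the trace and the half-trace, which solve $x^2 + x = c$ for odd $m$. The two trinomials are constructed test cases: for $z^7 + z + 1$ ($m$ and $k$ both odd) $\sqrt{z} = z^4 + z$, the Fong et al. case, while for $z^{11} + z^2 + 1$ ($k$ even) $\sqrt{z}$ has weight 7.

```python
def gf2_mulmod(a: int, b: int, f: int, m: int) -> int:
    """Multiply two elements of GF(2^m) = GF(2)[z]/(f); polynomials are bit masks,
    f has degree m, a and b have degree < m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:        # reduce as soon as degree m appears
            a ^= f
    return r


def gf2_sqr(a, f, m):
    return gf2_mulmod(a, a, f, m)


def sqrt_of_z(f, m):
    """sqrt(z) = z^(2^(m-1)), computed once per field by m-1 squarings."""
    s = 0b10
    for _ in range(m - 1):
        s = gf2_sqr(s, f, m)
    return s


def sqrt_fast(a, f, m, sz):
    """sqrt(a) = a_even(z) + sqrt(z) * a_odd(z): split the coefficients of a by the
    parity of their exponent, halve the exponents, and pay one multiplication by the
    precomputed sqrt(z). A sparse sz (square root friendly f) makes that product cheap."""
    even = odd = 0
    for i in range(m):
        if (a >> i) & 1:
            if i % 2 == 0:
                even |= 1 << (i // 2)
            else:
                odd |= 1 << (i // 2)
    return even ^ gf2_mulmod(sz, odd, f, m)


def trace(a, f, m):
    """Tr(a) = a + a^2 + ... + a^(2^(m-1)), an element of GF(2)."""
    t, x = 0, a
    for _ in range(m):
        t ^= x
        x = gf2_sqr(x, f, m)
    return t


def half_trace(a, f, m):
    """For odd m, H(a) = sum_{i=0}^{(m-1)/2} a^(4^i) satisfies H^2 + H = a + Tr(a)."""
    assert m % 2 == 1
    h, x = 0, a
    for _ in range((m - 1) // 2 + 1):
        h ^= x
        x = gf2_sqr(gf2_sqr(x, f, m), f, m)
    return h


def solve_quadratic(c, f, m):
    """Solve x^2 + x = c in GF(2^m), m odd; solvable iff Tr(c) = 0 (solutions x, x+1)."""
    if trace(c, f, m) != 0:
        return None
    return half_trace(c, f, m)


def weight(p):
    return bin(p).count("1")


F7 = (1 << 7) | (1 << 1) | 1     # z^7 + z + 1: m, k both odd -> sqrt(z) = z^4 + z
F11 = (1 << 11) | (1 << 2) | 1   # z^11 + z^2 + 1: k even -> sqrt(z) is dense

if __name__ == "__main__":
    for f, m in ((F7, 7), (F11, 11)):
        sz = sqrt_of_z(f, m)
        print(f"m={m}: sqrt(z) = {sz:#b}, weight {weight(sz)}")
        a = 0b1011011
        assert gf2_sqr(sqrt_fast(a, f, m, sz), f, m) == a
```

Point halving needs both pieces: a square root for the $x$-coordinate and a solution of $\lambda^2 + \lambda = c$ obtained from the half-trace, which is why the abstract treats square roots, traces and quadratic equations together.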
2007
EPRINT
Arithmetic Operators for Pairing-Based Cryptography
Since their introduction in constructive cryptographic applications, pairings over (hyper)elliptic curves are at the heart of an ever increasing number of protocols. Software implementations being rather slow, the study of hardware architectures became an active research area. In this paper, we first study an accelerator for the $\eta_T$ pairing over $\mathbb{F}_3[x]/(x^{97}+x^{12}+2)$. Our architecture is based on a unified arithmetic operator which performs addition, multiplication, and cubing over $\mathbb{F}_{3^{97}}$. This design methodology allows us to design a compact coprocessor ($1888$ slices on a Virtex-II Pro~$4$ FPGA) which compares favorably with other solutions described in the open literature. We then describe ways to extend our approach to any characteristic and any extension field.
2007
EPRINT
Aspects of Pairing Inversion
We discuss some applications of the pairing inversion problem and outline some potential approaches for solving it. Our analysis of these approaches gives further evidence that pairing inversion is a hard problem.
2007
EPRINT
Attacking the IPsec Standards in Encryption-only Configurations
At Eurocrypt 2006, Paterson and Yau demonstrated how flaws in the Linux implementation of IPsec could be exploited to break encryption-only configurations of ESP, the IPsec encryption protocol. Their work highlighted the dangers of not using authenticated encryption in fielded systems, but did not constitute an attack on the actual IPsec standards themselves; in fact, the attacks of Paterson and Yau should be prevented by any standards-compliant IPsec implementation. In contrast, this paper describes new attacks which break any RFC-compliant implementation of IPsec making use of encryption-only ESP. The new attacks are both efficient and realistic: they are ciphertext-only and need only the capability to eavesdrop on ESP-encrypted traffic and to inject traffic into the network. The paper also reports our experiences in applying the attacks to a variety of implementations of IPsec, and reflects on what these experiences tell us about how security standards should be written so as to simplify the task of software developers.
2007
EPRINT
Attacks on the WEP protocol
WEP is a protocol for securing wireless networks. In the past years, many attacks on WEP have been published, totally breaking WEP's security. This thesis summarizes all major attacks on WEP. Additionally a new attack, the PTW attack, is introduced, which was partially developed by the author of this document. Some advanced versions of the PTW attack which are more suitable in certain environments are described as well. Currently, the PTW attack is the fastest publicly known key recovery attack against WEP protected networks.
2007
EPRINT
Attribute Based Group Signature Scheme
Alice needs a document signed by an employee in Bob's company. That employee should be part of the IT staff and is at least a junior manager in the cryptography team or a senior manager in the biometrics team. In such a scenario we need an Attribute Based Group Signature Scheme (ABGS). In this paper we define the first ABGS scheme where verifying includes authenticating a person that belongs to a certain group and owns particular attributes. We define two security notions adopted from group signature which are: traceability and anonymity. We prove our scheme to be secure under those two notions.
2007
EPRINT
Attribute Based Group Signature with Revocation
In real life, one requires signatures to be from people who fulfill certain criteria, implying that they should possess specific attributes. For example, Alice might want a signature from an employee in Bob's company who is a member of the IT staff, a senior manager within the biometrics team or at least a junior manager in the cryptography team. In such a case an Attribute Based Group Signature scheme (ABGS) could be applied. Group signature schemes are those where each member of a group can sign on behalf of the others. An ABGS scheme is a type of group signature scheme where the signing member has to have certain attributes. In [12], the authors introduced the first ABGS, but it lacked the ability to revoke. In this paper, we introduce a new scheme that will enable us to remove a member from a group or remove some of his attributes, when needed.
2007
EPRINT
Attribute-Based Encryption with Non-Monotonic Access Structures
We construct an Attribute-Based Encryption (ABE) scheme that allows a user's private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear Diffie-Hellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, less-expressive schemes.
2007
EPRINT
Authenticated Key Exchange and Key Encapsulation Without Random Oracles
This paper presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), $\pi$PRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably efficient to the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a $\pi$PRF is CCA-secure. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, using generalized TCR (GTCR) hash functions. The proposed schemes in this paper are redundancy-free (or validity-check-free) and the implication is that combining them with redundancy-free symmetric encryption (DEM) will yield redundancy-free (e.g., MAC-free) CCA-secure hybrid encryption.
2007
EPRINT
Authorship Proof for Textual Document
In this paper, we investigate the problem of how to prove the authorship of textual documents. First we define the basic functionalities of an authorship proof scheme (APS) based on natural language watermarking, and identify two essential security requirements for an APS to be secure against various attacks. We review existing natural language watermarking schemes, and we propose two new schemes with improved security.
2007
EPRINT
Automatic Search of Differential Path in MD4
In 2004, Wang et al. obtained breakthrough collision attacks on the main hash functions from the MD4 family. The attacks are differential attacks in which one closely follows the inner steps of the underlying compression function, based on a so-called differential path. It is generally assumed that such differential paths were found ``by hand''. In this paper, we present an algorithm which automatically finds suitable differential paths, in the case of MD4. As a first application, we obtain new differential paths for MD4, which improve upon previously known MD4 differential paths. This algorithm could be used to find new differential paths, and to build new attacks against MD4.
2007
EPRINT
Balanced Boolean Function on 13-variables having Nonlinearity strictly greater than the Bent Concatenation Bound
Very recently, Kavut and Yucel identified 9-variable Boolean functions having nonlinearity 242, which is currently the best known. However, none of these functions contains a zero in the Walsh spectrum, and that is why they cannot be made balanced. We use these functions to construct a 13-variable balanced Boolean function having nonlinearity $2^{13-1} - 2^{\frac{13-1}{2}} + 2 = 4034$, which is strictly greater than the bent concatenation bound. This is the first demonstration of balanced Boolean functions on an odd number of variables having nonlinearity strictly greater than the bent concatenation bound for a number of input variables less than 15.
2007
EPRINT
Balanced Boolean Functions with Nonlinearity > 2^{n-1} - 2^{(n-1)/2}
Recently, balanced 15-variable Boolean functions with nonlinearity 16266 were obtained by suitably modifying unbalanced Patterson-Wiedemann (PW) functions, which possess nonlinearity $2^{n-1}-2^{(n-1)/2}+20 = 16276$. In this short paper, we present an idempotent (interpreted as a rotation symmetric Boolean function) with nonlinearity 16268 having 15 zeroes in the Walsh spectrum, within the neighborhood of PW functions. Clearly this function can be transformed into balanced functions keeping the nonlinearity and autocorrelation distribution unchanged. The nonlinearity value of 16268 is currently the best known for balanced 15-variable Boolean functions. Furthermore, we have attained several balanced 13-variable Boolean functions with nonlinearity 4036, which improves the recent result of 4034.
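The quantities in this abstract and the previous one (Walsh spectrum, nonlinearity, balancedness, the bent concatenation bound $2^{n-1} - 2^{(n-1)/2}$) are cheap to compute for small $n$. The Python below is an added example, not the authors' search code: a fast Walsh-Hadamard transform, the nonlinearity read off its maximum, the bound for $n = 5, 9, 13, 15$, the fact used in the previous abstract that a zero in the spectrum lets $f$ be balanced by adding a linear function without changing its nonlinearity (and that no zero means it cannot be balanced that way), and the direct-sum construction whose spectrum is the product of the parts' spectra. The sample functions (a 4-variable bent function and its concatenation to 5 variables) are constructed for the illustration and sit far below the 9-, 13- and 15-variable records the abstracts report.

```python
def truth_table(n, func):
    """Truth table of an n-variable Boolean function; x is passed as the bit list (x_0..x_{n-1})."""
    return [func([(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def walsh_spectrum(tt):
    """Fast Walsh-Hadamard transform: W_f(a) = sum_x (-1)^(f(x) + a.x), in O(n 2^n)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """nl(f) = 2^(n-1) - max_a |W_f(a)| / 2, the Hamming distance to the nearest affine function."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(v) for v in walsh_spectrum(tt)) // 2


def is_balanced(tt):
    return 2 * sum(tt) == len(tt)          # equivalently W_f(0) == 0


def bent_concatenation_bound(n):
    """2^(n-1) - 2^((n-1)/2) for odd n: the nonlinearity of a bent (n-1)-variable function
    concatenated with its complement, the bound the two abstracts above beat."""
    assert n % 2 == 1
    return 2 ** (n - 1) - 2 ** ((n - 1) // 2)


def balance_via_spectrum_zero(tt):
    """If W_f(a) = 0 for some a, then g(x) = f(x) + a.x is balanced with the same
    nonlinearity, since W_g(b) = W_f(a + b). Returns None when the spectrum has no zero,
    which is why functions without spectrum zeros cannot be balanced by an affine change."""
    for a, v in enumerate(walsh_spectrum(tt)):
        if v == 0:
            return [tt[x] ^ (bin(a & x).count("1") & 1) for x in range(len(tt))]
    return None


def direct_sum(tt_g, tt_h):
    """f(x, y) = g(x) + h(y), with x the low-order index bits; W_f(a, b) = W_g(a) * W_h(b)."""
    return [g ^ h for h in tt_h for g in tt_g]


if __name__ == "__main__":
    bent4 = truth_table(4, lambda x: (x[0] & x[1]) ^ (x[2] & x[3]))   # bent: |W| = 4 everywhere
    f5 = direct_sum(bent4, truth_table(1, lambda x: x[0]))            # bent concatenation, 5 vars
    print("nl(bent4) =", nonlinearity(bent4),
          "balanceable:", balance_via_spectrum_zero(bent4) is not None)
    print("nl(f5) =", nonlinearity(f5), "bound(5) =", bent_concatenation_bound(5),
          "balanced:", is_balanced(f5))
    for n in (9, 13, 15):
        print(f"bent concatenation bound for n={n}: {bent_concatenation_bound(n)}")
```

For $n = 9$ the bound is 240, so the nonlinearity-242 functions of the previous abstract exceed it by 2; for $n = 13$ it is 4032 (hence 4034 and 4036 above it) and for $n = 15$ it is 16256, 20 below the Patterson-Wiedemann value 16276.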
2007
EPRINT
Batch Verification of Short Signatures
With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, several applications require that communication overhead be small and that many messages be processed at the same time. In this paper we consider the suitability of public key signatures in the latter scenario. That is, we consider signatures that are 1) short and 2) where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer. We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications.
2007
EPRINT
BEDA: Button-Enabled Device Pairing
Secure initial pairing of electronic gadgets is a challenging problem, especially considering the lack of any common security infrastructure. The main security issue is the threat of so-called Man-in-the-Middle (MiTM) attacks, whereby an attacker inserts itself into the pairing protocol by impersonating one of the legitimate parties. A number of interesting techniques have been proposed, all of which involve the user in the pairing process. However, they are inapplicable to many common scenarios where the devices to be paired do not possess the required interfaces, such as displays, speakers, cameras or microphones. In this paper, we introduce BEDA (Button-Enabled Device Association), a protocol suite for securely pairing devices with minimal user interfaces. The most common and minimal interface available on a wide variety of devices is a single button. BEDA protocols can accommodate pairing scenarios where one (or even both) devices only have a single button as their "user interface". Our usability study demonstrates that BEDA protocols involve very little human burden and are quite suitable for ordinary users.
2007
EPRINT
Best Quadratic Approximations of Cubic Boolean Functions
The problem of computing best low order approximations of Boolean functions is treated in this paper. We focus on the case of best quadratic approximations of a wide class of cubic functions of arbitrary number of variables, and provide formulas for their efficient calculation. Our methodology is developed upon Shannon's expansion formula and properties of best affine approximations of quadratic functions, for which we prove formulas for their direct computation, without use of the Walsh-Hadamard transform. The notion of nonquadricity is introduced, as the minimum distance from all quadratic functions, and cubic functions that achieve the maximum possible nonquadricity are determined, leading to a lower bound for the covering radius of second order Reed-Muller code $\mthf{R}(2,n)$ in $\mthf{R}(3,n)$.
2007
EPRINT
Bilateral Unknown Key-Share Attacks in Key Agreement Protocols
Unknown Key-Share (UKS) resilience is a basic security attribute in authenticated key agreement protocols, whereby two entities A and B should not be able to be coerced into sharing a key between them when in fact either A or B thinks that s/he is sharing the key with another entity C. In this paper we revisit some definitions of this attribute, the existing UKS attacks and the method of proving this attribute in the Bellare-Rogaway (BR) model in the literature. We propose a new UKS attack, which coerces two entities A and B into sharing a key with each other but in fact A thinks that she is sharing the key with another entity C and B thinks that he is sharing the key with another entity D, where C and D might or might not be the same entity. We call this attack a Bilateral Unknown Key-Share(BUKS) attack and refer to the existing UKS attacks, which are against one entity only, as a Unilateral UKS (UUKS) attack. We demonstrate that a few well-known authenticated key agreement protocols, some of which have been proved holding the UUKS resilience property, are vulnerable to the BUKS attack. We then explore a gap between the traditional BR-type proof of UUKS resilience and a BUKS adversary's behaviour, and extend the BR model to cover the BUKS resilience attribute. Finally we provide a simple countermeasure to prevent a key agreement protocol from BUKS attacks.
2007
EPRINT
Bingo Voting: Secure and coercion-free voting using a trusted random number generator
It is debatable if current direct-recording electronic voting machines can sufficiently be trusted for a use in elections. Reports about malfunctions and possible ways of manipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying. This work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme. A proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.
2007
EPRINT
Black-Box Extension Fields and the Inexistence of Field-Homomorphic One-Way Permutations
The black-box field (BBF) extraction problem is, for a given field $\F$, to determine a secret field element hidden in a black-box which allows one to add and multiply values in $\F$ in the box and which reports only equalities of elements in the box. This problem is of cryptographic interest for two reasons. First, for $\F=\F_p$ it corresponds to the generic reduction of the discrete logarithm problem to the computational Diffie-Hellman problem in a group of prime order $p$. Second, an efficient solution to the BBF problem proves the inexistence of certain field-homomorphic encryption schemes whose realization is an interesting open problem in algebra-based cryptography. BBFs are also of independent interest in computational algebra. In the previous literature, BBFs had only been considered for the prime field case. In this paper we consider a generalization of the extraction problem to BBFs that are extension fields. More precisely we discuss the representation problem defined as follows: for given generators $g_1,\ldots,g_d$ algebraically generating a BBF and an additional element $x$, all hidden in a black-box, express $x$ algebraically in terms of $g_1,\ldots,g_d$. We give an efficient algorithm for this representation problem and related problems for fields with small characteristic (e.g. $\F=\F_{2^n}$ for some $n$). We also consider extension fields of large characteristic and show how to reduce the representation problem to the extraction problem for the underlying prime field. These results imply the inexistence of field-homomorphic (as opposed to only group-homomorphic, like RSA) one-way permutations for fields of small characteristic.
2007
EPRINT
Blind Identity-Based Encryption and Simulatable Oblivious Transfer
In an identity-based encryption (IBE) scheme, there is a {\em key extraction} protocol where a user submits an identity string to a master authority who then returns the corresponding secret key for that identity. In this work, we describe how this protocol can be performed efficiently and in a {\em blind} fashion for several known IBE schemes; that is, a user can obtain a secret key for an identity without the master authority learning anything about this identity. We formalize this notion as {\em blind IBE} and discuss the many practical applications of such a scheme. In particular, we build upon the recent work of Camenisch, Neven, and shelat in Eurocrypt 2007 to construct oblivious transfer (OT) schemes which achieve full simulatability for both sender and receiver. OT constructions with comparable efficiency prior to Camenisch et al.\ were proven secure in the weaker half-simulation model. Our OT schemes can be constructed generically from any blind IBE, and thus require only static complexity assumptions (e.g., DBDH) whereas prior comparable schemes require dynamic complexity assumptions (e.g., $q$-PDDH).
2007
EPRINT
Breaking 104 bit WEP in less than 60 seconds
We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using fewer than 40,000 frames in 50% of all cases. The IVs of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On an IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 2^{20} RC4 key setups, which on current desktop and laptop CPUs is negligible.
2007
EPRINT
Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack
We show how to break TRIVIUM with a setup of 576 (instead of 1152) clock cycles, with an effort of 2^6 chosen-IV resynchronisations up to cycle 625 for each of the 47 recovered key bits.
2007
EPRINT
Breaking the Symmetry: a Way to Resist the New Differential Attack
Sflash was recently broken by Dubois, Stern, Shamir et al., using a differential attack on the public key. The $C^{\ast-}$ signature schemes are hence no longer practical. In this paper, we study the new attack from the point of view of symmetry, then (1) present a simple concept (projection) to modify several multivariate schemes to resist the new attacks; (2) demonstrate with practical examples that this simple method can work well; and (3) show that the same discussion of attack-and-defence applies to other big-field multivariates. The speed of encryption schemes is not affected, and we can still have big-field multivariate signatures resisting the new differential attacks with speeds comparable to Sflash.
2007
EPRINT
Building a Collision-Resistant Compression Function from Non-Compressing Primitives
We consider how to build an efficient compression function from a small number of random, non-compressing primitives (fixed-key blockciphers were our original motivation). Our main goal is to achieve a level of collision resistance as close as possible to the optimal birthday bound. We present a $2n$-to-$n$ bit compression function based on three independent $n$-to-$n$ bit random functions, each called only once. We show that if the three random functions are treated as black boxes (i.e., modelled as random oracles), finding collisions requires $\Theta(2^{n/2}/n^c)$ queries for $c\approx 1$. We also give a heuristic, backed by experimental results, suggesting that the security loss is at most four bits for block sizes up to 256 bits. We believe this is the best result to date on the matter of building a collision resistant compression function from non-compressing functions. It also relates to an open question from Black et al. (Eurocrypt'05), who showed that compression functions that invoke a single non-compressing random function cannot suffice.
2007
EPRINT
CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts
In a threshold broadcast encryption scheme, a sender chooses (ad-hoc) a set of $n$ receivers and a threshold $t$, and then encrypts a message by using the public keys of all the receivers, in such a way that the original plaintext can be recovered only if at least $t$ receivers cooperate. Previously proposed threshold broadcast encryption schemes have ciphertexts whose length is $\O(n)$. In this paper, we propose new schemes, for both PKI and identity-based scenarios, where the ciphertexts' length is $\O(n-t)$. The construction uses secret sharing techniques and the Canetti-Halevi-Katz transformation to achieve chosen-ciphertext security. The security of our schemes is formally proved under the Decisional Bilinear Diffie-Hellman (DBDH) Assumption.
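The secret-sharing idea behind an $O(n-t)$ ciphertext can be shown in a few lines. The following is an added example, not code from the paper: each of the $n$ receivers derives one point of a degree-$(n-1)$ polynomial from a key it holds (here a shared symmetric key and a nonce, which is an assumption standing in for the public-key computation of the real scheme), the session key is the polynomial's value at zero, and the sender publishes only $n-t$ extra points. Any $t$ receivers plus the $n-t$ public points make $n$ points and recover the session key; fewer than $t$ leave the polynomial undetermined. The prime field, the hash-based share derivation and the XOR keystream are all constructed for the example.

```python
import hashlib
import secrets

# Prime field for the polynomial arithmetic. A constructed choice for this
# example; the paper's schemes work in bilinear groups, not a bare prime field.
P = (1 << 127) - 1


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def derive_share(key, nonce, index):
    """Receiver `index` derives its share from the long-term key it holds and the
    per-message nonce (assumption: stands in for the real scheme's public-key step)."""
    h = hashlib.sha256(key + nonce + index.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % P


def keystream_xor(session_key, data):
    """Toy symmetric layer: XOR with a SHA-256 counter keystream (demo only)."""
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(session_key.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(receiver_keys, t, message):
    """receiver_keys maps receiver index (1..n) to that receiver's key."""
    n = len(receiver_keys)
    if not 1 <= t <= n:
        raise ValueError("threshold must satisfy 1 <= t <= n")
    nonce = secrets.token_bytes(16)
    # n points (one per receiver) fix a polynomial f of degree n-1; f(0) is the session key.
    points = [(i, derive_share(k, nonce, i)) for i, k in sorted(receiver_keys.items())]
    session_key = lagrange_eval(points, 0)
    # Publish n-t further points of f at x-values no receiver uses: this is the O(n-t) part.
    public_points = [(x, lagrange_eval(points, x)) for x in range(n + 1, 2 * n - t + 1)]
    return {"nonce": nonce, "n": n, "t": t, "public": public_points,
            "body": keystream_xor(session_key, message)}


def decrypt(ct, cooperating_keys):
    """cooperating_keys: the keys of the receivers that pool their shares."""
    points = [(i, derive_share(k, ct["nonce"], i)) for i, k in cooperating_keys.items()]
    points += ct["public"]
    if len(points) < ct["n"]:
        raise ValueError("need at least t receivers: only %d of %d points" % (len(points), ct["n"]))
    session_key = lagrange_eval(points[:ct["n"]], 0)
    return keystream_xor(session_key, ct["body"])
```

With $t=n$ no points are published and all receivers must cooperate; with $t=1$ the sender publishes $n-1$ points and any single receiver suffices. The session key is never sent, only points of the polynomial that fix it.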
2007
EPRINT
Ceremony Design and Analysis
The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.
2007
EPRINT
Certificateless Encryption Schemes Strongly Secure in the Standard Model
This paper presents the first constructions for certificateless encryption (CLE) schemes that are provably secure against strong adversaries in the standard model. It includes both a generic construction for a strongly secure CLE scheme from any passively secure scheme as well as a concrete construction based on the Waters identity-based encryption scheme.
2007
EPRINT
Certificateless Public Key Encryption Secure against Malicious KGC Attacks in the Standard Model
We introduce the first Certificateless Public Key Encryption (CL-PKE) scheme secure against a malicious Key Generation Center (KGC) in the standard model. Recently, Au \textit{et al.} \cite{AuChLiMuWoYa07} pointed out that the previous security models for CL-PKE schemes cannot guarantee security against a malicious KGC. They also showed that although some schemes are secure against a malicious KGC, they require the random oracle model to prove the security. In this paper, we first show that previous CL-PKE schemes in the standard model are not secure against a malicious KGC. We then construct a new CL-PKE scheme with a rigorous security proof against the attacks of a malicious KGC in the standard model, which is the first in the literature.
2007
EPRINT
Certificateless Ring Signatures
A ring signature scheme is a cryptographic construct that enables a signer to sign on behalf of a group of $n$ different people such that the verifier can only ensure that someone in the group signed, but not exactly who. Ring signatures are utilized in many security applications. It is tricky to deploy multi-user cryptographic constructs due to the complexity introduced by certificates. Specifically, ring signatures working under a traditional public key infrastructure require the transfer and verification of $n$ certificates, making the scheme both space and time inefficient. On the other hand, the key-escrow problem of identity-based solutions calls the authenticity of the ring signature into question. This paper studies ring signatures in certificateless cryptography, which has neither certificates nor key escrow. Designing a certificateless ring signature scheme is not entirely trivial. Many certificateless signatures require public key validity checking. In the context of ring signatures, this means both the signer and the verifier need to deal with the complexity of verifying $n$ public keys. We propose the first certificateless ring signature scheme, without such public key validity checking.
2007
EPRINT
Choosing the correct elliptic curve in the CM method
We give easy ways to distinguish between the twists of an ordinary elliptic curve $E$ over $\mathbb{F}_p$ in order to identify one with $p+1-2U$ points, when $p=U^2+dV^2$ with $2U, 2V \in \mathbb{Z}$ and $E$ is constructed using the CM method. This is useful for finding elliptic curves with a prescribed number of points, and is a new, faster, and easier way to implement the last step of the CM method. Our algorithms are completely elementary, in most cases consisting of merely reading off simple congruence conditions on $U$ and $V$ modulo $4$, whereas current algorithms rely on elliptic curve arithmetic and computing square roots.
2007
EPRINT
Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman
We propose a practical key encapsulation mechanism with a simple and intuitive design concept. Security against chosen-ciphertext attacks can be proved in the standard model under a new assumption, the Gap Hashed Diffie-Hellman (GHDH) assumption. The security reduction is tight and simple. Secure key encapsulation, combined with an appropriately secure symmetric encryption scheme, yields a hybrid public-key encryption scheme which is secure against chosen-ciphertext attacks. The implied encryption scheme is very efficient: compared to the previously most efficient scheme by Kurosawa and Desmedt [Crypto 2004] it has ciphertexts that are 128 bits shorter and public/secret keys that are 25 to 50% shorter, and it is slightly more efficient in terms of encryption/decryption speed. Furthermore, our scheme enjoys (the option of) public verifiability of the ciphertexts and it inherits all practical advantages of secure hybrid encryption.
2007
EPRINT
Chosen-Ciphertext Secure Proxy Re-Encryption
In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.
2007
EPRINT
Classes of Quadratic APN Trinomials and Hexanomials and Related Structures
A method for constructing differentially 4-uniform quadratic hexanomials has been recently introduced by J. Dillon. We give various generalizations of this method and we deduce the constructions of new infinite classes of almost perfect nonlinear quadratic trinomials and hexanomials from $\mathbb{F}_{2^{2m}}$ to $\mathbb{F}_{2^{2m}}$. We check for $m=3$ that some of these functions are CCZ-inequivalent to power functions.
2007
EPRINT
Clone Resistant Mutual Authentication for Low-Cost RFID Technology
With Radio Frequency Identification (RFID) tags being used to secure contactless credit cards, great benefits but also serious security and information privacy issues have arisen. Recently many attempts have been made to resolve these issues. In particular, attempts have been made to provide a means for authentication between tag and reader. However, none has yet been able to provide resistance to cloning attacks. Furthermore, authentication on the lowest range of low-cost RFID tags also remains a challenge. We propose a clone-resistant, mutual authentication scheme that requires only 32 bits of read-write memory and 90 bits of read-only memory and can be deployed using as few as 300 logic gates. We also propose a stream cipher with the same memory constraints and magnitude of logic gates. These systems may also be scaled to provide a high level of security, using relatively little computational resources, on larger hardware platforms.
2007
EPRINT
Collusion-Resistant Group Key Management Using Attribute-Based Encryption
This paper illustrates the use of ciphertext-policy attribute-based encryption (CP-ABE), a recently proposed primitive, in the setting of group key management. Specifically, we use the CP-ABE scheme of Bethencourt, Sahai and Waters to implement flat table group key management. Unlike past implementations of flat table, our proposal is resistant to collusion attacks. We also provide efficient mechanisms to refresh user secret keys (for perfect forward secrecy) and to delegate managerial duties to subgroup controllers (for scalability). Finally, we discuss performance issues and directions for future research.
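The collusion weakness of flat-table key management that the abstract refers to is easy to reproduce on a small model. What follows is an added example, not code from the paper or from any flat-table implementation; the protocol it models is my reconstruction (an assumption) of the classic flat table: $2m$ key-encryption keys (KEKs), one per (ID bit position, bit value); a member with an $m$-bit ID holds the $m$ KEKs matching its bits; on eviction the new traffic key is wrapped under every KEK the evicted member lacks, and each KEK it held is replaced, with the replacement wrapped under the old KEK and the new traffic key. The toy XOR-pad cipher and the three-bit IDs are constructed for the example. Two members evicted one after the other cannot follow rekeys alone, but by pooling state (the later-evicted member's traffic key and the earlier one's stale KEKs) they unwrap the refreshed KEKs and, because any two distinct IDs differ in some bit, recover the current traffic key.

```python
import hashlib
import secrets

M = 3  # bits in a member ID: the table has 2*M key-encryption keys for up to 2**M members


def enc(key, block):
    """Toy 32-byte block encryption: XOR with a SHA-256-derived pad (constructed for
    this example; not a real cipher, but enough to show the key-distribution logic)."""
    pad = hashlib.sha256(b"pad|" + key).digest()
    return bytes(a ^ b for a, b in zip(block, pad))


dec = enc  # XOR with the same pad undoes it


def bits_of(member_id):
    return [(member_id >> i) & 1 for i in range(M)]


class FlatTableServer:
    """Holds the traffic-encryption key (TEK) and the 2*M KEKs, one per (bit position, bit value)."""

    def __init__(self):
        self.kek = {(i, b): secrets.token_bytes(32) for i in range(M) for b in (0, 1)}
        self.tek = secrets.token_bytes(32)

    def keys_for(self, member_id):
        return self.tek, {(i, b): self.kek[(i, b)] for i, b in enumerate(bits_of(member_id))}

    def revoke(self, member_id):
        """Evict one member and return the broadcast rekey message (assumed flat-table update)."""
        new_tek = secrets.token_bytes(32)
        bits = bits_of(member_id)
        # New TEK under every KEK the evicted member does NOT hold: all other members hold at least one.
        tek_msgs = {(i, 1 - bits[i]): enc(self.kek[(i, 1 - bits[i])], new_tek) for i in range(M)}
        # Every KEK the evicted member held is replaced; the replacement is wrapped with the
        # old KEK and then with the new TEK, so only a current member who held the old KEK unwraps it.
        kek_msgs = {}
        for i in range(M):
            slot = (i, bits[i])
            new_kek = secrets.token_bytes(32)
            kek_msgs[slot] = enc(new_tek, enc(self.kek[slot], new_kek))
            self.kek[slot] = new_kek
        self.tek = new_tek
        return tek_msgs, kek_msgs


class Member:
    def __init__(self, member_id, server):
        self.id = member_id
        self.tek, self.kek = server.keys_for(member_id)

    def process(self, tek_msgs, kek_msgs):
        """Apply a rekey broadcast; returns False if this member was the one evicted."""
        usable = [slot for slot in tek_msgs if slot in self.kek]
        if not usable:
            return False
        self.tek = dec(self.kek[usable[0]], tek_msgs[usable[0]])
        for slot, ct in kek_msgs.items():
            if slot in self.kek:
                self.kek[slot] = dec(self.kek[slot], dec(self.tek, ct))
        return True


def run_collusion(d=0b011, d_prime=0b101, honest=0b110):
    """Evict d, then d_prime. Each evicted member alone is locked out, but pooling
    d_prime's TEK with d's stale KEKs unwraps the refreshed KEKs and hence the current TEK."""
    server = FlatTableServer()
    m_d, m_dp, m_h = Member(d, server), Member(d_prime, server), Member(honest, server)
    rekey1 = server.revoke(d)
    d_locked_out = not m_d.process(*rekey1)      # d keeps only its stale keys
    m_dp.process(*rekey1)
    m_h.process(*rekey1)
    rekey2 = server.revoke(d_prime)
    dp_locked_out = not m_dp.process(*rekey2)    # d_prime keeps TEK1 and the KEKs it had
    m_h.process(*rekey2)

    # Collusion: d_prime hands TEK1 to d; d's stale KEKs then unwrap the refreshed KEKs in rekey1.
    pooled = dict(m_dp.kek)
    for slot, ct in rekey1[1].items():
        if slot in m_d.kek:
            pooled[slot] = dec(m_d.kek[slot], dec(m_dp.tek, ct))
    # Since d and d_prime differ in some bit i, the pool holds a KEK used to wrap TEK2.
    recovered = [dec(pooled[slot], ct) for slot, ct in rekey2[0].items() if slot in pooled]
    return {
        "evicted_alone_locked_out": d_locked_out and dp_locked_out,
        "honest_in_sync": m_h.tek == server.tek,
        "colluders_recover_tek": bool(recovered) and recovered[0] == server.tek,
    }
```

The root cause is that a KEK is a bare symmetric key tied to one ID bit: whoever once held it, member or not, can unwrap its replacement given the traffic key of that epoch. Binding the keys to a policy over the ID bits, as the abstract's CP-ABE construction does, is what removes this pooling.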
2007
EPRINT
Comparing Implementation Efficiency of Ordinary and Squared Pairings
In this paper, we implement a standard probabilistic method of computing bilinear pairings. We compare its performance to a deterministic algorithm introduced in [5] to compute the squared Tate/Weil pairings, which are claimed to be 20 percent faster than the standard method. All pairings are evaluated over pairing-friendly ordinary elliptic curves of embedding degrees 8 and 10 and a supersingular curve of embedding degree 6. For these curves, we can make the algorithms that compute both the ordinary Weil and Tate pairings deterministic, and optimizations to improve the algorithms are applied. We show that the evaluation of the squared Weil pairing is indeed faster than the ordinary Weil pairing, even with optimizations. However, evaluation of the squared Tate pairing is not faster than the ordinary Tate pairing over the curves that we used when optimizations are applied.
2007
EPRINT
Compiler Assisted Elliptic Curve Cryptography
Although cryptographic implementation tasks are often undertaken by expert programmers, a plethora of performance and security driven options, as well as more mundane software engineering issues, still make this a challenge. In an attempt to transfer expert knowledge into automated tools, we investigate the use of domain specific language and compilation techniques for cryptographic software, focusing on ECC in particular. Specifically, we describe experiments for specialisation of finite field arithmetic from general purpose code, and the description and optimisation of ECC point arithmetic using a cryptography-aware language and compiler. Our main results show that it is possible to allow description of ECC based software in a manner close to the original mathematics, while allowing the automatic production of an executable whose performance is close to that of a hand-optimised implementation.
2007
EPRINT
Compression Functions Suitable for the Multi-Property-Preserving Transform
Since Bellare and Ristenpart showed a multi-property preserving domain extension transform, the problem of the construction for multi-property hash functions has been reduced to that of the construction for multi-property compression functions. However, the Davies-Meyer compression function that is widely used for standard hash functions is not a multi-property compression function. That is, in the ideal cipher model, the Davies-Meyer compression function is collision resistant, but it is not indifferentiable from a random oracle. In this paper, we show that the compression function proposed by Lai and Massey is a multi-property compression function. In addition, we show that the simplified version of the Lai-Massey compression function is also a multi-property compression function. The use of these compression functions enables us to construct multi-property hash functions by the multi-property preserving domain extension transform.
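A concrete reason Davies-Meyer behaves unlike a random oracle, as an added illustration that is not from the paper: the compression function $h' = E_m(h) \oplus h$ exposes the cipher's decryption direction, so anyone can solve $E_m(h) = \delta$ for $h$ and thereby dictate $h' \oplus h$; with $\delta = 0$ this yields a fixed point that stalls the chaining value on a repeated block. The 64-bit Feistel cipher below is a constructed stand-in for the ideal cipher (its round function, round count and key size are assumptions); everything else is the standard Davies-Meyer definition.

```python
import hashlib

ROUNDS = 8
MASK32 = 0xFFFFFFFF


def _f(key, half, rnd):
    """Feistel round function: 32 bits of SHA-256 over (key, round, half). Constructed for the demo."""
    data = key.to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt(key, block):
    """Toy 64-bit block cipher E_key (8-round Feistel). Stands in for the ideal cipher."""
    l, r = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, r, rnd)
    return (l << 32) | r


def decrypt(key, block):
    """Inverse of encrypt: undo the rounds in reverse order."""
    l, r = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, l, rnd), l
    return (l << 32) | r


def davies_meyer(h, m):
    """DM compression: h' = E_m(h) XOR h, with the message block as the cipher key."""
    return encrypt(m, h) ^ h


def iterate(h0, blocks):
    """Plain Merkle-Damgaard chaining of the compression function (no padding or length block)."""
    h = h0
    for m in blocks:
        h = davies_meyer(h, m)
    return h


def fixed_point(m):
    """Using the decryption direction: h = D_m(0) gives E_m(h) = 0, so DM(h, m) = h."""
    return decrypt(m, 0)


def controlled_difference(m, delta):
    """More generally, h = D_m(delta) forces h' XOR h = delta for any delta the caller
    picks. A random oracle offers no such handle on its input/output relation."""
    return decrypt(m, delta)
```

This is exactly the kind of structure an indifferentiability simulator cannot reproduce: the distinguisher queries the cipher backwards, then checks that the compression function honours the relation it engineered. Note that fixed points alone do not give collisions once the length is included in the final block, but they do show the function is not random.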
2007
EPRINT
Computational Semantics for Basic Protocol Logic - A Stochastic Approach
This paper is concerned with relating formal and computational models of cryptography in the case of active adversaries, when formal security analysis is done with first-order logic. We first present a criticism of the way Datta et al. defined computational semantics for their Protocol Composition Logic, concluding that problems arise from focusing on occurrences of bit-strings on individual traces instead of occurrences of probability distributions of bit-strings across the distribution of traces. We therefore introduce a new, fully probabilistic method to assign computational semantics to the syntax. We present this by considering a simple example of such a formal model, the Basic Protocol Logic of K. Hasebe and M. Okada, but the technique is suitable for extension to more complex situations such as PCL. The idea is to make use of the usual mathematical treatment of stochastic processes, and hence be able to treat arbitrary probability distributions, non-negligible probability of collision, and causal dependence or independence.
2007
EPRINT
Computationally Sound Mechanized Proofs of Correspondence Assertions
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared- and public-key encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
2007
EPRINT
Computing endomorphism rings of Jacobians of genus 2 curves over finite fields
We present probabilistic algorithms which, given a genus 2 curve C defined over a finite field and a quartic CM field K, determine whether the endomorphism ring of the Jacobian J of C is the full ring of integers in K. In particular, we present algorithms for computing the field of definition of, and the action of Frobenius on, the subgroups J[l^d] for prime powers l^d. We use these algorithms to create the first implementation of Eisentrager and Lauter's algorithm for computing Igusa class polynomials via the Chinese Remainder Theorem, and we demonstrate the algorithm for a few small examples. We observe that in practice the running time of the CRT algorithm is dominated not by the endomorphism ring computation but rather by the need to compute p^3 curves for many small primes p.
2007
EPRINT
Computing the Ate Pairing on Elliptic Curves with Embedding Degree $k=9$
For the AES-128 security level there are several natural choices of pairing-friendly elliptic curves. In particular, as we will explain, one might choose curves with $k=9$ or curves with $k=12$. The case $k=9$ has not been studied in the literature, and so it is not clear how efficiently pairings can be computed in that case. In this paper, we present efficient methods for the $k=9$ case, including generation of elliptic curves with a shorter Miller loop, denominator elimination and a speed-up of the final exponentiation. Then we compare the performance of these choices. From the analysis, we conclude that for pairing-based cryptography at the AES-128 security level, the Barreto-Naehrig curves are the most efficient choice, and the performance of the $k=9$ case is comparable to the Barreto-Naehrig curves.
2007
EPRINT
Constant Size Ciphertext HIBE in the Augmented Selective-ID Model and its Extensions
At Eurocrypt 2005, Boneh, Boyen and Goh presented a constant size ciphertext hierarchical identity based encryption (HIBE) protocol. Our main contribution is to present a variant of the BBG-HIBE. The new HIBE is proved to be secure (without any degradation) in an extension of the sID model (denoted the s$^+$-ID model) and the components of the identities are from $\bbbz_p$, where $p$ is a suitable large prime. The BBG-HIBE is proved to be secure in the selective-ID (sID) security model and the components of the identities are from $\bbbz_p^*$. In the s$^+$-ID model the adversary is allowed to vary the length of the challenge identity whereas this is not allowed in the sID model. The new HIBE shares all the good features of the BBG-HIBE. The drawback is that the public parameters and the private key are longer than that of the BBG-HIBE. We also provide two more extensions of the basic constant size ciphertext HIBE. The first is a constant size ciphertext HIBE secure in the generalised selective-ID model $\clsM_2$. The second one is a product construction composed of two HIBEs and a trade-off is possible between the private key size and the ciphertext size.
2007
EPRINT
Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field
We describe a new method for constructing Brezing-Weng-like pairing-friendly elliptic curves. The new construction uses the minimal polynomials of elements in a cyclotomic field. Using this new construction we present new ``record breaking'' families of pairing-friendly curves with embedding degrees $k \in \{16,18,36,40\}$, and some interesting new constructions for the cases $k \in \{8,32\}$.
2007
EPRINT
Constructing new APN functions from known ones
We present a method for constructing new quadratic APN functions from known ones. Applying this method to the Gold power functions we construct an APN function $x^3+\tr(x^9)$ over $\F_{2^n}$. It is proven that in general this function is CCZ-inequivalent to the Gold functions (and therefore EA-inequivalent to power functions), to the inverse and Dobbertin mappings, and in the case $n=7$ it is CCZ-inequivalent to all power mappings.
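Both this abstract and the one on quadratic APN trinomials and hexanomials above rest on the same check: a function $F$ over $\mathbb{F}_{2^n}$ is almost perfect nonlinear when every nonzero input difference $a$ produces each output difference $F(x+a)+F(x)$ at most twice. The following added example (not the authors' code) computes that differential uniformity exhaustively for small $n$ and applies it to the Gold function $x^3$, to $x^3 + \mathrm{tr}(x^9)$ for $n=7$, and, for contrast, to the inverse function, which is APN for odd $n$ but only differentially 4-uniform for $n=8$. The field representation (irreducible polynomials for $n = 6, 7, 8$) is a constructed choice; the differential uniformity itself does not depend on it. The routine accepts any function, so the hexanomials over $\mathbb{F}_{2^{2m}}$ with $m=3$ from the earlier abstract can be checked with $n=6$ the same way.

```python
# Irreducible polynomials defining F_{2^n} (constructed choices for the example).
IRREDUCIBLE = {6: 0b1000011, 7: 0b10000011, 8: 0b100011011}


def gf_mul(a, b, n):
    """Multiply in F_{2^n} = F_2[x]/(IRREDUCIBLE[n])."""
    poly = IRREDUCIBLE[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_pow(a, e, n):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r


def trace(x, n):
    """Absolute trace tr(x) = x + x^2 + ... + x^{2^{n-1}}, always 0 or 1."""
    t, y = 0, x
    for _ in range(n):
        t ^= y
        y = gf_mul(y, y, n)
    return t


def differential_uniformity(f, n):
    """max over a != 0 and b of #{x : f(x+a) + f(x) = b}. APN means this equals 2."""
    size = 1 << n
    table = [f(x, n) for x in range(size)]
    worst = 0
    for a in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[table[x ^ a] ^ table[x]] += 1
        worst = max(worst, max(counts))
    return worst


def gold(x, n):
    """x^3, the Gold function with i = 1; APN for every n since gcd(1, n) = 1."""
    return gf_pow(x, 3, n)


def gold_plus_trace(x, n):
    """x^3 + tr(x^9), the function of the abstract."""
    return gf_pow(x, 3, n) ^ trace(gf_pow(x, 9, n), n)


def inverse(x, n):
    """x^{-1} with 0 -> 0 (the AES S-box core for n = 8)."""
    return gf_pow(x, (1 << n) - 2, n)


def is_apn(f, n):
    return differential_uniformity(f, n) == 2
```

Exhaustive counting costs $2^{2n}$ table lookups, which is instant for the $n \le 8$ checked here and still practical for the $n \le 12$ range in which these constructions are usually verified by computer.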
2007
EPRINT
Constructing pairing-friendly genus 2 curves over prime fields with ordinary Jacobians
We provide the first explicit construction of genus 2 curves over finite fields whose Jacobians are ordinary, have large prime-order subgroups, and have small embedding degree. Our algorithm works for arbitrary embedding degrees $k$ and prime subgroup orders $r$. The resulting abelian surfaces are defined over prime fields $\F_q$ with $q \approx r^4$. We also provide an algorithm for constructing genus 2 curves over prime fields $\F_q$ with ordinary Jacobians $J$ having the property that $J[r] \subset J(\F_{q})$ or $J[r] \subset J(\F_{q^k})$ for any even $k$.
2007
EPRINT
Construction of efficient and secure Pairing Algorithm and its Application
The randomized projective coordinate (RPC) method for pairing computation algorithms is a good solution that leads to an efficient countermeasure against side channel attacks. In this paper, we investigate measures for the efficiency of the RPC-based countermeasures for pairing algorithms and construct a method that induces an efficient RPC-based countermeasure against side channel attacks. As an application, we apply our construction method to the well-known $\eta_T$ pairing algorithm over binary fields and so obtain an RPC-based countermeasure for the $\eta_T$ pairing which is more efficient than the RPC method applied to the original $\eta_T$ pairing algorithm.
2007
EPRINT
Construction of Pairing-Friendly Elliptic Curves
We explain a method of finding the polynomials representing $\sqrt{-D}$ and $\zeta_k$ over the field containing $\sqrt{-D}$ and $\zeta_k$, and how to construct pairing-friendly elliptic curves over the cyclotomic fields containing ${\mathbb Q} (\zeta_k, \sqrt{-D})$ for arbitrary $k$ and $D$ by the CP method. By using the factorization of the cyclotomic polynomial combined with some polynomial, we extend the construction over cyclotomic fields to a construction over some extensions of the cyclotomic fields containing ${\mathbb Q} (\zeta_k, \sqrt{-D})$. We explain the limitation of finding more families of pairing-friendly elliptic curves with embedding degree 10. For all computations, we use PARI-GP \cite{GP}.
2007
EPRINT
Construction of Rotation Symmetric Boolean Functions with Maximum Algebraic Immunity on Odd Number of Variables
In this paper we present a theoretical construction of Rotation Symmetric Boolean Functions (RSBFs) on an odd number of variables with maximum possible algebraic immunity (AI); furthermore, these functions are not symmetric. Our RSBFs have better nonlinearity than the existing theoretical constructions with maximum possible AI. To get very good nonlinearity, which is important for practical cryptographic design, we generalize our construction to a construction-cum-search technique in the RSBF class. We find 7-, 9- and 11-variable RSBFs with maximum possible AI having nonlinearities 56, 240 and 984 respectively, with a very small amount of search after our basic construction.
2007
EPRINT
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures
We give a generic construction of universal designated-verifier signature schemes from a large class C of signature schemes. Our constructions are comparable in terms of cost and size to their counterparts, while offering the following two main attractive features: firstly, our constructions are provably non-delegatable besides being DV-unforgeable and non-transferable. Secondly, in our constructions, the signer and the designated verifier can choose different cryptographic settings of their own independently. We also propose a generic construction of identity-based signature schemes from any signature scheme in C and prove the construction secure against adaptive chosen message and identity attacks. We discuss possible extensions of our constructions to universal multi-designated-verifier signatures, hierarchical identity-based signatures, identity-based universal designated verifier signatures, and identity-based ring signatures from any signature in C.
2007
EPRINT
ConSum v0: An Experimental Cipher
We present an experimental block cipher, ConSum, based on a hitherto unstudied design element: the Conway transformation. ConSum features an extremely simple design and the ability to operate with arbitrary key lengths, block sizes and round numbers. We study it empirically and statistically so as to illustrate how it might be secure.
2007
EPRINT
Counting hyperelliptic curves that admit a Koblitz model
Let $k=\mathbb{F}_q$ be a finite field of odd characteristic. We find a closed formula for the number of $k$-isomorphism classes of pointed, and non-pointed, hyperelliptic curves of genus $g$ over $k$ admitting a Koblitz model. These numbers are expressed as a polynomial in $q$ with integer coefficients (for pointed curves) and rational coefficients (for non-pointed curves). The coefficients depend on $g$ and the set of divisors of $q-1$ and $q+1$. These formulas show that the number of hyperelliptic curves of genus $g$ suitable (in principle) for cryptographic applications is asymptotically $(1-e^{-1})2q^{2g-1}$, and not $2q^{2g-1}$ as was believed. The curves of genus $g=2$ and $g=3$ are more resistant to attacks on the DLP; for these values of $g$ the number of curves is respectively $(91/72)q^3+O(q^2)$ and $(3641/2880)q^5+O(q^4)$.
2007
EPRINT
CRUST: Cryptographic Remote Untrusted Storage without Public Keys
This paper presents CRUST, a stackable file system layer designed to provide secure file sharing over remote untrusted storage systems. CRUST is intended to be layered over insecure network file systems without changing the existing systems. In our approach, data at rest is kept encrypted, and data integrity and access control are provided by cryptographic means. Our design completely avoids public-key cryptography operations and uses more efficient symmetric-key alternatives to achieve improved performance. As a generic and self-contained system, CRUST includes its own in-band key distribution mechanism and does not rely on any special capabilities of the server or the clients. We have implemented CRUST as a Linux file system and shown that it performs comparably with typical underlying file systems, while providing significantly stronger security.
2007
EPRINT
Cryptanalysis and Improvement of an Elliptic Curve Diffie-Hellman Key Agreement Protocol
In SAC'05, Strangio proposed protocol ECKE-1 as an efficient elliptic curve Diffie-Hellman two-party key agreement protocol using public key authentication. In this letter, we show that despite the author's claims protocol ECKE-1 is vulnerable to key-compromise impersonation attacks. We also present an improved protocol --- ECKE-1N, which can withstand such attacks. The improved protocol's performance is comparable to the well-known MQV protocol and maintains the same remarkable list of security properties.
2007
EPRINT
Cryptanalysis of a class of cryptographic hash functions
We apply new cryptanalytical techniques to perform the generic multi-block multicollision, second preimage and herding attacks on the Damgård-Merkle hash functions with linear-XOR/additive checksums. The computational work required to perform these attacks on the Damgård-Merkle hash functions with linear-XOR/additive checksum of message blocks (GOST), intermediate states (\textbf{3C}, MAELSTROM-0, F-Hash) or both is only a little more than what is required on the plain Damgård-Merkle hash functions. Our generic attacks on GOST answer the open question of Hoch and Shamir at FSE 2006 on the security of iterated hash functions with linear mixing of message blocks.
2007
EPRINT
Cryptanalysis of a Hash Function Proposed at ICISC 2006
A simple method for constructing collisions for Shpilrain’s polynomial-based hash function from ICISC 2006 is presented. The attack relies on elementary linear algebra and can be considered as practical: For the parameters suggested, we give a specific collision, computed by means of a computer algebra system.
2007
EPRINT
Cryptanalysis of An Oblivious Polynomial Evaluation Protocol Based On Polynomial Reconstruction Problem
In 1999, Naor and Pinkas \cite{NP99} presented a useful protocol called oblivious polynomial evaluation (OPE). In this paper, a cryptanalysis of the OPE protocol is presented. It is shown that the receiver can successfully obtain the sender's secret polynomial $P$ after executing the OPE protocol only once, which means that the privacy of the sender can be violated and the security of the OPE protocol is broken. It is also proven that the complexity of the cryptanalysis is the same as that of the corresponding protocols cryptanalyzed.
2007
EPRINT
Cryptanalysis of Hwang-Chang’s a Time-Stamp Protocol for Digital Watermarking
In 2005, Hwang et al. [17] proposed a time-stamping protocol for digital watermarking. They claimed that their scheme is secure against attacks. However, in this article, we show that their scheme is not secure enough: when the owner of the image sends both the encrypted session key and the image to the TSS, an attacker can intercept the transmitted data and then launch an off-line attack to analyze it. We describe the attacker's actions in this article. After that, we propose an improved scheme that prevents this off-line attack.
2007
EPRINT
Cryptanalysis of LASH
We show that the LASH-$x$ hash function is vulnerable to attacks that trade time for memory, including collision attacks as fast as $2^{\frac{4}{11}x}$ and preimage attacks as fast as $2^{\frac47x}$. Moreover, we describe heuristic lattice based collision attacks that use small memory but require very long messages. Based upon experiments, the lattice attacks are expected to find collisions much faster than $2^{x/2}$. All of these attacks exploit the designers' choice of an all zero IV. We then consider whether LASH can be patched simply by changing the IV. In this case, we show that LASH is vulnerable to a $2^{\frac78x}$ preimage attack. We also show that LASH is trivially not a PRF when any subset of input bytes is used as a secret key. None of our attacks depend upon the particular contents of the LASH matrix -- we only assume that the distribution of elements is more or less uniform. Additionally, we show a generalized birthday attack on the final compression of LASH which requires $O\left(x2^{\frac{x}{2(1+\frac{107}{105})}}\right) \approx O(x2^{x/4})$ time and memory. Our method extends the Wagner algorithm to truncated sums, as is done in the final transform in LASH.
2007
EPRINT
Cryptanalysis of Rational Multivariate Public Key Cryptosystems
In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4 \cite{Tsujii-Fujioka:89}. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allow us to find an equivalent decomposition of the rational maps and break the system completely. For the example suggested for practical applications, it is extremely fast to perform the computation to derive an equivalent private key: it requires only a few seconds on a standard PC.
2007
EPRINT
Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition
In modern cryptography, stream ciphers are most useful in applications where information needs to be encrypted/decrypted at high speed (e.g. high resolution streaming video data) or when low footprint (gates/memory) encryption is required. In the literature, there exist plenty of stream ciphers whose internal states are based on arrays and that use modular additions to generate output streams. The abundance of array-based stream ciphers with modular additions can be attributed to the fact that, when implemented in software skillfully, they are able to produce outputs at a very high speed. The main contribution of this thesis is a unified analysis of stream ciphers based on arrays and modular addition. During the process, we detect cryptographic weaknesses in the designs of 9 widely known stream ciphers or pseudorandom bit generators (PRBGs). At first, we show some theoretical results on solving an important class of equations known as differential equations of addition (DEA) that combine modular additions over two different algebraic groups such as GF(2) and GF($2^{32}$). The results include (i) a proof of the fact that the satisfiability of an arbitrary set of DEA is in the complexity class P, and (ii) the derivation of all the solutions of an arbitrary set of DEA. Next, we apply these results to attack a practical stream cipher named Helix (designed by Ferguson et al.) with both chosen plaintexts and adaptive chosen plaintexts. In the second phase, the thesis closely scrutinizes a number of array-based stream ciphers (or PRBGs) in order to estimate their resistance against distinguishing attacks. We eventually discover, counter-intuitively, that the correlations between the array-indices and their associated array-elements, which apparently seem to be useful from the point of view of implementation, can be exploited to mount distinguishing attacks on such ciphers if adequate precautions are not taken.
In support of our theoretical findings, we point out distinguishing attacks on 8 practical array-based stream ciphers (or PRBGs), namely RC4 (designed by Rivest), RC4A (designed by Paul and Preneel), Py, Py6 (designed by Biham and Seberry), IA, ISAAC (designed by Jenkins Jr.), GGHN, NGG (by Gong et al.); our attacks are based on the dependence of array-elements on array-indices. In all the cases we work under the assumption that the key-setup algorithms of the ciphers produce uniformly distributed internal states. We detect flaws in the mixing of bits in the keystream generation algorithms. Our analysis can be explained as the extension, development, adaptation and deeper characterization of the fortuitous states attacks on the RC4 cipher by Fluhrer and McGrew in 2000.
2007
EPRINT
Cryptanalysis of the KeeLoq block cipher
KeeLoq is a block cipher used in numerous widespread passive entry and remote keyless entry systems as well as in various component identification applications. The KeeLoq algorithm has a 64-bit key and operates on 32-bit blocks. It is based on an NLFSR with a nonlinear feedback function of 5 variables. In this paper a key recovery attack with complexity of about $2^{52}$ steps is proposed (one step is equivalent to a single KeeLoq encryption operation). In our attack we use the techniques of guess-and-determine, slide, and distinguishing attacks. Several real-world applications are vulnerable to the attack. To the best of our knowledge this is the first paper to describe and cryptanalyze the KeeLoq block cipher.
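The structure described in the abstract (32-bit NLFSR state, 64-bit key consumed one bit per round, 5-input nonlinear feedback) is enough to write the cipher down and to see the self-similarity that a slide attack exploits. The following is an added example, not code from the paper or from the KeeLoq vendor. The number of rounds (528), the tap positions (bits 31, 26, 20, 9, 1 feed the NLF; bits 16 and 0 are XORed in linearly) and the NLF truth table 0x3A5C742E are taken from public descriptions of KeeLoq and are assumptions here, since the abstract does not state them. The slide observation is that 528 = 8 * 64 + 16, so the whole cipher is $G \circ F^8$ with $F$ one full pass over the key and $G$ the final 16 rounds, which reuse key bits 0..15; for a slid pair $P' = F(P)$ one then has $G^{-1}(E(P')) = F(G^{-1}(E(P)))$, a relation on far fewer rounds than the full cipher.

```python
MASK32 = 0xFFFFFFFF
NLF = 0x3A5C742E   # assumed 32-entry truth table of the 5-input feedback function (public descriptions)
ROUNDS = 528       # 8 full passes over the 64-bit key plus 16 extra rounds


def bit(x, n):
    return (x >> n) & 1


def enc_rounds(y, key, n, first=0):
    """Apply encryption rounds first .. first+n-1 to the 32-bit NLFSR state y.
    Each round shifts in one bit: NLF(y[31], y[26], y[20], y[9], y[1]) ^ y[16] ^ y[0] ^ key[i mod 64]."""
    for i in range(first, first + n):
        idx = (bit(y, 31) << 4) | (bit(y, 26) << 3) | (bit(y, 20) << 2) | (bit(y, 9) << 1) | bit(y, 1)
        fb = bit(NLF, idx) ^ bit(y, 16) ^ bit(y, 0) ^ bit(key, i % 64)
        y = (y >> 1) | (fb << 31)
    return y


def dec_rounds(y, key, n, first=0):
    """Undo rounds first+n-1 down to first. The taps sit one position lower because the state
    has already been shifted; the bit inserted at y[31] is cancelled to recover the old y[0]."""
    for i in range(first + n - 1, first - 1, -1):
        idx = (bit(y, 30) << 4) | (bit(y, 25) << 3) | (bit(y, 19) << 2) | (bit(y, 8) << 1) | bit(y, 0)
        old_lsb = bit(NLF, idx) ^ bit(y, 15) ^ bit(y, 31) ^ bit(key, i % 64)
        y = ((y << 1) & MASK32) | old_lsb
    return y


def keeloq_encrypt(plaintext, key):
    return enc_rounds(plaintext & MASK32, key, ROUNDS)


def keeloq_decrypt(ciphertext, key):
    return dec_rounds(ciphertext & MASK32, key, ROUNDS)


def f64(y, key):
    """One full pass over the key (rounds 0..63). The full cipher is G o F^8, G being the last 16 rounds."""
    return enc_rounds(y, key, 64)


def g16_inverse(y, key):
    """Undo the final 16 rounds (rounds 512..527, which reuse key bits 0..15)."""
    return dec_rounds(y, key, 16, first=512)


def slide_relation_holds(p, key):
    """Self-similarity behind the slide attack: for the slid pair P' = F(P),
    G^-1(E(P')) = F(G^-1(E(P))). With the key known we can check it directly; the attack
    uses this short relation, combined with guessing, to filter key candidates."""
    p_slid = f64(p, key)
    c, c_slid = keeloq_encrypt(p, key), keeloq_encrypt(p_slid, key)
    return g16_inverse(c_slid, key) == f64(g16_inverse(c, key), key)


if __name__ == "__main__":
    key, p = 0x0123456789ABCDEF, 0xF5A6C3D1   # constructed sample key and block
    c = keeloq_encrypt(p, key)
    print(hex(c), keeloq_decrypt(c, key) == p, slide_relation_holds(p, key))
```

The decryption routine is the generic inverse of a run of rounds, so the same function undoes the final 16 rounds in the slide check and the whole 528 rounds for normal decryption.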
2007
EPRINT
Cryptanalysis of the Random Number Generator of the Windows Operating System
The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the first time, the algorithm used by the pseudo-random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in $O(2^{23})$ work (this is an attack on the forward-security of the generator; an $O(1)$ attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. We also analyzed the way in which the generator is run by the operating system, and found that it amplifies the effect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called. Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system generated entropy only after generating 128 KBytes of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128 KBytes of the past and future output of the generator.
The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operation. This attack is more severe and more efficient than known attacks, in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.
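The two properties the abstract contrasts, forward security (a leaked state must not reveal earlier outputs) and backward security (it must not reveal later ones), are easiest to see on a small generator. The following is an added example and is not the reconstructed CryptGenRandom algorithm: the flawed generator is a stand-in whose state transition (xorshift32) is a bijection, so an attacker who reads one state walks the stream in both directions, exactly the failure the abstract describes; the second generator is the textbook fix the abstract alludes to, a one-way (hash-based) state update plus periodic reseeding, which leaves only a bounded window of future output exposed. The seed, the reseed interval of 4 outputs and the `entropy` hook are constructed for the example.

```python
import hashlib
import os

MASK32 = 0xFFFFFFFF


class InvertibleStatePRNG:
    """Stand-in for a generator whose state transition is a bijection (xorshift32) and whose
    output is the state itself. Not the Windows algorithm; it only shares the structural flaw:
    nothing one-way separates one state from the previous one."""

    def __init__(self, seed):
        self.state = seed & MASK32          # xorshift needs a non-zero seed

    @staticmethod
    def step(s):
        s ^= (s << 13) & MASK32
        s ^= s >> 17
        s ^= (s << 5) & MASK32
        return s

    def next_u32(self):
        self.state = self.step(self.state)
        return self.state


def _undo_xorshift_left(y, k):
    # invert y = x ^ (x << k): iterating x = y ^ (x << k) shifts the error term out of the word
    x = y
    for _ in range(32 // k + 1):
        x = y ^ ((x << k) & MASK32)
    return x


def _undo_xorshift_right(y, k):
    x = y
    for _ in range(32 // k + 1):
        x = y ^ (x >> k)
    return x


def step_inverse(s):
    """Attacker's constant-time inversion of the transition: undo the three shifts in reverse order."""
    s = _undo_xorshift_left(s, 5)
    s = _undo_xorshift_right(s, 17)
    s = _undo_xorshift_left(s, 13)
    return s


def recover_outputs(captured_state, n_past, n_future):
    """One leaked state (read out of the process's memory, say) yields both directions of the stream."""
    past, s = [], captured_state
    for _ in range(n_past):
        s = step_inverse(s)
        past.append(s)
    past.reverse()
    future, s = [], captured_state
    for _ in range(n_future):
        s = InvertibleStatePRNG.step(s)
        future.append(s)
    return past, future


class ForwardSecurePRNG:
    """The textbook fix: output and next state both come from a one-way function of the state, and
    fresh entropy is folded in every `reseed_every` outputs. A leaked state then says nothing about
    earlier outputs (that would mean inverting SHA-256) and only a bounded window of later ones."""

    def __init__(self, seed, reseed_every=4, entropy=os.urandom):
        self.state = hashlib.sha256(seed).digest()
        self.reseed_every = reseed_every
        self.entropy = entropy                # injectable so the example can run deterministically
        self.count = 0

    def next_bytes(self):
        out = hashlib.sha256(self.state + b"out").digest()
        self.state = hashlib.sha256(self.state + b"next").digest()
        self.count += 1
        if self.count % self.reseed_every == 0:
            self.state = hashlib.sha256(self.state + self.entropy(32)).digest()
        return out


def predict_future(leaked_state, n):
    """What a leaked state of the hash-based generator still gives away: the outputs up to the next reseed."""
    outs, s = [], leaked_state
    for _ in range(n):
        outs.append(hashlib.sha256(s + b"out").digest())
        s = hashlib.sha256(s + b"next").digest()
    return outs


if __name__ == "__main__":
    g = InvertibleStatePRNG(0xDEADBEEF)       # constructed seed
    outs = [g.next_u32() for _ in range(8)]
    past, future = recover_outputs(outs[4], 4, 3)
    print("past recovered:", past == outs[:4], "future predicted:", future == outs[5:])
```

Note what reseeding does and does not buy: in the hash-based design the window between reseeds is the whole exposure for a stolen state, which is why a 128 KByte refresh interval in a per-process, user-mode generator matters so much in the abstract's analysis.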
2007
EPRINT
Cryptanalysis of Two New Instances of TTM Cryptosystem
In 2006, Nie et al. proposed an attack to break an instance of the TTM cryptosystem. However, the inventor of TTM disputed this attack and proposed two new instances of TTM to support his viewpoint. At that time, he did not give the details of the key construction, namely the construction of the lock polynomials in these instances, which would be used in decryption. The two instances are claimed to achieve a security of $2^{109}$ against the attack of Nie et al. In this paper, we show that these instances are both still insecure, and in fact, they do not achieve a better design, in the sense that we can find a ciphertext-only attack utilizing First Order Linearization Equations, while for the previous version of TTM only Second Order Linearization Equations could be used in the beginning stage of the previous attack. Differently from previous attacks, we use an iterated linearization method to break these two instances. For any given valid ciphertext, we can find its corresponding plaintext within $2^{31}$ $\mathbb{F}_{2^8}$-computations, after a one-time per-public-key computation of complexity less than $2^{44}$. Our experimental results show that we have unlocked the lock polynomials after several iterations, even though we do not know the detailed construction of the lock polynomials.
2007
EPRINT
Cryptanalysis of white box DES implementations
Obfuscation is a method consisting of hiding information in some parts of a computer program. According to the Kerckhoffs principle, a cryptographic algorithm should be kept public while the whole security should rely on the secrecy of the key. In some contexts, source code is publicly available while the key should be kept secret; this is the challenge of code obfuscation. This paper deals with the cryptanalysis of such methods of obfuscation applied to DES. Such methods, called the ``naked-DES'' and ``nonstandard-DES'', were proposed by Chow et al. in 2002. Some methods for the cryptanalysis of the ``naked-DES'' were proposed by Chow et al., Jacob et al., and Link and Neuman. In their paper, Link and Neuman proposed another method for the obfuscation of DES. In this paper, we propose a general method that applies to all these schemes. Moreover, we provide a theoretical analysis. We implemented our method in C and applied it successfully to thousands of obfuscated implementations of DES (both ``naked'' and ``non-standard'' DES). In each case, we recovered enough information to be able to invert the function.
2007
EPRINT
Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings
At DRM 2002, Chow et al. presented a method for implementing the DES block cipher such that it becomes hard to extract the embedded secret key in a white-box attack context. In such a context, an attacker has full access to the implementation and its execution environment. In order to provide an extra level of security, an implementation shielded with external encodings was introduced by Chow et al. and improved by Link and Neumann. In this paper, we present an algorithm to extract the secret key from such white-box DES implementations. The cryptanalysis is a differential attack on obfuscated rounds, and works regardless of the shielding external encodings that are applied. The cryptanalysis has an average time complexity of $2^{14}$ and a negligible space complexity.
2007
EPRINT
Cryptanalysis on Improved Chou et al.'s ID-Based Deniable Authentication Protocol
A deniable authentication protocol enables the protocol participants to authenticate their respective peers, while being able to deny their participation after the protocol execution. Such a protocol can be extremely useful in some practical applications such as online negotiation, online shopping and electronic voting. Recently, in our previous report, we improved a deniable authentication scheme proposed by Chou et al. because of its vulnerability to the key compromise impersonation attack. However, we have later discovered that our previous enhanced protocol is vulnerable to the insider key compromise impersonation attack and the key replicating attack. In this paper, we again secure this protocol against these attacks and give a heuristic security analysis.
2007
EPRINT
Cryptanalysis on Improved One-round Lin-Li's Tripartite Key Agreement Protocol
A tripartite authenticated key agreement protocol is designed for three entities to communicate securely over an open network particularly with a shared key. Recently, we have improved a one-round tripartite authenticated key agreement protocol proposed by Lin-Li due to its vulnerability to the forging attack in our previous report. However, we have later discovered that both the original Lin-Li's scheme and our previous enhanced protocol are vulnerable to the insider replay attack. Moreover, we have also realized that both protocols have falsely claimed the forward secrecy attribute. In this paper, we will revise our improvements and again secure this protocol against these cryptanalytic attacks while recovering the precious perfect forward secrecy property.
2007
EPRINT
Cryptanalytic Flaws in Oh et al.'s ID-Based Authenticated Key Agreement Protocol
A key agreement protocol is designed for two or more entities to agree upon a shared secret key, which is used to preserve confidentiality and data integrity over an open network. In 2007, Oh et al. proposed an efficient ID-based authenticated key agreement protocol on elliptic curve pairings, which is believed to be able to generate two session keys securely after a protocol execution. However, we discover that their protocol is in fact susceptible to the basic impersonation attack as well as the key compromise impersonation attack. In this paper, we present the imperfections of Oh et al.'s scheme and subsequently we suggest a slight modification to the scheme which would resolve the problems.
2007
EPRINT
Cryptographic Hardness based on the Decoding of Reed-Solomon Codes
We investigate the decoding problem of Reed-Solomon (RS) Codes, also known as the Polynomial Reconstruction Problem (PR), from a cryptographic hardness perspective. Namely, we deal with PR instances with parameter choices for which decoding is not known to be feasibly solvable and where part of the solution polynomial is the hidden input. We put forth a natural decisional intractability assumption that relates to this decoding problem: distinguishing between a single randomly chosen error-location and a single randomly chosen non-error location for a given corrupted RS codeword with random noise. We prove that under this assumption, PR-instances are entirely pseudorandom, i.e., they are indistinguishable from random vectors over the underlying finite field. Moreover, under the same assumption we show that it is hard to extract any partial information related to the hidden input encoded by the corrupted PR-instance, i.e., PR-instances hide their message polynomial solution in the semantic security sense. The above results lay a framework for the exploitation of PR as an intractability assumption for provable security of cryptographic primitives. Based on this framework, we present provably secure cryptographic constructions for (i) a pseudorandom extender, (ii) a semantically secure version of the Oblivious Polynomial Evaluation Protocol, and (iii) a stateful cipher with a set of interesting properties that include: semantic security, forward secrecy, error-correcting decryption and an array of random self-reducibility properties with respect to the plaintext choice, key choice and partial domain choice.
2007
EPRINT
CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited
The cipher CTC (Courtois Toy Cipher) has been designed to demonstrate that it is possible to break, on a PC, a block cipher with good diffusion using a very small number of known (or chosen) plaintexts. It was however never designed to withstand all known attacks on block ciphers, and Dunkelman and Keller have shown that a few bits of the key can be recovered by Linear Cryptanalysis (LC), which cannot however compromise the security of a large key. This weakness can easily be avoided: in this paper we give a specification of CTC2, a tweaked version of CTC. The new cipher is MUCH more secure than CTC against LC, and the key scheduling of CTC has been extended to use any key size, independently of the block size. Otherwise, there is little difference between CTC and CTC2. We show that up to 10 rounds of CTC2 can be broken by simple algebraic attacks.
2007
EPRINT
Deniable Authentication on the Internet
Deniable authentication is a technique that allows one party to send messages to another while the latter cannot prove to a third party the fact of communication. In this paper, we first formalize a natural notion of deniable security and naturally extend the basic authenticator theorem by Bellare et al. \cite{bck98} to the setting of deniable authentication. Of independent interest, this extension is achieved by defining a deniable MT-authenticator via a game. This game is essentially borrowed from the notion of universal composition \cite{can01}, although we do not assume any result or background about it. Then we construct two deniable MT-authenticators: an uncontrollable-random-oracle based one and a PKI based one, both of which are just 3-round protocols. The second construction assumes the receiver owns a secret key. Such a setup assumption is very popular in the real world. Without this assumption, all the previous protocols do not have widely satisfactory performance when applied in an Internet-like environment. Finally, as our application, we obtain key exchange protocols that are deniably secure in the real world.
2007
EPRINT
Deniable Internet Key-Exchange
In this work, we develop a family of protocols for deniable Internet Key-Exchange (IKE) with the following properties: 1. Highly practical efficiency, and conceptual simplicity and clarity. 2. Forward and concurrent (non-malleable) deniability against adversaries with arbitrary auxiliary inputs, and better privacy protection of players' roles. 3. Provable security in the Canetti-Krawczyk post-specified-peer model, and maintenance of essential security properties not captured by the Canetti-Krawczyk security model. 4. Compatibility with the widely deployed and standardized SIGMA (i.e., the basis of IKEv2) and (H)MQV protocols, when parties possess DL public-keys. Our protocols could potentially serve, in part, as either the underlying basis or a useful alternative for the next generation of IKE (i.e., IKEv3) of IPsec (in particular, when deniability is desired). In view of the wide deployment and use of IKE and increasing awareness of privacy protection (especially for E-commerce over the Internet), this work is naturally of practical interest.
2007
EPRINT
Design and Primitive Specification for Shannon
Shannon is a synchronous stream cipher with message authentication functionality, designed according to the ECrypt NoE call for stream cipher primitives, profile 1A (but well after the call). Shannon is named in memory of Claude E. Shannon [20] of Bell Labs and MIT, founder of Information Theory. Shannon is an entirely new design, influenced by members of the SOBER family of stream ciphers, Helix/Phelix, Trivium, Scream, and SHA-256. It consists of a single 32-bit wide, 16-element nonlinear feedback shift register and an extra word, which is supplemented for message authentication with 32 parallel CRC-16 registers. Shannon is free to use for any purpose, and reference source code can be found at http://www.qualcomm.com.au/Shannon.html .
2007
EPRINT
Deterministic History-Independent Strategies for Storing Information on Write-Once Memories
Motivated by the challenging task of designing ``secure'' vote storage mechanisms, we deal with information storage mechanisms that operate in extremely hostile environments. In such environments, the majority of existing techniques for information storage and for security are susceptible to powerful adversarial attacks. In this setting, we propose a mechanism for storing a set of at most $K$ elements from a large universe of size $N$ on write-once memories in a manner that does not reveal the insertion order of the elements. We consider a standard model for write-once memories, in which the memory is initialized to the all $0$'s state, and the only operation allowed is flipping bits from $0$ to $1$. Whereas previously known constructions were either inefficient (required $\Theta(K^2)$ memory), randomized, or employed cryptographic techniques which are unlikely to be available in hostile environments, we eliminate each of these undesirable properties. The total amount of memory used by the mechanism is linear in the number of stored elements and poly-logarithmic in the size of the universe of elements. In addition, we consider one of the classical distributed computing problems: conflict resolution in multiple-access channels. By establishing a tight connection with the basic building block of our mechanism, we construct the first deterministic and non-adaptive conflict resolution algorithm whose running time is optimal up to poly-logarithmic factors.
2007
EPRINT
Differential Cryptanalysis in Stream Ciphers
In this paper we present a general framework for the application of the ideas of differential cryptanalysis to stream ciphers. We demonstrate that some differences in the key (or the initial state or the plaintext) are likely to cause predicted differences in the key stream or in the internal state. These stream differences can then be used to analyze the internal state of the cipher and retrieve it efficiently. We apply our proposed ideas to stream ciphers of various designs, e.g., regularly clocked LFSRs, irregularly clocked LFSRs such as A5/1, and permutation-based stream ciphers such as RC4.
2007
EPRINT
Differential Cryptanalysis of PRESENT
PRESENT was proposed by A. Bogdanov et al. at CHES 2007 for extremely constrained environments such as RFID tags and sensor networks. In this paper, we find differential characteristics for $r$-round PRESENT ($5 \leq r \leq 15$), and then give a differential cryptanalysis of reduced-round variants of PRESENT. We attack 16-round PRESENT using $2^{64}$ chosen plaintexts, $2^{32}$ 6-bit counters, and $2^{65}$ memory accesses.
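Finding differential characteristics for a cipher like PRESENT starts from two tables: the difference distribution table (DDT) of the 4-bit S-box, which gives the probability of each input/output difference through one S-box, and the bit permutation, which decides how many S-boxes a given output difference activates in the next round. The block below is an added example, not code from the paper or from the PRESENT designers; the S-box and the pLayer rule $P(i) = 16 i \bmod 63$ (with bit 63 fixed) are taken from the published PRESENT specification as recalled here and should be treated as an assumption. Key addition is XOR, so it does not change differences and is omitted.

```python
# PRESENT S-box as published by the designers (assumption: recalled, not stated in the abstract)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """Difference distribution table: ddt[d_in][d_out] = #{x : S(x) ^ S(x ^ d_in) = d_out}.
    Entry/16 is the probability that input difference d_in becomes d_out through one S-box."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for d_in in range(n):
            table[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return table


def best_differentials(table):
    """Maximum count over non-trivial input differences and the (d_in, d_out) pairs attaining it."""
    m = max(table[d][o] for d in range(1, 16) for o in range(16))
    return m, [(d, o) for d in range(1, 16) for o in range(16) if table[d][o] == m]


def player(pos):
    """PRESENT pLayer: state bit i moves to position 16*i mod 63 (bit 63 stays in place)."""
    return 63 if pos == 63 else (16 * pos) % 63


def active_sboxes_next_round(sbox_index, d_out):
    """Indices (0..15, nibble i = bits 4i..4i+3) of the S-boxes that a difference d_out leaving
    S-box sbox_index activates in the next round; key addition does not change XOR differences."""
    return sorted({player(4 * sbox_index + b) // 4 for b in range(4) if (d_out >> b) & 1})


def characteristic_probability(table, transitions):
    """Probability of a characteristic given as a list of per-S-box (d_in, d_out) transitions,
    under the usual independence heuristic: the product of the single S-box probabilities."""
    p = 1.0
    for d_in, d_out in transitions:
        p *= table[d_in][d_out] / 16
    return p


if __name__ == "__main__":
    T = ddt(SBOX)
    m, best = best_differentials(T)
    print("max DDT entry:", m, "(probability %g)" % (m / 16), "attained by", best)
    print("d_out 0x3 from S-box 0 activates S-boxes", active_sboxes_next_round(0, 0x3))
    print("two-S-box trail (1->9, 1->9) has probability", characteristic_probability(T, [(1, 9), (1, 9)]))
```

The best single S-box transition has probability $2^{-2}$, so the probability of an $r$-round characteristic is roughly $2^{-2 a}$ with $a$ the number of active S-boxes, and the search for good characteristics is a search for trails with few active S-boxes per round, which is what the pLayer mapping above lets you count.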
2007
EPRINT
Direct Reduction of String (1,2)-OT to Rabin's OT
It is known that string (1,2)-OT and Rabin's OT are equivalent. However, two steps are required to construct a string $(1,2)$-OT from Rabin's OT. The first step is a construction of a bit (1,2)-OT from Rabin's OT, and the second step is a construction of a string $(1,2)$-OT from the bit (1,2)-OT. No direct reduction is known. In this paper, we show a direct reduction of string (1,2)-OT to Rabin's OT by using a deterministic randomness extractor. Our reduction is much more efficient than the previous two-step reduction.
2007
EPRINT
Domain Extension of Public Random Functions: Beyond the Birthday Barrier
A public random function is a random function that is accessible by all parties, including the adversary. For example, a (public) random oracle is a public random function $\{0,1\}^{*} \to \{0,1\}^n$. The natural problem of constructing a public random oracle from a public random function $\{0,1\}^{m} \to \{0,1\}^n$ (for some $m > n$) was first considered at Crypto 2005 by Coron et al., who proved the security of variants of the Merkle-Damg{\aa}rd construction against adversaries issuing up to $O(2^{n/2})$ queries to the construction and to the underlying compression function. This bound is less than the square root of $n2^m$, the number of random bits contained in the underlying random function. In this paper, we investigate domain extenders for public random functions approaching optimal security. In particular, for all $\epsilon \in (0,1)$ and all functions $m$ and $\ell$ (polynomial in $n$), we provide a construction $\mathbf{C}_{\epsilon,m,\ell}(\cdot)$ which extends a public random function $\mathbf{R}: \{0,1\}^{n} \to \{0,1\}^n$ to a function $\mathbf{C}_{\epsilon,m,\ell}(\mathbf{R}): \{0,1\}^{m(n)} \to \{0,1\}^{\ell(n)}$ with time-complexity polynomial in $n$ and $1/\epsilon$ and which is secure against adversaries which make up to $\Theta(2^{n(1-\epsilon)})$ queries. A central tool for achieving high security are special classes of unbalanced bipartite expander graphs with small degree. The achievability of practical (as opposed to complexity-theoretic) efficiency is proved by a non-constructive existence proof. Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function $\{0,1\}^{*} \to \{0,1\}^n$ from a component function $\{0,1\}^{n} \to \{0,1\}^n$ that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.
2007
EPRINT
Dragon-MAC: Securing Wireless Sensor Networks with Authenticated Encryption
Sensor networks offer economically viable monitoring solutions for a wide variety of applications. In order to combat the security threats that sensor networks are exposed to, a cryptographic protocol is implemented at sensor nodes for point-to-point encryption between nodes. Disclosure, disruption and deception threats can be defeated by authenticating data sources as well as encrypting data in transmission. Given that nodes have limited resources, symmetric cryptography, which is proven to be efficient for low power devices, is implemented. Data protection is integrated into a sensor's packet by means of symmetric encryption with the Dragon stream cipher and incorporation of the newly designed Dragon-MAC Message Authentication Code. The proposed algorithm was designed to employ some of the data already computed by the underlying Dragon stream cipher for the purpose of minimizing the computational cost of the operations required by the MAC algorithm. Given that Dragon is a word based stream cipher with fast key stream generation, it is very suitable for a constrained environment. Our protocol addresses entity authentication and message authentication through the implementation of an authenticated encryption scheme in Telos B wireless sensor nodes.
2007
EPRINT
Edon--${\cal R}(256,384,512)$ -- an Efficient Implementation of Edon--${\cal R}$ Family of Cryptographic Hash Functions
We have designed three fast implementations of the recently proposed family of hash functions Edon--${\cal R}$. They produce message digests of length 256, 384 and 512 bits. We have defined huge quasigroups of orders $2^{256}$, $2^{384}$ and $2^{512}$ by using only bitwise operations on 32 bit values (additions modulo $2^{32}$, XORs and left rotations) and achieved processing speeds of the reference C code of 16.18 cycles/byte, 24.37 cycles/byte and 32.18 cycles/byte on x86 (Intel and AMD microprocessors). In this paper we give their full description, as well as an initial security analysis.
2007
EPRINT
Efficiency Improvement for NTRU
The NTRU encryption scheme is an interesting alternative to well-established encryption schemes such as RSA, ElGamal, and ECIES. The security of NTRU relies on the hardness of computing short lattice vectors and thus is a promising candidate for being quantum computer resistant. There has been extensive research on efficient implementation of the NTRU encryption scheme. In this paper, we present a new algorithm for enhancing the performance of NTRU. The proposed method is between $11$\% and $23$\% faster on average than the best previously known method. We also present a highly efficient implementation of NTRU within the Java Cryptography Architecture.
2007
EPRINT
Efficient and Provably-Secure Certificateless Short Signature Scheme from Bilinear Pairings
In this paper, we present a certificateless signature (CLS) scheme that is proved to be secure in the random oracle model under the hardness assumptions of k-CAA and Inv-CDHP. Our scheme upholds all desirable properties of previous CLS schemes, and requires general cryptographic hash functions instead of the MapToPoint hash function, which is inefficient and probabilistic. Furthermore, our scheme has lower computational cost and is significantly more efficient than all known CLS schemes, and the size of the signatures generated by our scheme is approximately 160 bits, which makes them the shortest certificateless signatures so far. So it can be used widely, especially in low-bandwidth communication environments.
2007
EPRINT
Efficient Certificateless Signatures Suitable for Aggregation
This technical report describes a novel certificateless signature scheme suitable for aggregation that requires no pairing computations for signing and only 3 pairing computations for signature verification. We provide proofs for the security of single and aggregate signatures.
2007
EPRINT
Efficient chosen ciphertext secure PKE scheme with short ciphertext
Kurosawa and Matsuo \cite{Kurosawa20042} showed that the MAC can be removed from DHIES when the underlying symmetric-key encryption (SKE) scheme is secure against adaptive chosen ciphertext attacks (IND-CCA). We construct a variant of DHIES which eliminates the MAC while the SKE scheme only needs to be secure against passive attacks (IND-PA). Since IND-PA is the basic requirement of SKE schemes, the new scheme is more flexible than \cite{Kurosawa20042}. Our new scheme can be seen as a combination of a tag-KEM \cite{Abe2005} and a DEM. Our construction offers the first tag-KEM with a single element. When the hash function $H$ in the ODH assumption is a non-malleable hash function, we can prove that the new scheme is IND-CCA secure under the ODH assumption.
2007
EPRINT
Efficient Dynamic k-Times Anonymous Authentication
In k-times anonymous authentication (k-TAA) schemes, members of a group can be anonymously authenticated to access applications for a bounded number of times determined by application providers. Dynamic $k$-TAA allows application providers to independently grant or revoke group members from accessing their applications. Dynamic $k$-TAA can be applied in several scenarios, such as $k$-show anonymous credentials, digital rights management, anonymous trial of Internet services, e-voting, e-coupons etc. This paper proposes the first provably secure dynamic $k$-TAA scheme, where authentication costs do not depend on $k$. This efficiency is achieved by using a technique called ``efficient provable e-tag'', proposed in \cite{Nguyen06}, which could be applicable to other e-tag systems.
2007
EPRINT
Efficient $GF(3^m)$ Multiplication Algorithm for $\eta_T$ Pairing
The computation speed of pairing based cryptosystems is slow compared with the other public key cryptosystems even though several efficient computation algorithms have been proposed. Thus more efficient computation of the Tate pairing is an important research goal. $GF(3^m)$ multiplication in $GF(3^{6m})$ in the pairing algorithm is the greatest consumer of time. Past research concentrated on reducing the number of $GF(3^m)$ multiplications, for instance the Karatsuba method. In this article, we propose a new method to reduce the number of online precomputations in $GF(3^m)$ multiplications for the $\eta_T$ pairing. The proposed algorithm reduces the 18 online precomputations in $GF(3^{6m})$ in the $\eta_T$ pairing to 4 online precomputations by reusing the intermediate products obtained in precomputation. We implement the proposed algorithm and compare the time taken by the proposed algorithm with that of the previous work. Our algorithm offers a 40% performance increase for $GF(3^m)$ multiplications in $GF(3^{6m})$ on an AMD 64-bit processor. Additionally, a completely new finding is obtained. The results show that reducing the number of multiplications in $GF(3^{6m})$ does not necessarily lead to a speed-up of the $\eta_T$ pairing calculation.
2007
EPRINT
Efficient Hierarchical Identity Based Signature in the Standard Model
The only known constructions of Hierarchical Identity Based Signatures that are proven secure in the strongest model without random oracles are based on the approach of attaching certificate chains or a hierarchical authentication tree with one-time signatures. Both construction methods lead to schemes that are somewhat inefficient and leave open the problem of an efficient direct construction. In this paper, we propose the first direct construction of a Hierarchical Identity Based Signature scheme that is proven under the strongest model without relying on random oracles and using the more standard $q$-SDH assumption. It is computationally efficient and the signature size is constant. When the number of hierarchical levels is set to one, our scheme is a normal identity based signature scheme. It enjoys the shortest size in public parameters and signatures when compared with others in the literature at the same security level.
2007
EPRINT
Efficient Hybrid Encryption from ID-Based Encryption
This paper deals with generic transformations from ID-based key encapsulation mechanisms (IBKEM) to hybrid public-key encryption (PKE). The best generic transformation known until now is by Boneh and Katz and requires roughly 704-bit overhead in the ciphertext. We present two new such generic transformations that are applicable to partitioned IBKEMs. A partitioned IBKEM is an IBKEM that provides some extra structure. Such IBKEMs are quite natural and in fact nearly all known IBKEMs have this additional property. Our first transformation yields chosen-ciphertext secure PKE schemes from selective-ID secure partitioned IBKEMs with a 256-bit overhead in ciphertext size plus one extra exponentiation in encryption/decryption. As the central tool a Chameleon Hash function is used to map the identities. The second transformation transforms adaptive-ID secure partitioned IBKEMs into chosen-ciphertext secure PKE schemes with no additional overhead. Applying our transformations to existing IBKEMs we propose a number of novel PKE schemes with different trade-offs. In some concrete instantiations the Chameleon Hash can be made "implicit", which results in improved efficiency by eliminating the additional exponentiation. Since our transformations preserve the public verifiability property of the IBE schemes it is possible to extend our results to build threshold hybrid PKE schemes. We show an analogous generic transformation in the threshold setting and present a concrete scheme which results in the most efficient threshold PKE scheme in the standard model.
2007
EPRINT
Efficient ID-based Signature Without Trusted PKG
In this paper, we introduce the exact concept of ID-based signature without trusted Private Key Generator (PKG), which solves the key escrow problem by binding two partial public keys to the same identity. In this scheme, the PKG is prevented from forging a legal user's signature because it only generates the partial private key. Using Gap Diffie-Hellman (GDH) groups, we construct an efficient ID-based signature scheme without trusted PKG, whose security relies on the hardness of the Computational Diffie-Hellman Problem (CDHP). More precisely, under the random oracle model, our scheme is proved to be secure against existential forgery on adaptively chosen message and ID attack, which is a natural ID-based version of the standard adaptively chosen message attack, assuming CDHP is intractable. Our scheme not only eliminates the inherent key escrow problem but also has higher efficiency than the existing schemes.
2007
EPRINT
Efficient Identity Based Signature in Standard Model
In this paper, we present an efficient signature scheme without random oracles using Waters' private key construction. Our scheme has a shorter public parameter size when compared to the Kenny and Schuldt signature. The signature space of our basic scheme consists of three group elements; we further show that the signature space can be reduced to two group elements. The security of our signature scheme is proved in the standard model under the adaptive identity security notion.
2007
EPRINT
Efficient Implementation of the Pairing on Mobilephones using BREW
Pairing based cryptosystems can accomplish novel security applications such as ID-based cryptosystems, which have not been constructed efficiently without the pairing. The processing speed of pairing based cryptosystems is relatively slow compared with the other conventional public key cryptosystems. However, several efficient algorithms for computing the pairing have been proposed, namely the Duursma-Lee algorithm and its variant, the $\eta_T$ pairing. In this paper, we present an efficient implementation of the pairing on some mobile phones. The processing speed of our implementation on ARM9 processors on BREW achieves under 100 milliseconds using the supersingular curve over $\mathbb F_{3^{97}}$. It has become efficient enough to implement security applications, such as ID-based cryptosystems and broadcast encryption, using the pairing on BREW mobile phones.
2007
EPRINT
Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers
The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware and have low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Gröbner-basis techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involves dense, not sparse, systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than by exhaustive search if $\beta < 1/100$. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.
2007
EPRINT
Efficient Non-interactive Proof Systems for Bilinear Groups
Non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs have played a significant role in the theory of cryptography. However, a lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that non-interactive zero-knowledge proofs have been constructed for general NP-complete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides non-interactive witness-indistinguishable proofs and non-interactive zero-knowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
2007
EPRINT
Efficient Pairing Computation on Curves
In this paper, a method for the efficient computation of Tate pairings on curves, which is a generalization of Barreto et al.'s method [2], is presented. It can reduce the number of loops in the computation of the Tate pairing. The method can be applied not only to supersingular curves but also to non-supersingular curves. An example shows that the cost of the algorithm in this paper is 18% lower than that of the best known algorithm on some elliptic curves.
2007
EPRINT
Efficient Password-based Authenticated Key Exchange without Public Information
Since the first password-based authenticated key exchange (PAKE) was proposed, it has enjoyed a considerable amount of interest from the cryptographic research community. To the best of our knowledge, most proposed PAKEs based on Diffie-Hellman key exchange need some public information, such as generators of a finite cyclic group. However, in a client-server environment, not all servers use the same public information, which requires clients to authenticate that public information before beginning PAKE. This is cumbersome for users. What's worse, it may introduce security problems into PAKE, such as a substitution attack. To remove these problems, in this paper we present an efficient password-based authenticated key exchange protocol without any public information. We also provide a formal security analysis in the non-concurrent setting, including basic security, mutual authentication, and forward secrecy, using the random oracle model.
2007
EPRINT
Efficient Quintuple Formulas for Elliptic Curves and Efficient Scalar Multiplication Using Multibase Number Representation
In the current work we propose two efficient formulas for computing the $5$-fold ($5P$) of an elliptic curve point $P$. One formula is for curves over finite fields of even characteristic and the other is for curves over prime fields. Double base number systems (DBNS) have been gainfully exploited to compute scalar multiplication efficiently in ECC. Using the proposed point quintupling formulas one can use 2,5 and 3,5 (besides 3,5) as bases of the double base number system. In the current work we propose a scalar multiplication algorithm which expands the scalar using the three bases 2, 3 and 5 and computes the scalar multiplication very efficiently. The proposed scheme is faster than all sequential scalar multiplication algorithms reported in the literature.
2007
EPRINT
Embedding Degree of Hyperelliptic Curves with Complex Multiplication
Consider the Jacobian of a genus two curve defined over a finite field and with complex multiplication. In this paper we show that if the $l$-Sylow subgroup of the Jacobian is not cyclic, then the embedding degree of the Jacobian with respect to $l$ is one.
2007
EPRINT
Encryption Techniques for Secure Database Outsourcing
While the idea of database outsourcing is becoming increasingly popular, the associated security risks still prevent many potential users from deploying it. In particular, the need to give full access to one's data to a third party, the database service provider, remains a major obstacle. A seemingly obvious solution is to encrypt the data in such a way that the service provider retains the ability to perform relational operations on the encrypted database. In this paper we present a model and an encryption scheme that solves this problem at least partially. Our approach represents the provably secure solution to the database outsourcing problem that allows the operations exact select, Cartesian product, and projection, and that guarantees the probability of erroneous answers to be negligible. Our scheme is simple and practical, and it allows effective searches on encrypted tables: for a table consisting of $n$ tuples the scheme performs a search in $O(n)$ steps.
2007
EPRINT
Enforcing Semantic Integrity on Untrusted Clients in Networked Virtual Environments
In recent years, large-scale simulations of realistic physical environments which support the interaction of multiple participants over the Internet have become increasingly available and economically viable, most notably in the computer gaming industry. Such systems, commonly called networked virtual environments (NVEs), are usually based on a client-server architecture where, for performance reasons and bandwidth restrictions, the simulation is partially delegated to the clients. This inevitable architectural choice renders the simulation vulnerable to attacks against the semantic integrity of the simulation: malicious clients may attempt to compromise the physical and logical rules governing the simulation, or to alter the causality of events a posteriori. In this paper, we initiate the systematic study of semantic integrity in NVEs from a security point of view. We argue that naive policies to enforce semantic integrity involve intolerable network load, and are therefore not practically feasible. We present a new provably secure semantic integrity protocol based on cryptographic primitives which enables the server system to audit the local computations of the clients on demand. Our approach facilitates low network and CPU load, incurs reasonable engineering overhead, and maximally decouples the auditing process from the soft real time constraints of the simulation.
2007
EPRINT
Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities
Direct Anonymous Attestation (DAA) is a scheme that enables the remote authentication of a Trusted Platform Module (TPM) while preserving the user's privacy. A TPM can prove to a remote party that it is a valid TPM without revealing its identity and without linkability. In the DAA scheme, a TPM can be revoked only if the DAA private key in the hardware has been extracted and published widely so that verifiers obtain the corrupted private key. If the unlinkability requirement is relaxed, a TPM suspected of being compromised can be revoked even if the private key is not known. However, with the full unlinkability requirement intact, if a TPM has been compromised but its private key has not been distributed to verifiers, the TPM cannot be revoked. Furthermore, a TPM cannot be revoked by the issuer if the TPM is found to be compromised after the DAA issuing has occurred. In this paper, we present a new DAA scheme called the Enhanced Privacy ID (EPID) scheme that addresses the above limitations. While still providing unlinkability, our scheme provides a method to revoke a TPM even if the TPM private key is unknown. This expanded revocation property makes the scheme useful for other applications such as driver's licenses. Our EPID scheme is efficient and provably secure in the same security model as DAA, i.e. in the random oracle model under the strong RSA assumption and the decisional Diffie-Hellman assumption.
2007
EPRINT
Enhancing Security of a Group Key Exchange Protocol for Users with Individual Passwords
Group key exchange protocols allow a group of parties communicating over a public network to come up with a common secret key called a session key. Due to their critical role in building secure multicast channels, a number of group key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called EKE-M protocol proposed by Byun and Lee for password-based group key exchange in the different password authentication model, where group members are assumed to hold an individual password rather than a common password. While the announcement of the EKE-M protocol was essential in the light of the practical significance of the different password authentication model, Tang and Chen showed that the EKE-M protocol itself suffers from an undetectable on-line dictionary attack. Given Tang and Chen's attack, Byun et al. have recently suggested a modification to the EKE-M protocol and claimed that their modification makes EKE-M resistant to the attack. However, the claim turned out to be untrue. In the current paper, we demonstrate this by showing that Byun et al.'s modified EKE-M is still vulnerable to an undetectable on-line dictionary attack. Besides reporting our attack, we also figure out what has gone wrong with Byun et al.'s modification and how to fix it.
2007
EPRINT
Equivocal Blind Signatures and Adaptive UC-Security
We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an {\em equivocal blind signature} is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move ``lite blind signature'', a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically: formalizing a primitive as ``lite'' means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive's design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK), and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; as a result, we realize SVZK in a very efficient manner using number theoretic mixed commitments while employing a constant size common reference string and without the need to satisfy non-malleability. Regarding SPZK we find the rather surprising result that realizing it only for static adversaries is sufficient to obtain adaptive security for UC blind signatures.
This important observation simplifies blind signature design substantially as one can realize SPZK very efficiently in a commit-and-prove fashion using merely an extractable commitment. We instantiate all the building blocks of our design methodology efficiently, thus presenting the first practical UC blind signature that is secure against adaptive adversaries in the common reference string model. In particular, we present (1) a lite equivocal blind signature protocol that is based on elliptic curves and the 2SDH assumption of Okamoto, (2) efficient implementations of SPZK, SVZK for the required relations. Our construction also takes advantage of a round optimization method we discuss and it results in a protocol that has an overall communication overhead of as little as 3 Kbytes, employing six communication moves and a constant length common reference string. We also present alternative implementations for our equivocal lite blind signature, thus demonstrating the generality of our approach. Finally we count the exact cost of realizing blind signatures with our protocol design by presenting the distance between the $\mathcal{F}_{\mathrm{BSIG}}$-hybrid world and the $\mathcal{F}_{\mathrm{CRS}}$-hybrid world as a function of environment parameters. The distance calculation is facilitated by a basic lemma we prove about structuring UC proofs that may be of independent interest.
2007
EPRINT
Estimation of keys stored in CMOS cryptographic device after baking by using the charge shift
The threshold voltage $V_T$ of EEPROM cells is a very important technological parameter for storing data and keys in a cryptographic device such as a smartcard. The main objective of this paper is to check whether it is possible to obtain the key stored in the EEPROM cells by measuring the current consumption of the cryptographic device during the read-key command for encryption, before and after baking at a certain temperature. This stress (baking) of the charge in the floating gate of the cells shifts the threshold voltage. In particular, we consider whether the unknown key in the EEPROM cells can be estimated by using the charge shift in the floating gate. Test labs might need to check, during an evaluation procedure for smartcards, whether parts of the key or the whole key can be estimated successfully by stressing the threshold parameter $V_T$. The result of this evaluation is (will be) an input for countermeasures against possible attacks. It is also an additional input for further design structures in order to avoid information gain after baking the EEPROM cells at a certain temperature.
2007
EPRINT
Executing Modular Exponentiation on a Graphics Accelerator
Demand in the consumer market for graphics hardware that accelerates rendering of 3D images has resulted in commodity devices capable of astonishing levels of performance. These results were achieved by specifically tailoring the hardware for the target domain. As graphics accelerators become increasingly programmable this performance makes them an attractive target for other domains. Specifically, they have motivated the transformation of costly algorithms from a general purpose computational model into a form that executes on said graphics hardware. We investigate the implementation and performance of modular exponentiation using a graphics accelerator, with the view of using it to execute operations required in the RSA public key cryptosystem.
2007
EPRINT
Extending Oblivious Transfers Efficiently - How to get Robustness Almost for Free
At Crypto 2003 Ishai et al. gave a protocol which, given a small number of (possibly extremely inefficient) oblivious transfers, implements an essentially unbounded number of oblivious transfers for an additional overhead, per oblivious transfer, of computing and sending only two hash values. This highly efficient protocol is however only passively secure. To get active security, except with probability $2^{-m}$, the protocol had to suffer an additional overhead of a factor $1+m$. We introduce a new approach to adding robustness. For practical security parameters this approach allows adding robustness while suffering only a small constant overhead over the passively secure protocol. As an example we can generate one million oblivious transfers with security $2^{-42}$ at an amortized cost of just $9$ hash values per oblivious transfer.
2007
EPRINT
Fair Exchange Signature Schemes
In this paper we propose a new class of Fair Exchange Signature Scheme (FESS) that allows two players to exchange digital signatures in a fair way. Our signature scheme is a general idea and has various implementations on most of the existing signature schemes, thus it may also be considered as an interesting extension of the concurrent signature presented in EUROCRYPT 2004 that is constructed from ring signatures. In our scheme, two unwakened signatures signed separately by the two participants can be verified easily by the other player, but they do not go into effect until an extra piece of commitment, the keystone, is released by one of the players. Once the keystone is revealed, both signatures are aroused and become effective. A key feature of the proposed scheme is that two players can exchange digital signatures simultaneously through a secret commitment keystone without the involvement of any Trusted Third Party. Moreover, the efficiency of our signature scheme is higher than that of concurrent signature.
2007
EPRINT
Families of genus 2 curves with small embedding degree
Hyperelliptic curves of small genus have the advantage of providing a group of comparable size as that of elliptic curves, while working over a field of smaller size. Pairing-friendly hyperelliptic curves are those whose order of the Jacobian is divisible by a large prime, whose embedding degree is small enough for computations to be feasible, and whose minimal embedding field is large enough for the discrete logarithm problem in it to be difficult. We give a sequence of $\mathbb{F}_q$-isogeny classes for a family of Jacobians of genus two curves over $\mathbb{F}_{q}$, for $q=2^m$, and their corresponding small embedding degrees. We give examples of the parameters for such curves with embedding degree $k<(\log q)^2$, such as $k=8,13,16,23,26,37,46,52$. For secure and efficient implementation of pairing-based cryptography on genus $g$ curves over $\mathbb{F}_q$, it is desirable that the ratio $\rho=\frac{g\log_2 q}{\log_2 N}$ be approximately 1, where $N$ is the order of the subgroup with embedding degree $k$. We show that for our family of curves, $\rho$ is often near 1 and never more than 2. We also give a sequence of $\mathbb{F}_q$-isogeny classes for a family of Jacobians of genus 2 curves over $\mathbb{F}_{q}$ whose minimal embedding field is much smaller than the finite field indicated by the embedding degree $k$. That is, the extension degrees in this example differ by a factor of $m$, where $q=2^m$, demonstrating that the embedding degree can be a far from accurate measure of security. As a result, we use an indicator $k'=\frac{\mathrm{ord}_N 2}{m}$ to examine the cryptographic security of our family of curves.
2007
EPRINT
Fast Digital Signature Schemes as Secure as Diffie-Hellman Assumptions
This paper presents two fast digital signature schemes based on Diffie-Hellman assumptions. In the random oracle model, the first scheme S1 has a tight security reduction to the computational Diffie-Hellman (CDH) problem, and the second scheme S2 has a tight security reduction to the decisional Diffie-Hellman (DDH) problem. Compared with existing signature schemes whose security is tightly related to the CDH problem, such as the EDL signature schemes, the signature generation of S1 is about 27% faster and the verification is about 35% faster, not counting the hash function evaluations. Compared with existing signature schemes whose security is tightly related to the DDH problem, such as the KW-DDH signature scheme, the signing of S2 is about 40% faster and the verification is about 35% faster. The high efficiency of the proposed schemes is attributed to a new protocol EDL_mwz which implements the proof of equality of discrete logarithms. The EDL_mwz protocol outperforms its counterpart, the Chaum and Pedersen protocol, as its computation is about 38% faster and its bandwidth is |G| bits shorter. This new protocol may be of independent interest.
2007
EPRINT
Fast Point Multiplication on Elliptic Curves of Even Order
Every elliptic curve of even order over a finite field of characteristic >3 is birationally equivalent to a curve in Jacobi quartic form. This paper presents fast explicit formulas for group operations on a Jacobi quartic curve. The algorithm for doubling uses only 1M+6S, mixed addition uses only 8M+2S, and the unified addition formula uses only 9M+2S in the best case. For elliptic curves of even order, these algorithms are more efficient than the other algorithms in the literature.
2007
EPRINT
Faster and Shorter Password-Authenticated Key Exchange
This paper presents an improved password-based authenticated key exchange protocol in the common reference string model. Its security proof requires no idealized assumption (such as random oracles). The protocol is based on the GL framework introduced by Gennaro and Lindell, which generalizes the KOY key exchange protocol of Katz et al. Both the KOY and the GL protocols use (one-time) signatures as a non-malleability tool in order to prevent a man-in-the-middle attack against the protocol. The efficiency of the resulting protocol is negatively affected, since if we use regular signatures, they require a large amount of computation (almost as much as the rest of the protocol) and further computational assumptions. If one-time signatures are used, they substantially increase the bandwidth requirement. Our improvement avoids using digital signatures altogether, replacing them with faster and shorter message authentication codes. The crucial idea is to leverage as much as possible the non-malleability of the encryption scheme used in the protocol, by including various values into the ciphertexts as {\em labels}. As in the case of the GL framework, our protocol can be efficiently instantiated using either the DDH, Quadratic Residuosity or N-Residuosity Assumptions. For typical security parameters our solution saves as much as 12 Kbytes of bandwidth if one-time signatures are implemented in GL with fast symmetric primitives. If we use number-theoretic signatures in the GL framework, our solution saves several large exponentiations (almost a third of the exponentiations computed in the GL protocol). The end result is that we bring provable security in the realm of password-authenticated key exchange one step closer to practical.
2007
EPRINT
Faster Group Operations on Special Elliptic Curves
This paper is on efficient implementation techniques of Elliptic Curve Cryptography. We improve group operation timings for Hessian and Jacobi-intersection forms of elliptic curves. In this study, traditional coordinates of these forms are modified to speed up the addition operations. For the completeness of our study, we also recall the modified Jacobi-quartic coordinates, which benefit from similar optimizations. The operation counts on the modified coordinates of these forms are as follows:
- Modified Hessian: Doubling 3M+6S, readdition 6M+6S, mixed addition 5M+6S, addition 6M+6S.
- Modified Jacobi-intersection: Doubling 2M+5S+1D, readdition 11M+1S+2D, mixed addition 10M+1S+2D, addition 11M+1S+2D.
- Modified Jacobi-quartic: Doubling 3M+4S, readdition 8M+3S+1D, mixed addition 7M+3S+1D, addition 8M+3S+1D.
We compare various elliptic curve representations with respect to their performance evaluations for different point multiplication algorithms. We note that Jacobi-quartics can provide the fastest timings for some S/M and D/M values in fast point multiplication implementations. We also show that the Hessian form can provide the fastest timings for some S/M and D/M values when side-channel resistance is required for point multiplication. (M: Field multiplication, S: Field squaring, D: Multiplication by a curve constant.)
2007
EPRINT
Faster Multi-Exponentiation through Caching: Accelerating (EC)DSA Signature Verification
We consider the task of computing power products $\prod_{1 \leq i \leq k} g_i^{e_i}$ ("multi-exponentiation") where base elements $g_2, ..., g_k$ are fixed while $g_1$ is variable between multi-exponentiations but may repeat, and where the exponents are bounded (e.g., in a finite group). We present a new technique that entails two different ways of computing such a result. The first way applies to the first occurrence of any $g_1$ where, besides obtaining the actual result, we create a cache entry based on $g_1$, investing very little memory or time overhead. The second way applies to any multi-exponentiation once such a cache entry exists for the $g_1$ in question: the cache entry provides for a significant speed-up. Our technique is useful for ECDSA or DSA signature verification with common domain parameters and recurring signers.
2007
EPRINT
Filling the Gap between Voters and Cryptography in e-Voting
Cryptography is an important tool in the design and implementation of electronic voting schemes, for it provides the property of verifiability, which is not provided in traditional voting. But in real life, most voters can neither understand the profound theory of cryptographic e-voting nor perform the complicated cryptographic computation. An e-voting system is presented in this paper to bridge the use of cryptography between theory and practice. It combines the advantages of Moran-Naor's voting scheme and voting schemes based on homomorphic encryption. It makes use of cryptographic techniques, but it hides the details of cryptographic computation from voters. Voters can be convinced that the ballot is cast as intended. The tally can be verified in public. Compared with Moran-Naor's voting scheme, the new system has three advantages: the ballots can be recovered when the voting machine breaks down, the costly cut-and-choose zero-knowledge proofs for shuffling votes made by the voting machine are avoided, and the partial tally result in each voting machine is kept secret.
2007
EPRINT
Finding Collisions in Interactive Protocols -- A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO '92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT '98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS '00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
2007
EPRINT
Finding Low Weight Polynomial Multiples Using Lattices
The low weight polynomial multiple problem arises in the context of stream cipher cryptanalysis and of efficient finite field arithmetic, and is believed to be difficult. It can be formulated as follows: given a polynomial $f \in \mathbb{F}_2[X]$ of degree $d$, and a bound $n$, the task is to find a low weight multiple of $f$ of degree at most $n$. The best algorithm known so far to solve this problem is based on a time-memory trade-off and runs in time ${\cal O}(n^{ \lceil {(w - 1)}/{2} \rceil})$ using ${\cal O}(n^{ \lceil {(w - 1)}/{4} \rceil})$ of memory, where $w$ is the estimated minimal weight. In this paper, we propose a new technique to find low weight multiples using lattice basis reduction. Our algorithm runs in time ${\cal O}(n(n-d)^5)$ and uses ${\cal O}(nd)$ of memory. This improves the space needed and gives a better theoretical time estimate when $w \geq 12$ or when the excess degree $n-d$ is small, say, $(n-d)^5 < n^{\lceil {(w-3)}/{2} \rceil}$. The former situation is plausible when the bound $n$, which represents the available keystream, is small, whereas the latter one occurs in efficient finite field arithmetic. We also propose bounds for the minimal weight of such multiples, supplying in this sense the state-of-the-art techniques with a method to check whether their estimated minimal weight is in the correct range. This provides a quantitative cryptographic quality criterion for such polynomials: the fewer low degree, low weight multiples a polynomial has, the harder this type of cryptanalysis of the corresponding stream cipher becomes. As an example, the Bluetooth polynomial turns out to be of good quality in this sense. Moreover, we introduce the corresponding number problem and apply a similar strategy to find sparse multiples of a given number with respect to the Hamming weight of their 2-ary representation.
Finally, we run our experiments using the NTL library on some known polynomials in cryptanalysis and we confirm our analysis.
Keywords: stream cipher analysis, low weight polynomial multiples, lattices, shortest vector.
2007
EPRINT
Formal Certification of Code-Based Cryptographic Proofs
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of systematically structuring proofs as sequences of games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify the steps in the proof, i.e. the transitions between games. While these techniques contribute to increasing confidence in the security of cryptographic systems, code-based proofs involve such a large palette of concepts from different fields that machine-verified proofs seem necessary to achieve the highest degree of confidence. Indeed, Halevi has convincingly argued that a tool assisting in the construction and verification of proofs is necessary to solve the crisis with cryptographic proofs. This article reports a first step towards the completion of Halevi's programme through the implementation of a fully formalized framework, CertiCrypt, for code-based proofs built on top of the Coq proof assistant. The framework has been used to yield machine-checked proofs of the PRP/PRF switching lemma and of the semantic security of the ElGamal and OAEP encryption schemes.
2007
EPRINT
Formal Security Treatments for IBE-to-Signature Transformation: Relations among Security Notions
In a seminal paper on identity-based encryption (IBE), Boneh and Franklin [BF01] mentioned an interesting transform from an IBE scheme to a signature scheme, which was observed by Moni Naor. In this paper, we give formal security treatments for this transform and discover several implications and separations among security notions of IBE and the transformed signature. For example, we show that for such a transform to succeed, one-wayness of the IBE scheme is an essential condition. Additionally, we give a sufficient and necessary condition for converting a semantically secure IBE scheme into an existentially unforgeable signature scheme. Our results help establish strategies for the design and automatic security proof of signature schemes from (possibly weak) IBE schemes. We also show some separation results which strongly support that one-wayness, rather than semantic security, of IBE captures an essential condition for achieving secure signatures.
2007
EPRINT
Forward-secure Key Evolution in Wireless Sensor Networks
We consider a key distribution scheme for securing node-to-node communication in sensor networks. While most schemes in use are based on random predistribution, we consider a system of dynamic pairwise keys based on a design due to Ren, Tanmoy and Zhou. We design and analyze a variation of this scheme, in which capturing a node does not lead to security threats to past communication. Instead of bit-flipping, we use a cryptographic one-way function. While this immediately guarantees forward security, it is not obvious that the pseudorandom transformation of the keys does not lead to subtle security risks due to a specific distribution of reachable keys, such as the existence of small attractor subspaces. (This problem does not occur for the design of Ren, Tanmoy and Zhou.) We show, in a rigorous mathematical way, that this is not the case: after a small number of steps the probability distribution of keys leaves no room for potential attacks.
2007
EPRINT
Forward-secure RFID Authentication and Key Exchange
Security and privacy in RFID systems is an important and active research area. A number of challenges arise due to the extremely limited computational, storage and communication abilities of a typical RFID tag. This work describes two families of simple, inexpensive, and untraceable identification protocols for RFID tags. The proposed protocols involve minimal interaction between a tag and a reader and place a low computational burden on the tag, requiring only a pseudo-random generator. They also impose a low computational load on the back-end server. The paper also describes a universally composable security model tuned for RFID applications. By making specific setup, communication, and concurrency assumptions that are realistic in the RFID application setting, we arrive at a model that guarantees strong security and availability properties, while still permitting the design of practical RFID protocols. We show that our protocols are provably secure within the new security model. The security model supports availability, authentication, forward-secure anonymity and key exchange, and modularity. The last attribute is most appropriate for ubiquitous applications.
2007
EPRINT
Forward-Secure Sequential Aggregate Authentication
Wireless sensors are employed in a wide range of applications. One common feature of most sensor settings is the need to communicate sensed data to some collection point or sink. This communication can be direct (to a mobile collector) or indirect -- via other sensors towards a remote sink. In either case, a sensor might not be able to communicate to a sink at will. Instead it collects data and waits (for a potentially long time) for a signal to upload accumulated data directly. In a hostile setting, a sensor may be compromised and its post-compromise data can be manipulated. One important issue is Forward Security -- how to ensure that pre-compromise data cannot be manipulated? Since a typical sensor is limited in storage and communication facilities, another issue is how to minimize resource consumption due to accumulated data. It turns out that current techniques are insufficient to address both challenges. To this end, we explore the notion of Forward-Secure Sequential Aggregate (FssAgg) Authentication Schemes. We consider FssAgg authentication schemes in the contexts of both conventional and public key cryptography and construct a FssAgg MAC scheme and a FssAgg signature scheme, each suitable under different assumptions. This work represents the initial investigation of Forward-Secure Aggregation and, although the proposed schemes are not optimal, it opens a new direction for follow-on research.
2007
EPRINT
From Selective-ID to Full Security: The Case of the Inversion-Based Boneh-Boyen IBE Scheme
In this note we remark that the inversion-based selective-ID secure identity-based encryption (IBE) scheme from Boneh and Boyen can be bootstrapped to full-ID security using a technique by Waters.
2007
EPRINT
Fully Anonymous Group Signatures without Random Oracles
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
2007
EPRINT
Fully Resilient Traitor Tracing Scheme using Key Update
This paper proposes fully resilient traitor tracing schemes which have no restriction on the number of traitors. By using the concept of key update, the schemes can make pirate decoders useless within some time period, which will be called the life-time of the decoder. There is a trade-off between the size of the ciphertext and the life-time of pirate decoders.
2007
EPRINT
Fully Secure Proxy Re-Encryption without Random Oracles
In a proxy re-encryption scheme, a semi-trusted proxy, with some additional information, can transform a ciphertext under Alice's public key into a new ciphertext under Bob's public key on the same message, but cannot learn any information about the messages encrypted under the public key of either Alice or Bob. In this paper, we propose two new unidirectional proxy re-encryption schemes, where a proxy can transform a ciphertext for Alice into a new ciphertext for Bob, but not vice versa. Note that unidirectional proxy re-encryption is more powerful than bidirectional, since a bidirectional scheme can always be implemented by a unidirectional one. Furthermore, these two schemes can be proved, in the standard model, chosen-ciphertext secure based on the Decisional Bilinear Inverse Diffie-Hellman assumption and master key secure based on the Extended Discrete Logarithm assumption. To the best of our knowledge, our proposals are the first fully secure (CCA-secure and master key secure) proxy re-encryption schemes in the standard model.
2007
EPRINT
Further Musings on the Wang et al. MD5 Collision: Improvements and Corrections on the Work of Hawkes, Paddon, and Rose
The recent successful attack on the widely used hash function, the MD5 Message Digest Algorithm, was a breakthrough in cryptanalysis. The original paper, published in 2004 by Wang et al., described this attack in an obscure and elliptical manner. Hawkes, Paddon, and Rose later presented the attack in more detail, but even their paper contained numerous unproven statements and several significant errors. In a seven-fold process, this paper will prove assertions made by Hawkes, Paddon, and Rose, provide original corrections and illustrations, and explicate their work to make it more accessible to the mathematically literate reader. First, this paper will augment their introductory material by adding original insight to compare their unorthodox description of MD5 to the more conventional notation of Ron Rivest. Second, it will provide original examples for the conditions that they present for the $T_t$. Third, it will elaborate on the description of the first block of the differential by asserting why and how the conditions on the $T_t$ are determined. Fourth, it will develop a step-by-step analysis of the description of the second block of the differential based only on the table that Hawkes, Paddon, and Rose provide. Fifth, it will supply original proofs for the assertions that they make about the conditions for the propagation of the differences through the $f_t$ functions for the first block. Sixth, it will give both the assertions and the proofs for the propagation of the differences through the $f_t$ functions for the second block. Finally, it will correct two significant errors in the work of Hawkes, Paddon, and Rose, demonstrating that the complexity of the attack is only about half of what they stated it to be and that their Case Two does not succeed in fulfilling the conditions required for the collision differential to hold.
2007
EPRINT
FURTHER PROPERTIES OF SEVERAL CLASSES OF BOOLEAN FUNCTIONS WITH OPTIMUM ALGEBRAIC IMMUNITY
Thanks to a method proposed by Carlet, several classes of balanced Boolean functions with optimum algebraic immunity are obtained. By choosing suitable parameters, for even $n\geq 8$, the balanced $n$-variable functions can have nonlinearity $2^{n-1}-{n-1\choose\frac{n}{2}-1}+2{n-2\choose\frac{n}{2}-2}/(n-2)$, and for odd $n$, the functions can have nonlinearity $2^{n-1}-{n-1\choose\frac{n-1}{2}}+\Delta(n)$, where the function $\Delta(n)$ is described in Theorem 4.4. The algebraic degree of some constructed functions is also discussed.
2007
EPRINT
Fuzzy Private Matching (Extended Abstract)
In the private matching problem, a client and a server each hold a set of $n$ input elements. The client wants to privately compute the intersection of these two sets: he learns which elements he has in common with the server (and nothing more), while the server gains no information at all. In certain applications it would be useful to have a private matching protocol that reports a match even if two elements are only similar instead of equal. Such a private matching protocol is called \emph{fuzzy}, and is useful, for instance, when elements may be inaccurate or corrupted by errors. We consider the fuzzy private matching problem, in a semi-honest environment. Elements are similar if they match on $t$ out of $T$ attributes. First we show that the original solution proposed by Freedman et al. is incorrect. Subsequently we present two fuzzy private matching protocols. The first, simple, protocol has bit message complexity $O(n \binom{T}{t} (T \log{|D|}+k))$. The second, improved, protocol has a much better bit message complexity of $O(n T (\log{|D|}+k))$, but here the client incurs a $O(n)$ factor time complexity. Additionally, we present protocols based on the computation of the Hamming distance and on oblivious transfer, that have different, sometimes more efficient, performance characteristics.
2007
EPRINT
Generalized Correlation and Higher Order Nonlinearity for Probabilistic Algebraic Attacks Description
Algebraic attacks are a relatively new and interesting subject in cryptanalysis. Algebraic attacks were introduced in [1], where several possible attack scenarios were given. Most attention was paid to the deterministic scenarios among those. In this paper, probabilistic scenarios are studied. The concepts of conditional correlation and partial higher order nonlinearity of a Boolean function are introduced (briefly, the definition of conditional correlation is $C(g,f|f = a) := \Pr (g = f|f = a) - \Pr (g \ne f|f = a)$). It is shown that both types of scenarios can be seen as one unified attack, the higher order correlation attack, which uses conditional correlation. Clear criteria for the vulnerability of a Boolean function to both types of scenarios are given. Accordingly, the notion of algebraic immunity is extended. There are functions that are very vulnerable to the probabilistic scenario. Calculations show that if a function with a very low partial higher order nonlinearity were used in a cipher like SFINKS [8], the simple attack would require only about $2^{42}$ operations and $32$ Kb of keystream. The question of the relation between partial higher order nonlinearity and algebraic immunity remains open.
2007
EPRINT
Generalized Key Delegation for Hierarchical Identity-Based Encryption
In this paper, we introduce a new primitive called identity-based encryption with wildcard key derivation (WKD-IBE, or "wicked IBE") that enhances the concept of hierarchical identity-based encryption (HIBE) by allowing more general key delegation patterns. A secret key is derived for a vector of identity strings, where entries can be left blank using a wildcard. This key can then be used to derive keys for any pattern that replaces wildcards with concrete identity strings. For example, one may want to allow the university's head system administrator to derive secret keys (and hence the ability to decrypt) for all departmental sysadmin email addresses sysadmin@*.univ.edu, where * is a wildcard that can be replaced with any string. We provide appropriate security notions and provably secure instantiations with different tradeoffs in terms of ciphertext size and efficiency. We also present a generic construction of identity-based broadcast encryption (IBBE) from any WKD-IBE scheme. One of our instantiations yields an IBBE scheme with constant ciphertext size.
2007
EPRINT
Generalized mix functions and orthogonal equitable rectangles
Ristenpart and Rogaway defined "mix" functions, which are used to mix inputs from two sets of equal size, and produce outputs from the same two sets, in an optimal way. These functions have a cryptographic application in the context of extending the domain of a block cipher. It was observed that mix functions could be constructed from orthogonal latin squares. In this paper, we give a simple, scalable construction for mix functions. We also consider a generalization of mix functions, in which the two sets need not be of equal size. These generalized mix functions turn out to be equivalent to an interesting type of combinatorial design which has not previously been studied. We term these "orthogonal equitable rectangles" and we construct them for all possible parameter situations, with a small number of exceptions and possible exceptions.
2007
EPRINT
Generalized Rotation Symmetric and Dihedral Symmetric Boolean Functions - 9 variable Boolean Functions with Nonlinearity 242
Recently, 9-variable Boolean functions having nonlinearity 241, which is strictly greater than the bent concatenation bound of 240, have been discovered in the class of Rotation Symmetric Boolean Functions (RSBFs) by Kavut, Maitra and Yucel. In this paper, we present several 9-variable Boolean functions having nonlinearity of 242, which we obtain by suitably generalizing the classes of RSBFs and Dihedral Symmetric Boolean Functions (DSBFs).
2007
EPRINT
Generators of Jacobians of Hyperelliptic Curves
This paper provides a probabilistic algorithm to determine generators of the m-torsion subgroup of the Jacobian of a hyperelliptic curve of genus two.
2007
EPRINT
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from $kn$ bits to $kn$ bits by using random functions from $n$ bits to $(k-1)n$ bits. At each round, all the bits except $n$ bits are changed by using a function that depends only on these $n$ bits. C. S. Jutla [Jut] investigated such schemes, which he denotes by $F^d_k$, where $d$ is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non-Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the results of C. S. Jutla. We also give precise formulas for the complexity of our attacks in terms of $d$, $k$ and $n$.
2007
EPRINT
Generic Certificateless Encryption in the Standard Model
Despite the large number of certificateless encryption schemes recently proposed, many of them have been found to be insecure under a practical attack called the malicious-but-passive KGC attack, since they all follow the same key generation procedure as the one proposed by Al-Riyami and Paterson in ASIACRYPT 2003. The only certificateless encryption scheme provably secure against this attack is due to Libert and Quisquater (PKC 2006). However, its security can only be shown in the random oracle model. In this paper, we first show that a scheme which has a different key generation procedure from that of Al-Riyami and Paterson also suffers from the malicious-but-passive KGC attack. Our attacking techniques are different from the previous attacks and may cause a greater extent of damage than the previous ones. We also propose a generic construction of certificateless encryption which can be proven secure against this attack in the standard model. This generic scheme is not only the first one proven secure in the standard model, but is also very efficient to instantiate. We also describe how to use short signatures and hybrid encryption to construct highly efficient instantiations of this generic scheme.
2007
EPRINT
Group Encryption
We present group encryption, a new cryptographic primitive which is the encryption analogue of a group signature. It possesses similar verifiability, security and privacy properties, but whereas a group signature is useful whenever we need to conceal the source (signer) within a group of legitimate users, a group encryption is useful whenever we need to conceal a recipient (decryptor) within a group of legitimate receivers. We introduce and model the new primitive and present sufficient as well as necessary conditions for its generic implementation. We then develop an efficient novel number-theoretic construction for group encryption of discrete logarithms whose complexity is independent of the group size. To achieve this we construct a new public-key encryption for discrete logarithms that satisfies CCA2-key-privacy and CCA2-security in the standard model. Applications of group encryption include settings where a user wishes to hide her preferred trusted third party or even impose a hidden hierarchy of trusted parties, or settings where verifiably well-formed ciphertexts are kept in an untrusted storage server that must be prevented both from learning the content of records and from analyzing the identities of their retrievers.
2007
EPRINT
Group Decryption
Anonymity is one of the main concerns in group-oriented cryptography. However, most efforts, for instance, group signatures and ring signatures, only provide anonymity from the sender's point of view. Little work has been done to ensure anonymity in a cryptographic sense from the recipient's point of view in group-oriented communications. In this paper, we formalize the notion of group decryption. It can be viewed as an analogue of group signatures in the context of public key encryption. In this notion, a sender can encrypt a committed message intended for any member of a group, managed by a group manager, while the recipient of the ciphertext remains anonymous. The sender can convince a verifier of this fact without leaking the plaintext or the identity of the recipient. If required, the group manager can verifiably open the identity of the recipient. We propose an efficient group decryption scheme that is proven secure in the random oracle model. The overhead in both computation and communication is independent of the group size. A full ciphertext is about 0.2K bytes in a typical implementation, and the scheme is practical for protecting the recipient identity in privacy-sensitive group-oriented communications.
2007
EPRINT
Group Password-Authenticated Key Exchange from Identity-Based Cryptosystem
Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of whom shares a password with an "honest but curious" server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and to no one else, including the server. Each client needs to remember passwords only, while the server keeps passwords in addition to private keys related to its identity. Towards our goal, we present the first compiler that transforms any group key exchange (KE) protocol secure against passive eavesdropping into a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry's scheme), and any identity-based signature (IBS) scheme (e.g., the Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as a group PAKE protocol is constructed by our compiler from a group KE protocol, an IBE scheme and an IBS scheme which are provably secure without random oracles, it can be proven to be secure without random oracles.
2007
EPRINT
Group-based Proxy Re-encryption scheme
Recently, proxy re-encryption schemes have received much attention. In this paper, we propose a proxy re-encryption scheme used to divert ciphertexts from one group to another. The scheme is bidirectional and any member can independently decrypt the ciphertexts encrypted to its group. We discuss the security of the proposed scheme and show that our scheme withstands chosen ciphertext attack in the standard model.
2007
EPRINT
Group-oriented encryption secure against collude attack
A group-oriented encryption scheme is presented in this paper. In this scheme, a sender is allowed to encrypt a message using the group public key and send the ciphertext to the group. Any user in the group can independently decrypt the ciphertext with his private key. The scheme is secure against adaptively chosen ciphertext attack and collude attack.
2007
EPRINT
Guarantees for Customers of Incentive Anonymizing Networks
We raise and propose solutions to the problem of guaranteeing that a user of incentive remailing services for anonymization cannot lose money if he does not get full service, i.e., if his message does not reach its destination. Applications such as voting over the Internet or reviewing of articles require anonymous delivery of messages. An anonymizing technique was proposed several decades ago by Chaum and is based on a group of volunteer agents called a mixnet. However, mixnets are not yet widely known and used today, and one often mentioned reason is the lack of incentives for volunteers. A recently proposed solution is based on adding digital coins to messages, such that each volunteer can extract only the digital coin designated as a payment for her. However, registered volunteers can sabotage the system by extracting and using their coins without performing their task, which consists of forwarding anonymized messages. The main improvement we propose is to guarantee that no money is lost by the user without his message reaching the destination. This is an essential property for a viable service. The solutions described are based on handshaking mechanisms where each volunteer gets her payment (or the key to decrypt the payment) from the agent to which she is expected to forward the message, or from the destination using a public board or a reply message. This ensures that a volunteer gets her financial support only if she fulfills her task. We discuss how techniques for non-repudiation of receipt of a message, together with reputation systems, can address the remaining problems.
2007
EPRINT
HAPADEP: Human Assisted Pure Audio Device Pairing
The number and diversity of electronic gadgets has been steadily increasing and they are becoming indispensable to more and more professionals and non-professionals alike. At the same time, there has been fairly little progress in secure pairing of such devices. The pairing challenge revolves around establishing on-the-fly secure communication, without any trusted (on- or off-line) third parties, between devices that have no prior association. The main security issue is the danger of so-called Man-in-the-Middle (MiTM) attacks, whereby an adversary impersonates one of the devices by inserting itself into the pairing protocol. One basic approach to countering these MiTM attacks is to involve the user in the pairing process. Therein lies the usability challenge, since it is natural to minimize user burden. Previous research yielded some interesting secure pairing techniques, some of which ask too much of the human user, while others assume the availability of specialized equipment (e.g., wires, photo or video cameras) on devices. Furthermore, all prior methods assumed the existence of a common digital (human-imperceptible) communication medium, such as Infrared, 802.11 or Bluetooth. In this paper we introduce a very simple technique called HAPADEP (Human-Assisted Pure Audio Device Pairing). It places very little burden on the human user and requires no common means of electronic communication. Instead, HAPADEP uses the audio channel to exchange both data and verification information among devices. It makes secure pairing possible even if devices are equipped only with a microphone and a speaker. Despite its simplicity, a number of interesting issues arise in the design of HAPADEP. We discuss design and implementation highlights as well as usability features and limitations.
2007
EPRINT
Hash Function Design Principles Supporting Variable Output Lengths from One Small Function
In this paper, we introduce new hash function design principles with variable output lengths (multiple of $n$). It is based on a function or a block cipher which has output size $n$. In the random oracle model it has optimal collision resistance which requires $\Theta(2^{(t+1)n/2})$ queries to find $(t+1)n$-bit hash output collisions, where $t$ is any positive integer. Similarly, in the ideal cipher model, $\Theta(2^{(t+1)n/2})$ queries are required to find $(t+1)n$-bit hash output collisions.
2007
EPRINT
Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms
In the dedicated-key setting, one starts with a compression function f:{0,1}^k x {0,1}^{n+d} -> {0,1}^n and builds a family of hash functions H^f:K x M -> {0,1}^n indexed by a key space K. This is different from the more traditional design approach used to build hash functions such as MD5 or SHA-1, in which compression functions and hash functions do not have dedicated key inputs. We explore the benefits and drawbacks of building hash functions in the dedicated-key setting (as compared to the more traditional approach), highlighting several unique features of the former. Should one choose to build hash functions in the dedicated-key setting, we suggest utilizing multi-property-preserving (MPP) domain extension transforms. We analyze seven existing dedicated-key transforms with regard to the MPP goal and propose two simple new MPP transforms.
2007
EPRINT
HCH: A New Tweakable Enciphering Scheme Using the Hash-Counter-Hash Approach
The notion of tweakable block ciphers was formally introduced by Liskov-Rivest-Wagner at Crypto 2002. The extension and the first construction, called CMC, of this notion to tweakable enciphering schemes which can handle variable length messages was given by Halevi-Rogaway at Crypto 2003. In this paper, we present {\hch}, which is a new construction of such a scheme. The construction uses two universal hash computations with a counter mode of encryption in-between. This approach was first proposed by McGrew-Viega to build a scheme called XCB and later used by Wang-Feng-Wu, to obtain a scheme called HCTR. Among the hash-Ctr-hash type constructions, an important advantage of {\hch} compared to the others is that {\hch} has a quadratic security bound; XCB does not provide any security bound while HCTR has a cubic security bound. A unique feature of {\hch} compared to all known tweakable enciphering schemes is that {\hch} uses a single key, can handle arbitrary length messages and has a quadratic security bound. An important application of a tweakable enciphering scheme is disk encryption. {\hch} is well suited for this application. We also describe a variant, which can utilize pre-computation and makes one less block cipher call. This compares favourably to other hash-encrypt-hash type constructions; supports better key agility and requires less key material.
2007
EPRINT
Hidden Identity-Based Signatures
This paper introduces Hidden Identity-based Signatures (Hidden-IBS), a type of digital signatures that provide mediated signer-anonymity on top of Shamir's Identity-based signatures. The motivation of our new signature primitive is to resolve an important issue with the kind of anonymity offered by ``group signatures'' where it is required that either the group membership list is {\em public} or that the opening authority is {\em dependent} on the group manager for its operation. Contrary to this, Hidden-IBS do not require the maintenance of a group membership list and they enable an opening authority that is totally independent of the group manager. As we argue this makes Hidden-IBS much more attractive than group signatures for a number of applications. In this paper, we provide a formal model of Hidden-IBS as well as two efficient constructions that realize the new primitive. Our elliptic curve construction that is based on the SDH/DLDH assumptions produces signatures that are merely half a Kbyte long and can be implemented very efficiently. To demonstrate the power of the new primitive, we apply it to solve a problem of current onion-routing systems focusing on the Tor system in particular. Posting through Tor is currently blocked by sites such as Wikipedia due to the real concern that anonymous channels can be used to vandalize online content. By injecting a Hidden-IBS inside the header of an HTTP POST request and requiring the exit-policy of Tor to forward only properly signed POST requests, we demonstrate how sites like Wikipedia may allow anonymous posting while being ensured that the recovery of (say) the IP address of a vandal would be still possible through a dispute resolution system. Using our new Hidden-IBS primitive in this scenario allows to keep the listing of identities (e.g., IP addresses) of Tor users computationally hidden while maintaining an independent Opening Authority which would not have been possible with previous approaches.
2007
EPRINT
High Efficiency Feedback Shift Register: $\sigma$-LFSR
We introduce a new kind of word-oriented linear feedback shift register called $\sigma$-LFSR, which is constructed with the instructions of modern processors and has a fast software implementation. We offer an algorithm to search for good primitive $\sigma$-LFSRs. In particular, we give two examples, HHZ-1 and HHZ-2, and compare their efficiency and security with those of the LFSRs appearing in stream ciphers such as SNOW, SOBER and Turing. Our results show that replacing the LFSRs in SNOW, SOBER and Turing with HHZ-1 will improve security and the efficiency of fast software implementation.
2007
EPRINT
High Integrity Elections
This paper describes in detail a voting scheme which allows voters to be sure that whatever they see in the booth will be included correctly in the outcome. It presents a rigorous and understandable model of requirements for election systems, states formally the properties of the system, and proves them. As a step towards understanding the full 2D voting system, it also presents a simpler 1D system.
2007
EPRINT
How to Derive Lower Bound on Oblivious Transfer Reduction
Suppose that we are given an ideal oblivious transfer protocol (OT). We wish to construct a larger OT by using the above OT as a blackbox. Then how many instances of the given ideal OT should be invoked? For this problem, some lower bounds were derived using entropy. In this paper, we show tighter lower bounds by using combinatorial techniques. Roughly speaking, our lower bounds are two times larger than the previous bounds.
2007
EPRINT
How to Enrich the Message Space of a Cipher
Given (deterministic) ciphers $\calE$ and~$E$ that can encipher messages of $\el$ and $n$ bits, respectively, we construct a cipher~$\calE^*=XLS[\calE,E]$ that can encipher messages of $\el+s$ bits for any $s<n$. Enciphering such a string will take one call to~$\calE$ and two calls to~$E$. We prove that~$\calE^*$ is a strong pseudorandom permutation as long as~$\calE$ and~$E$ are. Our construction works even in the tweakable and VIL (variable-input-length) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provable-security result.
2007
EPRINT
How To Find Many Collisions of 3-Pass HAVAL
The hash function HAVAL is an Australian extension of well known Merkle-Damg\r{a}rd hash functions such as MD4 and MD5. It has three variants, $3$-, $4$- and $5$-pass HAVAL. On $3$-pass HAVAL, the best known attack finds a collision pair with $2^{7}$ computations of the compression function. To find $k$ collision pairs, it requires $2^{7}k$ computations. In this paper, we present a better collision attack on $3$-pass HAVAL, which can find $k$ collision pairs with only $2k+33$ computations. Further, our message differential is different from the previous ones. (It is important to find collisions for different message differentials.)
2007
EPRINT
How to Model Bounded Computation in Long-Lived Systems
In most interesting cases, the security of cryptographic protocols relies on the assumption that adversarial entities have limited computational power, and it is generally accepted that security degrades progressively over time. However, some cryptographic services (e.g., time-stamping services or digital archives) are long-lived in nature; that is, their lifetime need not be bounded by a polynomial. In such cases, it is impossible to guarantee security in the traditional sense: even information theoretically secure protocols can fail if the attacker is given sufficient run time. This work proposes a new paradigm for long-lived computation, where computational restrictions are stated in terms of space and processing rates. In this setting, entities may live for an unbounded amount of real time, subject to the condition that only a polynomial amount of work can be done per unit real time. Moreover, the space used by these entities is allocated dynamically and must be polynomially bounded. We propose a key notion of approximate implementation, which is an adaptation of computational indistinguishability to the long-lived setting. We show that approximate implementation is preserved under polynomial parallel composition, and under exponential sequential composition. This provides core foundations for an exciting new area, namely, the analysis of long-lived cryptographic systems.
2007
EPRINT
Idempotents in the Neighbourhood of Patterson-Wiedemann Functions having Walsh Spectra Zeros
In this paper we study the neighbourhood of $15$-variable Patterson-Wiedemann (PW) functions, i.e., the functions that differ by a small Hamming distance from the PW functions in terms of truth table representation. We exploit the idempotent structure of the PW functions and interpret them as Rotation Symmetric Boolean Functions (RSBFs). We present techniques to modify these RSBFs to introduce zeros in the Walsh spectra of the modified functions with minimum reduction in nonlinearity. Our technique demonstrates 15-variable balanced and $1$-resilient functions with currently best known nonlinearities 16272 and 16264 respectively. In the process, we find functions for which the autocorrelation spectra and algebraic immunity parameters are the best known to date.
2007
EPRINT
Identifying Ideal Lattices
Micciancio defined a generalization of cyclic lattices, called ideal lattices. These lattices can be used in cryptosystems to decrease the number of parameters necessary to describe a lattice by a square root, making them more efficient. He proves that the computational intractability of classic lattice problems for these lattices gives rise to provably secure one-way and collision-resistant hash functions. This provable security relies on the assumption that reducing bases of ideal lattices is similar to reducing bases of random lattices. We give an indication that lattice problems in ideal lattices do not represent the general case by providing a distinguisher, which decides in time $O(n^4)$ whether a given basis of rank $n$ spans an ideal lattice or not. Using this algorithm we perform a statistical analysis for several dimensions and show that randomly generated lattices are practically never ideal.
2007
EPRINT
Identity-Based Broadcast Encryption
Broadcast encryption schemes enable senders to efficiently broadcast ciphertexts to a large set of receivers in a way that only non-revoked receivers can decrypt them. Identity-based encryption schemes are public key encryption schemes that can use arbitrary strings as public keys. We propose the first public key broadcast encryption scheme that can use any string as a public key of each receiver, that is, an identity-based broadcast encryption scheme. Our scheme has many desirable properties. The scheme is fully collusion resistant, and the size of ciphertexts and that of private keys are small constants. The size of the public key is proportional to only the maximum number of receiver sets to each of which the ciphertext is sent. Note that its size remains so even though the number of potential receivers is super-polynomial. Besides these properties, achieving the first practical identity-based broadcast encryption scheme is itself the most interesting point of this paper. The security of our scheme is proved in the generic bilinear group model.
2007
EPRINT
Identity-Committable Signatures and Their Extension to Group-Oriented Ring Signatures
The identity of "Deep Throat", a pseudonym of the information source in the Watergate scandal, remained mysterious for more than three decades. In 2005, an ex-FBI official claimed that he was the anonymous source. Nevertheless, some are still unconvinced. In this paper, we introduce a new notion of identity-committable signatures (ICS) to ensure the anonymity of "Deep Throat" inside a group. A member of an organization can sign a message on behalf of himself (regular signature) or the organization (identity-committed signature). In the latter case, the signer's identity is hidden from anyone, and can be opened by himself only. We describe the requirements of ICS and give the formal definition of it. Then we extend the notion of ICS to group-oriented ring signatures (GRS) which further allow the signer to hide his identity behind multiple groups. We believe a GRS scheme is more efficient and practical than a ring signature scheme for leaking secrets. Finally, we provide concrete constructions of ICS and GRS with information-theoretic anonymity, that is, the identity of the signer is fully protected.
2007
EPRINT
Implementing Cryptographic Pairings over Barreto-Naehrig Curves
In this paper we describe an efficient implementation of the Tate and Ate pairings using Barreto-Naehrig pairing-friendly curves, on both a standard 32-bit PC and on a 32-bit smartcard. First we introduce a sub-family of such curves with a particularly simple representation. Next we consider the issues that arise in the efficient implementation of field arithmetic in $\F_{p^{12}}$, which is crucial to good performance. Various optimisations are suggested, including a novel approach to the `final exponentiation', which is faster and requires less memory than the methods previously recommended.
2007
EPRINT
Implementing Cryptographic Pairings over Curves of Embedding Degrees 8 and 10
In this paper, we will describe efficient implementations of the Tate and Ate pairings over ordinary elliptic curves of embedding degrees 8 and 10. We will discuss the possible curve-dependent optimizations that can be applied to evaluate the pairings. We pay particular attention to the use of elliptic curve twists and the denominator elimination method to make computations more efficient. Our main goal is to draw together the best possible optimizations that can be used to efficiently evaluate the Tate and the Ate pairings in both curves and to give timings and appropriate interpretation on the rate of change on the running time of our programs for both curves. To come up with an adequate conclusion, we will compare the performance of the curves we chose to an already experimented curve of embedding degree 12.
2007
EPRINT
Improved Impossible Differential Cryptanalysis of CLEFIA
This paper presents an improved impossible differential attack on the new block cipher CLEFIA which is proposed by Sony Corporation at FSE 2007. Combining some observations with new tricks, we can filter out the wrong keys more efficiently, and improve the impossible differential attack on 11-round CLEFIA-192/256, which also firstly works for CLEFIA-128. The complexity is about $2^{98.1}$ encryptions and $2^{103.1}$ chosen plaintexts. By putting more constraint conditions on plaintext pairs, we give the first attack on 12-round CLEFIA for all three key lengths with $2^{114.3}$ encryptions and $2^{119.3}$ chosen plaintexts. For CLEFIA-192/256, our attack is applicable to 13-round variant, of which the time complexity is about $2^{181}$, and the data complexity is $2^{120}$. We also extend our attack to 14-round CLEFIA-256, with about $2^{245.4}$ encryptions and $2^{120.4}$ chosen plaintexts. Moreover, a birthday sieve method is introduced to decrease the complexity of the core precomputation.
2007
EPRINT
Improved security analysis of OMAC
We present an improved security analysis of OMAC, a construction widely used as a candidate MAC or Pseudo Random Function (PRF). In this direction, the first result was given at Crypto-05, where an improved security analysis of CBC (for fixed-length or for arbitrary-length prefix-free messages) was provided. Following this work, improved bounds for XCBC, TMAC and PMAC were found. The improved bounds are of the form $\mathrm{O}(\frac{Lq^2}{2^n})$ where the original bounds are $\mathrm{O}(\frac{\sigma^2}{2^n})$ which is roughly $\mathrm{O}(\frac{L^2q^2}{2^n})$. Here, a distinguisher can make at most $q$ queries having at most $\sigma$ many blocks with $L$ as the maximum block size. The original bound for OMAC was roughly $\frac{5L^2q^2}{2^n}$ shown in FSE-03 and the next improved bound was $\frac{4\sigma^2}{2^n}$ shown in Indocrypt-03. In this paper we provide an improved bound (of a similar form to those provided for the others) for OMAC, and the bound we show is roughly $\frac{4q\sigma}{2^n} = \mathrm{O}(\frac{Lq^2}{2^n})$.
2007
EPRINT
Improved Security Analysis of PMAC
In this paper we provide a simple, concrete and improved security analysis of {\bf PMAC}, a Parallelizable Message Authentication Code. We show that the advantage of any distinguisher for {\bf PMAC} based on a random permutation is at most $\mathbf{\frac{5q\sigma - 3.5 q^2}{2^n}}$, where $\sigma$ is the total number of message blocks in all $q$ queries made by the distinguisher. In the original paper by Black and Rogaway in Eurocrypt-2002, the bound was $\frac{(\sigma+1)^2}{2^{n-1}}$. Very recently, Minematsu and Matsushima in FSE-2007 have provided a bound $\frac{10\ell q^2}{2^n}$ where $\ell$ is the maximum block length of all messages queried by the distinguisher. Our new bound is better than both the original and the recently proposed bound and guarantees much more security for PMAC. We also provide a complete, independent and simple combinatorial proof. This proof idea may help us to find a similar result for other MAC algorithms.
2007
EPRINT
Improvement on a Digital Signature Scheme without using One-way Hash and Message Redundancy
Digital signature schemes based on public-key cryptosystems generally permit existential forgery, unless the schemes are equipped with some message formatting mechanism, such as using hash functions or padding redundancies. In 2004, Chang et al. proposed a new digital signature scheme, and claimed the scheme, without using any hash function or padding any redundancy, can resist forgery attacks. However, many attacks on Chang et al.'s scheme were presented. Kang et al. also gave an effective improvement to resist these forgery attacks. In this letter, we give a further improvement to shorten the signature. Our improvement keeps the security of Kang et al.'s scheme and makes it more efficient in computation and communication.
2007
EPRINT
Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity
The recent algebraic attacks have received a lot of attention in cryptographic literature. The algebraic immunity of a Boolean function quantifies its resistance to the standard algebraic attacks of the pseudo-random generators using it as a nonlinear filtering or combining function. Very few results have been found concerning its relation with the other cryptographic parameters or with the $r$-th order nonlinearity. As recalled by Carlet at Crypto'06, many papers have illustrated the importance of the $r$th-order nonlinearity profile (which includes the first-order nonlinearity). The role of this parameter relatively to the currently known attacks has been also shown for block ciphers. Recently, two lower bounds involving the algebraic immunity on the $r$th-order nonlinearity have been shown by Carlet et \emph{al}. None of them improves upon the other one in all situations. In this paper, we prove a new lower bound on the $r$th-order nonlinearity profile of Boolean functions, given their algebraic immunity, that improves significantly upon one of these lower bounds for all orders and upon the other one for low orders.
2007
EPRINT
Improving the Round Complexity of 'Round-Optimal' VSS
We revisit the following question: what is the optimal round complexity of verifiable secret sharing~(VSS)? We focus here on the case of perfectly-secure VSS where the number of corrupted parties $t$ satisfies $t < n/3$, with $n$ being the total number of parties. Work of Gennaro et al. (STOC~2001) and Fitzi et al. (TCC~2006) shows that, assuming a broadcast channel, 3~rounds are necessary and sufficient for efficient VSS. The efficient 3-round protocol of Fitzi et al., however, treats the broadcast channel as being available ``for free'' and does not attempt to minimize its usage. As argued previously by the authors, this approach leads to poor round complexity when protocols are compiled for a point-to-point network. We show here a VSS protocol that is simultaneously optimal in terms of both the number of rounds and the number of invocations of broadcast. Our protocol also has a certain ``2-level sharing'' property that makes it useful for constructing protocols for general secure computation.
2007
EPRINT
Improving Upon the TET Mode of Operation
Naor and Reingold had proposed the construction of a strong pseudo-random permutation (SPRP) by using a layer of ECB encryption between two layers of invertible block-wise universal hash functions. At Crypto 2007, Halevi presented constructions of invertible block-wise universal hash functions and a new mode of operation (called TET) based on them. In this paper, we present a new mode of operation called {\heh} using the Naor-Reingold approach. This is built using a new construction of invertible block-wise universal hash function. The new construction improves over Halevi's construction by removing restrictions on the hashing key. This in turn, leads to {\heh} improving over TET by allowing more efficient encryption and decryption of variable length messages as well as supporting better key agility. For the important application of disk encryption, we present a variant called {\hehfp} which has better key agility than TET.
2007
EPRINT
Incorporating Temporal Capabilities in Existing Key Management Schemes
The problem of key management in access hierarchies is how to assign keys to users and classes such that each user, after receiving her secret key(s), is able to {\em independently} compute access keys for (and thus obtain access to) the resources at her class and all descendant classes in the hierarchy. If user privileges additionally are time-based (which is likely to be the case for all of the applications listed above), the key(s) a user receives should permit access to the resources only at the appropriate times. This paper presents a new, provably secure, and efficient solution that can be used to add time-based capabilities to existing hierarchical schemes. It achieves the following performance bounds: (i) to be able to obtain access to an arbitrary contiguous set of time intervals, a user is required to store at most 3 keys; (ii) the keys for a user can be computed by the system in constant time; (iii) key derivation by the user within the authorized time intervals involves a small constant number of inexpensive cryptographic operations; and (iv) if the total number of time intervals in the system is $n$, then the increase of the public storage space at the server due to our solution is only by a small asymptotic factor, e.g., $O(\log^* n \log\log n)$ with a small constant.
2007
EPRINT
Inductive Proof Method for Computational Secrecy
We investigate inductive methods for proving secrecy properties of network protocols, in a ``computational'' setting applying a probabilistic polynomial-time adversary. As in cryptographic studies, our secrecy properties assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Our method for establishing secrecy properties uses inductive proofs of computational trace-based properties, and axioms and inference rules for relating trace-based properties to non-trace-based properties. We illustrate the method, which is formalized in a logical setting that does not require explicit reasoning about computational complexity, probability, or the possible actions of the attacker, by giving a modular proof of computational authentication and secrecy properties of the Kerberos V5 protocol.
2007
EPRINT
Inferring sequences produced by a linear congruential generator on elliptic curves missing high--order bits
Let $p$ be a prime and let $E(\F_p)$ be an elliptic curve defined over the finite field $\F_p$ of $p$ elements. For a given point $G \in E(\F_p)$ the linear congruential generator on elliptic curves (EC-LCG) is a sequence $(U_n)$ of pseudorandom numbers defined by the relation $$ U_n=U_{n-1}\oplus G=nG\oplus U_0,\quad n=1,2,\ldots,$$ where $\oplus$ denotes the group operation in $E(\F_p)$ and $U_0 \in E(\F_p)$ is the initial value or seed. We show that if $G$ and sufficiently many of the most significant bits of two consecutive values $U_n, U_{n+1}$ of the EC-LCG are given, one can recover the seed $U_0$ (even in the case where the elliptic curve is private) provided that the former value $U_n$ does not lie in a certain small subset of exceptional values. We also estimate limits of a heuristic approach for the case where $G$ is also unknown. This suggests that for cryptographic applications EC-LCG should be used with great care. Our results are somewhat similar to those known for the linear and non-linear pseudorandom number congruential generators.
2007
EPRINT
Interactive and Noninteractive Zero Knowledge are Equivalent in the Help Model
We show that interactive and noninteractive zero-knowledge are equivalent in the `help model' of Ben-Or and Gutfreund ({\em J. Cryptology}, 2003). In this model, the shared reference string is generated by a probabilistic polynomial-time dealer who is given access to the statement to be proven. Our results do not rely on any unproven complexity assumptions and hold for statistical zero knowledge, for computational zero knowledge restricted to AM, and for quantum zero knowledge when the help is a pure quantum state.
2007
EPRINT
Interactive and Noninteractive Zero Knowledge Coincide in the Help Model
We show that a problem in $\AM$ has an interactive zero-knowledge proof system {\em if and only if} it has a noninteractive zero knowledge proof system in the `help model' of Ben-Or and Gutfreund ({\em J. Cryptology}, 2003). In this model, the shared reference string is generated by a probabilistic polynomial-time dealer who is given access to the statement to be proven. Our result holds for both computational zero knowledge and statistical zero knowledge, and does not rely on any unproven complexity assumptions. We also show that help does not add power to interactive computational zero-knowledge proofs, paralleling a result of Ben-Or and Gutfreund for the case of statistical zero knowledge.
2007
EPRINT
Interactive two-channel message authentication based on interactive-collision Resistant hash functions
We propose an interactive message authentication protocol (IMAP) using two channels: an insecure broadband channel and an authenticated narrow-band channel. We consider the problem in the context of ad hoc networks, where it is assumed that there is neither a secret key shared between the two parties, nor a public-key infrastructure in place. The security of our IMAP is based on the existence of Interactive-Collision Resistant (ICR) hash functions, a new notion of hash function security. Our IMAP is based on the computational assumption that ICR hash functions exist. It performs better than message authentication protocols that are based on computational assumptions. That is, while achieving the same level of security, the amount of information sent over the authenticated channel in our IMAP is smaller than in the most secure IMAP and Non-interactive Message Authentication Protocol (NIMAP) in the literature. In other words, if we send the same amount of information over the authenticated channel, we can allow much stronger adversaries compared to the existing protocols in the literature. Moreover, our IMAP benefits from a simple structure and works under fewer security assumptions compared to other IMAPs in the literature. The efficient and easy-to-use structure of our IMAP makes it very practical in real world ad hoc network scenarios.
2007
EPRINT
Intrusion-Resilient Secret Sharing
We introduce a new primitive called Intrusion-Resilient Secret Sharing (IRSS), whose security proof exploits the fact that there exist functions which can be efficiently computed interactively using low communication complexity in k, but not in k - 1 rounds. IRSS is a means of sharing a secret message amongst a set of players which comes with a very strong security guarantee. The shares in an IRSS are made artificially large so that it is hard to retrieve them completely, and the reconstruction procedure is interactive, requiring the players to exchange k short messages. The adversaries considered can attack the scheme in rounds, where in each round the adversary chooses some player to corrupt and some function, and retrieves the output of that function applied to the share of the corrupted player. This model captures for example computers connected to a network which can occasionally be infected by malicious software like viruses, which can compute any function on the infected machine, but cannot send out a huge amount of data. Using methods from the Bounded-Retrieval Model, we construct an IRSS scheme which is secure against any computationally unbounded adversary as long as the total amount of information retrieved by the adversary is somewhat less than the length of the shares, and the adversary makes at most k - 1 corruption rounds (as described above, where k rounds are necessary for reconstruction). We extend our basic scheme in several ways in order to allow the shares sent by the dealer to be short (the players then blow them up locally) and to handle even stronger adversaries who can learn some of the shares completely. As mentioned, there is an obvious connection between IRSS schemes and the fact that there exist functions with an exponential gap in their communication complexity for k and k - 1 rounds. Our scheme implies such a separation which is in several aspects stronger than the previously known ones.
2007
EPRINT
Inverted Edwards coordinates
Edwards curves have attracted great interest for several reasons. When curve parameters are chosen properly, the addition formulas use only $10M+1S$. The formulas are {\it strongly unified}, i.e., work without change for doublings; even better, they are {\it complete}, i.e., work without change for all inputs. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. This paper introduces {\it inverted Edwards coordinates}. Inverted Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(Z_1/X_1,Z_1/Y_1)$ on an Edwards curve; for comparison, standard Edwards coordinates $(X_1:Y_1:Z_1)$ represent the affine point $(X_1/Z_1,Y_1/Z_1)$. This paper presents addition formulas for inverted Edwards coordinates using only $9M+1S$. The formulas are not complete but still are strongly unified. Dedicated doubling formulas use only $3M+4S$, and dedicated tripling formulas use only $9M+4S$. Inverted Edwards coordinates thus save $1M$ for each addition, without slowing down doubling or tripling.
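An added worked example, not code from either paper, serving this abstract and the EC-LCG abstract above ("Inferring sequences produced by a linear congruential generator on elliptic curves ..."). It implements the Edwards addition law in affine form and in inverted coordinates $(X_1:Y_1:Z_1) \mapsto (Z_1/X_1, Z_1/Y_1)$ over a small prime field, cross-checks the two, and shows the incompleteness the abstract mentions: points with a zero coordinate have no inverted representation, so the formula returns $Z_3 = 0$ exactly when the affine sum has one. It then runs the EC-LCG recurrence $U_n = U_{n-1} \oplus G = nG \oplus U_0$ on the same group and recovers the seed (and $G$) from two consecutive untruncated outputs, the trivial baseline beneath the paper's most-significant-bits result. The prime $p = 1019$, the coefficient $d = 2$, and the inverted-coordinate formula itself (derived here from the affine law and verified against it in code, not quoted from the paper) are this example's own assumptions.

```python
# Added example (not from the paper): Edwards arithmetic in affine and inverted
# coordinates, cross-checked, plus the EC-LCG recurrence on the same group.
# Prime, curve coefficient and points are constructed for illustration only.
import random

P = 1019   # prime with P = 3 (mod 4), so square roots cost one exponentiation
D = 2      # curve x^2 + y^2 = 1 + D*x^2*y^2; D must be a non-square mod P
assert pow(D, (P - 1) // 2, P) == P - 1, "D must be a non-square for a complete affine law"

def inv(a):
    return pow(a, P - 2, P)

def on_curve(pt):
    x, y = pt
    return (x*x + y*y - 1 - D*x*x*y*y) % P == 0

def affine_add(p1, p2):
    """Edwards addition law; complete (no exceptional inputs) since D is a non-square."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1*y2 + y1*x2) * inv(1 + t) % P, (y1*y2 - x1*x2) * inv(1 - t) % P)

def affine_neg(pt):
    return ((-pt[0]) % P, pt[1])          # -(x, y) = (-x, y) on an Edwards curve

def affine_mul(n, pt):
    acc = (0, 1)                          # neutral element
    for bit in bin(n)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, pt)
    return acc

def to_inverted(pt):
    """(x, y) -> (X:Y:Z) with x = Z/X, y = Z/Y; needs x*y != 0."""
    x, y = pt
    if x == 0 or y == 0:
        raise ValueError("no inverted representation for points with x*y == 0")
    return (inv(x), inv(y), 1)

def from_inverted(pt):
    X, Y, Z = pt
    return (Z * inv(X) % P, Z * inv(Y) % P)

def inverted_add(p1, p2):
    """Addition in inverted coordinates: 9 multiplications, 1 squaring, 1 multiply
    by the constant D. Formula is this example's own (derived from affine_add and
    checked by compare_laws). Strongly unified: p1 == p2 performs a doubling."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    a = Z1 * Z2 % P
    b = D * a * a % P                     # the single squaring
    c = X1 * X2 % P
    d = Y1 * Y2 % P
    e = c * d % P
    h = (c - d) % P
    i = ((X1 + Y1) * (X2 + Y2) - c - d) % P   # equals X1*Y2 + X2*Y1
    return ((e + b) * h % P, (e - b) * i % P, a * h * i % P)

def compare_laws(p1, p2):
    """True if inverted_add agrees with affine_add on (p1, p2). When the affine sum
    has a zero coordinate the inverted result must instead have Z == 0: the formula
    is not complete, as the abstract states."""
    s = affine_add(p1, p2)
    X, Y, Z = inverted_add(to_inverted(p1), to_inverted(p2))
    if s[0] * s[1] % P == 0:
        return Z == 0
    return Z != 0 and from_inverted((X, Y, Z)) == s

def curve_points(count):
    """First `count` affine points with x*y != 0, found by solving for y."""
    pts = []
    for x in range(1, P):
        rhs = (1 - x*x) * inv(1 - D*x*x) % P
        if rhs and pow(rhs, (P - 1) // 2, P) == 1:
            pts.append((x, pow(rhs, (P + 1) // 4, P)))
            if len(pts) == count:
                break
    return pts

def check_random_pairs(trials, seed=1):
    rng = random.Random(seed)
    pts = curve_points(40)
    return (all(compare_laws(rng.choice(pts), rng.choice(pts)) for _ in range(trials))
            and all(compare_laws(p, p) for p in pts))   # doublings via the same formula

def ec_lcg(u0, g, n):
    """Outputs U_1 .. U_n of the EC-LCG with seed U_0 and increment G."""
    out, u = [], u0
    for _ in range(n):
        u = affine_add(u, g)
        out.append(u)
    return out

def recover_seed(n, u_n, u_next):
    """Baseline when two consecutive outputs are known in full: G = U_{n+1} (-) U_n,
    then U_0 = U_n (-) nG. The paper treats the harder case of truncated outputs."""
    g = affine_add(u_next, affine_neg(u_n))
    return affine_add(u_n, affine_neg(affine_mul(n, g))), g
```

`check_random_pairs` exercises both the generic additions and the doublings through the one unified formula; the `Z == 0` branch in `compare_laws` is where the incompleteness shows up, and a real implementation would have to detect it and fall back to another representation. `recover_seed` is the reason the abstract warns against EC-LCG in cryptographic use: with untruncated outputs the seed falls out in two group operations and one scalar multiplication, and the paper shows that hiding the low-order bits does not rescue it.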
2007
EPRINT
Invertible Universal Hashing and the TET Encryption Mode
This work describes a mode of operation, TET, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. When using an n-bit block cipher, the resulting scheme can handle input of any bit-length between n and 2^n and associated data of arbitrary length. The mode TET is a concrete instantiation of the generic mode of operation that was proposed by Naor and Reingold, extended to handle tweaks and inputs of arbitrary bit length. The main technical tool is a construction of invertible ``universal hashing'' on wide blocks, which is as efficient to compute and invert as polynomial-evaluation hash.
2007
EPRINT
Irreducibility to the One-More Evaluation Problems: More May Be Less
For a random-self-reducible function, the evaluation problem is irreducible to the one-more evaluation problem, in the following sense. An irreduction algorithm exists that, given a reduction algorithm from the evaluation to the one-more evaluation problem, solves a separator problem: the evaluation problem itself. Another irreduction shows that if the computational Diffie-Hellman problem is reduced to the gap Diffie-Hellman problem, then the decision Diffie-Hellman problem is easy. Irreductions are primarily of theoretical interest, because they do not actually prove inequivalence between problems. What these irreductions suggest, though, is that one-more variants of the RSA and discrete logarithm problems may be easier than the standard variants, and that the gap Diffie-Hellman problem may be easier than the standard Diffie-Hellman problem.
2007
EPRINT
Isodual Reduction of Lattices
We define a new notion of a reduced lattice, based on a quantity introduced in the LLL paper. We show that lattices reduced in this sense are simultaneously reduced in both their primal and dual. We show that the definition applies naturally to blocks, and therefore gives a new hierarchy of polynomial time algorithms for lattice reduction with fixed blocksize. We compare this hierarchy of algorithms to previous ones. We then explore algorithms to provably minimize the associated measure, and also some more efficient heuristics. Finally we comment on the initial investigations of applying our technique to the NTRU family of lattices.
2007
EPRINT
Isogenies and the Discrete Logarithm Problem on Jacobians of Genus 3 Hyperelliptic Curves
We describe the use of explicit isogenies to reduce Discrete Logarithm Problems (DLPs) on Jacobians of hyperelliptic genus~$3$ curves to Jacobians of non-hyperelliptic genus~$3$ curves, which are vulnerable to faster index calculus attacks. We provide algorithms which compute an isogeny with kernel isomorphic to $(\mathbb{Z}/2\mathbb{Z})^3$ for any hyperelliptic genus~$3$ curve. These algorithms provide a rational isogeny for a positive fraction of all hyperelliptic genus~$3$ curves defined over a finite field of characteristic $p > 3$. Subject to reasonable assumptions, our algorithms provide an explicit and efficient reduction from hyperelliptic DLPs to non-hyperelliptic DLPs for around $18.57\%$ of all hyperelliptic genus~$3$ curves over a given finite field.
2007
EPRINT
Isolated Proofs of Knowledge and Isolated Zero Knowledge
We introduce a new notion called $\ell$-isolated proofs of knowledge ($\ell$-IPoK). These are proofs of knowledge where a cheating prover is allowed to exchange up to $\ell$ bits of communication with some external adversarial environment during the run of the proof. Without any additional setup assumptions, no witness hiding protocol can be an $\ell$-IPoK for \emph{unbounded} values of $\ell$. However, for any \emph{pre-defined} threshold $\ell$ and any relation in NP, we construct an $\ell$-IPoK protocol for that relation. The resulting protocols are zero knowledge (ZK) in the standard sense, i.e., w.r.t. a verifier that communicates only with the prover during the proof. The cost of having a large threshold $\ell$ is a large communication complexity of the constructed protocol. We analyze these costs and present a solution that is asymptotically optimal. If a cheating verifier is allowed to communicate arbitrarily with an external environment, it is not possible to construct an $\ell$-IPoK that is also ZK with respect to such a verifier. As another new notion, we define $\ell$-isolated zero knowledge ($\ell$-IZK) where the verifier is $\ell$-isolated. For every relation in NP and every $\ell$, we construct an $\ell$-IPoK protocol that is also $\ell$-IZK. We describe several applications of $\ell$-IPoK protocols under the physical assumption that one can $\ell$-isolate a prover for the duration of the proof phase. Firstly, we can use a witness indistinguishable (WI) $\ell$-IPoK to prevent ``man-in-the-middle'' attacks on identification schemes. Prior results for this scenario required all verifiers to register keys under a PKI, or the ability to fully isolate the prover. Secondly, a partially isolated prover can register a public key and use a WI $\ell$-IPoK to prove knowledge of the corresponding secret key to another party acting as a verifier. This allows us to set up a PKI where the key registrant does not need to trust the Certificate Authority. 
The PKI is not perfect since the proof is only witness indistinguishable and not zero knowledge. In a companion paper, we show how to set up such a PKI and use it to implement arbitrary multiparty computation securely in the UC framework without relying on any trusted third parties.
2007
EPRINT
Key Agreement from Signatures: Improved Protocols and Anonymous Extension
We exploit the relationships between signature schemes and key agreement protocols, and propose a high performance identity-based (ID-based) key agreement protocol based on strong pairing challenge-response signatures. The latter is the first of its kind in ID-based cryptography and is of interest in itself. Using the proof technique of signature unforgeability against adaptive chosen-message attack, our protocol fully supports Session-Key Reveal queries and partially supports Session-State Reveal queries (which leak the ephemeral secret and keying material for session key derivation), without gap assumption or any unrealistic restriction. We show how to incorporate KGC forward secrecy so that past session keys are not compromised even if the adversary gets the master secret key of the Key Generation Center (and the private keys of all users). Both proposals are efficient and have the strongest security among other unbroken identity-based two-party two-message protocols. Inspired by ring signatures and motivated by the need for a better anonymous roaming mechanism, we extend our basic protocol to support key agreement among spontaneous anonymous groups (SAG). To the best of our knowledge, this is the first ID-based SAG key agreement protocol with bilateral privacy.
2007
EPRINT
Kipnis-Shamir's Attack on HFE Revisited
In this paper, we show that the claims in the original Kipnis-Shamir attack on the HFE cryptosystems and in the improved attack by Courtois, that the complexity of the attacks is polynomial in terms of the number of variables, are invalid. We present computer experiments and a theoretical argument using basic algebraic geometry to explain why this is so. Furthermore we show that even with the help of a powerful new Gröbner basis algorithm like $F_4$, the Kipnis-Shamir attack should still be exponential, not polynomial. This again is supported by our theoretical argument.
2007
EPRINT
Knapsack Public-Key Cryptosystem Using Chinese Remainder Theorem
The realization of the quantum computer will make it possible to break public-key cryptosystems based on the factoring problem and the discrete logarithm problem. It is considered that even the quantum computer cannot solve NP-hard problems in polynomial time. The subset sum problem is known to be NP-hard. Merkle and Hellman proposed a knapsack cryptosystem using the subset sum problem. However, it was broken by Shamir or Adleman because of the linearity of the modular transformation and the special structure of the secret keys. It is also broken by the low-density attack because the density is not sufficiently high. In this paper, we propose a new class of knapsack schemes without modular transformation. The special structure and the linearity can be avoided by using the Chinese remainder theorem as the trapdoor. The proposed scheme has a high density and a large dimension, so as to be sufficiently secure against a practical low-density attack.
2007
EPRINT
Knowledge-Binding Commitments with Applications in Time-Stamping (Full Version)
We prove in a non-black-box way that every bounded list and set commitment scheme is knowledge-binding. This is a new and rather strong security condition, which makes the security definitions for time-stamping much more natural compared to the previous definitions, which assume unpredictability of adversaries. As a direct consequence, list and set commitment schemes with partial opening property are sufficient for secure time-stamping if the number of elements has an explicit upper bound N. On the other hand, white-box reductions are in a sense strictly weaker than black-box reductions. Therefore, we also extend and generalize the previously known reductions. The corresponding new reductions are Theta(sqrt(N)) times more efficient, which is important for global-scale time-stamping schemes where N is very large.
2007
EPRINT
Lai-Massey Scheme and Quasi-Feistel Networks
We introduce the notion of quasi-Feistel network, which is a generalization of the Feistel network, and contains the Lai-Massey scheme as an instance. We show that some of the works on the Feistel network, including the works of Luby-Rackoff, Patarin, Naor-Reingold and Piret, can be naturally extended to our setting. This gives a new proof for theorems of Vaudenay on the security of the Lai-Massey scheme, and also introduces for Lai-Massey a new construction of pseudorandom permutation, analogous to the construction of Naor-Reingold using pairwise independent permutations. Also, we prove the birthday security of $(2b-1)$- and $(3b-2)$-round unbalanced quasi-Feistel networks with b branches against CPA and CPCA attacks, respectively. This answers an unsolved problem pointed out by Patarin et al.
2007
EPRINT
Large Cyclic Subgroups of Jacobians of Hyperelliptic Curves
In this paper we obtain conditions on the divisors of the group order of the Jacobian of a hyperelliptic genus 2 curve, generated by the complex multiplication method described by Weng (2003) and Gaudry (2005). Examples, where these conditions imply that the Jacobian has a large cyclic subgroup, are given.
2007
EPRINT
Linearization Attacks Against Syndrome Based Hashes
In MyCrypt 2005, Augot, Finiasz, and Sendrier proposed FSB, a family of cryptographic hash functions. The security claim of the FSB hashes is based on a coding theory problem with hard average-case complexity. In the ECRYPT 2007 Hash Function Workshop, new versions with essentially the same compression function but radically different security parameters and an additional final transformation were presented. We show that hardness of average-case complexity of the underlying problem is irrelevant in collision search by presenting a linearization method that can be used to produce collisions in a matter of seconds on a desktop PC for the variant of FSB with claimed $2^{128}$ security.
2007
EPRINT
Locally Invertible Boolean Mappings
The aim of this paper is to study a novel property of Boolean mappings called local invertibility. We focus on local invertibility of Boolean mappings which model filtering generators and study the case when the filtering function is linear in the last variable.
2007
EPRINT
Long-lived digital integrity using short-lived hash functions
New collision-finding attacks on widely used cryptographic hash functions raise questions about systems that depend on certain properties of these functions for their security. Even after new and presumably better hash functions are deployed, users may have digital signatures and digital time-stamp certificates that were computed with recently deprecated hash functions. Is there any way to use a new and currently unassailable hash function to buttress the security of an old signature or time-stamp certificate? The main purpose of this note is to remind the technical community of a simple solution to this problem that was published more than a decade ago.
2007
EPRINT
Lossy Trapdoor Functions and Their Applications
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional Diffie-Hellman (DDH) problem and the worst-case hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCA-secure cryptosystems, collision-resistant hash functions, and more. All of our constructions are simple, efficient, and black-box. Taken all together, these results resolve some long-standing open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on worst-case lattice assumptions.
2007
EPRINT
Low-Density Attack Revisited
The low-density attack proposed by Lagarias and Odlyzko is a powerful algorithm against the subset sum problem. The improved algorithm due to Coster et al. would solve almost all problems of density < 0.9408... in the asymptotic sense. On the other hand, the subset sum problem itself is known to be NP-hard, and much effort has been devoted to establishing public-key cryptosystems based on the problem. In these cryptosystems, the densities of the subset sum problems should be higher than 0.9408... in order to avoid the low-density attack. For example, the Chor-Rivest cryptosystem adopted subset sum problems with relatively high densities. In this paper, we further improve the low-density attack by incorporating the idea that integral lattice points can be covered with polynomially many spheres of shorter radius and of lower dimension. As a result, the success probability of our attack can be higher than that of Coster et al.'s attack for fixed dimensions. The density bound is also improved for fixed dimensions. Moreover, we numerically show that our improved low-density attack makes the success probability higher in the case of low-Hamming-weight solutions, such as in the Chor-Rivest cryptosystem, if we assume SVP oracle calls.
2007
EPRINT
Making Large Hash Functions From Small Compression Functions
We explore the idea of creating a hash function that produces an $s$-bit digest from a compression function with an $n$-bit output, where $s > n$. This is accomplished by truncating a hash function with a digest size of $\ell n$-bits. Our work answers the question of how large $\ell$ can be while creating a digest of $sn$-bits securely. We prove that our construction is secure with respect to preimage resistance and collision resistance for $s \le 2^{n/2}n$.
2007
EPRINT
Matrix Power S-Box Construction
A new symmetric cipher S-box construction based on the matrix power function is presented. The matrix consisting of plain data bit strings is combined with three round key matrices using arithmetical addition and exponent operations. Matrix power means a matrix raised to the power of another matrix. The left and right side matrix powers are introduced. This operation is linked with two sound one-way functions: the discrete logarithm problem and the decomposition problem. The latter is used in public key cryptosystems based on infinite non-commutative groups. It is shown that the generic S-box equations are not transferable to multivariate polynomial equations in respect of input and key variables, and hence the algebraic attack to determine the key variables cannot be applied in this case. The mathematical description of the proposed S-box in its nature possesses good ``confusion and diffusion'' properties and contains variables ``of a complex type'' as was formulated by Shannon. Some comparative simulation results are presented.
2007
EPRINT
Merging Pret-a-Voter and PunchScan
We describe a variation of the Pret-a-Voter voting protocol that keeps the same ballot layout but borrows and slightly modifies the underlying cryptographic primitives from Punchscan, which is based on bit commitments. By using unconditionally hiding bit commitments, our protocol obtains unconditional privacy. We suggest a way to make cheating on the computational binding bit commitments impossible under assumptions that seem plausible for large-scale elections. Also we show ways to have several races on the Pret-a-Voter ballot, showing that with respect to ballot layout the protocols are almost identical.
2007
EPRINT
Mesh Signatures : How to Leak a Secret with Unwitting and Unwilling Participants
We introduce the mesh signature primitive as an anonymous signature that borrows from ring signatures, but with added modularity and a much richer language for expressing signer ambiguity. The language can represent complex access structures, and in particular allows individual signature components to be replaced with modular certificate chains. As a result, withholding one's public key from view is no longer a shield against being named as a possible cosignatory; and hence, a mesh signature may be used as a ring signature substitute with compulsory enrollment. We give an efficient construction based on bilinear maps in the common random string model. Our mesh signatures have linear size, achieve everlasting perfect anonymity, and as a special case induce the most efficient and first unconditionally anonymous ring signatures without random oracles or trusted setup authorities. We prove non-repudiation from a mild extension of the SDH assumption, which we introduce and justify meticulously.
2007
EPRINT
Mobile Phones as Secure Gateways for Message-Based Ubiquitous Communication (Revised)
For ubiquitous communication, self-organising ad-hoc networks become more and more important. We consider mobile phones as appropriate secure gateways to provide access to the Internet for external machines with low communication needs. A message-based approach is best in such a scenario with moving mobile phones and machines. In this paper we propose a security model for access control to the communication infrastructure, which is also message oriented. To meet the requirements of ubiquitously communicating machines, all algorithms on the sender's side are based on symmetric cryptography, resulting in low computation requirements. Our sophisticated symmetric key infrastructure for access control is based on unique combinations of keys and is completed with an effective key management. This results in a carrier grade security level although many parties share the same keys. Adopting the Subscriber Identity Module as a secure storage and computing module achieves the trustworthiness of the mobile phone. This makes it possible to use the mobile phone not only as a user terminal but also as a trusted infrastructure component of the mobile network. This document is an update of earlier work [BWS07] presented at the Workshop in Information Security Theory and Practices 2007 in Crete, Greece.
2007
EPRINT
MPC vs. SFE: Perfect Security in a Unified Corruption Model
Secure function evaluation (SFE) allows a set of players to compute an arbitrary agreed function of their private inputs, even if an adversary may corrupt some of the players. Secure multi-party computation (MPC) is a generalization allowing to perform an arbitrary on-going (also called reactive or stateful) computation during which players can receive outputs and provide new inputs at intermediate stages. At Crypto~2006, Ishai \emph{et al.} considered mixed threshold adversaries that either passively corrupt some fixed number of players, or, alternatively, actively corrupt some (smaller) fixed number of players, and showed that for certain thresholds, cryptographic SFE is possible, whereas cryptographic MPC is not. However, this separation does not occur when one considers \emph{perfect} security. Actually, past work suggests that no such separation exists, as all known general protocols for perfectly secure SFE can also be used for MPC. Also, such a separation does not show up with \emph{general adversaries}, characterized by a collection of corruptible subsets of the players, when considering passive and active corruption. In this paper, we study the most general corruption model where the adversary is characterized by a collection of adversary classes, each specifying the subset of players that can be actively, passively, or fail-corrupted, respectively, and show that in this model, perfectly secure MPC separates from perfectly secure SFE. Furthermore, we derive the exact conditions on the adversary structure for the existence of perfectly secure SFE resp. MPC, and provide efficient protocols for both cases.
2007
EPRINT
Multi-Party Indirect Indexing and Applications
We develop a new multi-party generalization of Naor-Nissim indirect indexing, making it possible for many participants to simulate a RAM machine with only poly-logarithmic blow-up. Our most efficient instantiation (built from length-flexible additively homomorphic public key encryption) improves the communication complexity of secure multi-party computation for a number of problems in the literature. Underlying our approach is a new multi-party variant of oblivious transfer which may be of independent interest.
2007
EPRINT
MultiCollision Attack on the Compression Functions of MD4 and 3-Pass HAVAL
In this paper, we present a new type of MultiCollision attack on the compression functions of both MD4 and 3-Pass HAVAL. For MD4, we utilize two feasible different collision differential paths to find a 4-collision with 2^{19} MD4 computations. For 3-Pass HAVAL, we present three near-collision differential paths to find an 8-NearCollision with 2^{9} HAVAL computations.
2007
EPRINT
Multiparty Computation to Generate Secret Permutations
We make use of a universal re-encryption mixnet to efficiently perform a secure multiparty computation to generate a secret permutation. When complete, the permutation is shared among the players in such a way that each player knows his share of the permutation but no others. Such a permutation is useful in dining cryptographers networks (DC-nets) to determine in which slot each player should transmit. We also see this primitive as being useful in online gaming for either shuffling cards or ordering players without the need for a trusted dealer or other third party.
2007
EPRINT
Multiparty Key Agreement Using Bilinear Map
A key agreement protocol is a cryptographic primitive which allows participants to share a common secret key via an insecure channel. In particular, a multiparty key agreement protocol is a key agreement protocol that can manage an arbitrary number of participants at once. From the security point of view, authentication and forward secrecy are the most important requirements in such protocols. One interesting problem in key agreement protocols is to construct a multiparty key agreement protocol satisfying the above security requirements with a minimal number of communication rounds (i.e. one round). In the literature, there has been no one-round multiparty key agreement protocol that satisfies both authentication and forward secrecy. In this paper, we present a new multiparty key agreement protocol using a bilinear map and adopting a key generation center. The protocol demands only one round for an arbitrary number of participants to share a group key and satisfies both authentication and (partial) forward secrecy.
2007
EPRINT
Multiple Modular Additions and Crossword Puzzle Attack on NLSv2
NLS is a stream cipher which was submitted to the eSTREAM project. A linear distinguishing attack against NLS was presented by Cho and Pieprzyk, which was called the Crossword Puzzle (CP) attack. NLSv2 is the tweaked version of NLS which aims mainly at avoiding the CP attack. In this paper, a new distinguishing attack against NLSv2 is presented. The attack exploits high correlation amongst neighboring bits of the cipher. The paper first shows that modular addition preserves pairwise correlations, as demonstrated by the existence of linear approximations with large biases. Next it shows how to combine these results with the existence of high correlation between bits 29 and 30 of the S-box to obtain a distinguisher whose bias is around $2^{-37}$. Consequently, we claim that NLSv2 is distinguishable from a random process after observing around $2^{74}$ keystream words.
2007
EPRINT
Multivariates Polynomials for Hashing
We propose the idea of building a secure hash using quadratic or higher degree multivariate polynomials over a finite field as the compression function, whose security relies on simple hard questions. We analyze some security properties and potential feasibility, where the compression functions are randomly chosen high-degree polynomials. Next, we propose to improve on the efficiency of the system by using some specially designed polynomials using composition of maps and a certain sparsity property, where the security of the system would then rely on stronger assumptions.
2007
EPRINT
Mutual Information Analysis -- A Universal Differential Side-Channel Attack
In this paper, we develop an information theoretic differential side-channel attack. An embedded device containing a secret key is modeled as a black box with a leakage function whose output is captured by an adversary through the noisy measurement of a physical observable, e.g. the power consumed by the device. We assume only that the measured values depend somehow on the leakage and thus on the word being processed by the device. Without any knowledge of the particular dependency, this fact is exploited to mount a side-channel attack. We build a distinguisher which uses the Mutual Information between the observed and the leaked values as a statistical test. The Mutual Information is maximal when the hypothetical key guessed by the attacker equals the key in the device. Our approach is confirmed by experimental results. We perform power analysis on an embedded device using our Mutual Information based distinguisher and show that the correct key is clearly distinguishable. Finally, our approach allows us to compute a good estimate of the minimal number of traces required to perform a successful attack and gives an upper bound on the information leakage in a single observation.
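The distinguisher described above, as an added simulation that is not the authors' code: the device is modelled as leaking the Hamming weight of the first-round AES S-box output plus Gaussian noise, and the attacker ranks each of the 256 key-byte guesses by the mutual information between the Hamming weight of the S-box output predicted under that guess and the binned measurement. The leakage model, noise level, trace count, bin count and seed are assumptions chosen for the simulation; the S-box is rebuilt from its definition so the block runs stand-alone.

```python
"""Mutual Information Analysis on simulated AES S-box leakage (added example).

Simulation assumptions (not from the paper): the device leaks the
Hamming weight of the first-round S-box output plus Gaussian noise.  The
attacker does not use the shape of that dependency, only the fact that
the measurement depends on the byte being processed: for each key-byte
guess it computes the mutual information between its predicted S-box
output (here: its Hamming weight) and the binned measurement, and keeps
the guess that maximises it.
"""
import math
import random


def _gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box from its definition: field inverse, then the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
HW = [bin(i).count("1") for i in range(256)]


def simulate_traces(key_byte, n, sigma, seed=1):
    """Constructed sample data: random plaintext bytes and one noisy
    leakage sample per encryption at the first-round S-box output."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    leak = [HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, sigma) for p in pts]
    return pts, leak


def _bin(values, nbins):
    """Uniform-width histogram bins over the observed range."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / nbins or 1.0
    return [min(int((v - lo) / width), nbins - 1) for v in values]


def mutual_information(xs, ys):
    """Plug-in (histogram) estimate of I(X;Y) in nats for discrete samples."""
    n = len(xs)
    joint, px, py = {}, {}, {}
    for x, y in zip(xs, ys):
        joint[(x, y)] = joint.get((x, y), 0) + 1
        px[x] = px.get(x, 0) + 1
        py[y] = py.get(y, 0) + 1
    return sum((c / n) * math.log(c * n / (px[x] * py[y]))
               for (x, y), c in joint.items())


def mia_scores(pts, leak, nbins=9):
    """MI between the hypothesised leaked value under each of the 256
    key-byte guesses and the binned measurement."""
    binned = _bin(leak, nbins)
    return [mutual_information([HW[SBOX[p ^ kg]] for p in pts], binned)
            for kg in range(256)]


def recover_key_byte(pts, leak):
    """The guess with maximal mutual information is the attacker's answer."""
    scores = mia_scores(pts, leak)
    return max(range(256), key=scores.__getitem__)


if __name__ == "__main__":
    pts, leak = simulate_traces(0x2B, n=3000, sigma=1.0)
    print("recovered key byte: 0x%02x" % recover_key_byte(pts, leak))
```

Because the statistic is mutual information rather than a correlation coefficient, nothing in the distinguisher assumes a linear relation between the measurement and the leakage; the Hamming-weight model appears only in the hypothesis, and the histogram estimator's bias (roughly the number of cells over twice the trace count) is what the wrong-key scores settle at.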
2007
EPRINT
New Attacks on the Stream Cipher TPy6 and Design of New Ciphers the TPy6-A and the TPy6-B
The stream ciphers Py, Pypy and Py6 were designed by Biham and Seberry for the ECRYPT-eSTREAM project in 2005. The ciphers were promoted to the `Focus' ciphers of Phase II of the eSTREAM project. However, due to some cryptanalytic results on the ciphers, strengthened versions of the ciphers, namely TPy, TPypy and TPy6, were built. So far there exist no attacks on TPy6. In this paper, we find hitherto unknown weaknesses in the keystream generation algorithms of Py6 and of its stronger variant TPy6. Exploiting these weaknesses, a large number of distinguishing attacks are mounted on the ciphers, the best of which works with $2^{224.6}$ data and comparable time. In the second part, we present two new ciphers derived from TPy6, namely TPy6-A and TPy6-B, whose performances are 2.65 cycles/byte and 4.4 cycles/byte on Pentium III. As a result, to the best of our knowledge, on Pentium platforms TPy6-A becomes the fastest stream cipher in the literature. Based on our security analysis, we conjecture that no attacks better than brute force are possible on the ciphers TPy6-A and TPy6-B.
2007
EPRINT
New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures
Software based side-channel attacks allow an unprivileged spy process to extract secret information from a victim (cryptosystem) process by exploiting some indirect leakage of ``side-channel'' information. It has been realized that some components of modern computer microarchitectures leak certain side-channel information and can create unforeseen security risks. An example of such MicroArchitectural Side-Channel Analysis is the Cache Attack --- a group of attacks that exploit information leaks from cache latencies. Public awareness of Cache Attack vulnerabilities led the software writers of OpenSSL (version 0.9.8a and subsequent versions) to incorporate countermeasures for preventing these attacks. In this paper, we present a new and yet unforeseen side channel attack that is enabled by the recently published Simple Branch Prediction Analysis (SBPA), which is another type of MicroArchitectural Analysis. We show that modular inversion --- a critical primitive in public key cryptography --- is a natural target of SBPA attacks because it typically uses the Binary Extended Euclidean algorithm, whose nature is an input-centric sequence of conditional branches. Our results show that SBPA can be used to extract secret parameters during the execution of the Binary Extended Euclidean algorithm. This poses a new potential risk to crypto-applications such as OpenSSL, which already employs Cache Attack countermeasures. Thus, it is necessary to develop new software mitigation techniques for BPA and incorporate them with cache analysis countermeasures in security applications. To mitigate this new risk in full generality, we apply a security-aware algorithm design methodology and propose some changes to the CRT-RSA algorithm flow. These changes either avoid some of the steps that require modular inversion, or remove the critical information leak from this procedure. 
In addition, we also show by example that, independently of the required changes in the algorithms, careful software analysis is also required in order to assure that the software implementation does not inadvertently introduce branches that may expose the application to SBPA attacks. These offer several simple ways for modifying OpenSSL in order to mitigate Branch Prediction Attacks.
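An added illustration of the point above, not code from the paper or from OpenSSL: a textbook binary extended Euclidean inversion with every data-dependent branch logged (the sequence an SBPA attacker reads off the branch predictor), a search showing that the branch trace alone identifies the secret input once the modulus is known, and a Fermat-based inversion by Montgomery ladder whose logged branch pattern depends only on the bit length of the prime modulus. The modulus, the inputs and the choice of ladder are assumptions made for the demonstration, and Python integers are not constant-time, so the comparison is about branch structure only, not about a timing-safe implementation.

```python
"""Input-dependent branches in binary extended Euclidean inversion.

Added example, not from the paper or OpenSSL.  `binary_ext_euclid` logs
the outcome of every conditional branch; `recover_from_trace` shows that
the log alone determines the secret operand for a known modulus;
`ladder_inverse_mod_prime` inverts by Fermat's little theorem with a
Montgomery ladder whose only branch is the loop over bit positions.
Toy modulus P_TOY is an assumption (it must be prime for the ladder).
Python integers are not constant-time; only the branch structure is
being compared.
"""
import math

P_TOY = 1009


def binary_ext_euclid(a, m, trace=None):
    """Return a^-1 mod m for odd m with gcd(a, m) = 1, logging branches.

    Every `trace.append` marks a conditional branch whose direction is a
    function of the secret operands (HAC algorithm 14.61 style).
    """
    if trace is None:
        trace = []
    u, v, x1, x2 = a, m, 1, 0
    while True:
        trace.append(("u!=1", u != 1))
        if u == 1:
            break
        trace.append(("v!=1", v != 1))
        if v == 1:
            break
        while True:                       # strip factors of 2 from u
            trace.append(("u even", u % 2 == 0))
            if u % 2:
                break
            u //= 2
            trace.append(("x1 even", x1 % 2 == 0))
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + m) // 2
        while True:                       # strip factors of 2 from v
            trace.append(("v even", v % 2 == 0))
            if v % 2:
                break
            v //= 2
            trace.append(("x2 even", x2 % 2 == 0))
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + m) // 2
        trace.append(("u>=v", u >= v))
        if u >= v:
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
    return (x1 if u == 1 else x2) % m


def recover_from_trace(observed, m):
    """Attacker side: replay every candidate operand and keep those whose
    branch trace equals the observed one.  Each halving/subtraction keeps
    u and v as known dyadic-rational combinations of the candidate and
    m, and the exit test fixes one of them to 1, so the match is unique."""
    hits = []
    for cand in range(1, m):
        if math.gcd(cand, m) != 1:
            continue
        t = []
        binary_ext_euclid(cand, m, t)
        if t == observed:
            hits.append(cand)
    return hits


def ladder_inverse_mod_prime(a, p, trace=None):
    """a^-1 = a^(p-2) mod p by a Montgomery ladder.

    The only branch is the loop over bit positions; the exponent bit
    selects operands through an arithmetic mask instead of an if/else,
    so the logged pattern depends on p.bit_length() alone.
    """
    if trace is None:
        trace = []
    e = p - 2
    r0, r1 = 1, a % p
    for i in range(e.bit_length() - 1, -1, -1):
        trace.append(("bit index", i))
        mask = -((e >> i) & 1)            # 0 or all ones, no branch
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t           # conditional swap
        r1 = r0 * r1 % p
        r0 = r0 * r0 % p
        t = (r0 ^ r1) & mask
        r0, r1 = r0 ^ t, r1 ^ t           # swap back
    return r0


if __name__ == "__main__":
    secret = 123
    t = []
    print("inverse:", binary_ext_euclid(secret, P_TOY, t))
    print("branches observed:", len(t))
    print("operands consistent with trace:", recover_from_trace(t, P_TOY))
    l1, l2 = [], []
    ladder_inverse_mod_prime(secret, P_TOY, l1)
    ladder_inverse_mod_prime(456, P_TOY, l2)
    print("ladder traces identical:", l1 == l2)
```

The replay search is the attacker's simplest strategy and is enough at toy size; for real operand sizes the same information is exploited by reconstructing the operation sequence step by step, as the paper describes. The ladder illustrates the second mitigation route named above (removing the leak from the procedure) for the case where the modulus is prime, as it is for the inversions modulo p and q in CRT-RSA; note that the loop bound still reveals the bit length of the modulus, which for RSA is public anyway.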
2007
EPRINT
New Communication-Efficient Oblivious Transfer Protocols Based on Pairings
We construct two simple families of two-message $(n,1)$-oblivious transfer protocols based on degree-$t$ homomorphic cryptosystems with the communication of respectively $1+\lceil n/t\rceil$ and $3+\lceil n/(t+1)\rceil$ ciphertexts. The construction of both families relies on efficient cryptocomputable conditional disclosure of secrets protocols; the way this is done may be of independent interest. The currently most interesting case $t=2$ can be based on the Boneh-Goh-Nissim cryptosystem. We show how to reduce the communication of virtually any existing oblivious transfer protocol by proposing a new related communication-efficient generic transformation from computationally-private information retrieval protocols to oblivious transfer protocols.
2007
EPRINT
New Constructions for UC Secure Computation using Tamper-proof Hardware
The Universal Composability framework was introduced by Canetti to study the security of protocols which are concurrently executed with other protocols in a network environment. Unfortunately it was shown that in the so-called plain model, a large class of functionalities cannot be securely realized. These severe impossibility results motivated the study of other models involving some sort of setup assumptions, where general positive results can be obtained. Until recently, all the setup assumptions which were proposed required some trusted third party (or parties). Katz recently proposed using a \emph{physical setup} to avoid such trusted setup assumptions. In his model, the physical setup phase includes the parties exchanging tamper proof hardware tokens implementing some functionality. The tamper proof hardware is modeled so as to assume that the receiver of the token can do nothing more than observe its input/output characteristics. It is further assumed that the sender \emph{knows} the program code of the hardware token which it distributed. Based on the DDH assumption, Katz gave general positive results for universally composable multi-party computation tolerating any number of dishonest parties, making this model quite attractive. In this paper, we present new constructions for UC secure computation using tamper proof hardware (in a stronger model). Our results represent an improvement over the results of Katz in several directions using substantially different techniques. Interestingly, our security proofs do not rely on being able to rewind the hardware tokens created by malicious parties. This means that we are able to relax the assumption that the parties \emph{know} the code of the hardware token which they distributed. This allows us to model real life attacks where, for example, a party may simply pass on the token obtained from one party to the other without actually knowing its functionality. 
Furthermore, our construction models the interaction with the tamper-resistant hardware as a simple request-reply protocol. Thus, we show that the hardware tokens used in our construction can be \emph{resettable}. In fact, it suffices to use tokens which are completely stateless (and thus cannot execute a multi-round protocol). Our protocol is also based on general assumptions (namely enhanced trapdoor permutations).
2007
EPRINT
New Constructions of Fuzzy Identity-Based Encryption
In this paper we construct two new fuzzy identity-based encryption (IBE) schemes in the random oracle model. Not only do our schemes provide public parameters whose size is independent of the number of attributes in each identity (used as public key) but they also have useful structures which result in more efficient key extraction and/or encryption than the random oracle version of Sahai and Waters' fuzzy IBE scheme, considered recently by Pirretti et al. We prove that the confidentiality of the proposed schemes is relative to the Decisional Bilinear Diffie-Hellman problem.
2007
EPRINT
New Fast Algorithms for Arithmetic on Elliptic Curves over Fields of Characteristic Three
In previous works on ECC (Elliptic Curve Cryptography), the case of characteristic three has been considered relatively less than the cases of fields of even characteristic and large prime fields. To the best of our knowledge, for point multiplication on ordinary elliptic curves over fields of characteristic three the most efficient way known is the one shown by N.P. Smart et al. (cf. [2]). In the first portion of this paper we propose new fast algorithms for arithmetic on Hessian elliptic curves over finite fields of characteristic three, which reduce the costs of a doubling and a mixed point addition from 3M+3C and 10M (cf. [2]) to 3M+2C and 9M+1C, respectively. These algorithms can realize fast point multiplication nearly comparable with the case of even characteristic, on ordinary elliptic curves over finite fields of characteristic three. In the next portion we propose a kind of projective coordinates we call ML coordinates and new algorithms for arithmetic on Weierstrass elliptic curves in them, which reduce the costs of a tripling and a mixed point addition from 7M+4C and 10M+2C (cf. [2]) to 6M+6C and 8M+2C, respectively. In conclusion, we can say that ternary elliptic curves are another alternative to existing technology for elliptic curve cryptosystems.
2007
EPRINT
New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba
The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. In this paper, we introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis, and it allows us to present the first break of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, constructed as the XOR of four Salsa20 instances, and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce complexity of collision search from 2^(256) to 2^(79) for 3-round Rumba. We give examples of collisions over three rounds for a version without feedforward, and near-collisions of weight 16 for three rounds of the original compression function, and of weight 129 for four rounds.
2007
EPRINT
New FORK-256
The hash function FORK-256 was published at the first NIST hash workshop and FSE 2006. It consists of simple operations so that its performance is better than that of SHA-256. However, recent papers show some weaknesses of FORK-256. In this paper, we propose a newly modified FORK-256 which has no microcollisions and so is resistant against existing attacks. Furthermore, it is faster than the old one.
2007
EPRINT
New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4
Consider the permutation $S$ in RC4. Roos pointed out in 1995 that after the Key Scheduling Algorithm (KSA) of RC4, the initial bytes of the permutation, i.e., $S[y]$ for small values of $y$, are biased towards some linear combination of secret key bytes. In this paper, for the first time we show that the bias can be observed in $S[S[y]]$ too. Based on this new form of permutation bias after the KSA and other related results, a complete framework is presented to show that many keystream output bytes of RC4 are significantly biased towards several linear combinations of the secret key bytes. The results do not assume any condition on the secret key. We find new biases in the initial as well as in the 256-th and 257-th keystream output bytes. For the first time biases at such later stages are discovered without any knowledge of secret key bytes. We also identify that these biases propagate further once the information for the index $j$ is revealed.
2007
EPRINT
New Local Collisions for the SHA-2 Hash Family
The starting point for collision attacks on practical hash functions is a local collision. In this paper, we make a systematic study of local collisions for the SHA-2 family. The possible linear approximations of the constituent Boolean functions are considered and certain impossible conditions for such approximations are identified. Based on appropriate approximations, we describe a general method for finding local collisions. Applying this method, we obtain several local collisions and compute the probabilities of the various differential paths. Previously, only one local collision due to Gilbert-Handschuh was known. We point out two impossible conditions in the GH local collision and provide an example of an impossible differential path for linearized SHA-2 using this local collision. Sixteen new local collisions are obtained none of which have any impossible conditions. The probabilities of these local collisions are a little less than the GH local collision. On the other hand, the absence of impossible conditions may make them more suitable for (reduced round) collision search attacks on the SHA-2 family.
2007
EPRINT
New Public Key Cryptosystems Using Polynomials over Non-commutative Rings
In this paper, we propose a new method for designing public key cryptosystems based on general non-commutative rings. The key idea of our proposal is that for a given non-commutative ring, we can define polynomials and take them as the underlying work structure. By doing so, it is easy to implement a Diffie-Hellman-like key exchange protocol. And consequently, ElGamal-like cryptosystems can be derived immediately. Moreover, we show how to extend our method to non-commutative groups (or semi-groups).
2007
EPRINT
New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py
The stream ciphers Py, Py6 designed by Biham and Seberry were promising candidates in the ECRYPT-eSTREAM project because of their impressive speed. Since their publication in April 2005, a number of cryptanalytic weaknesses of the ciphers have been discovered. As a result, a strengthened version Pypy was developed to repair these weaknesses; it was included in the category of `Focus ciphers' of Phase II of the eSTREAM competition. However, even the new cipher Pypy was not free from flaws, resulting in a second redesign. This led to the generation of three new ciphers TPypy, TPy and TPy6. The designers claimed that TPy would be secure with a key size up to 256 bytes, i.e., 2048 bits. In February 2007, Sekar \emph{et al.\ }published an attack on TPy with $2^{281}$ data and comparable time. This paper shows how to build a distinguisher with $2^{275}$ key/IVs and one output word for each key (i.e., the distinguisher can be constructed within the design specifications); it uses a different set of weak states of TPy. Our results show that distinguishing attacks with complexity lower than brute force exist if the key size of TPy is longer than 275 bits. Therefore, for such keys, our attack constitutes an academic break of the cipher. Furthermore, we discover a large number of similar bias-producing states of TPy and provide a general framework to compute them. The attacks on TPy are also shown to be effective on Py.
2007
EPRINT
Nominative Signature: Application, Security Model and Construction
Since the introduction of nominative signature in 1996, there have been only a few schemes proposed and all of them have already been found flawed. In addition, there is no formal security model defined. Even more problematic, there is no convincing application proposed. Due to these problems, the research of nominative signature has almost stalled and it is unknown if a secure nominative signature scheme can be built or there exists an application for it. In this paper, we give positive answers to these problems. First, we illustrate that nominative signature is a better tool for building user certification systems which are originally believed to be best implemented using a universal designated-verifier signature. Second, we propose a formal definition and a rigorous set of adversarial models for nominative signature. Third, we show that Chaum's undeniable signature can be transformed efficiently to a nominative signature and prove its security.
2007
EPRINT
Non-Interactive Anonymous Credentials
In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment have been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. Namely, we make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
2007
EPRINT
Non-Interactive Proofs for Integer Multiplication
We present two universally composable and practical protocols by which a dealer can, verifiably and non-interactively, secret-share an integer among a set of players. Moreover, at small extra cost and using a distributed verifier proof, it can be shown in zero-knowledge that three shared integers $a,b,c$ satisfy $ab =c$. This implies by known reductions non-interactive zero-knowledge proofs that a shared integer is in a given interval, or that one secret integer is larger than another. Such primitives are useful, e.g., for supplying inputs to a multiparty computation protocol, such as an auction or an election. The protocols use various set-up assumptions, but do not require the random oracle model.
2007
EPRINT
Noninteractive Manual Channel Message Authentication Based On eTCR Hash Functions
We present a new non-interactive message authentication protocol in the manual channel model (NIMAP, for short) using the weakest assumption on the manual channel (i.e. assuming the strongest adversary). Our protocol uses an enhanced target collision resistant (eTCR) hash family and is provably secure in the standard model. We compare our protocol with protocols with similar properties and show that the new NIMAP has the same security level as the best previously known NIMAP whilst it is more practical. In particular, to authenticate a message such as a 1024-bit public key, we require an eTCR hash family that can be constructed from any off-the-shelf Merkle-Damg{\aa}rd hash function using randomized hashing mode. The underlying compression function must be {\em evaluated second preimage resistant} (eSPR), which is a strictly weaker security property than collision resistance. We also revisit some closely related security notions for hash functions and study their relationships to help in understanding our protocol.
2007
EPRINT
Notes on the Wang et al. $2^{63}$ SHA-1 Differential Path
Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a $2^{63}$ attack by Wang et al., the details of the attack have not yet been presented or verified. This note does just that. Working from Adi Shamir's 2005 CRYPTO rump session presentation of Wang et al.'s work, this note verifies and presents the differential path and associated conditions. Although the error analysis for the advanced condition correction technique is not verified, a method is presented which yields a two-block collision attack on SHA-1 requiring an estimated $2^{62}$ SHA-1 computations if the original error analysis by Wang et al. is correct. The differential path is presented for only the first block of the two-block attack, but the second block path likely differs from the first in only the first 10 steps and could be derived from the information presented here.
2007
EPRINT
Notions of Efficiency in Simulation Paradigm
There are some well-known conceptual and technical issues related to a common setting of the simulation paradigm, i.e., EPT (expected polynomial time) simulator versus SPT (strict polynomial time) adversary. In fact, it has been shown that this setting is essential for achieving constant-round black-box zero-knowledge protocols. Many suggestions and results have been proposed to deal with these issues. In this paper, we propose an alternative solution. We study a new class of machines, MPT (Markov polynomial time), which is a cryptographic adaptation of Levin's average polynomial-time. Since MPT has good compatibility with SPT and intuitive composition properties, we can use it as a drop-in replacement for SPT. Moreover, it is easy to construct simulators in MPT.
2007
EPRINT
Novel Approaches for Improving the Power Consumption Models in Correlation Analysis
Differential Power Analysis (DPA) is a powerful technique for revealing secret data of cryptographic algorithms such as DES, AES and RSA implemented on a specific platform. In recent years, Correlation Power Analysis (CPA) has made it possible to better formalize the differential approaches of DPA with the use of a power model. We propose here two methods in order to optimize the power model for the targeted bits of the analysed algorithm. We will consider that the targeted bits do not all give the same contribution to the power consumption. Our first method consists in finding out the optimal ratio among the bits of a specific device. The second method is based on a statistical analysis of attack results while applying different possible ratios among the bits. The experimental electromagnetic radiation signals intercepted from an ASIC during DES operations show that our proposed methods significantly improve the attack performance.
2007
EPRINT
Oblivious Transfer via McEliece's PKC and Permuted Kernels
We present two efficient protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT using the McEliece cryptosystem and Shamir's zero-knowledge identification scheme based on permuted kernels. This is a step towards diversifying computational assumptions on which OT -- the primitive of central importance -- can be based. Although we obtain a weak version of Rabin OT (where the malicious receiver may decrease his erasure probability), it can nevertheless be reduced to secure 1-out-of-2 OT. Elaborating on the first protocol, we provide a practical construction for 1-out-of-2 OT.
2007
EPRINT
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS
LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other hand MQV does not have a security proof, and the HMQV security proof is extremely complicated. This paper proposes a new authenticated key agreement protocol, called CMQV (`Combined' MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural one-pass variant. Moreover, we present a simple and intuitive proof that CMQV is secure in the LaMacchia-Lauter-Mityagin model.
2007
EPRINT
Obtaining Universally Composable Security: Towards the Bare Bones of Trust
A desirable goal for cryptographic protocols is to guarantee security when the protocol is composed with other protocol instances. Universally Composable (UC) security provides this guarantee in a strong sense: A UC-secure protocol maintains its security properties even when composed concurrently with an unbounded number of instances of arbitrary protocols. However, many interesting cryptographic tasks are provably impossible to realize with UC security in the standard, ``plain'' model of computation. Impossibility holds even if ideally authenticated communication channels are provided. In contrast, it has been demonstrated that general secure computation can be obtained in a number of idealized models. Each one of these models represents a form of trust that is put in some of the system's components. This survey examines and compares some of these trust models, both from the point of view of their sufficiency for building UC secure protocols, and from the point of view of their practical realizability. We start with the common reference string (CRS) model, and then describe several relaxations and alternatives including the Defective CRS model, the key registration models, the hardware token model, the global and augmented CRS models, and a timing assumption. Finally, we briefly touch upon trust models for obtaining authenticated communication.
2007
EPRINT
Offline/Online Mixing
We introduce an offline precomputation technique for mix-nets that drastically reduces the amount of online computation needed. Our method can be based on any additively homomorphic cryptosystem and is applicable when the number of senders and the maximal bit-size of messages are relatively small.
2007
EPRINT
On an Improved Correlation Analysis of Stream Ciphers Using Multi-Output Boolean Functions and the Related Generalized Notion of Nonlinearity
We investigate the security of $n$-bit to $m$-bit vectorial Boolean functions in stream ciphers. Such stream ciphers have higher throughput than those using single-bit output Boolean functions. However, as shown by Zhang and Chan at Crypto 2000, linear approximations based on composing the vector output with any Boolean functions have higher bias than those based on the usual correlation attack. In this paper, we introduce a new approach for analyzing vector Boolean functions called generalized correlation analysis. It is based on approximate equations which are linear in the input $x$ but of free degree in the output $z=F(x)$. The complexity for computing the generalized nonlinearity for this new attack is reduced from $2^{2^m \times n+n}$ to $2^{2n}$. Based on experimental results, we show that the new generalized correlation attack gives linear approximation with much higher bias than the Zhang-Chan and usual correlation attack. We confirm this with a theoretical upper bound for generalized nonlinearity, which is much lower than for the unrestricted nonlinearity (for Zhang-Chan's attack) and {\em a fortiori} for usual nonlinearity. We also prove a lower bound for generalized nonlinearity which allows us to construct vector Boolean functions with high generalized nonlinearity from bent and almost bent functions. We derive the generalized nonlinearity of some known secondary constructions for secure vector Boolean functions. Finally, we prove that if a vector Boolean function has high nonlinearity or even a high unrestricted nonlinearity, it cannot ensure that it will have high generalized nonlinearity.
2007
EPRINT
On Asymptotic Behavior of the Ratio Between the Numbers of Binary Primitive and Irreducible Polynomials
In this paper we study the ratio $\theta(n) = \frac{\lambda_2(n)}{\psi_2(n)}$, where ${\lambda_2(n)}$ is the number of primitive polynomials and ${\psi_2(n)}$ is the number of irreducible polynomials in $GF(2)[x]$ of degree $n$. Let $n=\prod_{i=1}^{\ell} p_i^{r_i}$ be the prime factorization of $n$, where $p_i$ are odd primes. We show that $\theta(n)$ tends to 1 and $\theta(2n)$ is asymptotically not less than 2/3 when $r_i$ are fixed and $p_i$ tend to infinity. We also describe an infinite series of values $n_{s}$ such that $\theta(n_{s})$ is strictly less than $\frac{1}{2}$.
2007
EPRINT
On bent functions with zero second derivatives
It is proved that a bent function has zero second derivative with respect to $a$, $b$, $a \ne b$, if and only if it is affine on all the flats parallel to the two dimensional subspace $V = \langle a, b \rangle$.
2007
EPRINT
On Ciphertext Undetectability
We propose a novel security notion for public-key encryption schemes -- ciphertext undetectability. Informally, an encryption scheme has the property of ciphertext undetectability, if the attacker is unable to distinguish between valid and invalid ciphertexts. We compare this notion with the established ones, such as indistinguishability of ciphertexts and plaintext awareness. We analyze the possibilities of constructing schemes with the property of ciphertext undetectability. Moreover, we prove that the Damgard ElGamal, the Cramer-Shoup scheme and its lite variant achieve ciphertext undetectability under standard assumptions.
2007
EPRINT
On compressible pairings and their computation
In this paper we provide explicit formulae to compute bilinear pairings in compressed form, and indicate families of curves where particularly generalised versions of the Eta and Ate pairings due to Zhao \emph{et al.} are especially efficient. With the new formulae it is possible to entirely avoid $\mathbb{F}_{p^k}$ arithmetic during pairing computation on elliptic curves over $\mathbb{F}_p$ with even embedding degree $k$. Using our new method all intermediate results in the Miller loop are represented by just one $\mathbb{F}_{p^{k/2}}$ element and manipulated in compressed form. For certain families of ordinary curves with embedding degree $k = 6m$ all arithmetic can be done in a subfield of size $p^m$ and the representation can be further compressed to two $\mathbb{F}_{p^m}$ elements.
2007
EPRINT
On Factoring Arbitrary Integers with Known Bits
We study the {\em factoring with known bits problem}, where we are given a composite integer $N=p_1p_2\dots p_r$ and oracle access to the bits of the prime factors $p_i$, $i=1, \dots, r$. Our goal is to find the full factorization of $N$ in polynomial time with a minimal number of calls to the oracle. We present a rigorous algorithm that efficiently factors $N$ given $(1-\frac{1}{r}H_r)\log N$ bits, where $H_r$ denotes the $r^{th}$ harmonic number.
2007
EPRINT
On Non-Randomness of the Permutation after RC4 Key Scheduling
Here we study a weakness of the RC4 Key Scheduling Algorithm (KSA) that has already been noted by Mantin and Mironov. Consider the RC4 permutation $S$ of $N$ (usually 256) bytes and denote it by $S_N$ after the KSA. Under reasonable assumptions we present a simple proof that each permutation byte after the KSA is significantly biased (either positively or negatively) towards many values in the range $0, \ldots, N-1$. These biases are independent of the secret key and thus present evidence that the permutation after the KSA can be distinguished from a random permutation without any assumption on the secret key. We also present a detailed empirical study over Mantin's work where the theoretical formulae vary significantly from experimental results due to repetition of short keys in RC4. Further, it is explained how these results can be used to identify new distinguishers for the RC4 keystream.
2007
EPRINT
On Perfectly Balanced Boolean Functions
Perfectly balanced functions were introduced by Sumarokov. A well known class of such functions are those linear either in the first or in the last variable. We present a novel technique to construct perfectly balanced functions not in the above class.
2007
EPRINT
On prime-order elliptic curves with embedding degrees k=3,4 and 6
We further analyze the solutions to the Diophantine equations from which prime-order elliptic curves of embedding degrees $k=3,4$ or $6$ (MNT curves) may be obtained. We give an explicit algorithm to generate such curves. We derive a heuristic lower bound for the number $E(z)$ of MNT curves with $k=6$ and discriminant $D\le z$, and compare this lower bound with experimental data.
2007
EPRINT
On Simulatability Soundness and Mapping Soundness of Symbolic Cryptography
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models or symbolic cryptography, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made -- using two conceptually different approaches -- in proving that Dolev-Yao models can be sound with respect to actual cryptographic realizations and security definitions. One such approach is grounded on the notion of simulatability, which constitutes a salient technique of Modern Cryptography with a longstanding history for a variety of different tasks. The other approach strives for the so-called mapping soundness -- a more recent technique that is tailored to the soundness of specific security properties in Dolev-Yao models, and that can be established using more compact proofs. Typically, both notions of soundness for similar Dolev-Yao models are established separately in independent papers. In this paper, the two approaches are related for the first time. Our main result is that simulatability soundness entails mapping soundness provided that both approaches use the same cryptographic implementation. Interestingly, this result does not depend on details of the simulator, which translates between cryptographic implementations and their Dolev-Yao abstractions in simulatability soundness. Hence, future research may well concentrate on simulatability soundness whenever applicable, and resort to mapping soundness in those cases where simulatability soundness is too strong a notion.
2007
EPRINT
On solving sparse algebraic equations over finite fields II
A system of algebraic equations over a finite field is called sparse if each equation depends on a small number of variables. Finding solutions to the system efficiently is an underlying hard problem in the cryptanalysis of modern ciphers. In this paper the deterministic Agreeing-Gluing algorithm introduced earlier by Raddum and Semaev for solving such equations is studied. Its expected running time on uniformly random instances of the problem is rigorously estimated. This estimate is at present the best theoretical bound on the complexity of solving average instances of the above problem. In particular, it significantly improves on our previous results. In characteristic 2 we observe an exciting difference with the worst-case complexity provided by SAT solving algorithms.
2007
EPRINT
On the Authentication of One Popular Signcryption Scheme
Whether a recipient \textit{can prove} a signature to others is of great importance. The function is just one reason that we call a signature a ``signature'' rather than something else. In this paper, we point out that one popular signcryption signature convinces \textit{only} the designated document's recipient that the signer deliberately signed the document. The \textit{designated recipient} can \textit{check} the validity of a given signcryptext but \textit{cannot prove} it to others. We also improve it using the efficient technique developed in Schnorr's signature instead of a zero-knowledge proof such that the receiver can \textit{check} the validity of a given signcryptext and \textit{can prove} it to a third party.
2007
EPRINT
On the Big Gap Between $|p|$ and $|q|$ in DSA
We introduce a message attack against DSA and show that the security of DSA is indeed reduced to the following problem: find $\theta\in \mathbb{Z}_q^*$ such that $$z=(\hat g^{\theta} \bmod p) \bmod q$$ where $\mbox{Ord}_p(\hat g)=q$ and $z\in \mathbb{Z}_q^*$ is randomly chosen by the adversary. Compared with the common key-only attack, i.e., find $x\in \mathbb{Z}_q^*$ such that $$y= g^x \bmod p$$ the message attack is more effective because of the big gap between $|p|$ (1024-bit) and $|q|$ (160-bit).
2007
EPRINT
On the complexity of side-channel attacks on AES-256 -- methodology and quantitative results on cache attacks
Larger key lengths translate into an exponential increase in the complexity of an exhaustive search. Side-channel attacks, however, use a divide-and-conquer approach and hence it is generally assumed that increasing the key length cannot be used as mitigation. Yet, the internal round structure of AES-256 and its key scheduling seem to hinder a direct extension of the existing attacks on AES-128 and thus challenge the proposition above. Indeed, two consecutive round keys are required to infer the secret key, and the MixColumns operation, not present in the last round, apparently increases the key search complexity from 2^8 to 2^32. Additionally, it is unclear what the impact of the different round structures is on the number of required measurements. In this paper, we explore this question and show how to attack AES-256 with a key search complexity of O(2^8). This work confirms with practical experiments that AES-256 only offers a marginal increase in resistance against the attacks -- both in the required number of measurements and in the required processing time. As an example, we quantify this increase for the case of cache-based side-channel attacks: AES-256 only provides an increase in complexity of 6 to 7 compared to cache-based attacks on AES-128.
2007
EPRINT
On the Decomposition of an Element of Jacobian of a Hyperelliptic Curve
In this manuscript, if a reduced divisor $D_0$ of a hyperelliptic curve of genus $g$ over an extension field $F_{q^n}$ is written as a linear sum of $ng$ elements of $F_{q^n}$-rational points of the hyperelliptic curve whose $x$-coordinates are in the base field $F_q$, $D_0$ is called a decomposed divisor and the set of such $F_{q^n}$-rational points is called the decomposed factor of $D_0$. We propose an algorithm which checks whether a reduced divisor is decomposed or not, and computes the decomposed factor if it is decomposed. This algorithm needs a process for solving a system of equations of degree $2$ in $(n^2-n)g$ variables, with $(n^2-n)g$ equations over $F_q$. Further, for the cases $(g,n)=(1,3),(2,2),$ and $(3,2)$, the concrete computations of decomposed factors are done by computer experiments.
2007
EPRINT
On the Forgeability of Wang-Tang-Li's ID-Based Restrictive Partially Blind Signature
Restrictive partially blind signature (RPBS) plays an important role in designing secure electronic cash systems. Very recently, Wang, Tang and Li proposed a new ID-based restrictive partially blind signature (ID-RPBS) and gave a security proof. In this paper, we present a cryptanalysis of the scheme and show that the signature scheme does not satisfy the property of {\bf unforgeability} as claimed. More precisely, a user can forge a valid message-signature pair $(ID, msg, {\bf info'}, \sigma')$ instead of the original one $(ID, msg, {\bf info}, \sigma)$, where {\bf info} is the original commonly agreed information and ${\bf info}'\neq {\bf info}$. Therefore, it would be very dangerous if Wang-Tang-Li's ID-RPBS scheme were applied to an off-line electronic cash system. For example, a bank is supposed to issue an electronic coin (or bill) of \$100 to a user, while the user can change the denomination of the coin (bill) to any value, say \$100,000,000, at his will.
2007
EPRINT
On the hash function of ODH
M. Abdalla, M. Bellare and P. Rogaway proposed a variation of the Diffie-Hellman assumption named the oracle Diffie-Hellman (ODH) assumption. They recommend using a one-way cryptographic hash function for the ODH assumption. We notice that if the hash function is just one-way then there will be an attack. We show that if the hash function is non-malleable then the computational version of the ODH assumption can be reduced to the computational Diffie-Hellman (CDH) assumption. But we cannot reduce the ODH assumption to the decisional Diffie-Hellman (DDH) assumption even if the hash function is non-malleable. It seems that we need a random oracle hash function to reduce the ODH assumption to the DDH assumption.
2007
EPRINT
On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions
Fix a small, non-empty set of blockcipher keys $K$. We say a blockcipher-based hash function is highly-efficient if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from $K$. Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.
2007
EPRINT
On The Inequivalence Of Ness-Helleseth APN Functions
In this paper, the Ness-Helleseth functions over $F_{p^n}$ defined by the form $f(x)=ux^{\frac{p^n-1}{2}-1}+x^{p^n-2}$ are proven to be a new class of almost perfect nonlinear (APN) functions and they are CCZ-inequivalent with all other known APN functions when $p\geq 7$. The original method of Ness and Helleseth showing the functions are APN for $p=3$ and odd $n\geq 3$ is also suitable for showing their APN property for any prime $p\geq 7$ with $p\equiv 3\,({\rm mod}\,4)$ and odd $n$.
2007
EPRINT
On the insecurity of interchanged use of OFB and CBC modes of operation
The security of interchanged use of modes of operation of block ciphers has not been discussed in the public literature. So far, the modes of operation of block ciphers have been treated as completely independent and uncorrelated. In this paper we represent both CBC and OFB as quasigroup string transformations, and then show that OFB mode is a special case of the CBC mode of operation. That raises possibilities for the construction of several devastating attack scenarios against the interchanged use of CBC and OFB. These attacks have not been addressed in NIST Special Publication 800-38A 2001, ``Recommendation for Block Cipher Modes of Operation''. More specifically, in the chosen plaintext attack scenario with interchanged use of CBC and OFB mode, we give a concrete list of openssl commands that extract the complete plaintext without knowing the secret key.
2007
EPRINT
On the Relations Between Non-Interactive Key Distribution, Identity-Based Encryption and Trapdoor Discrete Log Groups
We investigate the relationships between identity-based non-interactive key distribution and identity-based encryption. We provide constructions for these schemes that make use of general trapdoor discrete log groups. We then investigate the schemes that result in two concrete settings, obtaining new, provably secure, near-practical identity-based encryption schemes.
2007
EPRINT
On the Role of Scheduling in Simulation-Based Security
In a series of papers, K\"usters et al. investigated the relationships between various notions of simulation-based security. Two main factors, the placement of a ``master process'' and the existence of ``forwarder processes'', were found to affect the relationship between different definitions. In this extended abstract, we add a new dimension to the analysis of simulation-based security, namely, the scheduling of concurrent processes. We show that, when we move from sequential scheduling (as used in previous studies) to task-based nondeterministic scheduling, the same syntactic definition of security gives rise to incomparable semantic notions of security. Under task-based scheduling, the hierarchy based on placement of ``master process'' is no longer relevant, because no such designation is necessary to obtain meaningful runs of a system. On the other hand, the existence of ``forwarder processes'' remains an important factor.
2007
EPRINT
On the security defects of an image encryption scheme
This paper studies the security of a recently-proposed chaos-based image encryption scheme, and points out the following problems: 1) there exist a number of invalid keys and weak keys, and some keys are partially equivalent for encryption/decryption; 2) given one chosen plain-image, a subkey $K_{10}$ can be guessed with a smaller computational complexity than that of the simple brute-force attack; 3) given at most 128 chosen plain-images, a chosen-plaintext attack can possibly break the following part of the secret key: $\{K_i\bmod 128\}_{i=4}^{10}$, which works very well when $K_{10}$ is not too large; 4) when $K_{10}$ is relatively small, a known-plaintext attack can be carried out with only one known plain-image to recover some visual information of any other plain-images encrypted by the same key.
2007
EPRINT
On the Security of a Class of Image Encryption Scheme
Recently four chaos-based image encryption schemes were proposed. Essentially, the four schemes can be classified as one class, which is composed of two basic parts: position permutation and diffusion of pixel value with the same cipher-text feedback function. The operations involved in the two basic parts are determined by a random number sequence generated by iterating a chaotic dynamic system. According to the security requirement, the two basic parts are performed alternately for some rounds. Although the original authors claimed that the schemes are of high quality, we found the following security problems: 1) the schemes are not sensitive to the change of plain-image; 2) the schemes are not sensitive to the change of secret key; 3) there exists a serious flaw in the diffusion function; 4) the schemes can be broken with no more than $\lceil\log_L(MN)\rceil+3$ chosen-images when the iteration number is equal to one, where $MN$ is the size of the plain-image and $L$ is the number of different pixel values.
2007
EPRINT
On the security of an image encryption scheme
This paper studies the security of a recently-proposed image encryption scheme based on chaos, and points out the following problems: 1) there exist a number of invalid keys and weak keys, and some keys are partially equivalent for the encryption/decryption processes; 2) given one chosen plain-image, a sub-key $K_{10}$ can be guessed with a smaller computational complexity than that of the simple brute-force attack; 3) given $O(10)$ (at most 128) chosen plain-images, a chosen-plaintext attack may be able to break the following part of the secret key: $(\{K_i\bmod 128\}_{i=4}^{10})$, which works very well when $K_{10}$ is not too large; 4) when $K_{10}$ is relatively small, a known-plaintext attack can be mounted with only one known plain-image to recover some visual information of other plain-images encrypted by the same key.
2007
EPRINT
On the Security of Protocols with Logarithmic Communication Complexity
We investigate the security of protocols with logarithmic communication complexity. We show that for the security definitions with environment, i.e., Reactive Simulatability and Universal Composability, computational security of logarithmic protocols implies statistical security. The same holds for advantage-based security definitions as commonly used for individual primitives. While this matches the folklore that logarithmic protocols cannot be computationally secure unless they are already statistically secure, we show that under realistic complexity assumptions, this folklore does surprisingly not hold for the stand-alone model without auxiliary input, i.e., there are logarithmic protocols that are statistically insecure but computationally secure in this model. The proof is conducted by showing how to transform an instance of an NP-complete problem into a protocol with two properties: There exists an adversary such that the protocol is statistically insecure in the stand-alone model, and given such an adversary we can find a witness for the problem instance, hence yielding a computationally secure protocol assuming the hardness of finding a witness. The proof relies on a novel technique that establishes a link between cryptographic definitions and foundations of computational geometry, which we consider of independent interest.
2007
EPRINT
On the Security of three Versions of the WAI Protocol in Chinese WLAN Implementation Plan
In this paper we investigate the security properties of three versions of the WAI protocol in the Chinese WLAN implementation plan. We first revisit the security analysis that has been done for versions 1 and 2. We show that the security proof given by Li, Moon, and Ma is incorrect and the alternative protocol EWAP of Zhang and Ma is insecure. We further analyse the third version of the WAI protocol and prove its security in the Canetti-Krawczyk model. In addition, we also provide some practical security analysis of this version.
2007
EPRINT
On Tweaking Luby-Rackoff Blockciphers
Tweakable blockciphers, first formalized by Liskov, Rivest, and Wagner, are blockciphers with an additional input, the tweak, which allows for variability. An open problem proposed by Liskov et al. is how to construct tweakable blockciphers without using a pre-existing blockcipher. This problem has yet to receive any significant study. There are many natural questions in this area: is it significantly more efficient to incorporate a tweak directly? How do direct constructions compare to existing techniques? Are these direct constructions optimal and for what levels of security? How large of a tweak can be securely added? In this work, we address these questions for Luby-Rackoff blockciphers. We show that tweakable blockciphers can be created directly from Feistel ciphers, and in some cases show that direct constructions of tweakable blockciphers are more efficient than previously known constructions.
2007
EPRINT
On-Line Ciphers and the Hash-CBC Constructions
We initiate a study of on-line ciphers. These are ciphers that can take input plaintexts of large and varying lengths and will output the i-th block of the ciphertext after having processed only the first i blocks of the plaintext. Such ciphers permit length-preserving encryption of a data stream with only a single pass through the data. We provide security definitions for this primitive and study its basic properties. We then provide attacks on some possible candidates, including CBC with fixed IV. We then provide two constructions, HCBC1 and HCBC2, based on a given block cipher E and a family of computationally AXU functions. HCBC1 is proven secure against chosen-plaintext attacks assuming that E is a PRP secure against chosen-plaintext attacks, while HCBC2 is proven secure against chosen-ciphertext attacks assuming that E is a PRP secure against chosen-ciphertext attacks.
2007
EPRINT
One-Round ID-Based Blind Signature Scheme without ROS Assumption
In this paper, we propose a new ID-based blind signature scheme based on bilinear pairings from scratch (i.e. without using existing ID-based signature schemes, and without using existing computational assumptions). First, the round complexity of our ID-based blind signature scheme is optimal. Namely, each interactive signature generation requires the requesting user and the signer to transmit only one message each. Second, the proposed scheme is provably secure against generic parallel attack without using the ROS assumption. Indeed, the security of the proposed scheme is based on a new formalized assumption called one-more bilinear Diffie-Hellman Inversion (1m-BDHI) assumption.
2007
EPRINT
Optimal Irreducible Polynomials for GF(2^m) Arithmetic
The irreducible polynomials recommended for use by multiple standards documents are in fact far from optimal on many platforms. Specifically they are suboptimal in terms of performance, for the computation of field square roots and in the application of the ``almost inverse'' field inversion algorithm. In this paper we question the need for the standardisation of irreducible polynomials in the first place, and derive the ``best'' polynomials to use depending on the underlying processor architecture. Surprisingly it turns out that a trinomial polynomial is in many cases not necessarily the best choice. Finally we make some specific recommendations for some particular types of architecture.
2007
EPRINT
Optimised versions of the Ate and Twisted Ate Pairings
The Ate pairing and the twisted Ate pairing for ordinary elliptic curves, which are generalizations of the $\eta_T$ pairing for supersingular curves, have previously been proposed. It is not necessarily the case that both pairings are faster than the Tate pairing. In this paper we propose optimized versions of the Ate and twisted Ate pairings with the loop reduction method and show that both pairings are always at least as fast as the Tate pairing. We also provide suitable families of elliptic curves for which our optimized Ate and optimized twisted Ate pairings can be computed with half the loop length compared to the Tate pairing.
2007
EPRINT
Optimistic Fair Exchange in a Multi-user Setting
This paper addresses the security of optimistic fair exchange in a multi-user setting. While the security of public key encryption and public key signature schemes in a single-user setting guarantees the security in a multi-user setting, we show that the situation is different in the optimistic fair exchange. First, we show how to break, in the multi-user setting, an optimistic fair exchange scheme provably secure in the single-user setting. This example separates the security of optimistic fair exchange between the single-user setting and the multi-user setting. We then define the formal security model of optimistic fair exchange in the multi-user setting, which is the first complete security model of optimistic fair exchange in the multi-user setting. We prove the existence of a generic construction meeting our multi-user security based on one-way functions in the random oracle model and trapdoor one-way permutations in the standard model. Finally, we revisit two well-known methodologies of optimistic fair exchange, which are based on the verifiably encrypted signature and the sequential two-party multisignature, respectively. Our result shows that these paradigms remain valid in the multi-user setting.
2007
EPRINT
Optimizing double-base elliptic-curve single-scalar multiplication
This paper analyzes the best speeds that can be obtained for single-scalar multiplication with variable base point by combining a huge range of options: (1) many choices of coordinate systems and formulas for individual group operations, including new formulas for tripling on Edwards curves; (2) double-base chains with many different doubling/tripling ratios, including standard base-2 chains as an extreme case; (3) many precomputation strategies, going beyond Dimitrov, Imbert, Mishra (Asiacrypt 2005) and Doche and Imbert (Indocrypt 2006). The analysis takes account of speedups such as S-M tradeoffs and includes recent advances such as inverted Edwards coordinates. The main conclusions are as follows. Optimized precomputations and triplings save time for single-scalar multiplication in Jacobian coordinates, Hessian curves, and tripling-oriented Doche/Icart/Kohel curves. However, even faster single-scalar multiplication is possible in Jacobi intersections, Edwards curves, extended Jacobi-quartic coordinates, and inverted Edwards coordinates, thanks to extremely fast doublings and additions; there is no evidence that double-base chains are worthwhile for the fastest curves. Inverted Edwards coordinates are the speed leader.
2007
EPRINT
Optimizing Multiprecision Multiplication for Public Key Cryptography
In this paper we recall the hybrid method of Gura et al. for multi-precision multiplication which is an improvement on the basic Comba method and which exploits the increased number of registers available on modern architectures in order to avoid duplicated loads from memory. We then show how to improve and generalise the method for application across a wide range of processor types, setting some new records in the process.
2007
EPRINT
Ordered Multisignatures and Identity-Based Sequential Aggregate Signatures, with Applications to Secure Routing
We construct two new multiparty digital signature schemes that allow multiple signers to sequentially produce a compact, fixed-length signature. First, we introduce a new primitive that we call \emph{ordered multisignatures} (OMS), which allows signers to attest to a common message as well as the order in which they signed. Our OMS construction substantially improves computational efficiency and scalability over any existing scheme with suitable functionality. Second, we design a new identity-based sequential aggregate signature scheme, where signers can attest to different messages and signature verification does not require knowledge of traditional public keys. The latter property permits savings on bandwidth and storage as compared to public-key solutions. In contrast to the only prior scheme to provide this functionality, ours offers improved security that does not rely on synchronized clocks or a trusted first signer. We provide formal security definitions and support the proposed schemes with security proofs under appropriate computational assumptions. We focus on potential applications of our schemes to secure network routing, but we believe they will find many other applications as well.
2007
EPRINT
Overlap-free Karatsuba-Ofman Polynomial Multiplication Algorithm
We describe how a recently proposed way to split input operands allows for fast VLSI implementations of GF(2)[x] Karatsuba-Ofman multipliers. The XOR gate delay of the proposed multiplier is better than that of previous Karatsuba-Ofman multipliers. For example, it is reduced by about 33% and 25% for n = 2^i and n = 3^i (i > 1), respectively.
2007
EPRINT
Pairings on Jacobians of Hyperelliptic Curves
Consider the jacobian of a hyperelliptic genus two curve defined over a finite field. Under certain restrictions on the endomorphism ring of the jacobian we give an explicit description of all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on the jacobian. From this description it follows that no such pairing can be computed more efficiently than the Weil pairing. To establish this result, we need an explicit description of the representation of the Frobenius endomorphism on the l-torsion subgroup of the jacobian. This description is given. In particular, we show that if the characteristic polynomial of the Frobenius endomorphism splits into linear factors modulo l, then the Frobenius is diagonalizable. Finally, under the restriction that the Frobenius element is an element of a certain subring of the endomorphism ring, we prove that if the characteristic polynomial of the Frobenius endomorphism splits into linear factors modulo l, then the embedding degree and the total embedding degree of the jacobian with respect to l are the same number.
2007
EPRINT
Perfect Forward Secure Identity-Based Authenticated Key Agreement Protocol in the Escrow Mode
There are several essential features in key agreement protocols such as key escrow (essential when confidentiality, audit trail and legal interception are required) and perfect forward secrecy (i.e., the security of a session key established between two or more entities is guaranteed even when the private keys of the entities are compromised). The majority of the existing escrowable identity-based key agreement protocols, however, only provide partial forward secrecy. Therefore, such protocols are unsuitable for real-world applications that require a stronger sense of forward secrecy --- perfect forward secrecy. In this paper, we propose an efficient perfect forward secure identity-based key agreement protocol in the escrow mode. We prove the security of our protocol in the random oracle model, assuming the intractability of the Gap Bilinear Diffie-Hellman (GBDH) problem. Security proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. We note, however, that many existing security proofs of previously published identity-based protocols entail lengthy and complicated mathematical proofs. In this paper, our proof adopts a modular approach and is, hence, simpler to follow.
2007
EPRINT
PORs: Proofs of Retrievability for Large Files
In this paper, we define and explore the notion of a _proof of retrievability_ (POR). A POR enables an archive or back-up service (prover) to demonstrate to a user (verifier) that it has ``possession'' of a file F, that is, that the archive retains data sufficient for the user to retrieve F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a _large_ file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of $F$. In addition, in a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition. We view PORs as an important tool for the management of semi-trusted online archives. Existing cryptographic tools help users ensure the privacy and integrity of their files once they are retrieved. It is also natural, however, for users to want to verify that archives do not delete or modify files while they are stored. The goal of a POR is to accomplish these checks {\em without users having to download the files themselves}. A POR can also provide quality-of-service guarantees, i.e., show that a file is retrievable within a certain time bound.
2007
EPRINT
Practical Anonymous Divisible E-Cash From Bounded Accumulators
We present an efficient off-line divisible e-cash scheme which is \emph{truly anonymous} without a trusted third party. This is the second scheme in the literature which achieves full unlinkability and anonymity, after the seminal work proposed by Canard and Gouget. The main trick of our scheme is the use of a bounded accumulator in combination with the classical binary tree approach. The aims of this paper are twofold. Firstly, we analyze Canard and Gouget's seminal work on efficient off-line divisible e-cash. We point out some subtleties in the parameter generation of their scheme. Moreover, spending a coin of small value requires computation of several hundreds of multi-based exponentiations, which is very costly. In short, although this seminal work provides a new approach to achieving truly anonymous divisible e-cash, unfortunately it is rather impractical. Secondly, we present our scheme that uses a novel approach of incorporating a bounded accumulator. In terms of time and space complexities, our scheme is $50$ to $100$ times more efficient than Canard and Gouget's work in the spend protocol at the cost of a $10$ to $500$ times less efficient withdrawal protocol (the large range is due to whether pre-processing is taken into account and the probabilistic nature of our withdrawal protocol). We believe this trade-off between the withdrawal protocol and the spend protocol is reasonable as the former protocol is to be executed much less frequently than the latter. Nonetheless, while their scheme provides an affirmative answer to whether divisible e-cash can be \emph{truly anonymous}, our result puts it a step further and we show that truly anonymous divisible e-cash can be \emph{practical}.
2007
EPRINT
Practical Compact E-Cash
Compact e-cash schemes allow a user to withdraw a wallet containing $k$ coins in a single operation, each of which the user can spend unlinkably. One big open problem for compact e-cash is to allow multiple denominations of coins to be spent efficiently without executing the spend protocol a number of times. In this paper, we give a (\emph{partial}) solution to this open problem by introducing two additional protocols, namely, compact spending and batch spending. Compact spending allows spending all the $k$ coins in one operation while batch spending allows spending any number of coins in the wallet in a single execution. We modify the security model of compact e-cash to accommodate these added protocols and present a generic construction. While the spending and compact spending protocols are of constant time and space complexities, the complexity of batch spending is linear in the number of coins to be spent together. Thus, we regard our solution to the open problem as {\it partial}. We provide two instantiations under the $q$-SDH assumption and the LRSW assumption respectively and present security arguments for both instantiations in the random oracle model.
2007
EPRINT
Practical Cryptanalysis of SFLASH
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASHv2 which was accepted by NESSIE, as well as to SFLASHv3 which is a higher security version.
2007
EPRINT
Practical Identity-Based Encryption (IBE) in Multiple PKG Environments and Its Applications
Identity-based encryption (IBE) schemes are usually used in multiple-PKG environments --- on the one hand, each administrative domain (e.g., a relatively small and close organization) maintains its own private key generator (PKG); on the other hand, encryption across domains becomes a prevalent requirement. In this paper, we present a new IBE scheme using bilinear pairings. Compared with the famous IBE scheme of Boneh and Franklin, we show that ours is more practical in the multiple-PKG environment. We prove that our scheme meets chosen ciphertext security in the random oracle model, assuming the intractability of the standard Bilinear Diffie-Hellman (BDH) problem. As an application of our IBE scheme, we also propose an escrowed ElGamal scheme which possesses certain good properties in practice.
2007
EPRINT
Practical Password Recovery on an MD5 Challenge and Response
This paper shows an attack against the APOP protocol, which is a challenge-and-response protocol. We utilize Wang's attack to make collisions in MD5, and apply it to the APOP protocol. We confirmed that the first 3 octets of the secret key can be recovered by several hundred queries under the man-in-the-middle environment.
2007
EPRINT
Precise Concurrent Zero Knowledge
\emph{Precise zero knowledge} introduced by Micali and Pass (STOC'06) guarantees that the view of any verifier $V$ can be simulated in time closely related to the \emph{actual} (as opposed to worst-case) time spent by $V$ in the generated view. We provide the first constructions of precise concurrent zero-knowledge protocols. Our constructions have essentially optimal precision; consequently this improves also upon the previously tightest non-precise concurrent zero-knowledge protocols by Kilian and Petrank (STOC'01) and Prabhakaran, Rosen and Sahai (FOCS'02) whose simulators have a quadratic worst-case overhead. Additionally, we achieve a statistically-precise concurrent zero-knowledge property---which requires simulation of unbounded verifiers participating in an unbounded number of concurrent executions; as such we obtain the first (even non-precise) concurrent zero-knowledge protocols which handle verifiers participating in a super-polynomial number of concurrent executions.
2007
EPRINT
Precise Zero-Knowledge in Concurrent Setting
We present a stronger notion of zero-knowledge: precise concurrent zero-knowledge. Our notion captures the idea that the view of any verifier in concurrent interaction can be reconstructed in almost the same time (within a constant/polynomial factor). Precise zero-knowledge in the stand-alone setting was introduced by Micali and Pass in STOC'06 (the original work used the term "local zero-knowledge"). Their notion shows that the view of any verifier can be reconstructed in almost the same time in the stand-alone setting. Hence our notion is the generalization of their notion to the concurrent setting. Furthermore, we propose an $\omega (\log ^2 n)$-round concurrent zero-knowledge argument for ${\rm{NP}}$ with linear precision, which shows that the view of any verifier in concurrent interaction can be reconstructed by the simulator with linear-time overhead. Our argument is of Feige-Lapidot-Shamir type, consisting of a proof-preamble and a proof-body for a modified NP statement. Our result assumes the restriction on the adversarial scheduling of the communication that the concurrent interaction of preambles of all sessions will be scheduled before any proof-body by the adversarial verifier.
2007
EPRINT
Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate encryption is a new paradigm generalizing, among other things, identity-based encryption. In a predicate encryption scheme, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SK_f corresponding to the predicate f can be used to decrypt a ciphertext associated with attribute I if and only if f(I)=1. Constructions of such schemes are currently known for relatively few classes of predicates. We construct such a scheme for predicates corresponding to the evaluation of inner products over N (for some large integer N). This, in turn, enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulae, or threshold predicates (among others). Besides serving as what we feel is a significant step forward in the theory of predicate encryption, our results lead to a number of applications that are interesting in their own right.
2007
EPRINT
Prime Points on Elliptic Curves and Its Impact on ECDLP
In this paper we show that some statistical properties of points on an elliptic curve can be used to form new equivalence classes. This can have an impact on solving the discrete logarithm (ECDLP) owing to the reduction of the number of points among which a logarithm is searched to points of particular features. It should lead to an improvement of the Pollard-rho algorithm.
2007
EPRINT
Privacy-Preserving Distributed Set Intersection
With the growing demand for database outsourcing and its security concerns, we investigate privacy-preserving set intersection in a distributed scenario. We propose a one-round protocol for privacy-preserving set intersection based on a combination of a secret sharing scheme and homomorphic encryption. We then show that, with an extra permutation performed by each of the contacted servers, the cardinality of the set intersection can be computed efficiently. All protocols constructed in this paper are provably secure against a semi-honest adversary under the Decisional Diffie-Hellman assumption.
2007
EPRINT
Privacy-Protecting Coupon System Revisited
At FC'05, Chen et al. introduced an elegant privacy protecting coupon (PPC) system, CESSS05, in which users can purchase multi-coupons and redeem them unlinkably while being prevented from overspending or sharing the coupons. However, the costs for issuing and redeeming coupons are linear in the redeeming limit. Security of the system is not proved and only some arguments on system properties are provided. Coupons last indefinitely and cannot be terminated. In this paper, we propose the first PPC system with constant costs for communication and computation. Coupons are revocable and the system is provably secure.
2007
EPRINT
Private Locally Decodable Codes
We consider the problem of constructing efficient locally decodable codes in the presence of a computationally bounded adversary. Assuming the existence of one-way functions, we construct efficient locally decodable codes with positive information rate and low (almost optimal) query complexity which can correctly decode any given bit of the message from constant channel error rate $\rho$. This compares favorably to the state of knowledge for locally decodable codes without cryptographic assumptions. For all our constructions, the probability, for any polynomial-time adversary, that the decoding algorithm incorrectly decodes any bit of the message is negligible in the security parameter.
2007
EPRINT
Prolific Codes with the Identifiable Parent Property
Let $C$ be a code of length $n$ over an alphabet of size $q$. A word $d$ is a descendant of a pair of codewords $x, y$ if $d_i \in \{x_i, y_i\}$ for $1 \le i \le n$. A code $C$ is an identifiable parent property (IPP) code if the following property holds. Whenever we are given $C$ and a descendant $d$ of a pair of codewords in $C$, it is possible to determine at least one of these codewords. The paper introduces the notion of a prolific IPP code. An IPP code is prolific if all $q^n$ words are descendants. It is shown that linear prolific IPP codes fall into three infinite (`trivial') families, together with a single sporadic example which is ternary of length 4. There are no known examples of prolific IPP codes which are not equivalent to a linear example: the paper shows that for most parameters there are no prolific IPP codes, leaving a relatively small number of parameters unsolved. In the process the paper obtains upper bounds on the size of a (not necessarily prolific) IPP code which are better than previously known bounds.
2007
EPRINT
Proposal of a new efficient public key system for encryption and digital signatures
In this paper a new efficient public key cryptosystem usable for both encryption and digital signatures is presented. Due to its simple structure this public key cipher can be implemented easily in every software or hardware device, making the cryptosystem available for circumstances where the implementation of an alternative like RSA, ElGamal, Diffie-Hellman, etc. is too complicated. Furthermore, the construction on the closest and shortest vector problem using a new homomorphic "almost" linear one-way function not only gives strong evidence of the cipher's security, but may also be the basis for a new class of "error-prone" cryptographic primitives based on lattice problems. Therefore this cipher and its construction are a good alternative to cryptosystems based on the integer factorization problem or the discrete logarithm and might be a basis for secure "error-prone" applications like biometrics or image watermarking.
2007
EPRINT
Proposing a Master One-Way Function
Making an arbitrary binary string fit as a fixed-size cipher key (via hashing), one could use an arbitrary string x as both plaintext and key to generate a ciphertext y, defined as "the crypto square of x", while x is the crypto square root of y. Extended to higher powers, this formalism allows for a polynomial morphology that combines all one-way function candidates into a single master function which is at least as intractable as its best ingredient one-way function. The master list has some interesting and useful attributes: at-will size for both input and output, controlled forward computational burden, milestone computing, and of course the best practical chance of being one-way.
2007
EPRINT
ProSiBIR: Proactive Signer-Base Intrusion Resilient Signatures
The notion of Signer-Base Intrusion-Resilient (SiBIR) signatures was introduced in [IR02] as a scheme that can withstand an arbitrary number of key exposures, as long as both of its modules are not compromised simultaneously. This was achieved by dividing time into predefined time periods, each corresponding to a different time-evolving secret key, while maintaining a constant public key. The two modules of this scheme consist of a signer that can generate signatures on its own, and a base that is used to update the signer's key as it evolves through time. The purpose of this paper is to provide a model for multi-signer, multi-base intrusion-resilient signatures. This proactive SiBIR scheme essentially breaks the preexisting notions of signer and base into an arbitrary number of signer and base modules. This lends itself to implementations where multiple parties need to agree for a document to be signed. An attacker needs to break into all the signers at the same time in order to forge a signature for that period. Moreover, he needs to break into all the bases as well, at that same time period, in order to "break" the scheme and generate future signatures. Thereby, by assuming a large number of bases, the risk of our scheme being compromised becomes arbitrarily small. We provide an implementation that is provably secure in the random oracle model, based on the strong RSA assumption. We also yield a modest improvement in the upper bound of our scheme's insecurity function, as opposed to the one presented in [IR02].
2007
EPRINT
Provable Data Possession at Untrusted Stores
We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage systems. Previous work offers guarantees weaker than data possession, or requires prohibitive overhead at the server. We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.
2007
EPRINT
Provable password-based tripartite key agreement protocol
A password-based tripartite key agreement protocol is presented in this paper. The three entities involved in this protocol can negotiate a common session key via a shared password over insecure networks. Proofs are given to show that the proposed protocol is secure against forging and chosen message attacks in the case where no dictionary attack is actually run.
2007
EPRINT
Provable Secure Generalized Signcryption
Generalized Signcryption is a new cryptographic primitive which can work as an encryption scheme, a signature scheme or a signcryption scheme. We give security notions of Generalized Signcryption and improve a Generalized Signcryption scheme proposed by Han et al. We give the formal attack model of this new cryptographic primitive in the framework of the theory of provable security. Finally, we give formal proofs for this new improved Generalized Signcryption in our attack model.
2007
EPRINT
Provable-Security Analysis of Authenticated Encryption in Kerberos
Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol's evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to hold, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither the encryption schemes currently deployed as part of Kerberos nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos' encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modifications that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.
2007
EPRINT
Provably Secure Ciphertext Policy ABE
In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, including secure databases and secure multicast. In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-Halevi-Katz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme, reducing both ciphertext size and encryption/decryption time while maintaining CPA security. Finally, we propose an extension in which access policies are arbitrary threshold trees, and we conclude with a discussion of practical applications of CP-ABE.
2007
EPRINT
Provably Secure Framework for Information Aggregation in Sensor Networks
Information aggregation is an important operation in wireless sensor networks executed for the purpose of monitoring and reporting of environmental data. Due to the performance constraints of sensor nodes, the in-network form of aggregation is especially attractive since it allows saving expensive resources during the frequent network queries. Easy accessibility of networks and nodes and almost no physical protection against corruption raise serious challenges for the security of the aggregation process. In particular, protection against attacks aiming to falsify the aggregated result is considered to be of prime importance. In this paper we propose a novel security model for the aggregation process based on well-established cryptographic techniques, focusing on the scenario with a single aggregator node. In order to show soundness and feasibility of our definitions we describe a generic practical approach that achieves security against node corruptions during the aggregation process in a provable cryptographic way based solely on symmetric cryptographic primitives. To the best of our knowledge this is the first paper which aims to combine the paradigm of provable security in the cryptographic sense with the task of information aggregation in WSNs.
2007
EPRINT
Provably Secure Grouping-proofs for RFID tags
We investigate an application of RFIDs referred to in the literature as the group scanning problem, in which several tags are "simultaneously" scanned by a reader. The security context of this application was first discussed by Ari Juels, who presented a protocol that allows pairs of RFID tags to provide evidence of having been simultaneously scanned: a yoking proof. Our goal is to study group scanning proofs in strong adversarial models. We describe a security model for RFID group scanning proofs, and consider versions of the problem that require privacy (anonymity) of the grouped tags, and/or forward-security properties. Our security model is based on the Universal Composability framework and supports reusability (through modularity of security guarantees). We also introduce novel protocols that realize the security models, focusing on efficient solutions based on off-the-shelf components, such as highly optimized pseudo-random function designs that require fewer than 2000 Gate-Equivalents.
2007
EPRINT
Proxy Re-encryption Systems for Identity-based Encryption
A proxy re-encryption system allows the proxy to transform ciphertexts encrypted under Alice's public key into different ciphertexts that can be decrypted by Bob's secret key. In this paper, we propose new proxy re-encryption systems: one for the transformation from ciphertexts encrypted under a traditional certificate-based public key into ciphertexts that can be decrypted by a secret key for Identity-Based Encryption, and the other for the transformation from ciphertexts encrypted in the IBE manner into different ciphertexts that can be decrypted by another secret key for the IBE.
2007
EPRINT
Proxy Re-Signature Schemes without Random Oracles
To construct a suitable and secure proxy re-signature scheme is not an easy job. Up to now, there exist only three schemes: one is proposed by Blaze et al. at EUROCRYPT 1998, and the others are proposed by Ateniese and Hohenberger at ACM CCS 2005. However, none of these schemes is proved in the standard model (i.e., without relying on the random oracle heuristic). In this paper, based on Waters' approach, we first propose a multi-use bidirectional proxy re-signature scheme, denoted as $S_{mb}$, which is existentially unforgeable in the standard model. Then, we extend $S_{mb}$ to a multi-use bidirectional ID-based proxy re-signature scheme, denoted by $S_{id-mb}$, which is also existentially unforgeable in the standard model. Both of these two proposed schemes are computationally efficient, and their security is based on the Computational Diffie-Hellman (CDH) assumption.
2007
EPRINT
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time
In this paper we propose two public-key BE schemes that have efficient complexity measures. The first scheme, called the BE-PI scheme, has $O(r)$ header size, $O(1)$ public keys and $O(\log N)$ private keys, where $r$ is the number of revoked users. This is the first public-key BE scheme that has both public and private keys under $O(\log N)$ while the header size is $O(r)$. These complexity measures of the header size and private keys also match those of efficient secret-key broadcast encryption schemes. Our second scheme, called the PK-SD-PI scheme, has $O(r)$ header size, $O(1)$ public key and $O(\log^2 N)$ private keys. They are the same as those of the SD scheme. Nevertheless, the decryption time is remarkably $O(1)$. This is the first public-key BE scheme that has $O(1)$ decryption time while other complexity measures are kept low. The PK-LSD-PI scheme can be constructed in the same way. It has $O(r/\epsilon)$ ciphertext size and $O(\log^{1+\epsilon} N)$ private keys, where $0<\epsilon<1$. The decryption time is also $O(1)$. Our basic schemes are one-way secure against full collusion of revoked users. With a slight modification, we make both schemes indistinguishably secure against the adaptive chosen ciphertext attack. The BE-PI scheme has the capability of tracing traitors. It is able to find out what private keys are used in a confiscated decoding box.
2007
EPRINT
Public Key Encryption that Allows PIR Queries
Consider the following problem: Alice wishes to maintain her email using a storage-provider Bob (such as a Yahoo! or Hotmail e-mail account). This storage-provider should provide for Alice the ability to collect, retrieve, search and delete emails but, at the same time, should learn neither the content of messages sent from the senders to Alice (with Bob as an intermediary), nor the search criteria used by Alice. A trivial solution is that messages will be sent to Bob in encrypted form and Alice, whenever she wants to search for some message, will ask Bob to send her a copy of the entire database of encrypted emails. This however is highly inefficient. We will be interested in solutions that are communication-efficient and, at the same time, respect the privacy of Alice. In this paper, we show how to create a public-key encryption scheme for Alice that allows PIR searching over encrypted documents. Our solution provides a theoretical solution to an open problem posed by Boneh, DiCrescenzo, Ostrovsky and Persiano on "Public-key Encryption with Keyword Search", providing the first scheme that does not reveal any partial information regarding the user's search (including the access pattern) in the public-key setting and with non-trivially small communication complexity. The main technique of our solution also allows for Single-Database PIR writing with sub-linear communication complexity, which we consider of independent interest.
2007
EPRINT
Public Key Encryption Which is Simultaneously a Locally-Decodable Error-Correcting Code
In this paper, we introduce the notion of a Public-Key Encryption (PKE) Scheme that is also a Locally-Decodable Error-Correcting Code. In particular, our construction simultaneously satisfies all of the following properties. (i) Our Public-Key Encryption is semantically secure under a certain number-theoretic hardness assumption (a specific variant of the $\Phi$-hiding assumption). (ii) Our Public-Key Encryption function has constant expansion: it maps plaintexts of length $n$ (for any $n$ polynomial in $k$, where $k$ is a security parameter) to ciphertexts of size $O(n+k)$. The size of our Public Key is also linear in $n$ and $k$. (iii) Our Public-Key Encryption is also a constant rate binary error-correcting code against any polynomial-time Adversary. That is, we allow a polynomial-time Adversary to read the entire ciphertext, perform any polynomial-time computation and change an arbitrary (i.e. adversarially chosen) constant fraction of all bits of the ciphertext. The goal of the Adversary is to cause error in decoding any bit of the plaintext. Nevertheless, the decoding algorithm can decode all bits of the plaintext (given the corrupted ciphertext) while making a mistake on any bit of the plaintext with only a negligible (in $k$) error probability. (iv) Our Decoding algorithm has a local decodability property. That is, given a corrupted ciphertext of $E(x)$, the decryption algorithm, for any $1 \le i \le n$, can recover the $i$'th bit of $x$ (i.e., $x_i$) with overwhelming probability, reading at most $O(k^2)$ bits of the corrupted ciphertext and performing computation polynomial in $k$. Thus, for large plaintext messages, our Public Key Decryption algorithm can decode and error-correct any $x_i$ with sublinear (in $|x|$) computation. We believe that the tools and techniques developed in this paper will be of independent interest in other settings.
2007
EPRINT
Quadratic Almost Perfect Nonlinear Functions With Many Terms
We introduce a new infinite family of multiterm functions that are APN on $GF(2^{2k})$ for odd $k$.
2007
EPRINT
Random Oracles and Auxiliary Input
We introduce a variant of the random oracle model where oracle-dependent auxiliary input is allowed. In this setting, the adversary gets an auxiliary input that can contain information about the random oracle. Using simple examples we show that this model should be preferred over the classical variant where the auxiliary input is independent of the random oracle. In the presence of oracle-dependent auxiliary input, the most important proof technique in the random oracle model, lazy sampling, does not apply directly. We present a theorem and a variant of the lazy sampling technique that allows one to perform proofs in the new model almost as easily as in the old one. As an application of our approach and to illustrate how existing proofs can be adapted, we prove that RSA-OAEP is IND-CCA2 secure in the random oracle model with oracle-dependent auxiliary input.
2007
EPRINT
Randomness Extraction via Delta-Biased Masking in the Presence of a Quantum Attacker
Randomness extraction is of fundamental importance for information-theoretic cryptography. It allows one to transform a raw key about which an attacker has some limited knowledge into a fully secure random key, on which the attacker has essentially no information. We show a new randomness-extraction technique which also works in the case where the attacker has quantum information on the raw key. Randomness extraction is done by XORing a so-called delta-biased mask to the raw key. To date, only very few techniques are known to work against a quantum attacker, much in contrast to the classical (non-quantum) setting, which is much better understood and for which a vast number of different techniques for randomness extraction are known. We show two applications of the new result. We first show how to encrypt a long message with a short key, information-theoretically secure against a quantum attacker, provided that the attacker has enough quantum uncertainty on the message. This generalizes the concept of entropically-secure encryption to the case of a quantum attacker. As a second application, we show how the new randomness-extraction technique allows one to do error correction without leaking partial information to a quantum attacker. Such a technique is useful in settings where the raw key may contain errors, since standard error-correction techniques may provide the attacker with information on, say, a secret key that was used to obtain the raw key.
2007
EPRINT
RC4 State Information at Any Stage Reveals the Secret Key
A theoretical analysis of the RC4 Key Scheduling Algorithm (KSA) is presented in this paper, where the nonlinear operation is swapping among the permutation bytes. Explicit formulae are provided for the probabilities with which the permutation bytes at any stage of the KSA are biased to the secret key. Theoretical proofs of these formulae have been left open since Roos's work (1995). Based on this analysis, an algorithm is devised to recover the $l$-byte (i.e., $8l$-bit, typically $5 \leq l \leq 16$) secret key from the permutation after any round of the KSA with constant probability of success. The search requires $O(2^{4l})$ operations, which is the square root of the exhaustive key search complexity $2^{8l}$. Moreover, given the state information, i.e., (a) the permutation, (b) the number of bytes generated (which is related to the index $i$) and (c) the value of the index $j$, after any number of rounds in the Pseudo-Random Generation Algorithm (PRGA) of RC4, one can deterministically get back to the permutation after the KSA and thereby extract the keys efficiently with a constant probability of success. Finally, a generalization of the RC4 KSA is analyzed corresponding to a class of update functions of the indices involved in the swaps. This reveals an inherent weakness of shuffle-exchange type key scheduling.
2007
EPRINT
Rebuttal of overtaking VEST
VEST is a set of four stream cipher families targeted at semiconductor applications. All VEST family members support efficient encryption, single-pass authenticated encryption, and collision-resistant hashing in one low-area module. VEST was submitted by Synaptic Laboratories to the ECRYPT NoE eSTREAM project in 2005. Recently, a single-digit typographical error was identified in the VEST counter diffuser description. Shortly afterwards Antoine Joux and Jean-René Reinhard published collisions in the counter diffuser based upon the erroneous description. By extending these collisions across the entire cipher state, they were able to explore various attack scenarios. We prove that the correction of the typographical error removes all the exploitable collisions in the counter diffuser during key and IV loading operations, thereby establishing that the Joux-Reinhard attacks are an artefact of the erroneous description. Complete test vectors are included.
2007
EPRINT
Reconfigurable Hardware Implementations of Tweakable Enciphering Schemes
Tweakable enciphering schemes are length-preserving block cipher modes of operation that provide a strong pseudo-random permutation. It has been suggested that these schemes can be used as the main building blocks for achieving in-place disk encryption. In the past few years there has been intense research activity towards constructing secure and efficient tweakable enciphering schemes. But actual experimental performance data for these newly proposed schemes are yet to be reported. Accordingly, in this paper we present optimized FPGA implementations of five tweakable enciphering schemes, namely HCH, HCTR, XCB, EME and TET, using a 128-bit AES core as the underlying block cipher. We report performance timings of these modes when using both pipelined and sequential AES structures. The universal polynomial hash function included in the specification of HCH, HCHfp (a variant of HCH), HCTR, XCB and TET was implemented using a Karatsuba-Ofman multiplier as the main building block. We provide detailed analyses of each of the schemes and their experimental performance achieved in various scenarios. Our experiments show that a sequential AES core is not an attractive option for the design of these modes as it leads to rather poor throughput. In contrast, by using an encryption/decryption pipelined AES core we get a throughput of 3.67 Gbps for HCTR, and by using an encryption-only pipelined AES core we get a throughput of 5.71 Gbps for EME. The performance results reported in this paper provide experimental evidence that hardware implementations of tweakable enciphering schemes can actually match and even outperform the data rates achieved by state-of-the-technology disk controllers, thus showing that they might be used for achieving provably secure in-place hard disk encryption.
2007
EPRINT
Reducing Trust in the PKG in Identity Based Cryptosystems
One day, you suddenly find that a private key corresponding to your Identity is up for sale on eBay. Since you do not suspect a key compromise, perhaps it must be the PKG who is acting dishonestly and trying to make money by selling your key. How do you find out for sure and even prove it in a court of law? This paper introduces the concept of Accountable Authority Identity-based Encryption (A-IBE). A-IBE is a new approach to mitigate the (inherent) key escrow problem in identity-based encryption schemes. Our main goal is to restrict the ways in which the PKG can misbehave. In our system, if the PKG ever maliciously generates and distributes a decryption key for an Identity, it runs the risk of being caught and prosecuted. In contrast to other mitigation approaches, our approach does not require multiple key generation authorities.
2007
EPRINT
Reflection Attacks on Product Ciphers
In this paper we describe a novel attack method on product ciphers, the reflection attack. The attack method exploits certain similarities among round functions which have not been utilized in previous self-similarity attacks. We give practical examples illustrating the power of the reflection attack on several ciphers such as GOST, DEAL and some variants of DES and Magenta. Many interesting and exceptional properties of the attack are also presented in these examples. In addition, we discuss new design criteria that make product ciphers resistant to self-similarity attacks and introduce a definition of similarity degree.
2007
EPRINT
Related-Key Statistical Cryptanalysis
This paper presents the Cryptanalytic Channel Model (CCM). The model treats statistical key recovery as communication over a low-capacity channel, where the channel and the encoding are determined by the cipher and the specific attack. A new attack, related-key recovery (the use of $n$ related keys generated from $k$ independent ones), is defined for all ciphers vulnerable to single-key recovery. It is shown to correspond to the use of a concatenated code over the channel, where the relationship among the keys determines the outer code, and the cipher and the attack the inner code. It is shown that there exists a relationship among keys for which the communication complexity per bit of independent key is finite, for any probability of key recovery error. This may be compared to the unbounded communication complexity per bit of the single-key-recovery attack. The practical implications of this result are demonstrated through experiments on reduced-round DES.
2007
EPRINT
Relations Among Notions of Plaintext Awareness
We introduce a new simplified notion of plaintext awareness, which we term PA2I, and show that this is equivalent to the standard definition of PA2 plaintext awareness for encryption schemes that satisfy certain weak security and randomness requirements. We also show that PA2 plaintext awareness is equivalent to PA2+ plaintext awareness under similar security and randomness requirements. This proves a conjecture of Dent that, for suitably random public-key encryption schemes, PA2 plaintext awareness implies PA1+ plaintext awareness.
2007
EPRINT
REMARKS ON IBE SCHEME OF WANG AND CAO
In this paper we analyze and find an anomaly in the security proof of the identity-based encryption (IBE) scheme fullM-IBE of Wang and Cao [9], which is based on mBDHP. Here we give another proof for fullM-IBE which is based on the Bilinear Diffie-Hellman Problem (BDHP). We also obtain a tightness improvement using a stronger assumption, namely the Bilinear Inverse Decision Diffie-Hellman problem (BIDDHP).
2007
EPRINT
Remote Power Analysis of RFID Tags
We describe the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. The power analysis can be carried out even if both the tag and the attacker are passive and transmit no data, making the attack very hard to detect. As a proof of concept, we use power analysis to extract the kill passwords from Class 1 EPC tags operating in the UHF frequency range. Tags from several major vendors were successfully attacked. Our attack can be extended to HF tags and to remote fault analysis. The main significance of our attack is not in the discovery of kill passwords but in its implications for future tag design: any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the performance of tags. (This is my Master's thesis, carried out under the supervision of Prof. Adi Shamir. It may be considered as the extended version of the article "Remote Password Extraction from RFID Tags", recently published in IEEE Transactions on Computers and indexed as http://dx.doi.org/10.1109/TC.2007.1050 or as http://ieeexplore.ieee.org/iel5/12/4288079/04288095.pdf.)
2007
EPRINT
Rerandomizable RCCA Encryption
We give the first perfectly rerandomizable, Replayable-CCA (RCCA) secure encryption scheme, positively answering an open problem of Canetti et al. [CRYPTO 2003]. Our encryption scheme, which we call the Double-strand Cramer-Shoup scheme, is a non-trivial extension of the popular Cramer-Shoup encryption. Its security is based on the standard DDH assumption. To justify our definitions, we define a powerful "Replayable Message Posting" functionality in the Universally Composable (UC) framework, and show that any encryption scheme that satisfies our definitions of rerandomizability and RCCA security is a UC-secure implementation of this functionality. Finally, we enhance the notion of rerandomizable RCCA security by adding a receiver-anonymity (or key-privacy) requirement, and show that it results in a correspondingly enhanced UC functionality. We leave open the problem of constructing a scheme that achieves this enhancement.
2007
EPRINT
Revisiting an Efficient Elliptic Curve Key Agreement Protocol
A recent paper by Wang \emph{et al.} has revealed a vulnerability in the ECKE-1 key agreement protocol. In particular, contrary to the author's claims, protocol ECKE-1 is shown to be susceptible to a key-compromise impersonation attack. This attack was also independently pointed out by the author in another recent paper published in the EURASIP Journal on Embedded Systems. Here we present a revised version of the protocol, ECKE-1R, that is key-compromise impersonation resilient at the expense of a higher computational workload and communication complexity with respect to the original protocol ECKE-1.
2007
EPRINT
Robust, Anonymous RFID Authentication with Constant Key-Lookup
A considerable number of anonymous RFID authentication schemes have been proposed. However, current proposals either do not provide robust security guarantees, or suffer from scalability issues when the number of tags issued by the system is very large. In this paper, we focus on approaches that reconcile these important requirements. In particular, we seek to reduce the complexity of identifying tags by the back-end server in anonymous RFID authentication protocols---what we term the key-lookup problem. We propose a compiler that transforms a generic RFID authentication protocol (supporting anonymity) into one that achieves the same guarantees with constant key-lookup cost even when the number of tags is very large (billions of tags and beyond). This approach uses a lightweight one-way trapdoor function and produces protocols that are suitable for deployment into current tag architectures. We then explore the issue of minimal assumptions required, and show that one-way trapdoor functions are necessary to achieve highly scalable, robustly secure solutions. We then relax the requirement of unlinkable anonymity, and consider scalable solutions that are provably secure and for which the loss of privacy is minimal.
2007
EPRINT
Saving Private Randomness in One-Way Functions and Pseudorandom Generators
Can a one-way function f on n input bits be used with fewer than $n$ bits while retaining comparable hardness of inversion? We show that the answer to this fundamental question is negative, if one is limited to black-box reductions. Instead, we ask whether one can save on secret random bits at the expense of more public random bits. Using a shorter secret input is highly desirable, not only because it saves resources, but also because it can yield tighter reductions from higher-level primitives to one-way functions. Our first main result shows that if the number of output elements of f is at most $2^k$, then a simple construction using pairwise-independent hash functions results in a new one-way function that uses only k secret bits. We also demonstrate that it is not the knowledge of security of f, but rather of its structure, that enables the savings: a black-box reduction cannot, for a general f, reduce the secret-input length, even given the knowledge that security of f is only $2^{-k}$; nor can a black-box reduction use fewer than k secret input bits when f has $2^k$ distinct outputs. Our second main result is an application of the public-randomness approach: we show a construction of a pseudorandom generator based on any regular one-way function with output range of known size $2^k$. The construction requires a seed of only $2n+O(k\log k)$ bits (as opposed to $O(n \log n)$ in previous constructions); the savings come from the reusability of public randomness. The secret part of the seed is of length only k (as opposed to n in previous constructions), less than the length of the one-way function input.
2007
EPRINT
Scalable Storage Scheme from Forward Key Rotation
Kallahalla et al. presented an RSA-based Forward Key Rotation mechanism in the secure storage scheme PLUTUS to ensure that the key used for encrypting updated files is related to the keys for all files in the file group. The encryption scheme based on Forward Key Rotation is one in which only the authorized person is allowed access to the designated files and their previous versions. In this paper, we present a Forward Key Rotation storage scheme based on the discrete logarithm and prove its security in the random oracle model. Moreover, we propose another, improved Forward Key Rotation storage scheme from pairings on elliptic curves. Compared to the scheme presented by Kallahalla et al., our scheme uses relatively short keys to provide equivalent security. In addition, in the improved scheme the re-generated keys can be verified to ensure that the keys are valid.
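The RSA-based forward key rotation that the abstract refers to, written out as a worked example. This is added by the editor and is not code from the paper or from PLUTUS; it assumes the construction as it is usually described: the file-group owner holds the RSA private exponent d and moves the key forward by k_{v+1} = k_v^d mod N, while anyone holding k_v moves backward with the public exponent e, k_{v-1} = k_v^e mod N. The 256-bit modulus, the Miller-Rabin prime generation and the SHA-256 file-key derivation are illustrative choices made here.

```python
"""Worked example (editor's addition, not from the paper or PLUTUS):
RSA-based forward key rotation.  Owner: k_{v+1} = k_v^d mod N.
Reader holding k_v: k_{v-1} = k_v^e mod N, so a reader admitted at
version v can reach every earlier key but nothing newer."""
import hashlib
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test; false positives are vanishingly unlikely."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


class GroupOwner:
    """Holds the RSA trapdoor d and rotates the file-group key forward."""

    def __init__(self, bits=256, e=65537):
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
                break
        self.n, self.e = p * q, e
        self._d = pow(e, -1, phi)  # private exponent, never handed to readers
        self.keys = [secrets.randbelow(self.n - 2) + 2]  # k_0, the initial group key

    def rotate(self):
        """k_{v+1} = k_v^d mod N.  Only the owner can do this.  Returns the new version."""
        self.keys.append(pow(self.keys[-1], self._d, self.n))
        return len(self.keys) - 1


def derive_earlier_key(n, e, k_v, v, target):
    """Reader side: from k_v recover k_target (target <= v) via k_{i-1} = k_i^e mod N.
    A newer version would need d, which readers do not have."""
    if target > v:
        raise ValueError("forward derivation requires the owner's private exponent d")
    k = k_v
    for _ in range(v - target):
        k = pow(k, e, n)
    return k


def file_key(k_v):
    """Illustrative symmetric file key for a version, derived from the group key."""
    return hashlib.sha256(k_v.to_bytes((k_v.bit_length() + 7) // 8, "big")).digest()


if __name__ == "__main__":
    owner = GroupOwner()
    for _ in range(3):
        owner.rotate()
    # A reader given k_3 recomputes k_0 .. k_2 without ever seeing d.
    recovered = [derive_earlier_key(owner.n, owner.e, owner.keys[3], 3, t) for t in range(4)]
    print("reader recovers all earlier keys:", recovered == owner.keys)
```

The one-way direction is what makes revocation work: after the owner rotates past version v, a reader who only ever held k_v cannot compute k_{v+1}, while a reader admitted later still reaches every old version with cheap public-exponent operations.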
2007
EPRINT
Second Preimage Attacks on Dithered Hash Functions
The goal of this paper is to analyze the security of dithered variants of the Merkle-Damgard mode of operation that use a third input to indicate the position of a block in the message to be hashed. These modes of operation for hash functions have been proposed to avoid some structural weaknesses of the Merkle-Damgard paradigm, e.g. that second preimages can be constructed in much less than $2^n$ work, as pointed out by Kelsey and Schneier. Among the modes of operation that use such a third input are Rivest's dithered hashing and Biham and Dunkelman's HAIFA proposal. We propose several new second preimage attacks on the Merkle-Damgard mode of operation, which can also attack Rivest's dithered hash with almost the same complexity. When applied to Shoup's UOWHF, these attacks can be shown to be optimal since their complexity matches Shoup's security bound.
2007
EPRINT
Secret sharing on infinite graphs
We extend the notion of perfect secret sharing scheme for access structures with infinitely many participants. In particular we investigate cases when the participants are the vertices of an (infinite) graph, and the minimal qualified sets are the edges. The (worst case) {\it information ratio} of an access structure is the largest lower bound on the amount of information some participant must remember for each bit in the secret -- just the inverse of the information rate. We determine this value for several infinite graphs: infinite path, two-dimensional square and honeycomb lattices; and give upper and lower bounds on the ratio for the triangular lattice. It is also shown that the information ratio is not necessarily {\em local}, i.e.~all finite spanned subgraphs have strictly smaller ratio than the whole graph. We conclude the paper by posing several open problems.
2007
EPRINT
Secret sharing on the infinite ladder
The notion of perfect secret sharing scheme has been extended to encompass infinite access structures, in particular infinite graphs. The participants are the vertices of the graph $G$ and the edges are the minimal qualified subsets. The information ratio (the inverse of the information rate) of $G$ is the largest lower bound on the amount of information, per secret bit, that some vertex must receive in each scheme realizing this access structure. We show that this value is 7/4 for the infinite ladder, solving an open problem from. We give bounds for other infinite graphs as well.
2007
EPRINT
Secure computation on incomplete networks
Secure multiparty computation of a multivariate function is a central problem in cryptography. It is known that secure multiparty computation can be realized by a set of $n$ parties iff the connectivity of the underlying (authenticated) communication network is more than twice the number of corrupted parties. This impossibility result makes secure multiparty computation far less applicable in practice, as most deployed networks have a much lower degree than $O(n)$ and ideally one would like to tolerate $\Theta(n)$ corrupted parties. This work proposes a new model for secure multiparty computation for settings where authenticated channels are not assumed to be available between every pair of parties, and in fact may be available between very few pairs of parties (i.e., networks of low degree). For such settings, it is clear that not all honest parties can achieve the traditional security guarantees of MPC. Honest parties which neither receive their correct outputs nor maintain the privacy of their inputs are called {\it sacrificed} parties. The new formulation of MPC, which allows some honest parties to be "sacrificed" in the manner described above, is called almost everywhere secure computation. We show how to adapt standard protocols for unconditionally secure MPC, which assume authenticated channels between all pairs of parties, so that they can execute on incomplete networks with special properties. Instrumental to our adaptation is a protocol for establishing secure channels between distant nodes of an incomplete network, using some infrastructure support from the incomplete network. The challenge of designing such a multiparty protocol can be abstracted as a two-party secret key agreement problem using a public broadcast channel.
2007
EPRINT
Secure Computation Without Authentication
Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the honest parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in itself, and also independent of the computation in the other sets. In the basic setting our construction provides, for the first time, non-trivial security guarantees in a model with no set-up assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and non-malleable commitments. As an application of our results, we study the question of constructing secure protocols in partially-authenticated networks, where some of the links are authenticated and some are not (as is the case in most networks today).
2007
EPRINT
Secure Deniable Authenticated Key Establishment for Internet Protocols
In 2005, Boyd et al.'s deniable authenticated key establishment protocols for Internet Key Exchange (IKE) were shown by Chou et al. to be vulnerable to the key-compromise impersonation (KCI) attack. To remedy this defect, we propose two protocol variants based on Boyd et al.'s deniable schemes for IKE that protect against the KCI attack and the man-in-the-middle (MITM) attack, while preserving deniability and authenticity.
2007
EPRINT
Secure Hybrid Encryption from Weakened Key Encapsulation
We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. CCCA has less demanding security requirements than standard chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintext-knowledge when making a decapsulation query) yet we can prove that CCCA is sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.
2007
EPRINT
Secure Identification and QKD in the Bounded-Quantum-Storage Model
We consider the problem of secure identification: user U proves to server S that he knows an agreed (possibly low-entropy) password w, while giving away as little information on w as possible, namely the adversary can exclude at most one possible password for each execution of the scheme. We propose a solution in the bounded-quantum-storage model, where U and S may exchange qubits, and a dishonest party is assumed to have limited quantum memory. No other restriction is posed upon the adversary. An improved version of the proposed identification scheme is also secure against a man-in-the-middle attack, but requires U and S to additionally share a high-entropy key k. However, security is still guaranteed if one party loses k to the attacker but notices the loss. In both versions of the scheme, the honest participants need no quantum memory, and noise and imperfect quantum sources can be tolerated. The schemes compose sequentially, and w and k can securely be re-used. A small modification to the identification scheme results in a quantum-key-distribution (QKD) scheme, secure in the bounded-quantum-storage model, with the same re-usability properties of the keys, and without assuming authenticated channels. This is in sharp contrast to known QKD schemes (with unbounded adversary) without authenticated channels, where authentication keys must be updated, and unsuccessful executions can cause the parties to run out of keys.
2007
EPRINT
Secure PRNGs from Specialized Polynomial Maps over Any $F_q$
We prove that a random map drawn from any class ${\frak C}$ of polynomial maps from $F_q^n$ to $F_q^{n+r}$ that is (i) totally random in the affine terms, and (ii) has a negligible chance of being not strongly one-way, provides a secure PRNG (hence a secure stream cipher) for any q. Plausible choices for ${\frak C}$ are semi-sparse (i.e., the affine terms are truly random) systems and other systems that are easy to evaluate from a small (compared to a generic map) number of parameters. To our knowledge, there are no other positive results for provable security of specialized polynomial systems, in particular sparse ones (which are natural candidates to investigate for speed). We can build a family of provably secure stream ciphers, a rough implementation of which at the same security level can be more than twice as fast as an optimized QUAD (and any other provably secure stream cipher proposed so far), and uses much less storage. This may also help build faster provably secure hashes. We also examine the effects on security of recent results on specialization, e.g., Aumasson-Meier (ICISC 2007), which precludes Merkle-Damgaard compression using polynomial systems uniformly very sparse in every degree from being universally collision-free. We conclude that our ideas are consistent with and complement these new results. We think that we can build secure primitives based on specialized (versus generic) polynomial maps which are more efficient.
2007
EPRINT
Secure Similarity Search
One of the most substantial ways to protect users' sensitive information is encryption. This paper is about keyword index search systems over encrypted documents. It has been thought that search with errors over encrypted data is impossible, because a 1-bit difference in the plaintexts may result in an enormous difference in the ciphertexts. We propose a novel idea to deal with search with errors over encrypted data. We develop two similarity search schemes, implement the prototypes and provide substantial analysis. We define security requirements for similarity search over encrypted data. The first scheme achieves perfect privacy in similarity search, but the second scheme is more efficient.
2007
EPRINT
Secure Two-Party k-Means Clustering
The k-Means Clustering problem is one of the most-explored problems in data mining to date. With the advent of protocols that have proven to be successful in performing single database clustering, the focus has changed in recent years to the question of how to extend the single database protocols to a multiple database setting. To date there have been numerous attempts to create specific multiparty k-means clustering protocols that protect the privacy of each database, but according to the standard cryptographic definitions of ``privacy-protection,'' so far all such attempts have fallen short of providing adequate privacy. In this paper we describe a Two-Party k-Means Clustering Protocol that guarantees privacy, and is more efficient than utilizing a general multiparty ``compiler'' to achieve the same task. In particular, a main contribution of our result is a way to compute efficiently multiple iterations of k-means clustering without revealing the intermediate values. To achieve this, we use novel techniques to perform two-party division and sample uniformly at random from an unknown domain size. Our techniques are quite general and can be realized based on the existence of any semantically secure homomorphic encryption scheme. For concreteness, we describe our protocol based on Paillier Homomorphic Encryption scheme (see [Pa]). We will also demonstrate that our protocol is efficient in terms of communication, remaining competitive with existing protocols (such as [JW]) that fail to protect privacy.
2007
EPRINT
Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries
In the setting of secure multiparty computation, a set of mutually distrustful parties wish to securely compute some joint function of their private inputs. The computation should be carried out in a secure way, meaning that no coalition of corrupted parties should be able to learn more than specified or somehow cause the result to be ``incorrect''. Typically, corrupted parties are either assumed to be semi-honest (meaning that they follow the protocol specification) or malicious (meaning that they may deviate arbitrarily from the protocol). However, in many settings, the assumption regarding semi-honest behavior does not suffice and security in the presence of malicious adversaries is excessive and expensive to achieve. In this paper, we introduce the notion of {\em covert adversaries}, which we believe faithfully models the adversarial behavior in many commercial, political, and social settings. Covert adversaries have the property that they may deviate arbitrarily from the protocol specification in an attempt to cheat, but do not wish to be ``caught'' doing so. We provide a definition of security for covert adversaries and show that it is possible to obtain highly efficient protocols that are secure against such adversaries. We stress that in our definition, we quantify over all (possibly malicious) adversaries and do not assume that the adversary behaves in any particular way. Rather, we guarantee that if an adversary deviates from the protocol in a way that would enable it to ``cheat'' (meaning that it can achieve something that is impossible in an ideal model where a trusted party is used to compute the function), then the honest parties are guaranteed to detect this cheating with good probability. We argue that this level of security is sufficient in many settings.
2007
EPRINT
Security analysis of the variant of the self-shrinking generator proposed at ICISC 2006
In this paper, we revisit the variant of the self-shrinking generator (SSG) proposed by Chang et al. at ICISC 2006. This variant, which we call SSG-XOR, was claimed to have better cryptographic properties than SSG in a practical setting. But we show that SSG-XOR has no advantage over SSG from the viewpoint of practical cryptanalysis.
2007
EPRINT
Security Analysis of WAPI Authentication and Key Exchange Protocol
We first do an in-depth security analysis of the authenticated key exchange protocol WAI in WAPI (WLAN Authentication and Privacy Infrastructure), point out its flaws and improve it. Next, we give a security proof of the new protocol WAI' in the CK security model, which indicates that WAI' has the corresponding security attributes in the CK security model and satisfies the requirements of WAPI.
2007
EPRINT
Security Arguments for a Class of ID-based Signatures
Provable security based on complexity theory provides an efficient way of giving convincing evidence of security. In this paper, we present a definition of generic ID-based signature schemes (GIBSS) by extending the definition of generic signature schemes, and prove the Forking Lemma for GIBSS. That is, we provide the Forking Lemma for ID-based signature schemes. The theoretical result can be viewed as an extension of the Forking Lemma due to Pointcheval and Stern to ID-based signature schemes, and can help to understand and simplify the security proofs. Then we propose a new and efficient ID-based signature scheme built upon bilinear maps. We prove its security under the k-CAA computational assumption in the random oracle model.
2007
EPRINT
Security Proof for Shengbao Wang's Identity-Based Encryption Scheme
This paper analyzes the security of an IBE scheme proposed by Wang in 2007. It is shown that under the BDHP assumption (which is polynomial-time equivalent to BIDHP) the scheme is secure in the random oracle model.
2007
EPRINT
Security under Key-Dependent Inputs
In this work we re-visit the question of building cryptographic primitives that remain secure even when queried on inputs that depend on the secret key. This was investigated by Black, Rogaway, and Shrimpton in the context of randomized encryption schemes and in the random oracle model. We extend the investigation to deterministic symmetric schemes (such as PRFs and block ciphers) and to the standard model. We term this notion "security against key-dependent-input attack", or KDI-security for short. Our motivation for studying KDI security is the existence of significant real-world implementations of deterministic encryption (in the context of storage encryption) that actually rely on their building blocks to be KDI secure. We consider many natural constructions for PRFs, ciphers, tweakable ciphers and randomized encryption, and examine them with respect to their KDI security. We exhibit inherent limitations of this notion and show many natural constructions that fail to be KDI secure in the standard model, including some schemes that have been proven in the random oracle model. On the positive side, we demonstrate examples where some measure of KDI security can be provably achieved (in particular, we show such examples in the standard model).
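The gap between ordinary PRF security and the KDI security defined above, shown as a worked example. This is the editor's addition, not code from the paper: F is HMAC-SHA256 treated as a PRF, and F' is the standard contrived variant that agrees with F on every input except x = k, where it returns the key. An adversary who may only choose inputs independently of k reaches that input by guessing k, so F' is still a PRF in the usual sense; an adversary allowed a key-dependent query h(k) = k (the "encrypt the key under itself" pattern that storage encryption can fall into) recovers k in one query. All keys and inputs are constructed here for the example.

```python
"""Editor's worked example (not from the paper): PRF security does not imply
KDI security.  F' below is a PRF on key-independent inputs yet gives up the
key on the single key-dependent input x = k."""
import hashlib
import hmac
import secrets

KEY_LEN = 32


def prf(key, x):
    """Ordinary PRF F: HMAC-SHA256 under a 32-byte key."""
    return hmac.new(key, x, hashlib.sha256).digest()


def contrived_prf(key, x):
    """F': identical to F except on the one input that equals the key itself."""
    if x == key:
        return key
    return prf(key, x)


def kdi_oracle(f, key):
    """KDI attack model: the adversary submits a function h of the key and is
    answered with f(key, h(key)).  The key is only reachable through f."""
    return lambda h: f(key, h(key))


def kdi_key_recovery(oracle):
    """Adversary: a single key-dependent query with h = identity, i.e. 'apply f to the key'."""
    return oracle(lambda k: k)


def key_recovered(f, key=None):
    """Run the one-query attack against f under a (fresh, if not given) random key."""
    key = key if key is not None else secrets.token_bytes(KEY_LEN)
    return kdi_key_recovery(kdi_oracle(f, key)) == key


def agree_on_independent_inputs(key, trials=1000):
    """On inputs chosen without knowledge of the key, F and F' coincide
    (the only disagreement is at x = key, hit with probability 2^-256)."""
    return all(contrived_prf(key, x) == prf(key, x)
               for x in (secrets.token_bytes(KEY_LEN) for _ in range(trials)))


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_LEN)
    print("F' behaves as F on key-independent inputs:", agree_on_independent_inputs(k))
    print("one KDI query recovers the key from F':", key_recovered(contrived_prf, k))
    print("same query against plain HMAC recovers the key:", key_recovered(prf, k))
```

The last line prints False only because no such weakness is known for HMAC, not because HMAC has been proven KDI secure; the point of the example is that the ordinary PRF definition says nothing about queries that depend on k, which is exactly the case a disk-encryption layer hits when the volume it encrypts contains its own key material.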
2007
EPRINT
Seven-Property-Preserving Iterated Hashing: ROX
Nearly all modern hash functions are constructed by iterating a compression function. At FSE'04, Rogaway and Shrimpton [RS04] formalized seven security notions for hash functions: collision resistance (Coll) and three variants of second-preimage resistance (Sec, aSec, eSec) and preimage resistance (Pre, aPre, ePre). The main contribution of this paper is in determining, by proof or counterexample, which of these seven notions is preserved by each of eleven existing iterations. Our study points out that none of them preserves more than three notions from [RS04]. In particular, only a single iteration preserves Pre, and none preserves Sec, aSec, or aPre. The latter two notions are particularly relevant for practice, because they do not rely on the problematic assumption that practical compression functions be chosen uniformly from a family. In view of this poor state of affairs, even the mere existence of seven-property-preserving iterations seems uncertain. As a second contribution, we propose the new Random-Oracle XOR (ROX) iteration that is the first to provably preserve all seven notions, but that, quite controversially, uses a random oracle in the iteration. The compression function itself is not modeled as a random oracle though. Rather, ROX uses an auxiliary small-input random oracle (typically 170 bits) that is called only a logarithmic number of times.
2007
EPRINT
Short Group Signature without Random Oracles
We construct a short group signature which is proven secure without random oracles. By making certain reasonable assumptions and applying the technique of non-interactive proof systems, we prove that our scheme achieves full anonymity and full traceability. Compared with other related works, such as BW06 and BW07, ours is more practical due to the short size of both the public key and the group signature.
2007
EPRINT
Smooth Projective Hashing and Two-Message Oblivious Transfer
We present a general framework for constructing two-message oblivious transfer protocols using a modification of Cramer and Shoup's notion of smooth projective hashing (2002). This framework is an abstraction of the two-message oblivious transfer protocols of Naor and Pinkas (2001) and Aiello et al. (2001), whose security is based on the Decisional Diffie Hellman Assumption. In particular, we give two new oblivious transfer protocols. The security of one is based on the Quadratic Residuosity Assumption, and the security of the other is based on the $N$'th Residuosity Assumption. Our security guarantees are not simulation based, but are similar to the guarantees of the aforementioned two constructions. Compared to other applications of smooth projective hashing, in our context we must deal also with maliciously chosen parameters, which raises new technical difficulties. We also improve on prior constructions of factoring-based smooth universal hashing, in that our constructions *do not require that the underlying RSA-composite is a product of safe primes*. In fact, we observe that the safe-prime requirement is unnecessary for many prior constructions. In particular, we observe that the factoring-based CCA secure encryption schemes due to Cramer-Shoup, Gennaro-Lindell and Camenisch-Shoup remain secure even if the underlying RSA-composite is not a product of safe primes. (This holds for the schemes based on the Quadratic Residuosity Assumption as well as the ones based on the $N$'th Residuosity Assumption.)
2007
EPRINT
Solving MRHS linear equations
A new method for solving algebraic equation systems common in cryptanalysis is proposed. Our method differs from the others in that the equations are not represented as multivariate polynomials, but as a system of Multiple Right Hand Sides linear equations. The method was tested on scaled versions of the AES. The results significantly improve on what was previously achieved with Gr\"{o}bner basis related algorithms.
2007
EPRINT
Some General Results on Chosen-ciphertext Anonymity in Public-key Encryption
In applications of public-key encryption schemes, anonymity (key-privacy) as well as security (data-privacy) is useful and widely desired. In this paper some new and general concepts in public-key encryption, i.e., "master-key anonymity", "relevant master-key anonymity" and "key-integrity", are introduced (the former two are defined for IBE schemes and the latter for any public-key encryption scheme). Using the concept of master-key anonymity, we prove that chosen-plaintext master-key anonymity is a sufficient condition for chosen-ciphertext anonymity in the recent elegant Canetti-Halevi-Katz and Boneh-Katz constructions. Using the concept of key-integrity, we prove that it is (together with chosen-plaintext anonymity) a necessary and sufficient condition for chosen-ciphertext anonymity. In addition to these general consequences, some practical examples are also investigated to show how easy such concepts are to use in practice.
2007
EPRINT
Some Identity Based Strong Bi-Designated Verifier Signature Schemes
The problem of generalization of (single) designated verifier schemes to several designated verifiers was proposed by Desmedt in 2003. The paper proposes eight new Identity Based Strong Bi-Designated Verifier Signature Schemes in which the two designated verifiers may not know each other. The security and the computational efficiency of the schemes are also analyzed.
2007
EPRINT
Some Results on Anonymity in Hybrid Encryption
Anonymity (key-privacy) as well as security (data-privacy) are both important features in public-key encryption applications. In this paper two new and general concepts, named "relevant anonymity" and "relevant security", are defined. Based upon these concepts some general results on anonymity in public-key encryption are proved, which fall into three categories. The first are two general relationships between anonymity and security; the second are a necessary and sufficient condition for chosen-plaintext anonymity in the Fujisaki-Okamoto hybrid construction and a sufficient condition for its chosen-ciphertext anonymity; the third is a sufficient condition for chosen-ciphertext anonymity in the Okamoto-Pointcheval hybrid construction (REACT). All these conditions are also easy-to-use criteria in practice. By way of examples, these general consequences are applied to some specific schemes and, as a result, the anonymity of some well-known schemes is re-established in a simpler way. Furthermore, the chosen-ciphertext anonymity of the NESSIE schemes PSEC-1/2/3 is proved.
2007
EPRINT
Somos Sequence Near-Addition Formulas and Modular Theta Functions
We have discovered conjectural near-addition formulas for Somos sequences. We have preliminary evidence suggesting the existence of modular theta functions.
2007
EPRINT
Space-Efficient Identity Based Encryption Without Pairings
Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space efficient IBE system without pairings. In this paper we present an IBE system in which ciphertext size is short: an encryption of an L-bit message consists of a single element in Z_N plus L+1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.
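The Cocks system that the abstract contrasts itself with, written out as a worked example so the ciphertext expansion is visible. This is the editor's addition, not code from the paper; it assumes a fixed toy master key made of two Mersenne primes (both 3 mod 4, as Cocks requires), maps identities into Z_N by hashing with a counter until the Jacobi symbol is +1, and encrypts one bit as two elements of Z_N (one for the case r^2 = a, one for r^2 = -a, since the sender cannot tell which holds). The size comparison at the end uses the figure the abstract gives for the new scheme: one element of Z_N plus L+1 bits.

```python
"""Editor's worked example (not from the paper): the Cocks IBE scheme from
quadratic residuosity.  Master key: P, Q = 3 (mod 4).  Identity -> a in Z_N
with (a/N) = +1.  Private key r with r^2 = +-a.  One bit costs 2 elements of Z_N."""
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime, P % 4 == 3 (toy master secret, fixed for the example)
Q = 2**89 - 1   # Mersenne prime, Q % 4 == 3 (toy master secret, fixed for the example)
N = P * Q       # public parameter


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def hash_identity(identity):
    """Map an identity string to a in Z_N with (a/N) = +1 (hash-with-counter, assumed here)."""
    ctr = 0
    while True:
        h = hashlib.sha512(identity.encode() + ctr.to_bytes(4, "big")).digest()
        a = int.from_bytes(h, "big") % N
        if a > 1 and jacobi(a, N) == 1:
            return a
        ctr += 1


def extract(identity):
    """PKG: with P, Q = 3 mod 4, r = a^((N+5-P-Q)/8) mod N satisfies r^2 = a or r^2 = -a."""
    a = hash_identity(identity)
    return pow(a, (N + 5 - P - Q) // 8, N)


def encrypt_bit(identity, bit):
    """Encrypt one bit, encoded as m = +1 (bit 0) or -1 (bit 1).  Sends
    s = t + a/t and s' = t' - a/t' with fresh random t, t' of Jacobi symbol m."""
    a = hash_identity(identity)
    m = -1 if bit else 1
    parts = []
    for sign in (1, -1):
        while True:
            t = secrets.randbelow(N - 2) + 2
            if jacobi(t, N) == m:
                break
        parts.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(parts)


def decrypt_bit(r, identity, ct):
    """Use s if r^2 = a, else s'.  Then s + 2r = (t + r)^2 / t, whose Jacobi
    symbol equals (t/N) = m, because (t+r)^2 has symbol +1 and (1/t) has symbol (t/N)."""
    a = hash_identity(identity)
    s, s_prime = ct
    chosen = s if pow(r, 2, N) == a else s_prime
    return 0 if jacobi((chosen + 2 * r) % N, N) == 1 else 1


def encrypt_bits(identity, bits):
    return [encrypt_bit(identity, b) for b in bits]


def decrypt_bits(r, identity, cts):
    return [decrypt_bit(r, identity, ct) for ct in cts]


def cocks_ciphertext_bits(msg_len):
    """Cocks: 2 elements of Z_N per message bit."""
    return 2 * msg_len * N.bit_length()


def bgh_ciphertext_bits(msg_len):
    """Size the abstract states for the new scheme: one element of Z_N plus L+1 bits."""
    return N.bit_length() + msg_len + 1


if __name__ == "__main__":
    ident = "alice@example.com"  # constructed sample identity
    r = extract(ident)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    ct = encrypt_bits(ident, msg)
    print("round trip ok:", decrypt_bits(r, ident, ct) == msg)
    print("Cocks bits for 8-bit message:", cocks_ciphertext_bits(8),
          " vs new scheme:", bgh_ciphertext_bits(8))
```

With a real 1024-bit N, Cocks spends 2048 bits per plaintext bit, which is the "long ciphertexts" problem; the scheme in the abstract amortises the single Z_N element over the whole message at the cost of slower encryption and decryption.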
2007
EPRINT
Special block cipher family DN and new generation SNMAC-type hash function family HDN
Special block cipher is a new cryptographic primitive designed to be a building block of the new generation hash functions SNMAC [Kl06]. Contrary to classical block ciphers, it is deliberately designed with a focus on those properties which are expected to be just a "side effect" of usual cipher constructions. Its design anticipates that an attacker could exploit or know its key, or even tamper with the key at will. The design criteria of SNMAC hash functions are publicly known. In the limit, these functions approach a random oracle; they are computationally resistant against preimage and collision attacks, and different special block cipher instances can be used in their design. In this paper, we present the special block cipher family Double Net DN(n,k)-rho with n-bit block, k-bit key and rho rounds, the construction principles of their building blocks and their design criteria. Based on DN, we define the hash function family HDN(n,k)-rho with n-bit hash code working on blocks of k-n bits. We introduce and propose to use DN(512,8192)-10 and HDN(512,8192)-10 as example instances. It turns out that these are not just theoretical concepts, but practically employable functions with speeds only 2-3 times lower than SHA-512 and Whirlpool. The basic idea behind the special block cipher DN is simple: contrary to the classical block cipher approach, the same attention is paid to key and plaintext processing. One SP network ensures key mixing, while the second one mixes the plaintext with the key. Once the special block cipher concept is examined and accepted in hash functions, it can also be used for its original purpose, data encryption. We suggest the transition from classical block ciphers to more secure special block ciphers in the future. Their advantage is their readiness for various attacks on the secret key, attacks which have recently started to emerge in classical block cipher cryptanalysis.
Among others, these include side-channel attacks, related-key attacks and rectangle attacks (see e.g. [Bi93], [Bi03], [Ki04], [Ho05], [Ki05], [Bi05], and [Bi06]). With the expansion of cryptographic instruments and cryptanalytic methods, these attacks will appear more and more frequently. Their common trait is the attempt to exploit the original assumption on the attacker's limited power over the secret key or limited knowledge of it. The defence against these attacks is illustrated by the evolution of the functions processing the secret key, starting with the simple copy-type functions used in DES and Triple DES to the weak non-linear functions in AES. We believe that this trend will continue towards strong non-linear functions (similar to the ones used in DN). The employment of these stronger functions in encryption might not seem a must at present, but it probably will be in the future. In hash functions, it is a necessity already today.
2007
EPRINT
Statistical Testing for Disk Encryption Modes of Operations
In this paper we present a group of statistical tests that explore the random behaviour of encryption modes of operation when used in disk encryption applications. The results of these tests help us to better understand how these modes work. We tested ten modes of operation with the presented statistical tests, five of the narrow-block type and five of the wide-block type. Our analysis shows weaknesses in some of these modes.
2007
EPRINT
Statistically Hiding Sets
Zero-knowledge set, a primitive introduced by Micali, Rabin, and Kilian (FOCS 2003), enables a prover to commit a set to a verifier, without revealing even the size of the set. Later the prover can give zero-knowledge proofs to convince the verifier of membership/non-membership of elements in/not in the committed set. We present a new primitive called Statistically Hiding Sets (SHS), similar to zero-knowledge sets, but providing an information theoretic hiding guarantee. This is comparable to relaxing zero-knowledge proofs to witness independent proofs. More precisely, we continue to use the simulation paradigm for our definition, but do not require the simulator (nor the distinguisher) to be efficient. We present a new scheme for statistically hiding sets, which does not fit into the "Merkle-tree/mercurial-commitment" paradigm used for all zero-knowledge set constructions so far. This not only provides some efficiency gains compared to the best possible schemes in that paradigm, but also lets us provide statistical hiding, without the prover having to maintain growing amounts of state with each new proof; this is not known to be possible with the previous approach. Our construction is based on an algebraic tool called trapdoor DDH groups (TDG), introduced recently by Dent and Galbraith (ANTS 2006). Ours is perhaps the first non-trivial application of this tool. However the specific hardness assumptions we associate with TDG are different, and of a strong nature: strong RSA and a knowledge-of-exponent assumption. Our new knowledge-of-exponent assumption may be of independent interest.
2007
EPRINT
Strengthening the Tree-Based Hash Protocols against Compromise of some Tags
In 2004, Molnar and Wagner introduced in [6] a very appealing scheme dedicated to the identification of RFID tags. Their protocol relies on a binary tree of secrets which are shared, for all nodes except the leaves, amongst the tags. Hence the compromise of one tag also has implications for the other tags with which it shares keys. We introduce a modification of the initial scheme that allows us to strengthen RFID tags by implementing the secrets with Physically Obfuscated Keys (POKs). In doing so, we increase the resistance of the tags and of the tree against physical threats.
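The tree-of-secrets identification the abstract describes, and the spreading effect of compromising a single tag, as an added example (this is not the paper's code nor Molnar and Wagner's; the binary tree of depth 3, the 16-byte node secrets and HMAC-SHA256 as the keyed hash are assumptions of the example):

```python
import hashlib
import hmac
import secrets

# Added example. Every non-root node of a complete tree with `branching`
# children per node holds a secret; a tag stores the `depth` secrets on its
# root-to-leaf path and proves knowledge of each with an HMAC, so the reader
# needs branching*depth PRF calls per identification instead of one per tag.


def build_tree(branching, depth, rand=secrets.token_bytes):
    """Map (level, node_index) -> 16-byte secret for every non-root node."""
    return {(lvl, idx): rand(16)
            for lvl in range(depth)
            for idx in range(branching ** (lvl + 1))}


def tag_path(tag_id, branching, depth):
    """Child choices of tag_id from the root down (most significant first)."""
    digits = []
    for _ in range(depth):
        digits.append(tag_id % branching)
        tag_id //= branching
    return digits[::-1]


def node_index(prefix, branching):
    """Index of the node reached by following `prefix` from the root."""
    idx = 0
    for d in prefix:
        idx = idx * branching + d
    return idx


def tag_secrets(tree, tag_id, branching, depth):
    """The secrets a tag is provisioned with: one per level of its path."""
    path = tag_path(tag_id, branching, depth)
    return [tree[(lvl, node_index(path[:lvl + 1], branching))]
            for lvl in range(depth)]


def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def tag_respond(path_secrets, reader_nonce, rand=secrets.token_bytes):
    """Tag side: a fresh nonce plus one keyed hash per level of the path."""
    tag_nonce = rand(8)
    return tag_nonce, [prf(k, reader_nonce, tag_nonce) for k in path_secrets]


def reader_identify(tree, branching, depth, reader_nonce, response):
    """Reader side: descend the tree, trying each child's secret at each level."""
    tag_nonce, proofs = response
    prefix = []
    for lvl in range(depth):
        for child in range(branching):
            cand = prefix + [child]
            key = tree[(lvl, node_index(cand, branching))]
            if hmac.compare_digest(prf(key, reader_nonce, tag_nonce), proofs[lvl]):
                prefix = cand
                break
        else:
            return None  # no child matched: unknown or tampered tag
    return node_index(prefix, branching)


def exposure_after_compromise(compromised_tag, branching, depth):
    """For every other tag, how many of its path secrets an attacker who
    extracted `compromised_tag` now knows (the length of the shared prefix).
    Knowing k of a tag's secrets lets the attacker recognise that tag's
    responses down to a subtree of branching**(depth-k) candidates."""
    victim = tag_path(compromised_tag, branching, depth)
    shared = {}
    for t in range(branching ** depth):
        if t == compromised_tag:
            continue
        path = tag_path(t, branching, depth)
        k = 0
        while k < depth and path[k] == victim[k]:
            k += 1
        shared[t] = k
    return shared
```

With a binary tree of depth 3 (8 tags), extracting tag 0 hands the attacker two of tag 1's three secrets and one secret of tags 2 and 3; only the four tags in the other half of the tree are untouched. That is the leakage the POK-based modification above is meant to contain.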
2007
EPRINT
Structural Identity-Based Encryption
In this paper, we introduce the concept of structural identity-based encryption (SIBE). Similar to hierarchical identity-based encryption (HIBE), entities in the system are organized into a hierarchy. An entity in SIBE can decrypt ciphertexts for all its ancestors. It can be seen as the opposite of HIBE, where an entity can decrypt ciphertexts for all its descendants. We formalize the notion and security requirements, propose an efficient construction and show that our construction is secure under appropriate assumptions in the random oracle model.
2007
EPRINT
Sufficient Conditions for Computational Intractability Regarding Generic Algorithms
The generic group model is a valuable methodology for analyzing the computational hardness of the number-theoretic problems used in cryptography. Although generic hardness proofs exhibit many similarities, the computational intractability of every newly introduced problem still needs to be proven from scratch, a task that can easily become complicated and cumbersome when done rigorously. In this paper we make the first steps towards overcoming this problem by identifying verifiable criteria which, if met by a cryptographic problem, guarantee its hardness with respect to generic algorithms. As a useful means for the formalization of definitions and proofs we relate the concepts of generic algorithms and straight-line programs, which have so far only been used independently in cryptography. The class of problems we cover includes a significant number of the cryptographic problems currently known, and is general enough to also include many future problems. Moreover, we strengthen the conventional generic model by incorporating a broader class of possible oracles (operations), since the underlying algebraic groups may be related through mappings such as isomorphisms, homomorphisms or multilinear maps. Our approach could serve as an appropriate basis for tool-aided hardness verification in the generic model.
2007
EPRINT
Symmetric Tardos fingerprinting codes for arbitrary alphabet sizes
Fingerprinting provides a means of tracing unauthorized redistribution of digital data by individually marking each authorized copy with a personalized serial number. In order to prevent a group of users from collectively escaping identification, collusion-secure fingerprinting codes have been proposed. In this paper, we introduce a new construction of a collusion-secure fingerprinting code which is similar to a recent construction by Tardos but achieves shorter code lengths and allows for codes over arbitrary alphabets. For binary alphabets, $n$ users and a false accusation probability of $\eta$, a code length of $m\approx \pi^2 c_0^2\ln(n/\eta)$ is provably sufficient to withstand collusion attacks of at most $c_0$ colluders. This improves Tardos' construction by a factor of $10$. Furthermore, invoking the Central Limit Theorem we show that even a code length of $m\approx \tfrac{1}{2}\pi^2 c_0^2\ln(n/\eta)$ is sufficient in most cases. For $q$-ary alphabets, assuming the restricted digit model, the code size can be further reduced. Numerical results show that a reduction of 35\% is achievable for $q=3$ and 80\% for $q=10$.
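An added example (not the authors' code) of the symmetric binary code the abstract describes: the code-length formula from the abstract, codeword generation under the arcsine bias distribution, the symmetric accusation score, and a majority-vote coalition that respects the marking assumption. The cutoff $t = 1/(300\,c_0)$, the Gaussian-tail accusation threshold in `demo()` and the seeded random generator are assumptions of this example, not values from the paper:

```python
import math
import random

# Added example. Position i gets a bias p_i from the arcsine density on
# [t, 1-t]; user j's bit X_ji is 1 with probability p_i. User j is accused if
# the weighted agreement of their codeword with the pirate copy y exceeds Z.


def code_length(c0, n, eta, clt=False):
    """m ~ pi^2 c0^2 ln(n/eta) from the abstract; clt=True gives the halved
    estimate it reports under the Central Limit Theorem."""
    m = math.pi ** 2 * c0 ** 2 * math.log(n / eta)
    return math.ceil(m / 2 if clt else m)


def generate_code(n, m, c0, rng):
    """Return (biases, code): biases[i] = p_i, code[j] = codeword of user j."""
    t = 1.0 / (300 * c0)                   # assumption: Tardos' cutoff
    t_prime = math.asin(math.sqrt(t))      # p = sin^2(theta), theta uniform
    biases, code = [], [[0] * m for _ in range(n)]
    for i in range(m):
        theta = rng.uniform(t_prime, math.pi / 2 - t_prime)
        p = math.sin(theta) ** 2
        biases.append(p)
        for j in range(n):
            code[j][i] = 1 if rng.random() < p else 0
    return biases, code


def score(codeword, pirate, biases):
    """Symmetric accusation sum: agreement with y_i is rewarded and
    disagreement penalised, for y_i = 0 as well as y_i = 1, with weights
    chosen so an innocent user's score has mean 0 and variance m."""
    s = 0.0
    for x, y, p in zip(codeword, pirate, biases):
        g1, g0 = math.sqrt((1 - p) / p), math.sqrt(p / (1 - p))
        if y == 1:
            s += g1 if x == 1 else -g0
        else:
            s += -g1 if x == 1 else g0
    return s


def majority_vote(colluder_words):
    """A coalition strategy obeying the marking assumption: wherever the
    colluders' bits all agree, the pirate copy carries that bit."""
    c = len(colluder_words)
    return [1 if 2 * sum(bits) > c else 0 for bits in zip(*colluder_words)]


def accuse(code, pirate, biases, threshold):
    scores = [score(w, pirate, biases) for w in code]
    return scores, [j for j, s in enumerate(scores) if s > threshold]


def demo(seed=1, n=12, c0=3, eta=0.01, colluders=(0, 1, 2)):
    rng = random.Random(seed)              # assumption: fixed seed for reproducibility
    m = code_length(c0, n, eta)
    biases, code = generate_code(n, m, c0, rng)
    pirate = majority_vote([code[j] for j in colluders])
    # Assumption: Gaussian-tail threshold. An innocent score is roughly
    # N(0, m), so P(score > Z) <= exp(-Z^2 / 2m) = eta / n per user, i.e. a
    # total false-accusation probability of about eta. Not the paper's exact Z.
    threshold = math.sqrt(2 * m * math.log(n / eta))
    scores, accused = accuse(code, pirate, biases, threshold)
    return {"m": m, "threshold": threshold, "accused": accused,
            "top_scorer": max(range(n), key=scores.__getitem__),
            "colluders": list(colluders)}
```

For 12 users, 3 colluders and $\eta = 0.01$ the formula gives $m = 630$ (315 under the CLT estimate). With the arcsine bias and three majority-voting colluders, each colluder's expected score is about $0.21\,m$, against an innocent user's standard deviation of $\sqrt{m}$, which is why the accused set lands inside the coalition.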
2007
EPRINT
Template Attacks with a Power Model
This article analyses some properties of the template attack. The examples come from attacks against an unprotected ASIC implementation of DES. Principal component analysis (PCA) is used to represent the templates in two dimensions. We give a physical interpretation of the templates' PCA eigenvalues and eigenvectors. We show that the S-boxes are not the target of template attacks. We point out that the efficiency of template attacks on unprotected implementations can be unleashed by using a power model. The most suitable power model happens to be linked to the key schedule. This casts new light on key schedule requirements for SCA resistance against a "template" attacker. The results are tailored to DES, because this symmetric block cipher is emblematic and is still promised a long life. Its key schedule is also remarkably simple, with cryptanalytic weaknesses that paradoxically turn out to be a strength against SCA.
2007
EPRINT
The BBG HIBE Has Limited Delegation
At Eurocrypt 2005, Boneh, Boyen, and Goh presented a hierarchical IBE for which they claimed a novel property, called limited delegation: it is possible to give an entity a private key that restricts it from generating descendant private keys beyond some depth d; in particular, with d equal to the entity's depth, such a key allows decryption only. In this paper, we argue that this claim is nonobvious and requires proof, provide a precise model for arguing about limited delegation, and prove that the Boneh-Boyen-Goh system does, in fact, have limited delegation. Whereas Boneh, Boyen, and Goh prove their system semantically secure under the BDHI assumption, our proof of limited delegation requires the stronger BDHE assumption.
2007
EPRINT
The constructing of $3$-resilient Boolean functions of $9$ variables with nonlinearity $240$
In this work we present a new way to construct 3-resilient Boolean functions of 9 variables with nonlinearity 240. Such functions were discovered only very recently by heuristic search. We find these functions by exhaustive search in the class of functions symmetric under cyclic shifts of the first seven variables. The exhaustive search was reduced significantly by using special techniques and algorithms which can be helpful in other similar problems. We also construct some new functions that attain the upper bound on nonlinearity for a higher number of variables.
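To check the two properties named in the abstract on a concrete function, here is an added example (not the authors' code) that computes the Walsh spectrum of a Boolean function from its truth table and reads off its resiliency order and nonlinearity. The truth-table bit convention and the small test functions are the example's own choices; a 9-variable candidate would be checked by supplying its 512-entry truth table:

```python
# Added example. A function of n variables is given as a truth table of
# length 2**n: entry x holds f(x), and bit i of the integer x is variable x_i.


def truth_table(n, f):
    """Truth table of f(bits), where bits is the tuple (x_0, ..., x_{n-1})."""
    return [f(tuple((x >> i) & 1 for i in range(n))) & 1 for x in range(1 << n)]


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for every a, via the fast
    Walsh-Hadamard transform (O(n 2^n) instead of O(4^n))."""
    n = len(tt).bit_length() - 1
    if 1 << n != len(tt):
        raise ValueError("truth table length must be a power of two")
    w = [1 - 2 * b for b in tt]            # (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt):
    """Hamming distance to the nearest affine function: 2^(n-1) - max|W_f|/2."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(x) for x in walsh_spectrum(tt)) // 2


def resiliency_order(tt):
    """Largest m such that W_f(a) = 0 for all a of Hamming weight <= m
    (Xiao-Massey characterisation). Returns -1 if f is not even balanced,
    so 0 means balanced but not 1-resilient."""
    n = len(tt).bit_length() - 1
    w = walsh_spectrum(tt)
    for m in range(n + 1):
        if any(w[a] != 0 for a in range(1 << n) if bin(a).count("1") == m):
            return m - 1
    return n  # unreachable: Parseval forces some W_f(a) != 0


def profile(n, f):
    tt = truth_table(n, f)
    return {"n": n,
            "balanced": 2 * sum(tt) == len(tt),
            "resiliency": resiliency_order(tt),
            "nonlinearity": nonlinearity(tt)}
```

The bent function $x_0x_1 \oplus x_2x_3$ reaches the 4-variable nonlinearity maximum of 6 but is not balanced (resiliency $-1$); the 3-variable majority function is balanced but only 0-resilient with nonlinearity 2; the parity function $x_0 \oplus x_1 \oplus x_2$ is 2-resilient with nonlinearity 0, the usual trade-off the abstract's 9-variable functions push against.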
2007
EPRINT
The Delivery and Evidences Layer
Evidence of delivery is essential for resolving (and avoiding) disputes on the delivery of messages, in classical as well as electronic commerce. We present the first rigorous specifications and provably-secure implementation of a communication layer providing time-stamped evidence for the message delivery process. This improves on existing standards for evidence ('non-repudiation') services, which are based on informal specifications and unproven designs. Our work also improves on the large body of analytical work on tasks related to evidence of delivery, such as certified mail/delivery protocols and fair exchange (of signatures). We improve on them by addressing practical needs and scenarios, using realistic synchronization and communication assumptions, supporting time-outs and failures, and providing a well-defined interface to the higher-layer (application) protocols. Furthermore, we use the layered specifications framework, allowing provably-secure use of our protocol with lower- and higher-layer protocols, with complete re-use of our analysis (theorems).
2007
EPRINT
The Effectiveness of Receipt-Based Attacks on ThreeBallot
The ThreeBallot voting system is an end-to-end (E2E) voter-verifiable voting system. Each voter fills out three ballots according to a few simple rules and takes a copy of one of them home as a receipt for verification purposes. All ballots are posted on a public bulletin board so that any voter may verify the result. In this paper we investigate the effectiveness of attacks using the voter's receipt and the bulletin board. We determine thresholds for when the voter's vote can be reconstructed from a receipt, and when a coercer can effectively verify if a voter followed instructions by looking for prespecified patterns on the bulletin board. Combining these two results allows us to determine safe ballot sizes that resist known attacks. We also generalize a previous observation that an individual receipt can leak information about a voter's choices.
2007
EPRINT
The Energy Cost of Cryptographic Key Establishment in Wireless Sensor Networks
Wireless sensor nodes generally face serious limitations in terms of computational power, energy supply, and network bandwidth. Therefore, the implementation of effective and secure techniques for setting up a shared secret key between sensor nodes is a challenging task. In this paper we analyze and compare the energy cost of two different protocols for authenticated key establishment. The first protocol employs a ``light-weight'' variant of the Kerberos key distribution scheme with 128-bit AES encryption. The second protocol is based on ECMQV, an authenticated version of the elliptic curve Diffie-Hellman key exchange, and uses a 256-bit prime field GF($p$) as underlying algebraic structure. We evaluate the energy cost of both protocols on a Rockwell WINS node equipped with a 133 MHz StrongARM processor and a 100 kbit/s radio module. The evaluation considers both the processor's energy consumption for calculating cryptographic primitives and the energy cost of radio communication for different transmit power levels. Our simulation results show that the ECMQV key exchange consumes up to twice as much energy as the Kerberos key distribution. However, in large-scale networks, ECMQV is more energy-efficient than Kerberos.
2007
EPRINT
The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks
Multiparty signature protocols need protection against rogue-key attacks, made possible whenever an adversary can choose its public key(s) arbitrarily. For many schemes, provable security has only been established under the knowledge of secret key (KOSK) assumption where the adversary is required to reveal the secret keys it utilizes. In practice, certifying authorities rarely require the strong proofs of knowledge of secret keys required to substantiate the KOSK assumption. Instead, proofs of possession (POPs) are required and can be as simple as just a signature over the certificate request message. We propose a general registered key model, within which we can model both the KOSK assumption and in-use POP protocols. We show that simple POP protocols yield provable security of Boldyreva's multisignature scheme [11], the LOSSW multisignature scheme [28], and a 2-user ring signature scheme due to Bender, Katz, and Morselli [10]. Our results are the first to provide formal evidence that POPs can stop rogue-key attacks.
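The rogue-key attack and the proof of possession that blocks it, as an added example (not the paper's code and not any of the cited schemes): toy Schnorr signatures in a subgroup of prime order 509, with the naive multisignature in which a signature under the product of the members' public keys counts as the group's signature. The group parameters $p = 1019$, $q = 509$, $g = 4$, the "signature over the public key" POP format and the seeded key generation are assumptions of the example:

```python
import hashlib
import random
import secrets

# Added example. Safe prime p = 2q + 1 = 1019; G = 2^2 generates the order-q
# subgroup. Assumption: chosen small enough to read, a deployment would use a
# 256-bit group. Signatures are (R, s) with s = k + H(R, m) * x mod q.
P, Q, G = 1019, 509, 4


def H(*parts):
    """Challenge hash, reduced mod Q."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(rand=secrets.randbelow):
    x = 1 + rand(Q - 1)
    return x, pow(G, x, P)


def sign(x, msg, rand=secrets.randbelow):
    k = 1 + rand(Q - 1)
    R = pow(G, k, P)
    return R, (k + H(R, msg) * x) % Q


def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H(R, msg), P) % P


def aggregate(pubkeys):
    """Naive key aggregation: the group key is the product of member keys."""
    Y = 1
    for y in pubkeys:
        Y = Y * y % P
    return Y


def rogue_key(honest_pubkeys, rand=secrets.randbelow):
    """Adversary picks x' and publishes y' = g^x' * (prod of honest keys)^-1.
    The aggregate key then equals g^x', whose secret only the adversary knows,
    so the adversary alone can sign on behalf of the whole group."""
    x_adv = 1 + rand(Q - 1)
    y_adv = pow(G, x_adv, P) * pow(aggregate(honest_pubkeys), -1, P) % P
    return x_adv, y_adv


def pop_create(x, y, rand=secrets.randbelow):
    """Proof of possession as in the abstract: a signature over the key itself."""
    return sign(x, str(y).encode(), rand)


def pop_verify(y, pop):
    return verify(y, str(y).encode(), pop)


def register(pubkeys, pops):
    """CA-style registration: only keys accompanied by a valid POP are admitted."""
    return [y for y, pop in zip(pubkeys, pops) if pop_verify(y, pop)]


def demo(seed=7):
    rand = random.Random(seed).randrange    # assumption: seeded for reproducibility
    x_h, y_h = keygen(rand)
    x_adv, y_adv = rogue_key([y_h], rand)
    group_key = aggregate([y_h, y_adv])
    msg = b"transfer all funds"
    forged = sign(x_adv, msg, rand)          # the honest member never took part
    # The best the adversary can do for a POP: sign with x', which does not
    # correspond to y' (y' = g^x' / y_h), so the check fails.
    rogue_pop = sign(x_adv, str(y_adv).encode(), rand)
    honest_pop = pop_create(x_h, y_h, rand)
    admitted = register([y_h, y_adv], [honest_pop, rogue_pop])
    return {
        "forgery_accepted_without_pop": verify(group_key, msg, forged),
        "honest_pop_ok": pop_verify(y_h, honest_pop),
        "rogue_pop_ok": pop_verify(y_adv, rogue_pop),
        "rogue_key_is_g_to_x_adv": y_adv == pow(G, x_adv, P),
        "admitted_keys": admitted,
    }
```

Without registration the forgery verifies under the two-member group key; with the POP check at registration the rogue key is never admitted, which is the formal content of the abstract's claim that a signature over the certificate request suffices.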
2007
EPRINT
The role of help in Classical and Quantum Zero-Knowledge
We study the role of help in Non-Interactive Zero-Knowledge protocols and its relation to the standard interactive model. In the classical case, we show that help and interaction are equivalent, answering an open question of Ben-Or and Gutfreund [BG03]. This implies a new complete problem for the class SZK, the Image Intersection Density. For this problem, we also prove a polarization lemma which is stronger than the previously known one. In the quantum setting, we define the notion of quantum help and show in a more direct way that help and interaction are again equivalent. Moreover, we define quantum Non-Interactive Zero-Knowledge with classical help and prove that it is equal to the class of languages that have classical honest-Verifier Zero Knowledge protocols secure against quantum Verifiers [Wat06, HKSZ07]. Finally, we provide new complete problems for all these quantum classes. Similar results were independently discovered by Dragos Florin Ciocan and Salil Vadhan.
2007
EPRINT
The Security of the Extended Codebook (XCB) Mode of Operation
The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCB's internal universal hash function to simplify the proof, and it defines a nonce mode in which XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design re-use and admits multi-purpose implementations.
2007
EPRINT
The simplest method for constructing APN polynomials EA-inequivalent to power functions
The first APN polynomials EA-inequivalent to power functions have been constructed in [1,2] by applying CCZ-equivalence to the Gold APN functions. It is a natural question whether it is possible to construct APN polynomials EA-inequivalent to power functions by using only EA-equivalence and inverse transformation on a power APN function: this would be the simplest method to construct APN polynomials EA-inequivalent to power functions. In the present paper we prove that the answer to this question is positive. By this method we construct a class of APN polynomials EA-inequivalent to power functions. On the other hand it is shown that the APN polynomials from [1,2] cannot be obtained by the introduced method. [1] L. Budaghyan, C. Carlet, A. Pott. New Classes of Almost Bent and Almost Perfect Nonlinear Functions. IEEE Trans. Inform. Theory, vol. 52, no. 3, pp. 1141-1152, March 2006. [2] L. Budaghyan, C. Carlet, A. Pott. New Constructions of Almost Bent and Almost Perfect Nonlinear Functions. Proceedings of the Workshop on Coding and Cryptography 2005, pp. 306-315, 2005.
2007
EPRINT
Tight bounds between algebraic immunity and nonlinearities of high orders
Among the cryptographically significant characteristics of Boolean functions used in symmetric ciphers, the algebraic immunity and the nonlinearities of high orders play an important role. Some bounds on the nonlinearities of high orders of Boolean functions via their algebraic immunity were obtained in recent papers. In this paper we improve these results and obtain new tight bounds. We prove a new universal tight lower bound that reduces the problem of estimating high order nonlinearities to the problem of finding the dimensions of some linear spaces of Boolean functions. As simple consequences we obtain all previously known bounds in this field. For polynomials with disjoint terms we reduce the search for the dimensions of the linear spaces of Boolean functions mentioned above to a simple combinatorial analysis. Finally, we prove a tight lower bound on the second-order nonlinearity of a function via its algebraic immunity.
2007
EPRINT
Time Capsule Signature: Efficient and Provably Secure Constructions
Time capsule signature, first formalized by Dodis and Yum at Financial Cryptography 2005, is a digital signature scheme which allows a signature to bear a (future) time t so that the signature will only be valid at time t or later, when a trusted third party called the time server releases time-dependent information for checking the validity of a time capsule signature. Also, the actual signer of a time capsule signature has the privilege of making the signature valid before time t. In this paper, we provide a new security model for time capsule signatures in which the time server is not required to be fully trusted. Moreover, we provide two efficient constructions, one in the random oracle model and one in the standard model. Our improved security model and provably secure constructions have the potential to enable some new e-commerce applications.
2007
EPRINT
Time-Memory-Data Trade-off Attack on Stream Ciphers based on Maiorana-McFarland Functions
In this paper, we present the time-memory-data (TMD) trade-off attack on stream ciphers filtered by Maiorana-McFarland functions. This can be considered as a generalization of the time-memory-data trade-off attack of Mihaljevic and Imai on Toyocrypt. First, we substitute the filter function in Toyocrypt (which has the same size as the LFSR) with a general Maiorana-McFarland function. This allows us to apply the attack to a wider class of stream ciphers. Second, we highlight how the choice of different Maiorana-McFarland functions can affect the effectiveness of our attack. Third, we show that the attack can be modified to apply to filter functions which are smaller than the LFSR and to filter-combiner stream ciphers. This allows us to cryptanalyze other configurations commonly found in practice. Finally, filter functions with vector output are sometimes used in stream ciphers to improve the throughput. Therefore the case when the Maiorana-McFarland functions have vector output is investigated. We find that the extra speed comes at the price of additional weaknesses which make the attacks easier.
2007
EPRINT
TinyTate: Identity-Based Encryption for Sensor Networks
In spite of several years of intense research, the area of security and cryptography in Wireless Sensor Networks (WSNs) still has a number of open problems. On the other hand, the advent of Identity-Based Encryption (IBE) has enabled a wide range of new cryptographic solutions. In this work, we argue that IBE is ideal for WSNs and vice versa. We discuss the synergy between the systems, describe how WSNs can take advantage of IBE, and present results for computation of the Tate pairing over resource constrained nodes.
2007
EPRINT
Towards Generating Secure Keys for Braid Cryptography
The braid cryptosystem was proposed at CRYPTO 2000 as an alternative public-key cryptosystem. The security of this system is based upon the conjugacy problem in braid groups. Since then, there have been several attempts to break the braid cryptosystem by solving the conjugacy problem in braid groups. In this paper, we first survey all the major attacks on the braid cryptosystem and conclude that the attacks were successful because the current ways of random key generation almost always result in weak instances of the conjugacy problem. We then propose several alternative ways of generating hard instances of the conjugacy problem for use in braid cryptography.
2007
EPRINT
Towards Key-Dependent Message Security in the Standard Model
Standard security notions for encryption schemes do not guarantee any security if the encrypted messages depend on the secret key. Yet it is exactly the stronger notion of security in the presence of *key-dependent* messages (KDM security) that is required in a number of applications: most prominently, KDM security plays an important role in analyzing cryptographic multi-party protocols in a formal calculus. But although often assumed, the mere existence of KDM secure schemes is an open problem. The only previously known construction was proven secure in the random oracle model. We present symmetric encryption schemes that are KDM secure in the standard model (i.e., without random oracles). The price we pay is that we achieve only a relaxed (but still useful) notion of key-dependent message security. Our work answers (at least partially) an open problem posed by Black, Rogaway, and Shrimpton. More concretely, our contributions are as follows:
- We present a (stateless) symmetric encryption scheme that is information-theoretically secure in the face of a *bounded* number and length of encryptions for which the messages depend in an arbitrary way on the secret key.
- We present a stateful symmetric encryption scheme that is computationally secure in the face of an arbitrary number of encryptions for which the messages depend only on the respective *current* secret state/key of the scheme. The underlying computational assumption is minimal: we assume the existence of one-way functions.
- We give evidence that the only previously known KDM secure encryption scheme cannot be proven secure in the standard model (i.e., without random oracles).
2007
EPRINT
Towards Provable Security for Routing Protocols in Mobile ad Hoc Networks
Mobile ad hoc networks (MANETs) are collections of wireless mobile devices with restricted broadcast range and resources, and no fixed infrastructure. Communication is achieved by relaying data along appropriate routes. Discovering such routes however is a major task, both from an efficiency point of view and from a security point of view. In particular, it is important that the route discovered is not controlled by the adversary. Several route discovery protocols have been proposed in the literature that address the particular requirements of a MANET, but as we demonstrate in this paper their security is still analyzed in weak models and cannot tolerate certain classes of attack. Recently, a security framework tailored to the specific requirements of MANETs was presented and a route discovery algorithm, endairA, was proposed that was ``proven'' secure in this framework. In this paper we show that the security proof for endairA is flawed, and that the proposed route discovery algorithm is vulnerable to a {\em hidden channel} attack. We then analyze the security framework used for route discovery and argue that composability is an essential feature for ubiquitous applications. We conclude by discussing some of the main issues that must be addressed for secure route discovery.
2007
EPRINT
Towards Security Limits in Side-Channel Attacks
In this paper, we consider a recently introduced framework that investigates physically observable implementations from a theoretical point of view. The model allows quantifying the effect of practically relevant leakage functions with a combination of security and information theoretic metrics. More specifically, we apply our evaluation methodology to an exemplary block cipher. We first consider a Hamming weight leakage function and evaluate the efficiency of two commonly investigated countermeasures, namely noise addition and masking. Then, we show that the proposed methodology allows capturing certain non-trivial intuitions, e.g. about the respective effectiveness of these countermeasures. Finally, we justify the need of combined metrics for the evaluation, comparison and understanding of side-channel attacks.
2007
EPRINT
Trapdoors for Hard Lattices and New Cryptographic Constructions
We show how to construct a variety of ``trapdoor'' cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with \emph{preimage sampling}, simple and efficient ``hash-and-sign'' digital signature schemes, universally composable oblivious transfer, and identity-based encryption. A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a Gaussian-like probability distribution whose standard deviation is essentially the length of the longest vector in the basis. In particular, the crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis.
2007
EPRINT
Turbo SHA-2
In this paper we describe the construction of Turbo SHA-2 family of cryptographic hash functions. They are built with design components from the SHA-2 family, but the new hash function has three times more chaining variables, it is more robust and resistant against generic multi-block collision attacks, its design is resistant against generic length extension attacks and it is 2 - 8 times faster than the original SHA-2. It uses two novel design principles in the design of hash functions: {\em 1. Computations in the iterative part of the compression function start by using variables produced in the message expansion part that have the complexity level of a random Boolean function, 2. Variables produced in the message expansion part are not discarded after the processing of the current message block, but are used for the construction of the three times wider chain for the next message block.} These two novel principles combined with the already robust design principles present in SHA-2 (such as the nonlinear message expansion part), enabled us to build the compression function of Turbo SHA-2 that has just 16 new variables in the message expansion part (compared to 48 for SHA-256 and 64 for SHA-512) and just 8 rounds in the iterative part (compared to 64 for SHA-256 and 80 for SHA-512).
2007
EPRINT
Two Linear Distinguishing Attacks on VMPC and RC4A and Weakness of RC4 Family of Stream Ciphers (Corrected)
At FSE 2004 two new stream ciphers, VMPC and RC4A, were proposed. VMPC is a generalisation of the stream cipher RC4, whereas RC4A is an attempt to increase the security of RC4 by introducing an additional permutation into the design. This paper is the first work presenting attacks on VMPC and RC4A. We propose two linear distinguishing attacks, one on VMPC of complexity $2^{39.97}$ and one on RC4A of complexity $2^{58}$. We investigate the RC4 family of stream ciphers and show some theoretical weaknesses of such constructions.
2007
EPRINT
Two New Examples of TTM
We will review the past history of the attacks and defenses of TTM. The main tool of the past attacks is linear algebra, while the defenses rely on algebraic geometry and commutative algebra. It is hard for attackers to completely succeed against the formidable castle of modern mathematics. It is against common sense that problems of algebraic geometry can always be solved by linear algebra. It repeatedly happens that the attackers find some points which could be exploited by linear algebra using complicated computations; usually the attackers overexaggerate the power of linear algebra and illusorily believe that they have succeeded totally, and then the points disappear by a simple twist in algebraic geometry and commutative algebra. All attacks in the past have simply strengthened the structures of TTM. For these facts we are very grateful to the attackers. Last year there was a paper entitled "Breaking a New Instance of TTM Cryptosystem" by Xuyun Nie, Lei Hu, Jianyu Li, Crystal Updegrove and Jintai Ding [11] claiming a successful attack on the scheme of TTM presented in [7]. In our previous article [8], we showed that their claim is a misunderstanding. The discussions of [11] and [8] center on whether the authors of [11] really use just the public keys. Right after we posted [8], to settle the discrepancy between [11] and [8], we sent the public keys of a new example (which is attached as Appendix I of this article) to the authors of [11] to test the claim in the abstract of [11], i.e., that they would be able to crack TTM using only the public keys (in 20 minutes, as stated in the abstract of [11]). After two weeks, Mr Nie asked for the private keys of the new example for his theoretical analysis, and we will consider his request only if he concedes that he is unable to crack the new example by the method of [11]. Since there has been no definite answer from them after 4 months, we will publish the example in this article to give other people a chance to attack it. Furthermore, we publish a second example as Appendix II.
2007
EPRINT
Two Trivial Attacks on Trivium
Trivium is a stream cipher designed in 2005 by C. De Cannière and B. Preneel for the European project eSTREAM. It has successfully passed the first phase of the project and has been selected for a special focus in the second phase for the hardware portfolio of the project. Trivium has an internal state of 288 bits and a key of length 80 bits. Although the design has a simple and elegant structure, no attack on it has been found yet. In this paper we study a class of Trivium-like designs. We propose a set of techniques that one can apply in the cryptanalysis of such constructions. The first group of methods is for recovering the internal state and the secret key of the cipher, given a piece of known keystream. Our attack is more than $2^{30}$ faster than the best known attack. Another group of techniques allows one to gather statistics on the keystream and to build a distinguisher. We study two designs: the original design of Trivium and a truncated version, Bivium, which follows the same design principles as the original. We show that the internal state of the full Trivium can be recovered in time around $c\cdot 2^{83.5}$, and for Bivium this complexity is $c\cdot 2^{36.1}$. These are the best known results for these ciphers. Moreover, a distinguisher for Bivium with working time $2^{32}$ is presented, the correctness of which has been verified by simulations.
2007
EPRINT
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles
We provide a positive result about the Fiat-Shamir (FS) transform in the standard model, showing how to use it to convert three-move identification protocols into two-tier signature schemes with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is a two-tier-scheme-based efficient transform of any unforgeable signature scheme into a strongly unforgeable one. (This extends Boneh, Shen and Waters [BSW06], whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way-function-based ones of the same computational cost, have smaller key and signature sizes.
2007
EPRINT
UICE: A High-Performance Cryptographic Module for SoC and RFID Applications
In order to overcome proprietary algorithms with respect to the system manufacturers, a free cryptographic module, the Universal Immobilizer Crypto Engine (UICE), will be proposed. This UICE algorithm is tailored to 8-bit microprocessor architectures and is therefore very fast in software and hardware. The dedicated hardware implementation leads to a small gate count, because the registers for input and output are shared. The important non-linear function, here an 8 x 8 S-Box, may be built as a gate array or small ROM with the advantage of flexibility. Several tests (statistical and random-number tests) have been performed in order to analyze the strength properties of the algorithm. So far no weakness was found after ten rounds of encryption. Although this cryptographic module was intentionally developed for Radio-Frequency Identification (RFID) systems, it is a proper choice for all systems needing embedded cryptography, such as SoC with bus encryption or firmware to be secured. As RFID systems have become commonplace in access control and security applications, the usage and importance of cryptographic co-processors in RFID transponder devices has grown significantly. Improved vehicle security systems, also known as immobilizers, are required due to increased vehicle theft worldwide. Such devices provide high security at low cost and low power.
2007
EPRINT
Universally Composable Key-evolving Signature
The standard digital signature scheme is easily subject to the key exposure problem. In order to overcome this problem, a feasible and effective approach is employed by the key-evolving signature scheme. In this paper, we study key-evolving signature within the UC framework and propose an appropriate ideal functionality that captures the basic security requirements of key-evolving signature. Then, we present a generic way to transform a key-evolving signature scheme into a real-life protocol. Finally, we show that the UC definition of security is equivalent to the previous definition of security, which is termed EU-CMA security.
2007
EPRINT
Universally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally composable multi-party computation has been studied in two settings:
\begin{itemize}
\item When a majority of participants are honest, universally composable multi-party computation is known to be possible without any assumptions.
\item When honest participants are \emph{not} in the majority, universally composable multi-party computation is known to be impossible (under any cryptographic assumption) in the bare model. On the other hand, feasibility results have been obtained (under standard cryptographic assumptions) in various augmented models, the most popular of which posits the existence of a \emph{common reference string} (CRS) available to all parties who are executing the protocol.
\end{itemize}
In either of the above settings, some \emph{assumption} regarding the protocol execution is made (i.e., that many parties are honest in the first case, or that a legitimately-chosen string is available in the second), and if this assumption is incorrect then all security is lost. A natural question is whether it is possible to design protocols giving \emph{some} assurance of security in case \emph{either one} of these assumptions holds, i.e., a single protocol (that uses a CRS) which is secure if \emph{either} at most $s$ players are dishonest \emph{or} if up to $t$ players are dishonest (with $t > s$) but the CRS is chosen in the prescribed manner. We show that such protocols exist if and only if $s+t < n$.
2007
EPRINT
Universally Composable Multiparty Computation with Partially Isolated Parties
It is well known that universally composable multiparty computation cannot, in general, be achieved in the standard model without setup assumptions when the adversary can corrupt an arbitrary number of players. One way to get around this problem is by having a trusted third party generate some global setup such as a common reference string (CRS) or a public key infrastructure (PKI). Recently, an alternative solution was proposed by Katz in \cite{Katz}, suggesting that one may rely on physical assumptions rather than trusted third parties. Concretely, the solution assumed it physically possible to construct tamper-proof hardware tokens which can be run in complete isolation from the surrounding environment. Here we improve upon the work of \cite{Katz} by constructing a scheme in which the tokens only need to be partially isolated and may have some {\em limited communication with the environment}. In addition we improve on Katz's work by presenting a scheme which is secure against \emph{adaptive adversaries} and is based on \emph{general cryptographic assumptions}. We also consider an alternative scenario, in which there are some trusted third parties but no single such party is trusted by all of the players. This compromise allows us to limit the use of the physical set-up and hence might be preferred in practice.
2007
EPRINT
Unlinkable Divisible Digital Cash without Trusted Third Party
We present an efficient divisible digital cash scheme which is unlinkable and does not require a Trusted Third Party. The size of the coin is proportional to the size of the primes we use, i.e., hundreds of bytes. The computational and communication complexity of the protocol is proportional to a polynomial in the size of the primes and a polylogarithm of the maximum number of pieces into which a coin can be subdivided.
2007
EPRINT
Unlinkable Randomizable Signature and Its Application in Group Signature
We formalize a generic method of constructing efficient group signatures, specifically, we define new notions of unlinkable randomizable signature, indirectly signable signature and $\Sigma$-protocol friendly signature. We conclude that designing efficient secure group signatures can be boiled down to designing ordinary signatures satisfying the above three properties, which is supported by observations that almost all currently known secure efficient group signatures have alternative constructions in this line without deteriorating the efficiency.
2007
EPRINT
Updated standards for validating elliptic curves
We give a concise statement of a test for security of elliptic curves that should be inserted into the standards for elliptic curve cryptography. In particular, current validation for parameters related to the MOV condition that appears in the latest draft of the IEEE P1363 standard \cite[Section A.12.1, Section A.16.8]{P1363} should be replaced with our subfield-adjusted MOV condition. Similarly, the Standards for Efficient Cryptography Group's document SEC 1 \cite{sec_1} should make adjustments accordingly.
2007
EPRINT
Using decision problems in public key cryptography
There are several public key establishment protocols as well as complete public key cryptosystems based on allegedly hard problems from combinatorial (semi)group theory known by now. Most of these problems are search problems, i.e., they are of the following nature: given a property P and the information that there are objects with the property P, find at least one particular object with the property P. So far, no cryptographic protocol based on a search problem in a non-commutative (semi)group has been recognized as secure enough to be a viable alternative to established protocols (such as RSA) based on commutative (semi)groups, although most of these protocols are more efficient than RSA is. In this paper, we suggest using decision problems from combinatorial group theory as the core of a public key establishment protocol or a public key cryptosystem. By using a popular decision problem, the word problem, we design a cryptosystem with the following features: (1) Bob transmits to Alice an encrypted binary sequence which Alice decrypts correctly with probability "very close" to 1; (2) the adversary, Eve, who is granted arbitrarily high (but fixed) computational speed, cannot positively identify (at least, in theory), by using a "brute force attack", the "1" or "0" bits in Bob's binary sequence. In other words: no matter what computational speed we grant Eve at the outset, there is no guarantee that her "brute force attack" program will give a conclusive answer (or an answer which is correct with overwhelming probability) about any bit in Bob's sequence.
2007
EPRINT
Utility Sampling for Trust Metrics in PKI
We propose a new trust metric for a network of public key certificates, e.g. as in PKI, which allows a user to buy insurance at a fair price on the possibility of failure of the certifications provided while transacting with an arbitrary party in the network. Our metric builds on a metric and model of insurance provided by Reiter and Stubblebine~\cite{RS}, while addressing various limitations and drawbacks of the latter. It conserves all the beneficial properties of the latter over other schemes, including protecting the user from unintentional or malicious dependencies in the network of certifications. Our metric is built on top of a simple and intuitive model of trust and risk based on ``utility sampling'', which may be of interest for non-monetary applications as well.
2007
EPRINT
Verifiable Attribute-based Encryption
In this paper, we construct two verifiable attribute-based encryption schemes. One is for single-authority ABE, and the other is for multi-authority ABE. Not only are our schemes proved secure as the formal schemes, but they also provide a verifiability property which allows the user to check the correctness of the keys immediately upon receiving them, without having to decrypt a wrong message.
2007
EPRINT
Verifying Data Integrity with Few Queries to Untrusted Memory
We present a novel technique for verifying the integrity of data stored in an untrusted memory with a small number of memory accesses. Memory integrity verification, which enables detection of tampering of data stored in untrusted memory, is an essential requirement of secure processors that provide private and tamper-proof computation. Limited on-chip storage in a secure processor makes it necessary for it to store data (including program code) in an untrusted external memory, where it is easily susceptible to adversarial tampering. Thus, to ensure validity of computation, it is extremely important to have techniques that can verify the integrity of data stored in untrusted memory. Existing memory integrity verification techniques, like Merkle trees, impose very high communication overhead, i.e., a large number of queries from processor to memory, in order to perform data integrity verification. Given that memory latency is very high compared to the execution speed of the processor, this imposes a significant running time penalty for applications executing on the processor. Our proposed technique, which is based on the Chinese remainder theorem, performs integrity verification with low communication overhead while incurring a modest increase in on-chip storage requirement. We present the details of the proposed technique and provide corresponding proofs of security and correctness.
2007
EPRINT
Verifying Statistical Zero Knowledge with Approximate Implementations
Statistical zero-knowledge (SZK) properties play an important role in designing cryptographic protocols that enforce honest behavior while maintaining privacy. This paper presents a novel approach for verifying SZK properties, using recently developed techniques based on approximate simulation relations. We formulate statistical indistinguishability as an implementation relation in the Task-PIOA framework, which allows us to express computational restrictions. The implementation relation is then proven using approximate simulation relations. This technique separates proof obligations into two categories: those requiring probabilistic reasoning and those that do not. The latter are a good candidate for mechanization. We illustrate the general method by verifying the SZK property of the well-known identification protocol of Girault, Poupard and Stern.
2007
EPRINT
VEST Ciphers
VEST (Very Efficient Substitution-Transposition) is a set of families of counter-assisted substitution-transposition ciphers designed and optimised specifically for ASIC and FPGA hardware. VEST ciphers provide fast scalable keystream generation, authenticated encryption and collision-resistant hashing at a very low cost in area and power consumption. All VEST ciphers support variable-length keys and IVs and are naturally very slow in software. Cores of VEST ciphers can be viewed as lightweight T-functions or large bijective nonlinear feedback shift registers (NLFSRs) with massively parallel feedback, assisted by a nonlinear residue number system (RNS) based counter with a very long period. Four VEST cipher family trees are introduced: 80-bit secure VEST4-80, 128-bit secure VEST8-128, 160-bit secure VEST16-160 and 256-bit secure VEST32-256, returning 4 to 32 bits of output per clock cycle while occupying ~3K to ~28K ASIC gates.
2007
EPRINT
VHASH Security
VHASH is an almost-delta-universal hash family, designed for exceptional performance on computers that multiply 64-bit quantities efficiently. Changes to the algorithm detailed in this note improve both security and performance over the original 2006 version. Speed is improved through a newly analyzed hash construction which allows the use of lower-degree polynomials. Claimed security is higher due primarily to improved analysis and a change in prime modulus. The result is a hash family capable of hashing cache-resident one kilobyte messages on the Intel Core 2 architecture at a rate of about one-half processor cycle per byte of message with a collision probability of less than $1/2^{61}$.
2007
EPRINT
Weak adaptive chosen ciphertext secure hybrid encryption scheme
We propose a security notion named weak adaptive chosen ciphertext security (IND-WCCA) for hybrid encryption schemes. Although it is weaker than adaptive chosen ciphertext security (IND-CCA), an IND-WCCA secure hybrid encryption scheme can be used in any situation in which an IND-CCA secure hybrid encryption scheme is used. We show that an IND-WCCA secure hybrid encryption scheme can be constructed from an IND-CCA secure KEM and an IND-PA secure DEM. Since IND-PA is the basic requirement of symmetric key encryption schemes, an IND-WCCA hybrid encryption scheme is very flexible and can use most stream ciphers and block ciphers as the DEM part of the scheme. Using the new security notion, we can refine current IND-CCA secure hybrid encryption schemes and get more efficient IND-WCCA secure hybrid encryption schemes.
2007
EPRINT
Weakly only Unforgeable Signature and Its Application in Group Signature
If a signature scheme is secure in the sense that no forgery on any new message (i.e., a message that has never been signed) is available to any computationally restricted adversary, it is said to be weakly unforgeable (wUF), in contrast to strongly unforgeable (sUF), meaning that no new signature on any old message (i.e., a message for which a valid signature is already known) is available to such adversaries. sUF signatures are generally considered advantageous over wUF ones because of the preference for high-level security. But the case may be different when they are employed to construct group signatures. Signatures that are wUF but not sUF, called WoUF signatures in this paper, are investigated here. It is found that by applying a generic construction to WoUF signatures with indirect-signability and perfect-unlinkability (also defined in this paper), we can regenerate many efficient group signatures in the literature. We also propose improvements to the group signature schemes of CL04, NSN04 and KY05, in line with our generic construction.
2007
EPRINT
Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy
The stream ciphers Py and Py6 were designed by Biham and Seberry for the ECRYPT-eSTREAM project in 2005. However, due to several recent cryptanalytic attacks on them, a strengthened version, Pypy, was proposed to rule out those attacks. The ciphers have been promoted to the `Focus' ciphers of Phase II of the eSTREAM project. The impressive speed of the ciphers makes them the forerunners in the competition. Unfortunately, even the new cipher Pypy was found to retain weaknesses, forcing the designers to again go for modifications. As a result, three new ciphers, TPypy, TPy and TPy6, were built. Among all the members of the Py-family of ciphers, TPypy is conjectured to be the strongest. So far, there is no known attack on TPypy. This paper shows that the security of TPypy does not grow exponentially with the key size. The main achievement of the paper is the detection of input-output correlations of TPypy that allow us to build a distinguisher with $2^{281}$ randomly chosen key/IVs and as many output words (each key generating one output word). The cipher TPypy was claimed by the designers to be secure with key sizes up to 256 bytes, i.e., 2048 bits. Our results establish that TPypy fails to provide adequate security if the key size is longer than 35 bytes, i.e., 280 bits. Note that the distinguisher is built within the design specifications of the cipher. Because of remarkable similarities between TPypy and TPy, our attacks are shown to be effective for TPy also. The paper also points out how the other members of the Py-family (i.e., Pypy and Py) are also weak against the current attacks.
2007
EPRINT
When e-th Roots Become Easier Than Factoring
We show that computing $e$-th roots modulo $n$ is easier than factoring $n$ with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form $x_i + c$. Here $c$ is fixed and $x_i$ denotes small integers of the attacker's choosing. Several variants of the attack are presented, with varying assumptions on the oracle, and goals ranging from selective to universal forgeries. The computational complexity of the attack is $L_n(\frac{1}{3}, \sqrt[3]{\frac{32}{9}})$ in most significant situations, which matches the {\sl special} number field sieve's ({\sc snfs}) complexity. This sheds additional light on {\sc rsa}'s malleability in general and on {\sc rsa}'s resistance to affine forgeries in particular -- a problem known to be polynomial for $x_i > \sqrt[3]{n}$, but for which no algorithm faster than factoring was known before this work.
2007
EPRINT
Which Languages Have 4-Round Zero-Knowledge Proofs?
We show, unconditionally, that if a language $L$ has a 4-round, black-box, computational zero-knowledge proof system with negligible soundness error, then $\bar L \in MA$. Assuming the polynomial hierarchy does not collapse, this means, in particular, that $NP$-complete languages do not have 4-round zero-knowledge proofs (at least with respect to black-box simulation).
2007
EPRINT
X-FCSR: a new software oriented stream cipher based upon FCSRs
Feedback with Carry Shift Registers (FCSRs) are a promising alternative to LFSRs in the design of stream ciphers. The previous constructions based on FCSRs were dedicated to hardware applications. In this paper, we describe X-FCSR, a family of software-oriented stream ciphers using FCSRs. The core of the system is composed of two 256-bit FCSRs. We propose two versions, X-FCSR-128 and X-FCSR-256, which output respectively 128 and 256 bits at each iteration. We study the resistance of our design against several cryptanalyses. In this way, we achieve high-throughput and secure stream ciphers suitable for software applications (6.3 cycles/byte).
2007
EPRINT
Yet Another MicroArchitectural Attack: Exploiting I-cache
MicroArchitectural Attacks (MA), which can be considered a special form of Side-Channel Analysis, exploit microarchitectural functionalities of processor implementations and can compromise the security of computational environments even in the presence of sophisticated protection mechanisms like virtualization and sandboxing. This newly evolving research area has attracted significant interest due to the broad application range and the potential of these attacks. Cache Analysis and Branch Prediction Analysis were the only types of MA that had been known publicly. In this paper, we introduce the Instruction Cache (I-Cache) as yet another source of MA and present our experimental results, which clearly prove the practicality and danger of I-Cache Attacks.
2007
EPRINT
Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol
We devise an abstraction of zero-knowledge protocols that is accessible to a fully mechanized analysis. The abstraction is formalized within the applied pi-calculus using a novel equational theory that abstractly characterizes the cryptographic semantics of zero-knowledge proofs. We present an encoding from the equational theory into a convergent rewriting system that is suitable for the automated protocol verifier ProVerif. The encoding is sound and fully automated. We successfully used ProVerif to obtain the first mechanized analysis of the Direct Anonymous Attestation (DAA) protocol. The analysis in particular required us to devise novel abstractions of sophisticated cryptographic security definitions based on interactive games.