*01:17*[Pub][ePrint] EMV Key Agreement, by Christina Brzuska and Nigel P. Smart and Bogdan Warinschi and Gaven J. Watson

We present an analysis of the recently proposed key agreement protocol for use by EMV cards (a.k.a. chip-and-pin cards).

Get an update on changes of the IACR web-page here. For questions, contact *newsletter (at) iacr.org*.
You can also get this service via

- eMail subscription
- RSS (select channels below)
- Web (all channels)

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

We present an analysis of the recently proposed key agreement protocol for use by EMV cards (a.k.a. chip-and-pin cards).

In this paper, we consider both theoretical and practical aspects of

robust NI-PE (non-interactive polynomial evaluation with detection of

cheaters). First, we give a necessary condition of adversary structures for which perfectly robust NI-PE with small communication complexity exists. More precisely, we show that for any positive integers $n$, $m$ and $d>1$, an $n$-player access structure $U$, and an $n$-player adversary structure $T$, there exists a $U$-participating NI-PE scheme for $m$-variate polynomials over a finite field $F$ with $T$-private inputs such that (1) perfectly robust (i.e., successful cheating probability $\\epsilon=0$), (2) any polynomial of degree $d$ can be evaluated, and (3) the total size of shares of the output for some participating set is $o(m)\\times \\log |F|$, {\\em only if} $T$ is of type $Q_{d+1}$ for $U$, meaning that no $d+1$ sets in $T$ cover any set in $U$. Second, we give constructions of perfectly robust NI-PE schemes against threshold adversary and general adversary, respectively. All the proposed schemes ensure perfect robustness against $Q_{d+1}$ adversary, and computability of arbitrary polynomial of degree $d$. Third, we show that efficient robust NI-PE schemes against general adversary can be constructed by allowing cheaters very small chance of successful cheating. Namely, we construct two robust NI-PE schemes with $\\epsilon=1/|F|$ and the total size for shares of the output is only three times larger compared to the perfectly robust NI-PE scheme against threshold adversary.

In this paper, we introduce a general paradigm called identity-based extractable hash proof system (IB-EHPS), which is an extension of extractable hash proof system (EHPS) proposed by Wee (CRYPTO \'10). We show how to construct identity-based key encapsulation mechanism

(IB-KEM) from IB-EHPS in a simple and modular fashion. Our construction provides a generic method of building and interpreting CCA-secure IB-KEMs based on computational assumptions.

As instantiations, we realize IB-EHPS from the bilinear Diffie-Hellman assumption and the modified bilinear Diffie-Hellman assumption, respectively.

Password-Authenticated Key Exchange (PAKE) has received deep

attention in the last few years, with a recent strong improvement by

Katz-Vaikuntanathan, and their one-round protocol: the two players just have to send simultaneous flows to each other, that depend on their own passwords only, to agree on a shared high entropy secret key. We follow their work with a further study of their new Smooth-Projective Hash Function framework, and namely we introduce new efficient instantiations on IND-CCA ciphertexts.

It allows us to design the most efficient PAKE known so far: a

one-round PAKE with two simultaneous flows consisting of 6 group elements each only, in any DDH-group.

Our scheme resists off-line dictionary attacks in the

Bellare-Pointcheval-Rogaway model, under the DDH assumption with a CRS.

We thereafter show how our new instantiations can prove more complex equations.

We then apply them to propose quite efficient instantiations in

the standard model of the more general family of protocols, termed

Langage-Authenticated Key Exchange.

They include quite concrete key exchange protocols, such as PAKE,

Verifier-based PAKE and Secret Handshakes.

In Verifier-based PAKE, the server knows a transformation of the password only, which limits impact of the corruption of the server, since exhaustive search would still have to be performed to recover the actual passwords.

In Secret Handshakes, two members of the same group want to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. Outsiders do not learn anything about the outcome of the protocol.

A protocol for NFC mobile authentication and transaction is recently proposed by W. Chen et al. This protocol is used for micropayments, where the Mobile Network Operator (MNO) pays for its customers. The main advantage of this protocol is its compatibility with the existing GSM network. This paper suggests some improvements in this protocol from security point of view. As this protocol is used for monetary transactions, it should be as secure as possible. This paper presents an improved version of the existing protocol with a detailed analysis at the end. The user interaction with the system is improved making

it more user friendly. An additional layer of security has been added by introducing PIN authentication by the user. Mutual authentication is improved by adding freshness by the mobile device in order to resist replay attack. We also add digital signatures with the transaction messages for data integrity and non-repudiation.

We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically secure under the (error-free) approximate GCD problem. We also show how to perform arbitrary permutations on the underlying plaintext vector given the ciphertext and the public key. Our scheme offers competitive performance: we describe an implementation of the fully homomorphic evaluation of AES encryption, with an amortized cost of about 12 minutes per AES ciphertext on a standard desktop computer; this is comparable to the timings presented by Gentry et al. at Crypto 2012 for their implementation of a Ring-LWE based fully homomorphic encryption scheme.

This article proposes a provably secure aggregate signcryption scheme in random oracles. Security of the scheme is based on computational infesibility of solving Decisional Bilinear Diffie-Hellman Problem and Discrete Logarithm Problems. Confidentiality

and authenticity are two fundamental security requirement of Public key Cryptography. These are achieved by encryption scheme and digital signatures respectively. Signcryption scheme is a cryptographic primitive that performs signature and encryption simultaneously in a single logical steps. An aggregate signcryption scheme can be constructed of the aggregation of individual signcryption. The aggreagtion is done taking n distinct signcryptions

on n messages signed by n distinct users.

In a {verifiable data streaming} protocol, the client streams a long

string to the server who stores it in its database. The stream is verifiable

in the sense that the server can neither change the order of the elements

nor manipulate them. The client may also retrieve data

from the database and update them. The content of the database is

publicly verifiable such

that any party in possession of some value $s$ and a proof $\\pi$

can check that $s$ is indeed in the database.

We introduce the notion of verifiable data streaming

and present an efficient instantiation that supports an exponential number of values

based on general assumptions. Our main

technique is an authentication tree in which the leaves are not fixed in

advanced such that the user, knowing some trapdoor, can authenticate

a new element on demand \\emph{without} pre- or re-computing all other

leaves. We call this data structure \\emph{chameleon authentication tree} (CAT).

We instantiate our scheme with primitives that are secure under the

discrete logarithm assumption. The algebraic properties of this

assumption allow us to obtain a very efficient verification algorithm.

As a second application of CATs, we present a new transformation

from any one-time to many-time signature scheme

that is more efficient than previously known solutions.

Lattice-based cryptography is one of the candidates in the area of post-quantum cryptography. Cryptographic schemes with security reductions to hard lattice problems (like the Shortest Vector Problem SVP) offer an alternative to recent number theory-based schemes. In order to guarantee asymptotic efficiency, most lattice-based schemes are instantiated using polynomial rings over integers. These lattices are called \'ideal lattices\'. It is assumed that the hardness of lattice problems in lattices over integer rings remains the same as in regular lattices. In order to prove or disprove this assumption, we instantiate random ideal lattices that allow to test algorithms that solve SVP and its approximate version. The Ideal Lattice Challenge allows online submission of short vectors to enter a hall of fame for full comparison. We adjoin a set of first experiments and a first comparison of ideal and regular lattices.

Recently, a few CCA2-secure (IND-CCA2) variant of the McEliece cryptosystem in the standard model were introduced. All these

schemes are based on Rosrn-Segev approach and lossy trapdoor function

and utilize k-repetition paradigm. The main drawback of these chemes is that they are need additional encryption and have large key size compared to the original scheme, which intricate the public-key size problem in the code-based cryptosystem. Furthermore, full CCA2-security of these schemes achieved by using a strongly unforgeable one-time signature scheme, and so, the resulting scheme need separate encryption. Therefore, the proposed schemes are not efficient.

In this manuscript, we propose a new and efficient IND-CCA2 variant of the McEliece cryptosystem in the standard model. The main novelty is that, unlike previous approaches, our approach is a generic ransformation and can be applied to any code-based one-way cryptosystem (both the McEliece and the Niederreiter cryptosystems). Our approach also leads to the elimination of the encryption repetition and using strongly unforgeable one-time signature scheme. This novel approach is more efficient, the publick/secret keys are as in the original scheme and the encryption/decryption complexity are comparable to the original scheme. CCA2-security of the proposed scheme can be reduced in the standard model to the McEliece assumptions. To the best of our knowledge, this is the first variant of the code-based cryptosystem that is IND-CCA2 in the standard model without using k-repetition paradigm and strongly

unforgeable one-time signature scheme.

Efficient computation of $r$-th root in $\\mathbb F_q$ has many

applications in computational number theory and many other related

areas. We present a new $r$-th root formula which generalizes

M\\\"{u}ller\'s result on square root, and which provides a possible

improvement of the Cipolla-Lehmer algorithm for general case. More

precisely, for given $r$-th power $c\\in \\mathbb F_q$, we show that

there exists $\\alpha \\in \\mathbb F_{q^r}$ such that

$Tr\\left(\\alpha^\\frac{(\\sum_{i=0}^{r-1}q^i)-r}{r^2}\\right)^r=c$

where $Tr(\\alpha)=\\alpha+\\alpha^q+\\alpha^{q^2}+\\cdots

+\\alpha^{q^{r-1}}$ and $\\alpha$ is a root of certain irreducible

polynomial of degree $r$ over $\\mathbb F_q$.