International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-11-17
04:17 [Pub][ePrint]

This work furthers the exploration of meaningful definitions for security of Functional Encryption. We propose new simulation based definitions for function privacy in addition to data privacy and study their achievability. In addition, we improve efficiency/ underlying assumptions/ security achieved by existing inner product Functional Encryption and Property Preserving Encryption schemes, in both the private and public key setting. Our results can be summarized as follows:

o We present a new simulation based definition, which we call Relax-AD-SIM, that lies between simulation based (SIM) and indistinguishability based (IND) definitions for data privacy, and implies the function privacy definition of [BRS13a]. Our definition relaxes the requirements on the simulator to bypass impossibility of SIM in the standard model. We show that the inner product FE scheme of [KSW08] enjoys Relax-AD-SIM security for function hiding and the inner product FE scheme of [LOS+10] enjoys Relax-AD-SIM security for data hiding.

o We study whether known impossibilities for achieving strong SIM based security imply actual real world attacks. For this, we present a new UC-style SIM based definition of security that captures both data and function hiding, both public key and symmetric key settings and represents the \"dream\" security of FE. While known impossibilities rule out its achievability in the standard model, we show, surprisingly, that it can be achieved in the generic group model for Inner Product FE ([KSW08]). This provides evidence that FE implementations may enjoy extremely strong security against a large class of real world attacks, namely generic attacks. It also implies a program obfuscator for the inner product functionality in the generic group model, which is related to the hyperplane-membership obfuscator of [CRV10].

o We provide several improvements to known constructions of Inner Product FE. In the private key setting, the construction by Shen et al. was based on non-standard assumptions, used composite order groups, and only achieved selective security. We give the first construction of a symmetric key inner product FE which is built using prime order groups, and is fully secure under the standard DLIN assumption. Our scheme is more efficient in the size of key and ciphertext than [SSW09], when the latter is converted to prime-order groups. We also port the public key inner product scheme of [KSW08] to prime order groups.

o We give the first standard model construction of a property preserving encryption (PPE) scheme [PR12] for inner-products. Our scheme is secure under the DLIN assumption and satisfies the strongest definition of security - Left-or-Right security. Note that previously known constructions were only known to be secure in the generic group model.

04:17 [Pub][ePrint]

Secure Multiparty Computation (MPC) is a fundamental problem in distributed cryptography. Although MPC in the synchronous communication setting has received tremendous attention in security research, recent interest in deploying MPC in real-life systems requires going beyond the synchronous setting and working towards MPC in the weaker asynchronous communication setting. The asynchronous setting, however, does not come without a penalty: asynchronous MPC (AMPC) protocols among n parties can only tolerate up to t < n/3 active corruptions in contrast to the synchronous protocols, which can tolerate up to t

04:17 [Pub][ePrint]

We present a general framework that converts certain types of linear collision-resistant hash

functions into one-time signatures. Our generic construction can be instantiated based on both

general and ideal (e.g. cyclic) lattices, and the resulting signature schemes are provably secure

based on the worst-case hardness of approximating the shortest vector (and other standard

lattice problems) in the corresponding class of lattices to within a polynomial factor. When

instantiated with ideal lattices, the time complexity of the signing and verification algorithms,

as well as key and signature size is almost linear (up to poly-logarithmic factors) in the dimension

n of the underlying lattice. Since no sub-exponential (in n) time algorithm is known to solve

lattice problems in the worst case, even when restricted to ideal lattices, our construction gives

a digital signature scheme with an essentially optimal performance/security trade-off.

04:17 [Pub][ePrint]

The article proposes a provably secure authenticated multiple key establishment protocol for Wireless Sensor Network. Security of the protocol is based on the computational infeasiblity of solving Elliptic Curve Discrete Logarithm Problem and Computational Diffie-Hellman Problem on Bilinear Pairing. User authentication is a one of the most challenging security requirement in wireless sensor networks

(WSN). It is required to establish the correct session key between two adjacent nodes of WSNs to achieve this security goal. Here we prove that, the proposed protocol is secure against the attack on data integrity and known key security attack on session key. It also provides perfect forward secrecy.

04:17 [Pub][ePrint]

We conduct an analysis of the RC4 algorithm as it is used in the IEEE WPA/TKIP wireless standard. In that standard, RC4 keys are computed on a per-frame basis, with specific key bytes being set to known values that depend on 2 bytes of the WPA frame counter (called the TSC). We observe very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification. These biases permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames (the so-called broadcast attack\'\' setting). We assess the practical impact of these attacks on WPA/TKIP.

04:17 [Pub][ePrint]

In threshold public-key encryption, the decryption key is divided into n

shares, each one of which is given to a different decryption user in order to avoid single points of failure. In this study, we propose a simple and efficient non-interactive threshold public-key encryption scheme by using the hashed Diffie-Hellman assumption in bilinear groups.

Compared with the other related constructions, the proposed scheme is more efficient.

04:17 [Pub][ePrint]

Deniable authentication protocols allow a sender to authenticate a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. In this study, we construct a fully deniable mutual authentication protocol based on RSA signature, and then a deniable authenticated key exchange protocol is constructed from the proposed protocol.

04:17 [Pub][ePrint]

Physical authentication brings extra security to software authentication by adding real-world input to conventional authentication protocols.

Existing solutions such as textual and graphical passwords are subject to brute force and shoulder surfing attacks, while users are reluctant to use biometrics for identification, due to its intrusiveness.

This paper uses Hamiltonian tokens as authentication means. The proposed token structure offers many possible configurations ({\\sl i.e.}, passwords) and is small enough to be carried on a physical keychain.

After presenting our general idea, we describe an efficient algorithm to produce these tokens. Our procedure was validated by running a recognition campaign on a wide batch of synthetic samples, and experimented on prototypes manufactured using a commercial 3D-printer.

04:17 [Pub][ePrint]

In the recent years, functional encryption (FE)

has received a lot of attention due to its

versatility and unique challenges it poses.

In FE, a receiver with secret-key $sk_y$ can compute from an

encryption of $x$ the value $F(y,x)$ for some

functionality $F$. The seminal work

of Boneh, Sahai and Waters [TCC\'11] showed

that for functional encryption the indistinguishability

notion of security (IND-Security) is weaker then simulation-based

and, moreover, showed that simulation-based security

is impossible to achieve even in weaker settings.

This has opened up the door to a plethora of papers,

showing feasibility and new impossibility results,

having in common the pursuit of a reasonable

and achievable simulation-based security definition.

With the same aim, in this work, we propose a new

simulation-based security definition that we call

{\\em rewinding simulation-based security} (RSIM-Security).

Rewinding arguments have been used

in all sorts of interactive protocols

and have been shown to be highly useful to argue

security. We exploit this power allowing

the simulator to rewind the adversary

under specific constraints.

Specifically, the simulator will be able to rewind

the adversary an arbitrary number of times

under the constraint that

information about the challenge messages than the

Under our new definition we show that:

(1) IND-Security is equivalent

to RSIM-Security

for {\\em predicate encryption with public-index}

(i.e. Attribute-Based Encryption)

in the {\\em standard model}. Previous results

showed impossibility results in the standard

model.

This {\\em equivalence} is the best one can hope

for general functionalities due to the counterexample of Boneh \\etal.

(2) Notwithstanding, we show that for notable classes of predicates (e.g., Anonymous IBE, inner-product over $\\Z_2$, any

family of circuits in $\\NC_0$, and monotone conjunctive Boolean formulae)

IND-Security is equivalent

to RSIM-Security in the standard

model.

Previous results showed impossibility results in the

standard model and the positive results were set

either in the random oracle or in more restricted security

definitions.

(3) On the negative side,

we show that our security

definition cannot be achieved

by functional encryption schemes for

general functionalities (specifically, functionalities that compute a pseudo-random function) in the adaptive setting. The argument

we use is to some extent the {\\em dual}

of that used by

Agrawal, Gorbunov, Vaikuntanathan, and Wee

(4) We complete the picture showing the achievability of unbounded simulation (USIM) answering positively to a question posed by Agrawal, Gorbunov, Vaikuntanathan and Wee [CRYPTO 2013].

04:17 [Pub][ePrint]

In this paper we perform a comprehensive area, power, and energy analysis of some of the most recently-developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSIM simulations.We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed; or it can help deciding which algorithm to choose based on energy and key/block length requirements.

04:17 [Pub][ePrint]

As recent studies show, the notions of *program obfuscation* and *zero

knowledge* are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists *differing input obfuscation* (diO) for the class of all polynomial time Turing machines, then there exists a *four message, fully concurrent zero-knowledge* proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an *explicit* simulator that is straight line\'\' and runs in strict

polynomial time.

Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions.

The round complexity of our protocol also sheds new light on the *exact* round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than *stand alone* zero-knowledge!