International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-05-29
21:17 [Pub][ePrint]

In this work, we re-examine some fundamental group key-exchange and identity-based key-exchange protocols, specifically the Burmester-Desmedet group key-exchange protocol [7] (re-ferred to as the BD-protocol) and the Chen-Kudla identity-based key-exchange protocol [9]

(referred to as the CK-protocol). We identify some new attacks on these protocols, showing in particular that these protocols are not computationally fair. Specifically, with our attacks, an

adversary can do the following damages:

(1) It can compute the session-key output with much lesser computational complexity than that of the victim honest player, and can maliciously nullify the contributions from the victim honest players.

(2) It can set the session-key output to be some pre-determined value, which can be efficiently and publicly computed without knowing any secrecy supposed to be held by the attacker.

We remark these attacks are beyond the traditional security models for group key-exchange and identity-based key-exchange.

Then, based on the computationally fair Diffie-Hellman key-

exchange in [21], we present some fixing approaches, and prove that the fixed protocols are computationally fair.

21:17 [Pub][ePrint]

We propose a protocol to exchange Boneh-Boyen short signatures in a fair way, without relying on a trusted third party. Our protocol is quite practical and is the first of the sort to the bestof our knowledge.

Our construction uses a new non-interactive zero-knowledge (NIZK) argument to prove that a commitment is the encryption of a bit vector.

We also design a NIZK argument to prove that a commitment to a bit vector $v=(b_1,b_2,...,b_\\secparam)$ is such that $\\sum_{i \\in [\\secparam]}b_i2^{i-1}=\\Blinding$ where $\\Blinding$

is the discrete logarithm of some public value $\\BasicCommitment=g^\\Blinding$.These arguments may be of independent interest.

21:17 [Pub][ePrint]

In many applications of group signatures, not only a signer\'s

identity but also which group the signer belongs to is sensitive

information regarding signer privacy. In this paper, we study these

applications and combine a group signature with a ring signature to

create a ring group signature, which specifies a set of possible

groups without revealing which member of which group produced the

signature. The main contributions of this paper are a formal

definition of a ring group signature scheme and its security model,

a generic construction and a concrete example of such a scheme. Both

the construction and concrete scheme are provably secure if the

underlying group signature and ring signature schemes are

secure.

21:17 [Pub][ePrint]

We define and construct fully homomorphic message authenticators. In such a scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation. The user verifies this tag with her private key to ensure that the claimed result is indeed the correct output of the specified computation over previously authenticated data, without needing to know the underlying data itself. For example, a user can outsource the storage of large amounts of authenticated data to a remote server, and the server can later non-interactively certify the outputs of various computations over this data with only a short tag. Our construction uses fully homomorphic encryption in a novel way.

21:17 [Pub][ePrint]

The emergence and wide availability of remote storage service providers prompted work in

the security community that allows a client to verify integrity and availability of the data that

she outsourced to an untrusted remove storage server at a relatively low cost. Most recent

solutions to this problem allow the client to read and update (i.e., insert, modify, or delete)

stored data blocks while trying to lower the overhead associated with verifying the integrity

of the stored data. In this work we develop a novel scheme, performance of which favorably

compares with the existing solutions. Our solution enjoys a number of new features such as a

natural support for operations on ranges of blocks, revision control, and support for multiple

user access to shared content. The performance guarantees that we achieve stem from a novel

data structure termed a balanced update tree and removing the need to verify update operations.

21:17 [Pub][ePrint]

Certain block cipher confidentiality modes are susceptible to an adaptive chosen-ciphertext attack against the underlying format of the plaintext. When the application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values resulting in an oracle. In this paper we describe how to recognize and exploit such an oracle to decrypt ciphertext and control the decryption to result in arbitrary plaintext. We also discuss ways to mitigate and remedy the issue.

05:57 [PhD][Update]

Name: Olivier Markowitch
Topic: Non-repudiation protocols
Category:cryptographic protocols

2012-05-28
08:29 [Event][New]

Submission: 10 June 2012
From August 17 to August 19
Location: Kollam, India

08:27 [Event][New]

Submission: 17 June 2012
From September 20 to September 21
Location: Sofia, Bulgaria

08:26 [Event][New]

Submission: 3 September 2012
From February 25 to March 1
Location: San Francisco, USA

2012-05-25
17:39 [PhD][New]

Name: Peter Birkner
Topic: Efficient Arithmetic on Low-Genus Curves
Category: public-key cryptography

Description: Public key cryptosystems are almost always based on two problems in number theory, the discrete-logarithm problem and the factorisation of integers. In this\r\nthesis we treat certain aspects of both of these problems.\r\n
\r\nThe most crucial parts of a cryptosystem that is based on the discrete-logarithm problem are the group and the efficiency of the arithmetic in this group. In this work we have investigated divisor class groups of hyperelliptic curves of genus 2 and 3 over binary fields. We suggest certain curves such that the appropriate group is considered secure, and provide efficient arithmetic on these curves.\r\n
\r\nThe most important operation in curve-based cryptosystems is single-scalar multiplication of divisor classes. Therefore a very time-efficient arithmetic is necessary. Since scalar multiplication is almost always computed using double and-add algorithms (or variants of these), it stands to reason to develop efficient doubling and addition formulas. In case of elliptic curves it turned out that point halving is very efficient, and hence halve-and-add algorithms proved very successful and could even replace the double-and-add methods in some situations.\r\n
\r\nSo it is natural to ask if similar results can be obtained for hyperelliptic curves as well. For genus-2 curves we have developed explicit halving formulas which can in some settings even beat the doubling counterparts. For the high-speed case\r\non the genus-2 curves we also give a complete case study, that covers all special cases, depending on the polynomial representation of the divisor class.\r\n
\r\nWe have generalised this also to the genus-3 case and investigated several types of curves and developed explicit halving formulas. For some curves of a rather\r\ngeneral form we could even beat the doubling formulas by 10 to 20 field multiplications which is a speedup of about 30-40%. For the most common setting in\r\ngenus 3 we give (like in genus 2) a complete case study [...]