International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-11-21
19:17 [Pub][ePrint]

We revisit the concept of public key encryption with delegated keyword search (PKEDS), a concept proposed by Ibraimi et al. A PKEDS scheme allows a receiver to authorize third-party server(s) to search in two ways: either according to a message chosen by the server itself or according to a trapdoor sent by the receiver. We show that the existing formulation has some defects and the proposed scheme is unnecessarily inefficient. Based on our analysis, we present a refined formulation of the primitive with a new security model. We then propose a new PKEDS scheme, which is proven secure and much more efficient than the original scheme by Ibraimi et al.

19:17 [Pub][ePrint]

Predicate encryption (PE) that provides both the access control of ciphertexts and the privacy of ciphertexts is a new paradigm of public-key encryption. An important application of predicate encryption is a searchable encryption system in a cloud storage, where it enables a client to securely outsource its data to an untrusted cloud server and to search over it even without revealing a keyword itself. One practical issue of predicate encryption is to devise an efficient revocation method to revoke a user when the secret key of the user is compromised. Privacy preserving revocable predicate encryption (RPE) can provide not only revocation, but also the privacy of revoked users.

In this paper, we first define two new security models of privacy preserving RPE: the strongly full-hiding security and the weakly full-hiding security. The strongly full-hiding security provides the full privacy of ciphertexts against outside and inside adversaries, but the weakly full-hiding security only provides the full privacy of ciphertexts against an outside adversary who cannot decrypt the challenge ciphertext. Next, we propose two general RPE constructions from any inner product encryption (IPE) schemes, and prove their security. This first RPE scheme provides the strongly full-hiding security, but the size of ciphertexts is proportional to the number of users in the system. The second RPE scheme improves the efficiency of the first RPE scheme such that the size of ciphertexts is sublinear and the decryption algorithm is efficient, but it provides the weakly full-hiding security.

19:17 [Pub][ePrint]

Rakaposhi is a synchronous stream cipher, which uses three main components a non-linear

feedback shift register (NLFSR), a dynamic linear feedback shift register (DLFSR) and a

non-linear filtering function ($NLF$). NLFSR consists of 128 bits and is initialised

by the secret key $K$. DLFSR holds 192 bits and is initialised by an initial vector ($IV$).

$NLF$ takes 8-bit inputs and returns a single output bit.

The work identifies weaknesses and properties of the cipher. The main observation

is that the initialisation procedure has the so-called sliding property.

The property can be used to launch distinguishing and key recovery attacks.

The distinguisher needs four observations of the related $(K,IV)$ pairs. The key recovery algorithm allows to discover the secret key $K$ after observing

$2^{9}$ pairs of $(K,IV)$. In the proposed related-key attack, the number of related $(K,IV)$ pairs is $2^{(128+192)/4}$ pairs.

The key recovery algorithm allows to discover the secret key $K$ after observing

$2^9$ related $(K,IV)$ pairs.

Further the cipher is studied when the registers enter short cycles.

When NLFSR is set to all ones, then the cipher degenerates to a linear feedback

shift register with a non-linear filter.

Consequently, the initial state (and Secret Key and $IV$) can be recovered with complexity

$2^{63.87}$.

If DLFSR is set to all zeros, then $NLF$ reduces to a low non-linearity filter

function. As the result, the cipher is insecure allowing the adversary

to distinguish it from a random cipher after $2^{17}$ observations of

keystream bits. There is also the key recovery algorithm that allows to

find the secret key with complexity $2^{54}$.

16:17 [Pub][ePrint]

In Africacrypt 2009, Galindo-Garcia [11] proposed a lightweight identity-based signature (IBS) scheme based on the Schnorr signature. The construction is simple and claimed to be the most efficient IBS till date. The security is based on the discrete-log assumption and the security argument consists of two reductions: B1 and B2, both of which use the multiple-forking lemma [4] to solve the discrete-log problem (DLP).

In this work, we revisit the security argument given in [11]. Our contributions are two fold: (i) we identify several problems in the original argument and (ii) we provide a detailed new security argument which allows significantly tighter reductions. In particular, we show that the reduction B1 in [11] fails in the standard security model for IBS [1], while the reduction B2 is incomplete. To remedy these problems, we adopt a two-pronged approach. First, we sketch ways to fill the gaps by making minimal changes to the structure of the original security argument; then, we provide a new security argument. The new argument consists of three reductions: R1, R2 and R3 and in each of them, solving the DLP is reduced to breaking the IBS. R1 uses the general forking lemma [2] together with the programming of the random oracles and Coron\'s technique [7]. Reductions R2 and R3, on the other hand, use the multiple-forking lemma along with the programming of the random oracles. We show that the reductions R1 and R2 are significantly tighter than their original counterparts.

16:17 [Pub][ePrint]

In this work we present a modification of a well-established measure of dependence appropriate for the analysis of stopping times for adversarial processes on cryptographic primitives. We apply this measure to construct generic criteria for the ideal behavior of fixed functions in both the random oracle and ideal permutation setting. More significantly, we provide a nontrivial extension of the notion of hash function indifferentiability, transporting the theory from the status of providing security arguments for protocols utilizing ideal primitives into the more realistic setting of protocol assurance with fixed functions. The methodology this measure introduces to indifferentiability analysis connects the security of a hash function with an indifferentiable mode to the security of the underlying compression function in a quantitative way; thus, we prove that dependence results on cryptographic primitives provide a direct means of determining the practical resistance or vulnerability of protocols employing such primitives.

16:17 [Pub][ePrint]

Recently, the concept of Search in Encrypted Data (SED) has become a highlight in cryptography. A SED scheme enables a client to have third-party server(s) to perform certain search functionalities on his encrypted data. In this book chapter, we aim at conducting a systematic study on SED schemes. Firstly, we describe three application scenarios and identify the desirable security requirements. Secondly, we provide two orthogonal categorizations and review the related security models for each category of SED schemes. Thirdly, we analyze the practical issues related to SED schemes and identify some future research directions.

16:17 [Pub][ePrint]

Adding a Schnorr signature to ElGamal encryption is a popular proposal aiming at thwarting chosen-ciphertext attacks by rendering the scheme plaintext-aware. However, there is no known security proof for the resulting scheme, at least not in a weaker model than the one obtained by combining the Random Oracle Model (ROM) and the Generic Group Model (Schnorr and Jakobsson, ASIACRYPT 2000). In this paper, we propose a very simple modification to Schnorr-Signed ElGamal encryption that leaves keys and ciphertexts size unchanged, for which the resulting scheme is semantically secure under adaptive chosen-ciphertext attacks (IND-CCA2-secure) in the ROM under the Decisional Diffie-Hellman assumption. In fact, we even prove that our new scheme is plaintext-aware in the ROM as defined by Bellare et al. (CRYPTO\'98). Interestingly, we also observe that Schnorr-Signed ElGamal is not plaintext-aware (again, for the definition of Bellare et al.) under the Computational Diffie-Hellman assumption. We show that our new scheme additionally achieves anonymity as well as robustness, a notion formalized by Abdalla et al. (TCC 2010) which captures the fact that it is hard to create a ciphertext that is valid under two different public keys. Finally, we study the hybrid variant of our new proposal, and show that it is IND-CCA2-secure in the ROM under the Computational Diffie-Hellman assumption when used with a symmetric encryption scheme satisfying the weakest security notion, namely ciphertext indistinguishability under one-time attacks (IND-OT-security).

15:41 [Event][New]

Submission: 1 May 2013
From September 16 to September 17
Location: Bucharest, Romania

10:28 [Event][New]

Submission: 15 February 2013
From July 15 to July 17
Location: Newark, NJ, USA

2012-11-20
14:47 [Job][New]

The Horst Görtz Institute for IT-Security (HGI) at Ruhr-University Bochum is one of Europe’s leading research centers in IT security. The DFG, or German Research Foundation, awarded more than €4 million to the HGI for the establishment of the interdisciplinary research training group “New Challenges for Cryptography in Ubiquitous Computing”. We are looking for candidates with an outstanding Ph.D. in the fields of computer science, electrical engineering, mathematics or related areas.

The research training group will study problems which are fundamental for securing the Internet of Things. The research is structured in three levels: cryptographic primitives, device and system level. The research topics range from cryptographic foundations such as fully homomorphic encryption for privacy in cloud computing, over security for medical implants to internet security solutions involving new national ID cards.

Beside the own research, the main task of the Post-Doc is to work with the UbiCrypt Ph.D. students, and to encourage collaboration between them. Thus, an interest in working with doctoral students and a broad interest in current research are required.

- Start: 01.04.2013

- Competitive salary

- Application: Send your documents by January 15, 2013, to grako (at) hgi.rub.de

- Required documents: CV, certificates (Bachelor, Master/Diplom, Ph.D.), transcripts , motivation for applying (1 page), names of at least two people who can provide reference letters (email addresses are sufficient)

A group of internationally renowned researchers together with excellent funding provides an extremely interesting scientific environment. The HGI is known for its good working atmosphere.

13:17 [Pub][ePrint]

Coin-tossing protocols are protocols that generate a random bit with uniform distribution. These protocols are used as a building block in many cryptographic protocols. Cleve [STOC 1986] has shown that if at least half of the parties can be malicious, then, in any r-round coin-tossing protocol, the malicious parties can cause a bias of Omega(1/r) to the bit that the honest parties output. However, for more than two decades the best known protocols had bias t/\\sqrt{r}, where t is the number of corrupted parties. Recently, in a surprising result, Moran, Naor, and Segev [TCC 2009] have shown that there is an r-round two-party coin-tossing protocol with the optimal bias of O(1/r). We extend Moran et al. results to the multiparty model when less than 2/3 of the parties are malicious. The bias of our protocol is proportional to 1/r and depends on the gap between the number of malicious parties and the number of honest parties in the protocol. Specifically, for a constant number of parties or when the number of malicious parties is somewhat larger than half, we present an r-round m-party coin-tossing protocol with optimal bias of O(1/r).