POPE: Partial Order Preserving Encoding
Recently there has been much interest in performing search queries over
encrypted data to enable functionality while protecting sensitive data. One
particularly efficient mechanism for executing such queries is order-preserving
encryption/encoding (OPE) which results in ciphertexts that preserve the
relative order of the underlying plaintexts thus allowing range and comparison
queries to be performed directly on ciphertexts. In this paper, we propose an
alternative approach to range queries over encrypted data that is optimized to
support insert-heavy workloads as are common in "big data" applications while
still maintaining search functionality and achieving stronger security.
Specifically, we propose a new primitive called partial order preserving
encoding (POPE) that achieves ideal OPE security with frequency hiding and also
leaves a sizable fraction of the data pairwise incomparable. Using only O(1)
persistent and non-persistent client storage for
, our POPE scheme provides extremely fast batch insertion
consisting of a single round, and efficient search with O(1) amortized cost for
up to search queries. This improved security and
performance makes our scheme better suited for today's insert-heavy databases. Comment: Appears in ACM CCS 2016 Proceeding
URDP: General Framework for Direct CCA2 Security from any Lattice-Based PKE Scheme
Designing an efficient lattice-based cryptosystem secure against adaptive chosen
ciphertext attack (IND-CCA2) is a challenging problem. To date, full
CCA2-security of all proposed lattice-based PKE schemes has been achieved by using
generic transformations such as either strongly unforgeable one-time signature
schemes (SU-OT-SS), or a message authentication code (MAC) and a weak form of
commitment. The drawback of these schemes is that encryption requires "separate
encryption". Therefore, the resulting encryption scheme is not sufficiently
efficient to be used in practice and it is inappropriate for many applications
such as small ubiquitous computing devices with limited resources such as smart
cards, active RFID tags, wireless sensor networks and other embedded devices.
In this work, for the first time, we introduce an efficient universal random
data padding (URDP) scheme, and show how it can be used to construct a "direct"
CCA2-secure encryption scheme from "any" worst-case hardness problems in
(ideal) lattice in the standard model, resolving a problem that has remained
open till date. This novel approach is a "black-box" construction and leads to
the elimination of separate encryption, as it avoids using general
transformation from CPA-secure scheme to a CCA2-secure one. IND-CCA2 security
of this scheme can be tightly reduced in the standard model to the assumption
that the underlying primitive is a one-way trapdoor function. Comment: arXiv admin note: text overlap with arXiv:1302.0347, arXiv:1211.6984;
and with arXiv:1205.5224 by other author
Non-malleable encryption: simpler, shorter, stronger
In a seminal paper, Dolev et al. [15] introduced the notion of non-malleable encryption (NM-CPA). This notion is very intriguing since it suffices for many applications of chosen-ciphertext secure encryption (IND-CCA), and, yet, can be generically built from semantically secure (IND-CPA) encryption, as was shown in the seminal works by Pass et al. [29] and by Choi et al. [9], the latter of which provided a black-box construction. In this paper we investigate three questions related to NM-CPA security: 1. Can the rate of the construction by Choi et al. of NM-CPA from IND-CPA be improved? 2. Is it possible to achieve multi-bit NM-CPA security more efficiently from a single-bit NM-CPA scheme than from IND-CPA? 3. Is there a notion stronger than NM-CPA that has natural applications and can be achieved from IND-CPA security? We answer all three questions in the positive. First, we improve the rate in the scheme of Choi et al. by a factor O(λ), where λ is the security parameter. Still, encrypting a message of size O(λ) would require ciphertext and keys of size O(λ²) times that of the IND-CPA scheme, even in our improved scheme. Therefore, we show a more efficient domain extension technique for building a λ-bit NM-CPA scheme from a single-bit NM-CPA scheme with keys and ciphertext of size O(λ) times that of the NM-CPA one-bit scheme. To achieve our goal, we define and construct a novel type of continuous non-malleable code (NMC), called secret-state NMC, as we show that standard continuous NMCs are not enough for the natural "encode-then-encrypt-bit-by-bit" approach to work. Finally, we introduce a new security notion for public-key encryption that we dub non-malleability under (chosen-ciphertext) self-destruct attacks (NM-SDA).
After showing that NM-SDA is a strict strengthening of NM-CPA and allows for more applications, we nevertheless show that both of our results, (faster) construction from IND-CPA and domain extension from one-bit scheme, also hold for our stronger NM-SDA security. In particular, the notions of IND-CPA, NM-CPA, and NM-SDA security are all equivalent, lying (plausibly, strictly?) below IND-CCA securit
A limitation on security evaluation of cryptographic primitives with fixed keys
In this paper, we discuss security of public-key cryptographic primitives in the case that the public key is fixed. In the standard argument, security of cryptographic primitives is evaluated by estimating the average probability of being successfully attacked where keys are treated as random variables. In contrast to this, in practice, a user is mostly interested in the security under his specific public key, which has been already fixed. However, it is obvious that such security cannot be mathematically guaranteed because for any given public key, there always potentially exists an adversary, which breaks its security. Therefore, the best we can do is just to use a public key such that its effective adversary is not likely to be constructed in real life and, thus, it is desired to provide a method for evaluating this possibility. The motivation of this work is to investigate (in)feasibility of predicting whether for a given fixed public key, its successful adversary will actually appear in real life or not. As our main result, we prove that for any digital signature scheme or public key encryption scheme, it is impossible to reduce any fixed key adversary in any weaker security notion than the de facto ones (i.e., existential unforgery against adaptive chosen message attacks or indistinguishability against adaptive chosen ciphertext attacks) to fixed key adversaries in the de facto security notion in a black-box manner. This result means that, for example, for any digital signature scheme, impossibility of extracting the secret key from a fixed public key will never imply existential unforgery against chosen message attacks under the same key as long as we consider only black-box analysis
Partial-indistinguishability obfuscation using braids
An obfuscator is an algorithm that translates circuits into
functionally-equivalent similarly-sized circuits that are hard to understand.
Efficient obfuscators would have many applications in cryptography. Until
recently, theoretical progress has mainly been limited to no-go results. Recent
works have proposed the first efficient obfuscation algorithms for classical
logic circuits, based on a notion of indistinguishability against
polynomial-time adversaries. In this work, we propose a new notion of
obfuscation, which we call partial-indistinguishability. This notion is based
on computationally universal groups with efficiently computable normal forms,
and appears to be incomparable with existing definitions. We describe universal
gate sets for both classical and quantum computation, in which our definition
of obfuscation can be met by polynomial-time algorithms. We also discuss some
potential applications to testing quantum computers. We stress that the
cryptographic security of these obfuscators, especially when composed with
translation from other gate sets, remains an open question. Comment: 21 pages, Proceedings of TQC 201
The Random Oracle Methodology, Revisited
We take a critical look at the relationship between the security of
cryptographic schemes in the Random Oracle Model, and the security of the
schemes that result from implementing the random oracle by so called
"cryptographic hash functions". The main result of this paper is a negative
one: There exist signature and encryption schemes that are secure in the Random
Oracle Model, but for which any implementation of the random oracle results in
insecure schemes.
In the process of devising the above schemes, we consider possible
definitions for the notion of a "good implementation" of a random oracle,
pointing out limitations and challenges. Comment: 31 page