A Tunable Broadcast Encryption Scheme

In this paper, we describe yet another broadcast encryption scheme for stateless receivers. The main difference between our scheme and the classical schemes derived from the complete subtree and its subsequent improvements is that in our scheme the group management is based upon a more adaptable data structure. In these classical schemes, users must be spread on a tree structure where each level of the tree is associated to some distinguishing property of the users. The fact that the underlying data structure is a fixed tree is a strong limitation for some applications where an operator wants to select users very dynamically following criterions with changing levels of priority. Our scheme may be thought as if in the complete subtree it would be possible to exchange the different level of the tree in order to make it very efficient to revoke or select a class of users. It is also very efficient in the cases where there exists very unbalanced groups of users. This scheme allows one to select or revoke users by sending ciphertexts of linear size with respect to the number of groups which is in general far less than the number of users. Moreover, by using a specific group repartition, it is possible to recover a tree structure in order to apply the classical methods which guarantee that our scheme is in general as efficient as a usual ones. We prove that our scheme is fully collusion secure in the generic group with pairing model

Security evaluation of a key management scheme based on bilinear maps on elliptic curves

In recent years, many applications of elliptic curves to cryptography have been developed. Cryptosystems based on groups of rational points on elliptic curves allow more efficient alternatives to finite field cryptography, which usually requires groups with larger cardinality and lower efficiency. The existence of non-degenerate, bilinear maps on elliptic curves, called pairings, allow the construction of many efficient cryptosystems; however, their security must be carefully studied. We will study the security of a key menagement scheme introduced by Boneh, Gentry and Waters in 2005, which is based on the decisional version of the l-BDHE problem. This is a variant of the classical Diffie-Hellman problem, specifically constructed for pairing-based cryptography. Its hardness, is still a research topic and only some theoretical evidence exists. The aim of this work is to investigate the security of this broadcast encryption system, taking in account a model that proves the hardness of the l-BDHE problem, under strong assumptions. Drawbacks of this approach will be discussed: its main weakness is the system's behaviour during attack simulations, which is far from real. The main result of this thesis is a lower bound on the running time of an adversary solving the above problem. Moreover, also the elliptic curve choice, when implementing an encryption scheme, could affect its security. We will review the main criteria for this choice and we will investigate the existence of elliptic curves suitable for the system of our interest

The Random Oracle Model: A Twenty-Year Retrospective

It has been roughly two decades since the random oracle model for security reductions was introduced and one decade since we first discussed the controversy that had arisen concerning its use. In this retrospective we argue that there is no evidence that the need for the random oracle assumption in a proof indicates the presence of a real-world security weakness in the corresponding protocol. We give several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses that were not present in the original ones whose proofs required random oracles. We also argue that the willingness to use random oracles gives one the flexibility to modify certain protocols so as to reduce dependence on potentially vulnerable pseudorandom bit generators. Finally, we discuss a modified version of ECDSA, which we call ECDSA+, that may have better real-world security than standard ECDSA, and compare it with a modified Schnorr signature. If one is willing to use the random oracle model (and the analogous generic group model), then various security reductions are known for these two schemes. If one shuns these models, then no provable security result is known for them

How powerful are the DDH hard groups?

The question whether Identity-Based Encryption (IBE) can be based on the Decisional Diffie-Hellman (DDH) assumption is one of the most prominent questions in Cryptography related to DDH. We study limitations on the use of the DDH assumption in cryptographic constructions, and show that it is impossible to construct a secure Identity-Based Encryption system using, in a black box way, only the DDH (or similar) assumption about a group. Our impossibility result is set in the generic groups model, where we describe an attack on any IBE construction that relies on oracle access to the group operation of randomly labelled group elements -- a model that formalizes naturally DDH hardness. The vast majority of existing separation results typically give separation from general primitives, whereas we separate a primitive from a class of number theoretic hardness assumptions. Accordingly, we face challenges in creating an attack algorithm that will work against constructions which leverage the underlying algebraic structure of the group. In fact, we know that this algebraic structure is powerful enough to provide generic constructions for several powerful primitives including oblivious transfer and chosen ciphertext secure public-key cryptosystems (note that an IBE generalizes such systems). Technically, we explore statistical properties of the group algebra associated with a DDH oracle, which can be of independent interest

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups

We study non-interactive computational intractability assumptions in prime-order cyclic groups. We focus on the broad class of computational assumptions which we call target assumptions where the adversary’s goal is to compute concrete group elements. Our analysis identifies two families of intractability assumptions, the q-Generalized Diffie-Hellman Exponent (q-GDHE) assumptions and the q-Simple Fractional (q-SFrac) assumptions (a natural generalization of the q-SDH assumption), that imply all other target assumptions. These two assumptions therefore serve as Uber assumptions that can underpin all the target assumptions where the adversary has to compute specific group elements. We also study the internal hierarchy among members of these two assumption families. We provide heuristic evidence that both families are necessary to cover the full class of target assumptions. We also prove that having (polynomially many times) access to an adversarial 1-GDHE oracle, which returns correct solutions with non-negligible probability, entails one to solve any instance of the Computational Diffie-Hellman (CDH) assumption. This proves equivalence between the CDH and 1-GDHE assumptions. The latter result is of independent interest. We generalize our results to the bilinear group setting. For the base groups, our results translate nicely and a similar structure of non-interactive computational assumptions emerges. We also identify Uber assumptions in the target group but this requires replacing the q-GDHE assumption with a more complicated assumption, which we call the bilinar gap assumption. Our analysis can assist both cryptanalysts and cryptographers. For cryptanalysts, we propose the q-GDHE and the q-SDH assumptions are the most natural and important targets for cryptanalysis in prime-order groups. For cryptographers, we believe our classification can aid the choice of assumptions underpinning cryptographic schemes and be used as a guide to minimize the overall attack surface that different assumptions expose

Functional Encryption and Property Preserving Encryption: New Definitions and Positive Results

Functional Encryption (FE) is an exciting new paradigm that extends the notion of public key encryption. In this work we explore the security of Inner Product Functional Encryption schemes with the goal of achieving the highest security against practically feasible attacks. In addition, we improve efficiency/ underlying assumptions/ security achieved by existing inner product Functional Encryption and Property Preserving Encryption schemes, in both the private and public key setting. Our results can be summarized as follows: - We study whether known impossibilities for achieving strong SIM based security imply actual real world attacks. For this, we present a new UC-style SIM based definition of security that captures both data and function hiding, both public key and symmetric key settings and represents the dream security of FE. While known impossibilities rule out its achievability in the standard model, we show, surprisingly, that it can be achieved in the generic group model for Inner Product FE (Katz et al., Eurocrypt 2008). This provides evidence that FE implementations may enjoy extremely strong security against a large class of real world attacks, namely generic attacks. - We provide several improvements to known constructions of Inner Product FE. In the private key setting, the construction by Shen et al. (TCC 2009) was based on non-standard assumptions, used composite order groups, and only achieved selective security. We give the first construction of a symmetric key inner product FE which is built using prime order groups, and is fully secure under the standard DLIN assumption. Our scheme is more efficient in the size of key and ciphertext than Shen et al.\u27s, when the latter is converted to prime-order groups. - We give the first construction of a property preserving encryption (PPE) scheme for inner-products. Our scheme is secure under the DLIN assumption and satisfies the strongest definition of security -- Left-or-Right security in the standard model. Note that the only previously known construction for PPE by Pandey et al. (Eurocrypt 2012), which was claimed to be secure in the generic group model, was recently attacked Chatterjee and Das, making our construction the first candidate for PPE

A New Approach to Generic Lower Bounds: Classical/Quantum MDL, Quantum Factoring, and More

This paper studies the limitations of the generic approaches to solving cryptographic problems in classical and quantum settings in various models. - In the classical generic group model (GGM), we find simple alternative proofs for the lower bounds of variants of the discrete logarithm (DL) problem: the multiple-instance DL and one-more DL problems (and their mixture). We also re-prove the unknown-order GGM lower bounds, such as the order finding, root extraction, and repeated squaring. - In the quantum generic group model (QGGM), we study the complexity of variants of the discrete logarithm. We prove the logarithm DL lower bound in the QGGM even for the composite order setting. We also prove an asymptotically tight lower bound for the multiple-instance DL problem. Both results resolve the open problems suggested in a recent work by Hhan, Yamakawa, and Yun. - In the quantum generic ring model we newly suggested, we give the logarithmic lower bound for the order-finding algorithms, an important step for Shor\u27s algorithm. We also give a logarithmic lower bound for a certain generic factoring algorithm outputting relatively small integers, which includes a modified version of Regev\u27s algorithm. - Finally, we prove a lower bound for the basic index calculus method for solving the DL problem in a new idealized group model regarding smooth numbers. The quantum lower bounds in both models allow certain (different) types of classical preprocessing. All of the proofs are significantly simpler than the previous proofs and are through a single tool, the so-called compression lemma, along with linear algebra tools. Our use of this lemma may be of independent interest

The Discrete-Logarithm Problem with Preprocessing

This paper studies discrete-log algorithms that use preprocessing. In our model, an adversary may use a very large amount of precomputation to produce an advice string about a specific group (e.g., NIST P-256). In a subsequent online phase, the adversary\u27s task is to use the preprocessed advice to quickly compute discrete logarithms in the group. Motivated by surprising recent preprocessing attacks on the discrete-log problem, we study the power and limits of such algorithms. In particular, we focus on generic algorithms -- these are algorithms that operate in every cyclic group. We show that any generic discrete-log algorithm with preprocessing that uses an $S$-bit advice string, runs in online time $T$, and succeeds with probability $\epsilon$, in a group of prime order $N$, must satisfy $ST^2 = \tilde{\Omega}(\epsilon N)$. Our lower bound, which is tight up to logarithmic factors, uses a synthesis of incompressibility techniques and classic methods for generic-group lower bounds. We apply our techniques to prove related lower bounds for the CDH, DDH, and multiple-discrete-log problems. Finally, we demonstrate two new generic preprocessing attacks: one for the multiple-discrete-log problem and one for certain decisional-type problems in groups. This latter result demonstrates that, for generic algorithms with preprocessing, distinguishing tuples of the form $(g, g^x, g^{(x^2)})$ from random is much easier than the discrete-log problem