Strongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions
A signature scheme is said to be weakly unforgeable if it is hard to forge a signature on a message that was not signed before. A signature scheme is said to be strongly unforgeable if it is hard to forge a new signature on any message, even on a message that has already been signed. In some applications weak unforgeability is not enough and strong unforgeability is required, e.g., in the Canetti, Halevi and Katz transformation.
Leakage-resilience is a property which guarantees that security is maintained even if secret information such as the secret key is partially leaked. Several security models with leakage-resilience have been proposed. The hard-to-invert leakage model, a.k.a. the auxiliary (input) leakage model, proposed by Dodis et al. at STOC '09, is an especially meaningful one, since it even considers leakage computed by a function that information-theoretically reveals the secret key, e.g., a one-way permutation of it, as long as that function is hard to invert.
In this work, we propose a generic construction of a digital signature scheme that is strongly unforgeable and resilient to polynomially hard-to-invert leakage, and which can be instantiated under standard assumptions such as the decisional linear assumption. We emphasize that our instantiated signature scheme is not only the first one resilient to polynomially hard-to-invert leakage under standard assumptions, but also the first one which is strongly unforgeable and has hard-to-invert leakage-resilience.
Theory and application of computationally independent one-way functions: Interactive proof of ability - Revisited
We introduce the concept of a computationally independent pair of one-way functions (CI-OWF). We also provide two rich classes of examples of such functions based on standard assumptions. We revisit two-party interactive protocols for proving possession of computational power and existing two-flow challenge-response protocols. We analyze existing protocols for proof of computational power and propose a new two-flow protocol using CI-OWF based on the square Diffie-Hellman problem.
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary constants. Assume sub-exponential security of the following assumptions, where is a security parameter, and the parameters below are large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential modulus-to-noise ratio , where is the dimension of the LWE secret,
- The LPN assumption over with polynomially many LPN samples and error rate , where is the dimension of the LPN secret,
- The existence of a Boolean PRG in with stretch ,
Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists.
Input-shrinking functions: theory and application
In this thesis, we contribute to the emerging field of leakage-resilient cryptography by studying the problem of secure data storage on hardware that may leak information. We introduce a new primitive, leakage-resilient storage, and show two different constructions of such a storage scheme, provably secure against a class of leakage functions that can depend only on some restricted part of the memory and against a class of computationally weak leakage functions (e.g., functions computable by small circuits), respectively. Our results come with instantiations and an analysis of concrete parameters.
Furthermore, as a second contribution, we present our implementation, in the C programming language and using the cryptographic library of the OpenSSL project, of a two-party Authenticated Key Exchange (AKE) protocol which allows a client and a server who share a huge secret file to securely compute a shared key, providing client-to-server authentication, also in the presence of active attackers. Following the work of Cash et al. (TCC 2007), we base our construction on a Weak Key Exchange (WKE) protocol developed in the Bounded Retrieval Model (BRM) and a Password-based Authenticated Key Exchange (PAKE) protocol secure in the Universally Composable (UC) framework. The WKE protocol of Cash et al. uses an explicit construction of an averaging sampler, which uses fewer random bits than a uniformly random choice but does not seem to be efficiently implementable in practice. In this thesis, we propose a WKE protocol similar to but simpler than that of Cash et al.: our protocol uses more randomness than theirs, as it simply uses a uniformly random choice instead of an averaging sampler, but we are able to give an efficient implementation of it. Moreover, we formally adapt the security analysis of the WKE protocol of Cash et al. to our WKE protocol. To complete our AKE protocol, we implement the PAKE protocol proven secure in the UC framework by Abdalla et al. (CT-RSA 2008), which is more efficient than the UC-PAKE protocol of Canetti et al. (EuroCrypt 2005) used in Cash et al.'s work.
In our implementation of the WKE protocol, to achieve small constant communication complexity and amount of randomness, we rely on the Random Oracle (RO) model. However, we note that our AKE protocol needs a UC-PAKE protocol in any case, and the one we use already relies on the RO, since UC-PAKE cannot be achieved without some trusted setup such as a common reference string or a random oracle.
In our work we focus not only on the theoretical aspects of the area, providing formal models and proofs, but also on the practical ones, analyzing instantiations, concrete parameters and implementations of the proposed solutions, in order to contribute to bridging the gap between theory and practice in this field.
Witness Maps and Applications
We introduce the notion of Witness Maps as a cryptographic notion of a proof system. A Unique Witness Map (UWM) deterministically maps all witnesses for a statement to a single representative witness, resulting in a computationally sound, deterministic-prover, non-interactive, witness-independent proof system. A relaxation of UWM, called a Compact Witness Map (CWM), maps all the witnesses to a small number of witnesses, resulting in a "lossy" deterministic-prover, non-interactive proof system. We also define a Dual Mode Witness Map (DMWM), which adds an "extractable" mode to a CWM.

Our main construction is a DMWM for all relations, assuming sub-exponentially secure indistinguishability obfuscation (), along with standard cryptographic assumptions. The DMWM construction relies on a CWM and a new primitive called Cumulative All-Lossy-But-One Trapdoor Functions (C-ALBO-TDF), both of which are in turn instantiated based on and other primitives. Our instantiation of a CWM is in fact a UWM; in turn, we show that a UWM implies Witness Encryption. Along the way to constructing UWM and C-ALBO-TDF, we also construct, from standard assumptions, Puncturable Digital Signatures and a new primitive called Cumulative Lossy Trapdoor Functions (C-LTDF). The former improves upon a construction of Bellare et al. (Eurocrypt 2016), who relied on sub-exponentially secure and sub-exponentially secure OWF.

As an application of our constructions, we show how to use a DMWM to construct the first leakage- and tamper-resilient signatures with a deterministic signer, thereby solving a decade-old open problem posed by Katz and Vaikuntanathan (Asiacrypt 2009), by Boyle, Segev and Wichs (Eurocrypt 2011), as well as by Faonio and Venturi (Asiacrypt 2016). Our construction achieves the optimal leakage rate of
Public-Key Cryptosystems Resilient to Key Leakage
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the "cold boot attacks" of Halderman et al. (USENIX Security '08), Akavia, Goldwasser and Vaikuntanathan (TCC '09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev's lattice-based scheme (STOC '05) is resilient to any leakage of L/polylog(L) bits, where L is the length of the secret key.
In this paper we revisit the above-mentioned framework and our main results are as follows:
-- We present a generic construction of a public-key encryption scheme that is resilient to key leakage from any universal hash proof system. The construction does not rely on additional computational assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing constructions of such proof systems imply that our construction can be based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman assumption (and its progressively weaker -Linear variants), the quadratic residuosity assumption, and Paillier's composite residuosity assumption.
-- We construct a new hash proof system based on the decisional Diffie-Hellman assumption (and its -Linear variants), and show that the resulting scheme is resilient to any leakage of bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO '08), constructed to be a "circular-secure" encryption scheme, fits our generic approach and is also resilient to any leakage of bits.
-- We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting as well, and obtain as a corollary encryption schemes that are CCA2-secure with any leakage of bits. On the practical side, we prove that variants of the Cramer-Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with any leakage of bits, and CCA2-secure with any leakage of bits.
Leakage-resilient Identity-based Encryption in Bounded Retrieval Model with Nearly Optimal Leakage-Ratio
We propose new constructions of leakage-resilient public-key encryption (PKE) and identity-based encryption (IBE) schemes in the bounded retrieval model (BRM). In the BRM, adversaries are allowed to obtain at most -bit leakage from a secret key, and we can increase only by increasing the size of secret keys, without losing efficiency in any other performance measure. We call the leakage-ratio, where denotes the bit-length of a secret key.
Several PKE/IBE schemes in the BRM are known. However, none of these constructions achieves a constant leakage-ratio under a standard assumption in the standard model. Our PKE/IBE schemes are the first schemes in the BRM that achieve leakage-ratio for any constant under standard assumptions in the standard model.
As in previous works, we use identity-based hash proof systems (IB-HPS) to construct IBE schemes in the BRM. It is known that a parameter of IB-HPS called the universality-ratio translates into the leakage-ratio of the resulting IBE scheme in the BRM. We construct an IB-HPS with universality-ratio for any constant based on any inner-product predicate encryption (IPE) scheme with compact secret keys. Such IPE schemes exist under the -linear, subgroup decision, learning with errors, or computational bilinear Diffie-Hellman assumptions. As a result, we obtain IBE schemes in the BRM with leakage-ratio under any of these assumptions. Our PKE schemes are immediately obtained from our IBE schemes.
ISAP – Towards Side-Channel Secure Authenticated Encryption
Side-channel attacks, and in particular differential power analysis (DPA) attacks, pose a serious threat to cryptographic implementations. One approach to counteract such attacks is cryptographic schemes based on fresh re-keying. In settings with pre-shared secret keys, such schemes render DPA attacks infeasible by deriving session keys and by ensuring that the attacker cannot collect side-channel leakage on a session key during cryptographic operations with different inputs. While these schemes can be applied to secure standard communication settings, current re-keying approaches are unable to provide protection in settings where the same input needs to be processed multiple times. In this work, we therefore adapt the re-keying approach and present a symmetric authenticated encryption scheme that is secure against DPA attacks and does not have such a usage restriction. This means that our scheme fully complies with the requirements given in the CAESAR call and hence can be used like other nonce-based authenticated encryption schemes without loss of side-channel protection. Its resistance against side-channel analysis is highly relevant for several applications in practice, like bulk storage settings in general and the protection of FPGA bitfiles and firmware images in particular.
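The usage restriction the abstract refers to can be seen in a small model. The following is an added example, not ISAP's construction and not code from the ISAP authors: HMAC-SHA256 stands in for the leaky keyed primitive, a toy hash-based counter mode with encrypt-then-MAC stands in for the cipher, and a meter counts how many distinct inputs each key has processed, which is the quantity a DPA attacker needs to grow. The MASTER key, the payload, the nonces and the two scenario functions are all constructed for this illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo master key (any 32-byte secret would do).
MASTER = hashlib.sha256(b"constructed demo master key").digest()

class DpaExposureMeter:
    """Records, per key, the set of distinct inputs the keyed primitive has
    processed under that key. DPA needs traces of one key on many different
    inputs, so fresh re-keying aims to keep this count small for every
    session key, while the master key is only ever applied to nonces."""

    def __init__(self):
        self.inputs = defaultdict(set)

    def record(self, key, data):
        self.inputs[key].add(data)

    def session_key_exposure(self, master):
        """Largest number of distinct inputs seen by any key other than the master."""
        return max((len(v) for k, v in self.inputs.items() if k != master), default=0)

def leaky_prf(key, data, meter):
    """Stand-in for the keyed primitive that leaks under DPA (HMAC-SHA256 here);
    every keyed call goes through this function so the meter sees it."""
    meter.record(key, data)
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream_xor(session_key, data, meter):
    """Toy counter mode: keystream inputs are block counters, not the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = leaky_prf(session_key, b"ks|" + (off // 32).to_bytes(4, "big"), meter)
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(master, nonce, plaintext, meter):
    # Re-keying step: the master key is used only on the nonce.
    sk = leaky_prf(master, b"rekey|" + nonce, meter)
    ct = keystream_xor(sk, plaintext, meter)
    tag = leaky_prf(sk, b"mac|" + nonce + ct, meter)[:16]   # encrypt-then-MAC
    return ct, tag

def decrypt(master, nonce, ct, tag, meter):
    sk = leaky_prf(master, b"rekey|" + nonce, meter)
    # The MAC runs over attacker-supplied bytes before anything is rejected,
    # so its leakage is collected whether or not the tag turns out valid.
    if not hmac.compare_digest(leaky_prf(sk, b"mac|" + nonce + ct, meter)[:16], tag):
        return None
    return keystream_xor(sk, ct, meter)

def scenario_fresh_nonce(n_msgs):
    """Encrypt n messages, each under a fresh nonce: every session key sees one
    keystream counter and one MAC input, however large n is."""
    meter = DpaExposureMeter()
    for i in range(n_msgs):
        encrypt(MASTER, i.to_bytes(16, "big"), b"constructed payload", meter)
    return meter.session_key_exposure(MASTER)

def scenario_fixed_nonce_oracle(n_queries):
    """Same input processed repeatedly: the attacker keeps the nonce fixed and
    varies the ciphertext, so one session key is driven over n distinct inputs
    (n <= 255 keeps the single-byte variations distinct)."""
    meter = DpaExposureMeter()
    nonce = bytes(16)
    ct, tag = encrypt(MASTER, nonce, b"constructed payload", meter)
    for i in range(n_queries):
        tampered = bytes([ct[0] ^ (i + 1)]) + ct[1:]
        decrypt(MASTER, nonce, tampered, tag, meter)
    return meter.session_key_exposure(MASTER)
```

scenario_fresh_nonce holds every session key at two inputs regardless of the number of messages, which is the property re-keying relies on for encryption. scenario_fixed_nonce_oracle shows the other side: a decryptor that must re-process the same (nonce, ciphertext) cannot pick a fresh nonce, so an attacker who tampers with the ciphertext drives one session key over as many distinct inputs as it has queries (n plus the two from the original encryption), which is the setting plain re-keying does not cover and ISAP is designed for.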