13,678 research outputs found
On the Joint Security of Encryption and Signature, Revisited
Abstract. We revisit the topic of joint security for combined public key schemes, wherein a single keypair is used for both encryption and signature primitives in a secure manner. While breaking the principle of key separation, such schemes have attractive properties and are sometimes used in practice. We give a general construction for a combined public key scheme having joint security that uses IBE as a component and that works in the standard model. We provide a more efficient direct construction, also in the standard model. We then consider the problem of how to build signcryption schemes from jointly secure combined public key schemes. We provide a construction that uses any such scheme to produce a triple of schemes – signature, encryption, and signcryption – that are jointly secure in an appropriate and strong security model.
On the joint security of signature and encryption schemes under randomness reuse: efficiency and security amplification
Lecture Notes in Computer Science, 7341We extend the work of Bellare, Boldyreva and Staddon on the systematic analysis of randomness reuse to construct multi-recipient encryption schemes to the case where randomness is reused across different cryptographic primitives. We find that through the additional binding introduced through randomness reuse, one can actually obtain a security amplification with respect to the standard black-box compositions, and achieve a stronger level of security. We introduce stronger notions of security for encryption and signatures, where challenge messages can depend in a restricted way on the random coins used in encryption, and show that two variants of the KEM/DEM paradigm give rise to encryption schemes that meet this enhanced notion of security. We obtain the most efficient signcryption scheme to date that is secure against insider attackers without random oracles.(undefined
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a
related paper by Boneh and Zhandr
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure
Authentication of Quantum Messages
Authentication is a well-studied area of classical cryptography: a sender S
and a receiver R sharing a classical private key want to exchange a classical
message with the guarantee that the message has not been modified by any third
party with control of the communication line. In this paper we define and
investigate the authentication of messages composed of quantum states. Assuming
S and R have access to an insecure quantum channel and share a private,
classical random key, we provide a non-interactive scheme that enables S both
to encrypt and to authenticate (with unconditional security) an m qubit message
by encoding it into m+s qubits, where the failure probability decreases
exponentially in the security parameter s. The classical private key is 2m+O(s)
bits. To achieve this, we give a highly efficient protocol for testing the
purity of shared EPR pairs. We also show that any scheme to authenticate
quantum messages must also encrypt them. (In contrast, one can authenticate a
classical message while leaving it publicly readable.) This has two important
consequences: On one hand, it allows us to give a lower bound of 2m key bits
for authenticating m qubits, which makes our protocol asymptotically optimal.
On the other hand, we use it to show that digitally signing quantum states is
impossible, even with only computational security.Comment: 22 pages, LaTeX, uses amssymb, latexsym, time
Roadmap on optical security
Postprint (author's final draft
Quantum signature scheme with single photons
Quantum digital signature combines quantum theory with classical digital
signature. The main goal of this field is to take advantage of quantum effects
to provide unconditionally secure signature. We present a quantum signature
scheme with message recovery without using entangle effect. The most important
property of the proposed scheme is that it is not necessary for the scheme to
use Greenberger-Horne-Zeilinger states. The present scheme utilizes single
photons to achieve the aim of signature and verification. The security of the
scheme relies on the quantum one-time pad and quantum key distribution. The
efficiency analysis shows that the proposed scheme is an efficient scheme
- …