A Tweak for a PRF Mode of a Compression Function and Its Applications

We discuss a tweak for the domain extension called Merkle-Damgård with Permutation (MDP), which was presented at ASIACRYPT 2007. We first show that MDP may produce multiple independent pseudorandom functions (PRFs) using a single secret key and multiple permutations if the underlying compression function is a PRF against related-key attacks with respect to the permutations. Using this result, we then construct a hash-function-based MAC function, which we call FMAC, using a compression function as its underlying primitive. We also present a scheme to extend FMAC so as to take as input a vector of strings

A Pairing-Free, One Round Identity Based Authenticated Key Exchange Protocol Secure Against Memory-Scrapers

Security of a key exchange protocol is formally established through an abstract game between a challenger and an adversary. In this game the adversary can get various information which are modeled by giving the adversary access to appropriate oracle queries. Empowered with all these information, the adversary will try to break the protocol. This is modeled by a test query which asks the adversary to distinguish between a session key of a fresh session from a random session key; properly guessing which correctly leads the adversary to win the game. In this traditional model of security the adversary sees nothing apart from the input/ output relationship of the algorithms. However, in recent past an adversary could obtain several additional information beyond what he gets to learn in these black box models of computation, thanks to the availability of powerful malwares. This data exfiltration due to the attacks of Memory Scraper/Ram-Scraper-type malwares is an emerging threat. In order to realistically capture these advanced classes of threats posed by such malwares we propose a new security model for identity-based authenticated key exchange (ID-AKE) which we call the Identity based Strong Extended Canetti Krawzyck (ID-seCK) model. Our security model captures leakages of intermediate values by appropriate oracle queries given to the adversary. Following this, we propose a round optimal (i.e., single round) ID-AKE protocol for two-party settings. Our design assumes a hybrid system equipped with a bare minimal Trusted Platform Module (TPM) that can only perform group exponentiations. One of the major advantages of our construction is that it does not involve any pairing operations, works in prime order group and have a tight security reduction to the Gap Diffie Hellman (GDH) problem under our new ID-seCK model. Our scheme also has the capability to handle active adversaries while most of the previous ID-AKE protocols are secure only against passive adversaries. The security of our protocol is proved in the Random Oracle (RO) model

UC and EUC Weak Bit-Commitments Using Seal-Once Tamper-Evidence

Based on tamper-evident devices, i.e., a type of distinguishable, sealed envelopes, we put forward weak bit-commitment protocols which are UC-secure. These commitments are weak in that it is legitimate that a party could cheat. Unlike in several similar lines of work, in our case, the party is not obliged to cheat, but he has ability to cheat if and when needed. The empowered party is the sender, i.e., the protocols are also sender-strong. We motivate the construction of such primitives at both theoretical and practical levels. Such protocols complete the picture of existent receiver-strong weak bit-commitments based on tamper-evidence. We also show that existent receiver-strong protocols of the kind are not EUC-secure, i.e., they are only UC-secure. Further, we put forward a second formalisation of tamper-evident distinguishable envelopes which renders those protocols and the protocols herein EUC-secure. We finally draw most implication-relations between the tamper-evident devices, our weak sender-strong commitments, the existent weak receiver-strong commitments, as well as standard commitments. The mechanisms at the foundation of these primitives are lightweight and the protocols yielded are end-to-end humanly verifiable

Optimal Proximity Proofs

Provably secure distance-bounding is a rising subject, yet an unsettled one; indeed, very few distance-bounding protocols, with formal security proofs, have been proposed. In fact, so far only two protocols, namely SKI (by Boureanu et al.) and FO (by Fischlin and Onete), offer all-encompassing security guaranties, i.e., resistance to distance-fraud, mafia-fraud, and terrorist-fraud. Matters like security, alongside with soundness, or added tolerance to noise do not always coexist in the (new) distance-bounding designs. Moreover, as we will show in this paper, efficiency and simultaneous protection against all frauds seem to be rather conflicting matters, leading to proposed solutions which were/are sub-optimal. In fact, in this recent quest for provable security, efficiency has been left in the shadow. Notably, the tradeoffs between the security and efficiency have not been studied. In this paper, we will address these limitations, setting the "security vs. efficiency" record straight. Concretely, by combining ideas from SKI and FO, we propose symmetric protocols that are efficient, noise-tolerant and-at the same time-provably secure against all known frauds. Indeed, our new distance-bounding solutions outperform the two aforementioned provably secure distance-bounding protocols. For instance, with a noise level of 5%, we obtain the same level of security as those of the pre-existent protocols, but we reduce the number of rounds needed from 181 to 54

Securing messaging services through efficient signcryption with designated equality test

National Research Foundation (NRF) Singapor

Sound Proof of Proximity of Knowledge

Public-key distance bounding schemes are needed to defeat relay attacks in payment systems. So far, only five such schemes exist, but fail to fully protect against malicious provers. In this paper, we solve this problem. We provide a full formalism to define the proof of proximity of knowledge (PoPoK). Protocols should succeed if and only if a prover holding a secret is within the proximity of the verifier. Like proofs of knowledge, these protocols must satisfy completeness, soundness (protection for the honest verifier), and security (protection for the honest prover). We construct ProProx, the very first sound PoPoK

Proof of Proximity of Knowledge

Public-key distance bounding schemes are needed to defeat relay attacks in payment systems. So far, only two such schemes exist, but fail to fully protect against malicious provers. In this paper, we solve this problem. We provide a full formalism to define the proof of proximity of knowledge (PoPoK). Protocols should succeed if and only if a prover holding a secret is within the proximity of the verifier. Like proofs of knowledge, these protocols must satisfy completeness, soundness (protection for the honest verifier), and security (protection for the honest prover). We construct ProProx, the very first fully secure PoPoK

Cryptanalysis of OCB₂:Attacks on Authenticity and Confidentiality

We present practical attacks on OCB2. This mode of operation of a blockcipher was designed with the aim to provide particularly efficient and provably-secure authenticated encryption services, and since its proposal about 15 years ago it belongs to the top performers in this realm. OCB2 was included in an ISO standard in 2009. An internal building block of OCB2 is the tweakable blockcipher obtained by operating a regular blockcipher in XEX$^\ast$ mode. The latter provides security only when evaluated in accordance with certain technical restrictions that, as we note, are not always respected by OCB2. This leads to devastating attacks against OCB2\u27s security promises: We develop a range of very practical attacks that, amongst others, demonstrate universal forgeries and full plaintext recovery. We complete our report with proposals for (provably) repairing OCB2. To our understanding, as a direct consequence of our findings, OCB2 is currently in a process of removal from ISO standards. Our attacks do not apply to OCB1 and OCB3, and our privacy attacks on OCB2 require an active adversary

An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

Proxy re-encryption (PRE) is a cryptographic primitive introduced by Blaze, Bleumer and Strauss to provide delegation of decryption rights. PRE allows re-encryption of a ciphertext intended for Alice (delegator) to a ciphertext for Bob (delegatee) via a semi-honest proxy, who should not learn anything about the underlying message. In 2003, Al-Riyami and Patterson introduced the notion of certificateless public key cryptography which offers the advantage of identity-based cryptography without suffering from the key escrow problem. The existing certificateless PRE (CLPRE) schemes rely on costly bilinear pairing operations. In ACM ASIA-CCS SCC 2015, Srinivasan et al. proposed the first construction of a certificateless PRE scheme without resorting to pairing in the random oracle model. However, in this work, we demonstrate a flaw in the CCA-security proof of their scheme. Also, we present the first construction of a CLPRE scheme without pairing which meets CCA security under the computational Diffie-Hellman hardness assumption in the random oracle model