4,753 research outputs found
A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing
To ensure the privacy of users in transport systems, researchers are working
on new protocols providing the best security guarantees while respecting
functional requirements of transport operators. In this paper, we design a
secure NFC m-ticketing protocol for public transport that preserves users'
anonymity and prevents transport operators from tracing their customers' trips.
To this end, we introduce a new practical set-membership proof that does not
require provers nor verifiers (but in a specific scenario for verifiers) to
perform pairing computations. It is therefore particularly suitable for our
(ticketing) setting where provers hold SIM/UICC cards that do not support such
costly computations. We also propose several optimizations of Boneh-Boyen type
signature schemes, which are of independent interest, increasing their
performance and efficiency during NFC transactions. Our m-ticketing protocol
offers greater flexibility compared to previous solutions as it enables the
post-payment and the off-line validation of m-tickets. By implementing a
prototype using a standard NFC SIM card, we show that it fulfils the stringent
functional requirement imposed by transport operators whilst using strong
security parameters. In particular, a validation can be completed in 184.25 ms
when the mobile is switched on, and in 266.52 ms when the mobile is switched
off or its battery is flat
Security of signed ELGamal encryption
Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decyption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts
Signcryption schemes with threshold unsigncryption, and applications
The final publication is available at link.springer.comThe goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.Peer ReviewedPostprint (author's final draft
Security of discrete log cryptosystems in the random oracle and the generic model
We introduce novel security proofs that use combinatorial counting arguments rather than reductions to the discrete logarithm or to the Diffie-Hellman problem. Our security results are sharp and clean with no polynomial reduction times involved. We consider a combination of the random oracle model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks In this model, we first show that Schnorr signatures are secure against the one-more signature forgery : A generic adversary performing t generic steps including l sequential interactions with the signer cannot produce l+1 signatures with a better probability than (t 2)/q. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove signed ElGamal encryption is secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. Moreover, signed ElGamal encryption is secure against the one-more decryption attack: A generic adversary performing t generic steps including l interactions with the decryption oracle cannot distinguish the plaintexts of l + 1 ciphertexts from random strings with a probability exceeding (t 2)/q
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than the standard existential unforgeability. It requires that not
only forging a signature on a new message is hard, it is infeasible as well to
produce a new signature on a message for which the adversary has seen valid
signatures before. Strongly unforgeable signatures are useful both in practice
and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.Comment: 15 pages, to appear in Proceedings TQC 201
Random Oracles in a Quantum World
The interest in post-quantum cryptography - classical systems that remain
secure in the presence of a quantum adversary - has generated elegant proposals
for new cryptosystems. Some of these systems are set in the random oracle model
and are proven secure relative to adversaries that have classical access to the
random oracle. We argue that to prove post-quantum security one needs to prove
security in the quantum-accessible random oracle model where the adversary can
query the random oracle with quantum states.
We begin by separating the classical and quantum-accessible random oracle
models by presenting a scheme that is secure when the adversary is given
classical access to the random oracle, but is insecure when the adversary can
make quantum oracle queries. We then set out to develop generic conditions
under which a classical random oracle proof implies security in the
quantum-accessible random oracle model. We introduce the concept of a
history-free reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history
of previous queries, and we prove that such reductions imply security in the
quantum model. We then show that certain post-quantum proposals, including ones
based on lattices, can be proven secure using history-free reductions and are
therefore post-quantum secure. We conclude with a rich set of open problems in
this area.Comment: 38 pages, v2: many substantial changes and extensions, merged with a
related paper by Boneh and Zhandr
Security Analysis of the Unrestricted Identity-Based Aggregate Signature Scheme
Aggregate signatures allow anyone to combine different signatures signed by
different signers on different messages into a single short signature. An ideal
aggregate signature scheme is an identity-based aggregate signature (IBAS)
scheme that supports full aggregation since it can reduce the total transmitted
data by using an identity string as a public key and anyone can freely
aggregate different signatures. Constructing a secure IBAS scheme that supports
full aggregation in bilinear maps is an important open problem. Recently, Yuan
{\it et al.} proposed an IBAS scheme with full aggregation in bilinear maps and
claimed its security in the random oracle model under the computational
Diffie-Hellman assumption. In this paper, we show that there exists an
efficient forgery attacker on their IBAS scheme and their security proof has a
serious flaw.Comment: 9 page
- …