Security of discrete log cryptosystems in the random oracle and the generic model

We introduce novel security proofs that use combinatorial counting arguments rather than reductions to the discrete logarithm or to the Diffie-Hellman problem. Our security results are sharp and clean with no polynomial reduction times involved. We consider a combination of the random oracle model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks In this model, we first show that Schnorr signatures are secure against the one-more signature forgery : A generic adversary performing t generic steps including l sequential interactions with the signer cannot produce l+1 signatures with a better probability than (t 2)/q. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove signed ElGamal encryption is secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. Moreover, signed ElGamal encryption is secure against the one-more decryption attack: A generic adversary performing t generic steps including l interactions with the decryption oracle cannot distinguish the plaintexts of l + 1 ciphertexts from random strings with a probability exceeding (t 2)/q

An instantiation of the Cramer-Shoup encryption paradigm using bilinear map groups

Item does not contain fulltex

A Brief History of Provably-Secure Public-Key Encryption

Public-key encryption schemes are a useful and interesting field of cryptographic study. The ultimate goal for the cryptographer in the field of public-key encryption would be the production of a very efficient encryption scheme with a proof of security in a strong security model using a weak and reasonable computational assumption. This ultimate goal has yet to be reached. In this invited paper, we survey the major results that have been achieved in the quest to find such a scheme

Making Sigma-Protocols Non-interactive Without Random Oracles

Damg˚ard, Fazio and Nicolosi (TCC 2006) gave a transformation of Sigma-protocols, 3-move honest verifier zero-knowledge proofs, into efficient non-interactive zero-knowledge arguments for a designated verifier. Their transformation uses additively homomorphic encryption to encrypt the verifier’s challenge, which the prover uses to compute an encrypted answer. The transformation does not rely on the random oracle model but proving soundness requires a complexity leveraging assumption. We propose an alternative instantiation of their transformation and show that it achieves culpable soundness without complexity leveraging. This improves upon an earlier result by Ventre and Visconti (Africacrypt 2009), who used a different construction which achieved weak culpable soundness. We demonstrate how our construction can be used to prove validity of encrypted votes in a referendum. This yields a voting system with homomorphic tallying that does not rely on the Fiat-Shamir heuristic

Non-malleable public key encryption in BRSIM/UC

We propose an extension to the BRSIM/UC library of Backes, Pfitzmann and Waidner [1] with non-malleable public key encryption. We also investigate the requirement of “full randomization” of public key encryption primitives in [1], and show that additional randomization to attain word uniqueness is theoretically not justified

A Probabilistic Public Key Encryption Scheme Based on Quartic Reciprocity (Draft V1.22)

Using a novel class of single bit one-way trapdoor functions we construct a theoretical probabilistic public key encryption scheme that has many interesting properties. These functions are constructed from binary quadratic forms and rational quartic reciprocity laws. They are not based on class group operations nor on universal one-way hash functions. Inverting these functions appears to be as difficult as factoring, and other than factoring, we know of no reductions between this new number theory problem and the standard number theoretic problems used cryptographically. We are unable to find away to construct a ciphertext without knowing the plaintext, hence this encryption scheme appears to be plaintext aware ($PA1$). By using quartic reciprocity properties there is less information leakage than with quadratic reciprocity based schemes and consequently this encryption scheme appears to be completely non-malleable as defined by M. Fischlin (2005), and strongly plaintext aware ($SPA$) and secret-key aware ($SKA$) as well, as defined by M. Barbosa and P. Farshim (2009). Assuming plaintext awareness ($PA1$), the difficulty of inverting our one-way trapdoor function and the hardness of certain standard number theoretic problems, then this scheme is provably secure against adaptive chosen ciphertext attacks ($IND-CCA2$). The public key is a product of two secret primes. Decryption is fast, requiring just one modular multiplication and one Jacobi symbol evaluation. The encryption step is polynomial time, but slow, and there is a great deal of message expansion. However, the encryption step is amenable to parallelization, both across bits, as well as at the level of encrypting a single bit. The encryption step is also amenable to asynchronous pre-computation. After the pre-computation step, for a $t$ bit public key, encryption only requires three multiplications (with $t+ 2c + 5$ bit length numbers) per encrypted bit, where $100 \leq c \leq 150$ is an adjustable security parameter. The computational cost to break an encrypted bit can be optionally adjusted down on a per bit basis. With no additional keys, multiple senders can individually join secret information to each encrypted bit without changing the parity of the encrypted bit. (Recovering this secret information is harder than recovering the private key.) Each sender can separately and publicly reveal their secret information without revealing the plaintext bit. The senders of the encrypted message bit can also individually authenticate they are senders without the use of a message authentication code and without revealing the plaintext bit. We are not aware of any hardware faults or other adverse events that might occur during decryption that could be exploited to break the secret key. Encryption faults can occur that could be exploited to reveal plaintext bits, however, these faults can be detected with high probability and with low computational cost