6 research outputs found

    Non-malleable public key encryption in BRSIM/UC

    We propose an extension to the BRSIM/UC library of Backes, Pfitzmann and Waidner [1] with non-malleable public key encryption. We also investigate the requirement of “full randomization” of public key encryption primitives in [1], and show that additional randomization to attain word uniqueness is theoretically not justified.

    Towards Efficient Provable Data Possession in Cloud Storage

    Provable Data Possession (PDP) allows a data owner to periodically and remotely audit their data stored in cloud storage, without retrieving the file and without keeping a local copy. Ateniese et al. (CCS 07) proposed the first PDP scheme, which is very efficient in communication and storage. However, their scheme requires a lot of group exponentiation operations: in the setup, one group exponentiation is required to generate a tag for each data block; in each verification, (equivalently) $(m + \ell)$ group exponentiations are required to generate a proof, where $m$ is the size of a data block and $\ell$ is the number of blocks accessed during a verification. This paper proposes an efficient PDP scheme. Compared to Ateniese et al. (CCS 07), the proposed scheme has the same complexities in communication and storage, but is more efficient in computation: in the setup, no group exponentiations are required; in each verification, only (equivalently) $m$ group exponentiations are required to generate a proof. The security of the proposed scheme is proved under the Knowledge of Exponent Assumption and the Factorization Assumption.

    Secure Two-Party Computation with Low Communication

    We propose a 2-party UC-secure protocol that can compute any function securely. The protocol requires only two messages, communication that is poly-logarithmic in the size of the circuit description of the function, and the workload for one of the parties is also only poly-logarithmic in the size of the circuit. This implies, for instance, delegatable computation that requires no expensive off-line phase and remains secure even if the server learns whether the client accepts its results. To achieve this, we define two new notions of extractable hash functions, propose an instantiation based on the knowledge of exponent in an RSA group, and build succinct zero-knowledge arguments in the CRS model.

    The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model

    Abstract. In this paper we examine the notion of plaintext awareness as it applies to hybrid encryption schemes. We apply this theory to the Cramer-Shoup hybrid scheme acting on fixed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of fully plaintext-aware encryption schemes.

    The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model

    Abstract. In this paper we examine the security criteria for a KEM and a DEM that are sufficient for the overall hybrid encryption scheme to be plaintext-aware in the standard model. We apply this theory to the Cramer-Shoup hybrid scheme acting on fixed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of plaintext-aware encryption schemes.

    1 Introduction

    Plaintext awareness is a simple concept with a difficult explanation. An encryption scheme is plaintext aware if it is practically impossible for any entity to produce a ciphertext without knowing the associated message. This effectively renders a decryption oracle useless to an attacker, as any ciphertext submitted for decryption must either be invalid or the attacker must already know the decryption of that ciphertext and so does not gain any information by querying the oracle. Thus a scheme that is plaintext aware and semantically secure should be secure against adaptive attacks.

    There are two problems with this simplistic approach. Firstly, if we wish to achieve the IND-CCA2 definition of security for an encryption scheme, then we have to be careful about how we define plaintext awareness, because, in this model, the attacker is always given one ciphertext for which he does not know the corresponding decryption (the challenge ciphertext). It is usually comparatively simple to achieve plaintext awareness when you do not have to consider the attacker as able to get hold of ciphertexts for which he does not know the corresponding decryption. We will follow the notation of Bellare and Palacio [4] and term this PA1 plaintext awareness. A scheme that is IND-CPA and PA1 plaintext aware is only IND-CCA1 secure [4].

    It is a lot harder to prove plaintext awareness in full generality, when the attacker has access to an oracle that will return ciphertexts for which the attacker does not know the corresponding decryption, especially if the attacker has some measure of control over the probability distribution that the oracle uses to select the messages that it encrypts. This is termed PA2 plaintext awareness.

    A Probabilistic Public Key Encryption Scheme Based on Quartic Reciprocity (Draft V1.22)

    Using a novel class of single-bit one-way trapdoor functions we construct a theoretical probabilistic public key encryption scheme that has many interesting properties. These functions are constructed from binary quadratic forms and rational quartic reciprocity laws. They are not based on class group operations nor on universal one-way hash functions. Inverting these functions appears to be as difficult as factoring, and other than factoring, we know of no reductions between this new number theory problem and the standard number theoretic problems used cryptographically. We are unable to find a way to construct a ciphertext without knowing the plaintext, hence this encryption scheme appears to be plaintext aware (PA1). By using quartic reciprocity properties there is less information leakage than with quadratic reciprocity based schemes and consequently this encryption scheme appears to be completely non-malleable as defined by M. Fischlin (2005), and strongly plaintext aware (SPA) and secret-key aware (SKA) as well, as defined by M. Barbosa and P. Farshim (2009). Assuming plaintext awareness (PA1), the difficulty of inverting our one-way trapdoor function and the hardness of certain standard number theoretic problems, this scheme is provably secure against adaptive chosen ciphertext attacks (IND-CCA2). The public key is a product of two secret primes. Decryption is fast, requiring just one modular multiplication and one Jacobi symbol evaluation. The encryption step is polynomial time, but slow, and there is a great deal of message expansion. However, the encryption step is amenable to parallelization, both across bits and at the level of encrypting a single bit. The encryption step is also amenable to asynchronous pre-computation.
    After the pre-computation step, for a $t$-bit public key, encryption only requires three multiplications (with $(t + 2c + 5)$-bit numbers) per encrypted bit, where $100 \leq c \leq 150$ is an adjustable security parameter. The computational cost to break an encrypted bit can be optionally adjusted down on a per-bit basis. With no additional keys, multiple senders can individually join secret information to each encrypted bit without changing the parity of the encrypted bit. (Recovering this secret information is harder than recovering the private key.) Each sender can separately and publicly reveal their secret information without revealing the plaintext bit. The senders of the encrypted message bit can also individually authenticate that they are senders without the use of a message authentication code and without revealing the plaintext bit. We are not aware of any hardware faults or other adverse events that might occur during decryption that could be exploited to break the secret key. Encryption faults can occur that could be exploited to reveal plaintext bits; however, these faults can be detected with high probability and with low computational cost.
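    The abstract above names one Jacobi symbol evaluation as one of the two operations in decryption, and contrasts the scheme with quadratic reciprocity based schemes. The following is an added example, not code from the paper (whose construction the abstract does not disclose): it implements the Jacobi symbol via quadratic reciprocity, cross-checks it against Euler's criterion for a prime modulus, and shows why the symbol modulo a product of two primes does not by itself reveal quadratic residuosity. The primes 3, 7, 101 and 103 and the test values are constructed for illustration; a real key uses two secret large primes.

```python
"""Jacobi symbol via quadratic reciprocity (added example, not the paper's scheme)."""


def jacobi(a: int, n: int) -> int:
    """Return the Jacobi symbol (a/n) for any integer a and odd n > 0.

    Uses the supplementary law for 2 and the quadratic-reciprocity law with
    reduction mod n, so it never needs to factor n; the loop takes O(log n)
    rounds, each a division, which is why a decryption that needs only one
    such evaluation plus one modular multiplication is cheap.
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("Jacobi symbol is defined only for odd positive n")
    a %= n
    result = 1
    while a != 0:
        # Pull out factors of 2: (2/n) = +1 if n = +-1 (mod 8), else -1.
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # Reciprocity: (a/n)(n/a) = -1 exactly when a = n = 3 (mod 4).
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    # Loop ends with n = gcd(original a, original n); the symbol is 0 unless gcd = 1.
    return result if n == 1 else 0


def legendre_by_euler(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion; p must be an odd prime."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def agrees_with_euler(p: int) -> bool:
    """Cross-check jacobi() against Euler's criterion for every a mod prime p."""
    return all(jacobi(a, p) == legendre_by_euler(a, p) for a in range(p))


def residue_profile(a: int, p: int, q: int) -> tuple:
    """Return ((a/N), (a/p), (a/q)) for N = p*q with p, q distinct odd primes.

    (a/N) = (a/p)(a/q) is computable by anyone holding only N, but (a/N) = +1
    arises both when a is a residue mod both primes and when it is a
    non-residue mod both. The public symbol therefore leaks at most one bit
    and not residuosity itself; that gap is what quadratic reciprocity based
    encryption relies on, and what the abstract says its quartic variant
    narrows further.
    """
    return jacobi(a, p * q), legendre_by_euler(a, p), legendre_by_euler(a, q)


if __name__ == "__main__":
    p, q = 3, 7  # constructed toy primes
    # 5 is a non-residue mod 3 and mod 7, yet (5/21) = +1
    print("residue_profile(5, 3, 7) =", residue_profile(5, p, q))
    # 4 is a residue mod both, also giving (4/21) = +1
    print("residue_profile(4, 3, 7) =", residue_profile(4, p, q))
    print("jacobi agrees with Euler for p=101:", agrees_with_euler(101))
```

    Note that `residue_profile` needs the factorisation of N only to compute the two Legendre symbols; `jacobi(a, p * q)` itself runs on the public modulus alone, which is the operation a decryptor (or an attacker) can perform without the trapdoor.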