37 research outputs found
Verifiable Random Oracles
Ziel dieser Arbeit ist es, Random Oracle zu instanziieren, ohne dabei Sicherheit zu verlieren,
die im Random Oracle Modell bewiesen wurde. Das dies mit Funktionsfamilien nicht geht
ist eine wohl bekannte Aussage, die zuerst von Halevi et al. (IACRâ1998) gezeigt wurde. Wir
werden aus diesem Grund auf Interaktion zurĂŒckgreifen, aber versuchen, den erzeugten
Overhead möglichst zu reduzieren.
Um möglichst wenig zu Interagieren fĂŒhren wir ein neues ideales Modell mit Namen
Verifiable Random Oracle ein. Dieses Modell bietet zusÀtzlich zum Random Oracle ein
Verifikations-Orakel, welches bei Eingabe (x, h) 1 ausgibt, falls RO(x) = h und anderenfalls
0. Wir stellen danach zwei konkrete Instanziierungen fĂŒr Verifiable Random Oracle vor,
von denen eine keine vertrauenswĂŒrdige Party benötigt. ZusĂ€tzlich reduzieren wir den
Netzwerk-Overhead (also die GesamtgröĂe der verwendeten Nachrichten).
Wenn wir unsere Instanziierungen zusammen mit der Fiat-Shamir Transformation verwen-
den, bleibt die Simulation-Soundness Extractability Eigenschaft erhalten. Der Beweiser der
Fiat-Shamir Transformation verliert leider seine nicht-InteraktivitÀt. Der Verifizierer bleibt
jedoch Nicht-interaktiv, da die Instanziierungen des Verifikations-Orakels nicht-interaktiv
sind. Die Beweise fĂŒr diese Behauptungen bilden einen signifikanten Teil dieser Arbeit
Fiat-Shamir for highly sound protocols is instantiable
The FiatâShamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model.
We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of âhighly soundâ protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker âq-boundedâ zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks.
Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the LapidotâShamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments.
We hope that our work inspires more research on classes of (efficient) 3-move protocols where FiatâShamir is (efficiently) instantiable
A supplement to Liu et al.\u27s certificateless signcryption scheme in the standard model
Recently, Liu et al. proposed the first certificateless signcryption scheme without random oracles and proved it was semantically secure in the standard model. However, Selvi et al. launched a fatal attack to its confidentiality by replacing users\u27 public keys, thus pointed out this scheme actually doesn\u27t reach the semantic security as claimed. In this paper, we come up with a rescue scheme based on Liu et al.\u27s original proposal. A Schnorr-based one-time signature is added to each user\u27s public key, which is used to resist Selvi et al.\u27s attack. In addition, according to the mistake made in Liu et al.\u27s security proof, we also show that our improvement is really secure in the standard model under the intractability of the decisional bilinear Diffie-Hellman assumption
Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols
Client puzzles are meant to act as a defense against denial of service (DoS) attacks by requiring a client to solve some moderately hard problem before being granted access to a resource. However, recent client puzzle difficulty definitions (Stebila and Ustaoglu, 2009; Chen et al., 2009) do not ensure that solving n puzzles is n times harder than solving one puzzle. Motivated by examples of puzzles where this is the case, we present stronger definitions of difficulty for client puzzles that are meaningful in the context of adversaries with more computational power than required to solve a single puzzle.
A protocol using strong client puzzles may still not be secure against DoS attacks if the puzzles are not used in a secure manner. We describe a security model for analyzing the DoS resistance of any protocol in the context of client puzzles and give a generic technique for combining any protocol with a strong client puzzle to obtain a DoS-resistant protocol
ID Based Signcryption Scheme in Standard Model
Designing an ID based signcryption scheme in the standard model is among the most interesting and important problems in cryptography. However, all the existing systems in the ID based setting, in the standard model, do not have either the unforgeability property or the indistinguishability property or both of them. In this paper, we present the first provably secure ID based signcryption scheme in the standard model with both these properties. The unforgeability property of this scheme is based on the hardness of Computational Diffie-Hellman problem and the indistinguishability property of this scheme is based on the hardness of Decisional Bilinear Diffie-Hellman problem. Our scheme is strongly unforgeable in the strong attack mode called insider security. Moreover, our scheme possess an interesting property called public verifiability of the ciphertext. Our scheme integrates cleverly, a modified version of Waters\u27 IBE and a suitably modified version of the ID based signature scheme in the standard model proposed by Paterson et al. However, our security reductions are more efficient. Specifically, while the security reductions for indistinguishability is similar to the bounds of Waters\u27 scheme, the unforgeability reductions are way better than the bounds for Paterson et al.\u27s scheme
Enabling Machine-aided Cryptographic Design
The design of cryptographic primitives such as digital signatures and public-key encryption is very often a manual process conducted by expert cryptographers. This persists despite the fact that many new generic or semi-generic methods have been proposed to construct new primitives by transforming existing ones in interesting ways. However, manually applying transformations to existing primitives can be error-prone, ad-hoc and tedious. A natural question is whether automating the process of applying cryptographic transformations would yield competitive or better results?
In this thesis, we explore a compiler-based approach for automatically performing certain cryptographic designs. Similar approaches have been applied to various types of cryptographic protocol design with compelling results. We extend this same approach and show that it also can be effective towards automatically applying cryptographic transformations.
We first present our extensible architecture that automates a class of cryptographic transformations on primitives. We then propose several techniques that address the aforementioned question including the Charm cryptographic framework, which enables rapid prototyping of cryptographic primitives from abstract descriptions. We build on this work and show the extent to which transformations can be performed automatically given these descriptions. To illustrate this automation, we present a series of cryptographic tools that demonstrate the effectiveness of our automated approach. Our contributions are listed as follows:
- AutoBatch: Batch verification is a transformation that improves signature verification time by efficiently processing many signatures at once. Historically, this manual process has been prone to error and tedious for practitioners. We describe the design of an automated tool that finds efficient batch verification algorithms from abstract descriptions of signature schemes.
- AutoGroup: Cryptographers often prefer to describe their pairing-based constructions using symmetric group notation for simplicity, while they prefer asymmetric groups for implementation due to the efficiency gains. The symmetric- to-asymmetric translation is usually performed through manual analysis of a scheme and finding an efficient translation that suits applications can be quite challenging. We present an automated tool that uses SMT solvers to find efficient asymmetric translations from abstract descriptions of cryptographic schemes.
- AutoStrong: Strongly unforgeable signatures are desired in practice for a variety of cryptographic protocols. Several transformations exist in the literature that show how to obtain strongly unforgeable signatures from existentially unforgeable ones. We focus on a particular highly-efficient transformation due to Boneh, Shen and Waters that is applicable if the signature satisfies a notion of partitioning. Checking for this property can be challenging and has been less explored in the literature. We present an automated tool that also utilizes SMT solvers to determine when this property is applicable for constructing efficient strongly unforgeable signatures from abstract descriptions.
We anticipate that these proof-of-concept tools embody the notion that certain cryptographic transformations can be safely and effectively outsourced to machines
A Characterization of Chameleon Hash Functions and New, Efficient Designs
This paper shows that chameleon hash functions and Sigma
protocols are equivalent. We provide a transform of any suitable Sigma protocol
to a chameleon hash function, and also show that any chameleon hash function is
the result of applying our transform to some suitable Sigma protocol. This
enables us to unify previous designs of chameleon hash functions, seeing them
all as emanating from a common paradigm, and also obtain new designs that are
more efficient than previous ones. In particular, via a modified version of the
Fiat-Shamir protocol, we obtain the fastest known chameleon hash function with
a proof of security based on the STANDARD factoring assumption.
The increasing number of applications of
chameleon hash functions,
including on-line/off-line signing, chameleon signatures, designated-verifier
signatures and conversion from weakly-secure to fully-secure
signatures, make our work of
contemporary interest
Constant-Size Structure-Preserving Signatures: Generic Constructions and Simple Assumptions
This paper presents efficient structure-preserving signature schemes based on assumptions as simple as Decision-Linear. We first give two general frameworks for constructing fully secure signature schemes from weaker building blocks such as variations of one-time signatures and random-message secure signatures. They can be seen as refinements of the Even-Goldreich-Micali framework, and preserve many desirable properties of the underlying schemes such as constant signature size and structure preservation. We then instantiate them based on simple (i.e., not q-type) assumptions over symmetric and asymmetric bilinear groups. The resulting schemes are structure-preserving and yield constant-size signatures consisting o