Polynomial-Time, Semantically-Secure Encryption Achieving the Secrecy Capacity
In the wiretap channel setting, one aims to get information-theoretic privacy
of communicated data based only on the assumption that the channel from sender
to receiver is noisier than the one from sender to adversary. The secrecy
capacity is the optimal (highest possible) rate of a secure scheme, and the
existence of schemes achieving it has been shown. For thirty years the ultimate
and unreached goal has been to achieve this optimal rate with a scheme that is
polynomial-time. (This means both encryption and decryption are proven
polynomial time algorithms.) This paper finally delivers such a scheme. In fact
it does more. Our scheme not only meets the classical notion of security from
the wiretap literature, called MIS-R (mutual information security for random
messages) but achieves the strictly stronger notion of semantic security, thus
delivering more in terms of security without loss of rate.
New Proofs for NMAC and HMAC: Security Without Collision-Resistance
HMAC was proved by Bellare, Canetti and Krawczyk [2] to be a PRF assuming that (1)
the underlying compression function is a PRF, and (2) the iterated hash
function is weakly collision-resistant.
However, recent attacks show that assumption (2) is false for MD5 and SHA-1,
removing the proof-based support for HMAC in these cases.
This paper proves that HMAC is a PRF
under the sole assumption that the compression function is a PRF. This recovers
a proof based guarantee since no known attacks compromise the pseudorandomness
of the compression function, and it also helps explain the resistance-to-attack
that HMAC has shown even when implemented with hash functions whose
(weak) collision resistance is compromised. We also show that an even
weaker-than-PRF condition on the compression function, namely that it is a
privacy-preserving MAC, suffices to establish HMAC is a MAC as long as the hash
function meets the very weak requirement of being computationally almost
universal, where again the value lies in the fact that known attacks do not
invalidate the assumptions made.
Code-Based Game-Playing Proofs and the Security of Triple Encryption
The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC MAC, and the chosen-plaintext-attack security of OAEP.
A Characterization of Chameleon Hash Functions and New, Efficient Designs
This paper shows that chameleon hash functions and Sigma
protocols are equivalent. We provide a transform of any suitable Sigma protocol
to a chameleon hash function, and also show that any chameleon hash function is
the result of applying our transform to some suitable Sigma protocol. This
enables us to unify previous designs of chameleon hash functions, seeing them
all as emanating from a common paradigm, and also obtain new designs that are
more efficient than previous ones. In particular, via a modified version of the
Fiat-Shamir protocol, we obtain the fastest known chameleon hash function with
a proof of security based on the STANDARD factoring assumption.
The increasing number of applications of chameleon hash functions, including
on-line/off-line signing, chameleon signatures, designated-verifier signatures
and conversion from weakly-secure to fully-secure signatures, make our work of
contemporary interest.
Many-to-one Trapdoor Functions and Their Relation to Public-Key Cryptosystems
The heart of the task of building public key cryptosystems is viewed as that of "making trapdoors;" in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of "trapdoorness" and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (i.e., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.
Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption
The security of HMAC is proven under the assumption that its compression function is a dual PRF, meaning a PRF when keyed by either of its two inputs. But, not only do we not know whether particular compression functions really are dual PRFs, we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption for HMAC. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain a symmetric and dual PRF assuming (1) any collision-resistant hash function, or (2) any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.
The Security of Practical Two-Party RSA Signature Schemes
In a two-party RSA signature scheme, a client and server, each
holding a share of an RSA decryption exponent , collaborate to compute an
RSA signature under the corresponding public key known to both. This
primitive is of growing interest in the domain of server-aided password-based
security, where the client's share of is based on its password. To minimize
cost, designers are looking at very simple, practical protocols based on the
early ideas of Boyd, but their security is unclear. We analyze a class of these
protocols. We suggest two notions of security for two-party signature schemes
and provide proofs of security for the schemes in our class based on
assumptions about RSA and the hash function underlying the scheme.
Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection side-channel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept in the foundational style and not practical.
Partial Signatures and their Applications
We introduce Partial Signatures, where a signer, given a message, can
compute a "stub" which preserves her anonymity, yet later she, but
nobody else, can complete the stub to a full and verifiable signature
under her public key. We provide a formal definition requiring three
properties, namely anonymity, unambiguity and unforgeability. We
provide schemes meeting our definition both with and without random
oracles. Our schemes are surprisingly cheap in both bandwidth and
computation. We describe applications including anonymous bidding and
betting.
Encryption Schemes Secure under Selective Opening Attack
We provide the first public key encryption schemes proven secure against selective opening attack
(SOA). This means that if an adversary obtains a number of ciphertexts and then corrupts some
fraction of the senders, obtaining not only the corresponding messages but also the coins under which
they were encrypted then the security of the other messages is guaranteed. Whether or not schemes with
this property exist has been open for many years. Our schemes are based on a primitive we call lossy
encryption. Our schemes have short keys (public and secret keys of a fixed length suffice for encrypting
an arbitrary number of messages), are stateless, are non-interactive, and security does not rely on
erasures. The schemes are without random oracles, proven secure under standard assumptions (DDH,
Paillier’s DCR, QR, lattices), and even efficient. We are able to meet both an indistinguishability
(IND-SOA-C) and a simulation-style, semantic security (SS-SOA-C) definition.