Polynomial-Time, Semantically-Secure Encryption Achieving the Secrecy Capacity
In the wiretap channel setting, one aims to get information-theoretic privacy
of communicated data based only on the assumption that the channel from sender
to receiver is noisier than the one from sender to adversary. The secrecy
capacity is the optimal (highest possible) rate of a secure scheme, and the
existence of schemes achieving it has been shown. For thirty years the ultimate
and unreached goal has been to achieve this optimal rate with a scheme that is
polynomial-time. (This means both encryption and decryption are proven
polynomial time algorithms.) This paper finally delivers such a scheme. In fact
it does more. Our scheme not only meets the classical notion of security from
the wiretap literature, called MIS-R (mutual information security for random
messages) but achieves the strictly stronger notion of semantic security, thus
delivering more in terms of security without loss of rate.
New Proofs for NMAC and HMAC: Security Without Collision-Resistance
HMAC was proved by Bellare, Canetti and Krawczyk [2] to be a PRF assuming that (1)
the underlying compression function is a PRF, and (2) the iterated hash
function is weakly collision-resistant. However, recent attacks show that
assumption (2) is false for MD5 and SHA-1, removing the proof-based support for
HMAC in these cases. This paper proves that HMAC is a PRF under the sole
assumption that the compression function is a PRF. This recovers a proof-based
guarantee since no known attacks compromise the pseudorandomness of the
compression function, and it also helps explain the resistance to attack that
HMAC has shown even when implemented with hash functions whose (weak) collision
resistance is compromised. We also show that an even weaker-than-PRF condition
on the compression function, namely that it is a privacy-preserving MAC,
suffices to establish that HMAC is a MAC as long as the hash function meets the
very weak requirement of being computationally almost universal, where again
the value lies in the fact that known attacks do not invalidate the assumptions
made.
Code-Based Game-Playing Proofs and the Security of Triple Encryption
The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage is small until it asks about queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC MAC, and the chosen-plaintext-attack security of OAEP.
Robust Computational Secret Sharing and a Unified Account of Classical Secret-Sharing Goals
We give a unified account of classical secret-sharing goals from a modern cryptographic vantage. Our treatment encompasses perfect, statistical, and computational secret sharing; static and dynamic adversaries; schemes with or without robustness; schemes where a participant recovers the secret and those where an external party does so. We then show that Krawczyk's 1993 protocol for robust computational secret sharing (RCSS) need not be secure, even in the random-oracle model and for threshold schemes, if the encryption primitive it uses satisfies only one-query indistinguishability (ind1), the only notion Krawczyk defines. Nonetheless, we show that the protocol is secure (in the random-oracle model, for threshold schemes) if the encryption scheme also satisfies one-query key-unrecoverability (key1). Since practical encryption schemes are ind1+key1 secure, our result effectively shows that Krawczyk's RCSS protocol is sound (in the random-oracle model, for threshold schemes). Finally, we prove the security for a variant of Krawczyk's protocol, in the standard model and for arbitrary access structures, assuming ind1 encryption and a statistically-hiding, weakly-binding commitment scheme.
A Characterization of Chameleon Hash Functions and New, Efficient Designs
This paper shows that chameleon hash functions and Sigma
protocols are equivalent. We provide a transform of any suitable Sigma protocol
to a chameleon hash function, and also show that any chameleon hash function is
the result of applying our transform to some suitable Sigma protocol. This
enables us to unify previous designs of chameleon hash functions, seeing them
all as emanating from a common paradigm, and also obtain new designs that are
more efficient than previous ones. In particular, via a modified version of the
Fiat-Shamir protocol, we obtain the fastest known chameleon hash function with
a proof of security based on the STANDARD factoring assumption.
The increasing number of applications of chameleon hash functions, including
on-line/off-line signing, chameleon signatures, designated-verifier signatures
and conversion from weakly-secure to fully-secure signatures, makes our work of
contemporary interest.
Policy-Based Signatures
We introduce policy-based signatures (PBS), where a signer can only sign
messages conforming to some authority-specified policy. The main
requirements are unforgeability and privacy, the latter meaning that
signatures do not reveal the policy. PBS offers value along two
fronts: (1) On the practical side, they allow a corporation to
control what messages its employees can sign under the corporate key.
(2) On the theoretical side, they unify existing work, capturing
other forms of signatures as special cases or allowing them to be
easily built. Our work focuses on definitions of PBS, proofs that
this challenging primitive is realizable for arbitrary policies,
efficient constructions for specific policies, and a few
representative applications.
Many-to-one Trapdoor Functions and Their Relation to Public-Key Cryptosystems
The heart of the task of building public key cryptosystems is viewed as that of "making trapdoors;" in fact, public key cryptosystems and trapdoor functions are often discussed as synonymous. How accurate is this view? In this paper we endeavor to get a better understanding of the nature of "trapdoorness" and its relation to public key cryptosystems, by broadening the scope of the investigation: we look at general trapdoor functions; that is, functions that are not necessarily injective (i.e., one-to-one). Our first result is somewhat surprising: we show that non-injective trapdoor functions (with super-polynomial pre-image size) can be constructed from any one-way function (and hence it is unlikely that they suffice for public key encryption). On the other hand, we show that trapdoor functions with polynomial pre-image size are sufficient for public key encryption. Together, these two results indicate that the pre-image size is a fundamental parameter of trapdoor functions. We then turn our attention to the converse, asking what kinds of trapdoor functions can be constructed from public key cryptosystems. We take a first step by showing that in the random-oracle model one can construct injective trapdoor functions from any public key cryptosystem.
The Security of Practical Two-Party RSA Signature Schemes
In a two-party RSA signature scheme, a client and server, each
holding a share of an RSA decryption exponent , collaborate to compute an
RSA signature under the corresponding public key known to both. This
primitive is of growing interest in the domain of server-aided password-based
security, where the client's share of is based on its password. To minimize
cost, designers are looking at very simple, practical protocols based on the
early ideas of Boyd, but their security is unclear. We analyze a class of these
protocols. We suggest two notions of security for two-party signature schemes
and provide proofs of security for the schemes in our class based on
assumptions about RSA and the hash function underlying the scheme.
Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-based Characterization
We prove the equivalence of two definitions of non-malleable
encryption, one based on the simulation approach of Dolev, Dwork and Naor and the other based on the comparison approach of Bellare,
Desai, Pointcheval and Rogaway.
Our definitions are slightly stronger than the original ones.
The equivalence relies on a new
characterization of non-malleable encryption in terms of the standard
notion of indistinguishability of Goldwasser and Micali. We show that
non-malleability is equivalent to indistinguishability under a
"parallel chosen ciphertext attack," this being a new kind of chosen
ciphertext attack we introduce, in which the adversary's decryption
queries are not allowed to depend on answers to previous queries, but
must be made all at once. This characterization simplifies both the
notion of non-malleable encryption and its usage, and enables one to
see more easily how it compares with other notions of encryption. The
results here apply to non-malleable encryption under any form of
attack, whether chosen-plaintext, chosen-ciphertext, or adaptive
chosen-ciphertext.
Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption
The security of HMAC is proven under the assumption that its compression function is a dual PRF, meaning a PRF when keyed by either of its two inputs. But, not only do we not know whether particular compression functions really are dual PRFs, we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption for HMAC. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain a symmetric and dual PRF assuming (1) any collision-resistant hash function, or (2) any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.