59 research outputs found
Philanthropy in BRICS countries and the UN Sustainable Development Goals
Philanthropy in the BRICS countries and the UN Sustainable Development Goals is a review prepared by the Russian Donors Forum alongside the research Philanthropy and social investment in the BRICS countries. The review analyses how philanthropy in Brazil, Russia, India, China and South Africa is aligning its activity with the UN Sustainable Development Goals (SDGs), what progress has already been made and what challenges the sector faces. The review studies the common features of philanthropy in the BRICS countries, as well as the role of Agenda 2030 in the sector of philanthropy and social investment in each of the countries.
Efficient Fuzzy Search on Encrypted Data
We study the problem of efficient (sub-linear) fuzzy search on encrypted outsourced data, in the symmetric-key setting. In particular, a user who stores encrypted data on a remote untrusted server forms queries that enable the server to efficiently locate the records containing the requested keywords, even though the user may misspell keywords or provide noisy data in the query. We define an appropriate primitive for a general \emph{closeness} function on the message space that we call \emph{efficiently fuzzy-searchable encryption} (\emph{EFSE}).
Next we identify an optimal security notion for EFSE. We demonstrate that existing schemes do not meet our security definition and propose a new scheme that we prove secure under basic assumptions. Unfortunately, the scheme requires large ciphertext length, but we show that, in a sense, this space-inefficiency is unavoidable for a general, optimally-secure scheme.
Seeking the right balance between efficiency and security, we then show how to construct schemes that are more efficient and satisfy a weaker security notion that we propose. To illustrate, we present and analyze a more space-efficient scheme for supporting fuzzy search on biometric data that achieves the weaker notion.
A New Pseudorandom Generator from Collision-Resistant Hash Functions
We present a new hash-function-based pseudorandom generator (PRG). Our PRG is reminiscent of the classical constructions iterating a function on a random seed and extracting Goldreich-Levin hardcore bits at each iteration step. The latest PRG of this type that relies on reasonable assumptions (regularity and one-wayness) is due to Haitner et al. In addition to a regular one-way function, each iteration in their "randomized iterate" scheme uses a new pairwise-independent function, whose descriptions are part of the seed of the PRG. Our construction does not use pairwise-independent functions and is thus more efficient, requiring less computation and a significantly shorter seed. Our scheme's security relies on the standard notions of collision-resistance and regularity of the underlying hash function, where the collision-resistance is required to be {\em exponential}. In particular, any polynomial-time adversary should have less than probability of finding collisions, where is the output size of the hash function. We later show how to relax the regularity assumption by introducing a new notion that we call {\em worst-case regularity}, which lower bounds the size of preimages of different elements from the range (while the common regularity assumption requires all such sets to be of equal size). Unlike previous results, we provide a concrete security statement.
Identity-based Encryption with Efficient Revocation
Identity-based encryption (IBE) is an exciting alternative to public-key encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any setting, PKI- or identity-based, must provide a means to revoke users from the system. Efficient revocation is a well-studied problem in the traditional PKI setting. However, in the setting of IBE, there has been little work on studying the revocation mechanisms. The most practical solution requires the senders to also use time periods when encrypting, and all the receivers (regardless of whether their keys have been compromised or not) to update their private keys regularly by contacting the trusted authority. We note that this solution does not scale well -- as the number of users increases, the work on key updates becomes a bottleneck. We propose an IBE scheme that significantly improves key-update efficiency on the side of the trusted party (from linear to logarithmic in the number of users), while staying efficient for the users. Our scheme builds on the ideas of the Fuzzy IBE primitive and the binary tree data structure, and is provably secure.
An Uninstantiable Random-Oracle-Model Scheme for a Hybrid Encryption Problem
We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning it is proven in the RO model to meet its goal yet admits NO standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption, which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes, and on the surface shows no evidence of its anomalous properties. More generally, we show that a certain goal, that we call key-verifiable, ciphertext-verifiable IND-CCA-preserving asymmetric encryption, is achievable in the RO model (by Hash ElGamal in particular) but unachievable in the standard model. This helps us better understand the source of the anomalies in Hash ElGamal and also lifts our uninstantiability result from being about a specific scheme to being about a primitive or goal. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.
Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions
We further the study of order-preserving symmetric encryption (OPE), a primitive for allowing efficient range queries on encrypted data, recently initiated (from a cryptographic perspective) by Boldyreva et al.~(Eurocrypt '09).
First, we address the open problem of characterizing what encryption via a random order-preserving function (ROPF) leaks about underlying data (ROPF being the "ideal object" in the security definition, POPF, satisfied by their scheme).
In particular, we show that, for a database of randomly distributed plaintexts and appropriate choice of parameters, ROPF encryption leaks neither the precise value of any plaintext nor the precise distance between any two of them.
The analysis here introduces useful new techniques.
On the other hand, we show that ROPF encryption leaks the approximate value of any plaintext as well as the approximate distance between any two plaintexts, each to an accuracy of about the square root of the domain size.
We then study schemes that are not order-preserving, but which nevertheless allow efficient range queries and achieve security notions stronger than POPF. In a setting where the entire database is known in advance of key-generation (considered in several prior works), we show that recent constructions of "monotone minimal perfect hash functions" allow one to efficiently achieve (an adaptation of) the notion of IND-O(rdered) CPA also considered by Boldyreva et al., which asks that \emph{only} the order relations among the plaintexts are leaked.
Finally, we introduce {\em modular} order-preserving encryption (MOPE), in which the scheme of Boldyreva et al. is prepended with a random shift cipher. MOPE improves the security of OPE in a sense, as it does not leak any information about plaintext location.
We clarify that our work should not be interpreted as saying the original scheme of Boldyreva et al., or the variants that we introduce, are "secure" or "insecure." Rather, the goal of this line of research is to help practitioners decide whether the options provide a suitable security-functionality tradeoff for a given application.
Secure Proxy Signature Schemes for Delegation of Signing Rights
A proxy signature scheme permits an entity to delegate its signing rights to another entity. These schemes have been suggested for use in numerous applications, particularly in distributed computing. But to date, no proxy signature schemes with guaranteed security have been proposed; no precise definitions or proofs of security have been provided for such schemes. In this paper, we formalize a notion of security for proxy signature schemes and present provably-secure schemes. We analyze the security of the well-known delegation-by-certificate scheme and show that after some slight but important modifications, the resulting scheme is secure, assuming the underlying standard signature scheme is secure. We then show that employment of the recently introduced aggregate signature schemes permits bandwidth and computational savings. Finally, we analyze the proxy signature scheme of Kim, Park and Won, which offers important performance benefits. We propose modifications to this scheme that preserve its efficiency, and yield a proxy signature scheme that is provably secure in the random-oracle model, under the discrete-logarithm assumption.
On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO~'07), who provided the "strongest possible" notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes \emph{without} random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess \emph{given the others} (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC '08) for constructing CCA-secure \emph{probabilistic} encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well.
Provable Security Analysis of FIDO2
We carry out the first provable security analysis of the new FIDO2 protocols, the promising FIDO Alliance's proposal for a standard for passwordless user authentication. Our analysis covers the core components of FIDO2: the W3C's Web Authentication (WebAuthn) specification and the new Client-to-Authenticator Protocol (CTAP2).
Our analysis is modular. For WebAuthn and CTAP2, in turn, we propose appropriate security models that aim to capture their intended security goals and use the models to analyze their security. First, our proof confirms the authentication security of WebAuthn. Then, we show CTAP2 can only be proved secure in a weak sense; meanwhile we identify a series of its design flaws and provide suggestions for improvement. To withstand stronger yet realistic adversaries, we propose a generic protocol called sPACA and prove its strong security; with proper instantiations sPACA is also more efficient than CTAP2. Finally, we analyze the overall security guarantees provided by FIDO2 and WebAuthn+sPACA based on the security of its components.
We expect that our models and provable security results will help clarify the security guarantees of the FIDO2 protocols. In addition, we advocate the adoption of our sPACA protocol as a substitute for CTAP2 for both stronger security and better performance.