Results 1 - 10 of 38
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Cited by 27 (3 self)
Abstract. Asymmetric pairings e: G1 × G2 → GT for which an efficiently-computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
Efficient Unidirectional Proxy Re-Encryption
Cited by 12 (0 self)
Abstract. Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one encrypting the same message for Bob. The proxy only needs a re-encryption key given by Alice, and cannot learn anything about the message encrypted. This adds flexibility in various data security applications, such as confidential email, digital rights management and distributed storage. In this paper, we study unidirectional PRE, where the re-encryption key only enables delegation in one direction but not the opposite. In PKC 2009, Shao and Cao [23] proposed a unidirectional PRE in the random oracle model. However, we show how to launch a chosen-ciphertext attack (CCA) on this recently proposed scheme and discuss the flaws in their proof. We then propose an efficient unidirectional PRE scheme (without resorting to pairings). We achieve high efficiency and CCA-security under the computational Diffie-Hellman assumption, in the random oracle model. Key words: proxy re-encryption, unidirectional, chosen-ciphertext attack
Designated-Verifier Proxy Signature Schemes
- in the Age of Ubiquitous Computing (IFIP/SEC 2005), 2004
Cited by 9 (1 self)
Abstract. In a proxy signature scheme, a user delegates his/her signing capability to another user in such a way that the latter can sign messages on behalf of the former. In this paper, we first propose a provably secure proxy signature scheme, which is based on a two-party Schnorr signature scheme. Then, we extend this basic scheme into designated-verifier proxy signatures (DVPS). More specifically, we get two versions of DVPS: weak DVPS and strong DVPS. In both versions, the validity of a proxy signature can be checked only by the designated verifier. In a weak DVPS scheme, however, the designated verifier can further convert such proxy signatures into publicly verifiable ones, while a strong DVPS scheme does not have the same property even if the designated verifier's secret key is revealed willingly or unwillingly. In addition, we briefly discuss some potential applications for DVPS.
Password Authenticated Key Exchange by Juggling
- Proceedings of the 16th International Workshop on Security Protocols, 2008
Cited by 9 (6 self)
Vector Commitments and their Applications
Cited by 7 (1 self)
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow one to commit to an ordered sequence of q values (m1, ..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the i-th committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding, which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well-established assumptions, such as RSA and Computational Diffie-Hellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of "quality" of the underlying assumption, or both. These applications
J-PAKE: Authenticated Key Exchange Without PKI
Cited by 7 (3 self)
Abstract. Password Authenticated Key Exchange (PAKE) is one of the important topics in cryptography. It aims to address a practical security problem: how to establish secure communication between two parties solely based on a shared password without requiring a Public Key Infrastructure (PKI). After more than a decade of extensive research in this field, several PAKE protocols are available. The EKE and SPEKE schemes are perhaps the two most notable examples. Both techniques are, however, patented. In this paper, we review these techniques in detail and summarize various theoretical and practical weaknesses. In addition, we present a new PAKE solution called J-PAKE. Our strategy is to depend on well-established primitives such as the Zero-Knowledge Proof (ZKP). So far, almost all of the past solutions have avoided using ZKP out of concern for efficiency. We demonstrate how to effectively integrate the ZKP into the protocol design while still achieving good efficiency. Our protocol has computational efficiency comparable to the EKE and SPEKE schemes, with clear advantages in security. Keywords: Password-Authenticated Key Exchange, EKE, SPEKE, key agreement.
Weak pseudorandom functions in Minicrypt, 2008
Cited by 6 (2 self)
A family of functions is weakly pseudorandom if a random member of the family is indistinguishable from a uniform random function when queried on random inputs. We point out a subtle ambiguity in the definition of weak PRFs: there are natural weak PRFs whose security breaks down if the randomness used to sample the inputs is revealed. To capture this ambiguity we distinguish between public-coin and secret-coin weak PRFs. We show that the existence of a secret-coin weak PRF which is not also a public-coin weak PRF implies the existence of two-pass key agreement (i.e. public-key encryption). So in Minicrypt, i.e. under the assumption that one-way functions exist but public-key cryptography does not, the notions of public- and secret-coin weak PRFs coincide. Prior to this paper, all positive cryptographic statements known to hold exclusively in Minicrypt concerned the adaptive security of constructions using non-adaptively secure components. Weak PRFs give rise to a new set of statements having this property. As another example we consider the problem of range extension for weak PRFs. We show that in Minicrypt one can beat the best possible range expansion factor (using a fixed number of distinct keys) for a very general class of constructions (in particular, this class contains all constructions that are known today).
A fast and key-efficient reduction of chosen-ciphertext to known-plaintext security
- in Advances in Cryptology — EUROCRYPT '07, volume 4515 of LNCS, 2007
Cited by 5 (1 self)
Motivated by the quest for reducing assumptions in security proofs in cryptography, this paper is concerned with designing efficient symmetric encryption and authentication schemes based on any weak pseudorandom function (PRF), which can be much more efficiently implemented than PRFs. Damgård and Nielsen (CRYPTO '02) have shown how to construct an efficient symmetric encryption scheme based on any weak PRF that is provably secure against chosen-plaintext attacks. The main ingredient is a range-extension construction for weak PRFs. By using well-known techniques, they also showed how their scheme can be made secure against the stronger chosen-ciphertext attacks. The results of our paper are three-fold. First, we give a range-extension construction for weak PRFs that is optimal within a large and natural class of reductions (especially all known today). Second, we propose a construction of a regular PRF from any weak PRF. Third, these two results imply a (for long messages) much more efficient chosen-ciphertext secure encryption scheme than the one proposed by Damgård and Nielsen. The results also give answers to open questions posed by Naor and Reingold (CRYPTO '98) and by Damgård and Nielsen.
An analysis of the vector decomposition problem
Cited by 4 (1 self)
Abstract. The vector decomposition problem (VDP) has been proposed as a computational problem on which to base the security of public key cryptosystems. We give a generalisation and simplification of the results of Yoshida on the VDP. We then show that, for the supersingular elliptic curves which can be used in practice, the VDP is equivalent to the computational Diffie-Hellman problem (CDH) in a cyclic group. For the broader class of pairing-friendly elliptic curves we relate VDP to various co-CDH problems and also to a generalised discrete logarithm problem 2-DL which in turn is often related to discrete logarithm problems in cyclic groups. Keywords: Vector decomposition problem, elliptic curves, Diffie-Hellman problem, generalised discrete logarithm problem.
A revocation scheme preserving privacy
- in Information Security and Cryptology—Inscrypt 2006