Results 1-10 of 38
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF ψ REVISITED
Abstract

Cited by 27 (3 self)
Abstract. Asymmetric pairings e: G1 × G2 → GT for which an efficiently computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction, while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for others the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
Efficient Unidirectional Proxy Re-Encryption
Abstract

Cited by 12 (0 self)
Abstract. Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one encrypting the same message for Bob. The proxy only needs a re-encryption key given by Alice, and cannot learn anything about the encrypted message. This adds flexibility in various data security applications, such as confidential email, digital rights management and distributed storage. In this paper, we study unidirectional PRE, where the re-encryption key only enables delegation in one direction but not the opposite. In PKC 2009, Shao and Cao [23] proposed a unidirectional PRE in the random oracle model. However, we show how to launch a chosen-ciphertext attack (CCA) on this recently proposed scheme and discuss the flaws in their proof. We then propose an efficient unidirectional PRE scheme (without resorting to pairings). We achieve high efficiency and CCA security under the computational Diffie-Hellman assumption, in the random oracle model. Key words: proxy re-encryption, unidirectional, chosen-ciphertext attack
Designated-Verifier Proxy Signature Schemes
in the Age of Ubiquitous Computing (IFIP/SEC 2005), 2004
Abstract

Cited by 9 (1 self)
Abstract. In a proxy signature scheme, a user delegates his/her signing capability to another user in such a way that the latter can sign messages on behalf of the former. In this paper, we first propose a provably secure proxy signature scheme, which is based on a two-party Schnorr signature scheme. Then, we extend this basic scheme into designated-verifier proxy signatures (DVPS). More specifically, we get two versions of DVPS: weak DVPS and strong DVPS. In both versions, the validity of a proxy signature can be checked only by the designated verifier. In a weak DVPS scheme, however, the designated verifier can further convert such proxy signatures into publicly verifiable ones, while a strong DVPS scheme does not have this property even if the designated verifier's secret key is revealed, willingly or unwillingly. In addition, we briefly discuss some potential applications for DVPS.
Password Authenticated Key Exchange by Juggling
Proceedings of the 16th International Workshop on Security Protocols, 2008
Cited by 9 (6 self)
Vector Commitments and their Applications
Abstract

Cited by 7 (1 self)
Abstract. We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow one to commit to an ordered sequence of q values (m1, ..., mq) in such a way that one can later open the commitment at specific positions (e.g., prove that mi is the i-th committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding, which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well-established assumptions, such as RSA and Computational Diffie-Hellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of "quality" of the underlying assumption, or both. These applications
J-PAKE: Authenticated Key Exchange Without PKI
Abstract

Cited by 7 (3 self)
Abstract. Password Authenticated Key Exchange (PAKE) is one of the important topics in cryptography. It aims to address a practical security problem: how to establish secure communication between two parties solely based on a shared password without requiring a Public Key Infrastructure (PKI). After more than a decade of extensive research in this field, several PAKE protocols are available. The EKE and SPEKE schemes are perhaps the two most notable examples. Both techniques are, however, patented. In this paper, we review these techniques in detail and summarize various theoretical and practical weaknesses. In addition, we present a new PAKE solution called J-PAKE. Our strategy is to depend on well-established primitives such as the Zero-Knowledge Proof (ZKP). So far, almost all past solutions have avoided using ZKP out of concern for efficiency. We demonstrate how to effectively integrate the ZKP into the protocol design while still achieving good efficiency. Our protocol has comparable computational efficiency to the EKE and SPEKE schemes with clear advantages on security. Keywords: Password-Authenticated Key Exchange, EKE, SPEKE, key agreement.
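The ZKP-based two-round exchange that the "Password Authenticated Key Exchange by Juggling" and J-PAKE abstracts above describe, as an added worked example; this is not code from either paper or from any J-PAKE implementation. Each party sends two ephemeral public values with Schnorr ZKPs in round 1, then a password-blinded value with a third ZKP in round 2, and the two sides derive the same key only if their passwords agree. The group (a 10-bit safe-prime group), the identities "alice" and "bob", the SHA-256 challenge hash and the password-to-scalar mapping are assumptions chosen for illustration: a real deployment uses a 2048-bit or larger MODP group or an elliptic-curve group, and with a 509-element challenge space the toy ZKPs here are not sound.

```python
import hashlib
import secrets

# Toy safe-prime group (assumption: illustrative only, 10-bit, NOT secure).
# P = 2*Q + 1, G generates the order-Q subgroup of quadratic residues.
P = 1019
Q = 509
G = 4


def h(*parts) -> int:
    """Hash ints/strings into a challenge in [0, Q); each part is length-prefixed."""
    m = hashlib.sha256()
    for part in parts:
        b = part.encode() if isinstance(part, str) else str(part).encode()
        m.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(m.digest(), "big") % Q


def password_to_s(password: str) -> int:
    # s must be non-zero mod Q, otherwise the round-2 values collapse to the identity.
    return 1 + (int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (Q - 1))


def schnorr_prove(gen: int, x: int, X: int, signer_id: str):
    """Non-interactive Schnorr proof of knowledge of x with gen**x == X, bound to signer_id."""
    v = secrets.randbelow(Q - 1) + 1
    V = pow(gen, v, P)
    c = h(gen, V, X, signer_id)
    r = (v - x * c) % Q
    return (V, r)


def schnorr_verify(gen: int, X: int, proof, signer_id: str) -> bool:
    V, r = proof
    # Reject values outside the prime-order subgroup (small-subgroup style attacks).
    if not (1 < X < P and pow(X, Q, P) == 1):
        return False
    c = h(gen, V, X, signer_id)
    return (pow(gen, r, P) * pow(X, c, P)) % P == V


class Party:
    def __init__(self, ident: str, password: str):
        self.id = ident
        self.s = password_to_s(password)

    def round1(self):
        self.xa = secrets.randbelow(Q - 1) + 1      # x1 for Alice, x3 for Bob
        self.xb = secrets.randbelow(Q - 1) + 1      # x2 for Alice, x4 for Bob
        self.Ga, self.Gb = pow(G, self.xa, P), pow(G, self.xb, P)
        return (self.id, self.Ga, self.Gb,
                schnorr_prove(G, self.xa, self.Ga, self.id),
                schnorr_prove(G, self.xb, self.Gb, self.id))

    def round2(self, peer_msg1):
        peer_id, pGa, pGb, pfa, pfb = peer_msg1
        if peer_id == self.id:
            raise ValueError("reflection: peer identity equals own identity")
        if not (schnorr_verify(G, pGa, pfa, peer_id) and schnorr_verify(G, pGb, pfb, peer_id)):
            raise ValueError("round-1 ZKP failed")
        self.pGb = pGb
        # Round-2 generator: g^(own_a + peer_a + peer_b), e.g. g^(x1+x3+x4) for Alice.
        self.gen2 = (self.Ga * pGa * pGb) % P
        if self.gen2 == 1:
            raise ValueError("degenerate round-2 generator")
        exp = (self.xb * self.s) % Q
        X2 = pow(self.gen2, exp, P)
        return (self.id, X2, schnorr_prove(self.gen2, exp, X2, self.id))

    def derive_key(self, peer_msg2, peer_msg1) -> bytes:
        peer_id, pX2, proof = peer_msg2
        _, pGa, _, _, _ = peer_msg1
        # Recompute the peer's round-2 generator locally instead of trusting a sent value.
        peer_gen2 = (pGa * self.Ga * self.Gb) % P
        if not schnorr_verify(peer_gen2, pX2, proof, peer_id):
            raise ValueError("round-2 ZKP failed")
        # K = (peer_X2 / g^(own_b * peer_b * s))^own_b = g^((x1+x3) * x2 * x4 * s)
        blind = pow(self.pGb, (self.xb * self.s) % Q, P)
        K = pow(pX2 * pow(blind, P - 2, P) % P, self.xb, P)
        return hashlib.sha256(str(K).encode()).digest()


def run_jpake(pw_alice: str, pw_bob: str):
    """Drive both sides through the two rounds; returns (alice_key, bob_key)."""
    alice, bob = Party("alice", pw_alice), Party("bob", pw_bob)
    a1, b1 = alice.round1(), bob.round1()
    a2, b2 = alice.round2(b1), bob.round2(a1)
    return alice.derive_key(b2, b1), bob.derive_key(a2, a1)
```

With matching passwords the two derived keys are identical; with different passwords they differ (except with probability about 1/Q in this toy group), and neither transcript reveals anything a guesser could test offline beyond one password guess per run, which is the property that separates a PAKE from plain Diffie-Hellman. Note that the round-2 generator is recomputed by the verifier from the round-1 values rather than accepted from the wire, and that every ZKP is bound to the sender's identity to rule out reflecting a party's messages back at it.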
Weak pseudorandom functions in Minicrypt
2008
Abstract

Cited by 6 (2 self)
A family of functions is weakly pseudorandom if a random member of the family is indistinguishable from a uniform random function when queried on random inputs. We point out a subtle ambiguity in the definition of weak PRFs: there are natural weak PRFs whose security breaks down if the randomness used to sample the inputs is revealed. To capture this ambiguity we distinguish between public-coin and secret-coin weak PRFs. We show that the existence of a secret-coin weak PRF which is not also a public-coin weak PRF implies the existence of two-pass key agreement (i.e. public-key encryption). So in Minicrypt, i.e. under the assumption that one-way functions exist but public-key cryptography does not, the notions of public-coin and secret-coin weak PRFs coincide. Prior to this paper, all positive cryptographic statements known to hold exclusively in Minicrypt concerned the adaptive security of constructions using non-adaptively secure components. Weak PRFs give rise to a new set of statements having this property. As another example we consider the problem of range extension for weak PRFs. We show that in Minicrypt one can beat the best possible range expansion factor (using a fixed number of distinct keys) for a very general class of constructions (in particular, this class contains all constructions that are known today).
A fast and key-efficient reduction of chosen-ciphertext to known-plaintext security
In Advances in Cryptology — EUROCRYPT '07, volume 4515 of LNCS, 2007
Abstract

Cited by 5 (1 self)
Motivated by the quest for reducing assumptions in security proofs in cryptography, this paper is concerned with designing efficient symmetric encryption and authentication schemes based on any weak pseudorandom function (PRF), which can be implemented much more efficiently than PRFs. Damgård and Nielsen (CRYPTO '02) have shown how to construct an efficient symmetric encryption scheme based on any weak PRF that is provably secure against chosen-plaintext attacks. The main ingredient is a range-extension construction for weak PRFs. By using well-known techniques, they also showed how their scheme can be made secure against the stronger chosen-ciphertext attacks. The results of our paper are threefold. First, we give a range-extension construction for weak PRFs that is optimal within a large and natural class of reductions (especially all known today). Second, we propose a construction of a regular PRF from any weak PRF. Third, these two results imply a (for long messages) much more efficient chosen-ciphertext secure encryption scheme than the one proposed by Damgård and Nielsen. The results also give answers to open questions posed by Naor and Reingold (CRYPTO '98) and by Damgård and Nielsen.
An analysis of the vector decomposition problem
Abstract

Cited by 4 (1 self)
Abstract. The vector decomposition problem (VDP) has been proposed as a computational problem on which to base the security of public key cryptosystems. We give a generalisation and simplification of the results of Yoshida on the VDP. We then show that, for the supersingular elliptic curves which can be used in practice, the VDP is equivalent to the computational Diffie-Hellman problem (CDH) in a cyclic group. For the broader class of pairing-friendly elliptic curves we relate VDP to various co-CDH problems and also to a generalised discrete logarithm problem 2-DL, which in turn is often related to discrete logarithm problems in cyclic groups. Keywords: Vector decomposition problem, elliptic curves, Diffie-Hellman problem, generalised discrete logarithm problem.
A revocation scheme preserving privacy
in Information Security and Cryptology — Inscrypt 2006