nieuws | weblog | economie | technologie | showbizz | vacatures | sport | jouwnieuws | contact
eerder | later
Meer: PRISM -- Privacy-Preserving Search in MapReduce, by Erik-Oliver Blass and Roberto Di Pietro and Refi |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-13 01:00:04
We present PRISM, a privacy-preserving scheme for word search in cloud
computing. Assuming a curious cloud provider, privacy of data stored
in the cloud becomes an issue. The main challenge in the context of
cloud computing is to design a scheme that achieves privacy while
preserving the efficiency of cloud computing. Main approaches like
simple encryption, Private Information Retrieval (PIR) and encrypted
word search fall short of meeting these requirements. PRISM assures
privacy against the cloud by combining a PIR technique with the
MapReduce cloud computing paradigm. The problem of word search is
transformed into a set of parallel instances of PIR on small
datasets. Each PIR instance on a small dataset is efficiently
solved by a node in the cloud during the 'Map' phase of
MapReduce. Outcomes of map computations are then aggregated during
the 'Reduce' phase. Due to the linearity of PIR, the simple
aggregation of map results yields the final output of the word
search operation. We have implemented PRISM on Hadoop MapReduce and
evaluated its efficiency using real-world DNS logs. The overhead of
PRISM over non-private search is only 11%. Thus, PRISM offers
privacy-preserving search that meets cloud computing efficiency
requirements. Moreover, PRISM is compatible with standard
MapReduce, not requiring any change to the interface or
infrastructure.http://eprint.iacr.org/2011/244
Meer: Linear Cryptanalysis of PRINTcipher --- Trails and Samples Everywhere, by Martin Ågren and Thomas Jo |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
PRINTcipher is a recent lightweight block cipher designed by Knudsen, Leander, Poschmann, and Robshaw. Some noteworthy characteristics are
a burnt-in key, a key-dependent permutation layer and identical round keys. Independent work on PRINTcipher has identified weak key classes that allow for a key recovery --- the obvious countermeasure is to avoid these weak keys at the cost of a small loss of key entropy. This paper identifies several larger classes of weak keys. We show how to distinguish classes of keys and give a 28-round linear attack applicable to half the keys. We show that there are several similar attacks, each focusing on a specific class of keys. We also observe how some specific properties of PRINTcipher allow us to collect several samples from each plaintext--ciphertext pair.http://eprint.iacr.org/2011/423
Meer: Cryptanalysis of AZUMI: an EPC Class-1 Generation-2 Standard Compliant RFID Authentication Protocol, |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In this paper, we analyze the security of AZUMI protocol which is compliant with the EPC-Class-1 Generation-2 standard and recently has been proposed by Peris \textit{et al.} This protocol is an improvement to a protocol proposed by Chen and Deng which has been cryptanalysed by Peris \textit{et al.} However, our security analysis clearly shows that the designers were not success in their attempt to improve the Chen and Deng protocol. More precisely, we present an efficient attack to disclose the tag secret $ID$ and the reader secret $ID$. In addition, we present a simple tag impersonation attack against this protocol. The success probability of all attacks are ''1'' and the cost of given attacks are at most eavesdropping two sessions of protocol. However, the given tag's $ID$ disclosure attack and reader's $ID$ disclosure attack also require $O(2^{16}) $ off-line evaluation of a $PRNG$ function.http://eprint.iacr.org/2011/424
Meer: Thwarting Higher-Order Side Channel Analysis with Additive and Multiplicative Maskings.pdf, by Lauri |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
Higher-order side channel attacks is a class of powerful techniques
against cryptographic implementations. Their complexity grows
exponentially with the order, but for small orders (e.g. 2 and 3) recent studies have demonstrated that they pose a serious threat in practice. In this context, it is today of great importance to design software countermeasures enabling to counteract higher-order side channel attacks for any arbitrary chosen order. At CHES 2010, Rivain and Prouff have introduced such a countermeasure for the AES. It works for any arbitrary chosen order and benefits from a formal resistance proof. Until now, it was the single one with such assets. By generalizing at any order a countermeasure introduced at ACNS 2010 by Genelle et al. , we propose in this paper an alternative to Rivain and Prouff's solution. The new scheme can also be proven secure at any order and has the advantage of being at least 2 times more efficient than the existing solutions for orders 2 and 3, while maintaining the RAM consumption lower than 200 bytes.http://eprint.iacr.org/2011/425
Meer: Cryptanalysis of improved Yeh \textit{et al. }'s authentication Protocol: An EPC Class-1 Generation- |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
EPC class 1 Generation 2(or in short term EPC-C1 G2) is one of the most important standards for RFID passive tags. However, the original protocol known to be insecure. To improve the security of this standard, several protocols have been proposed compliant to this standard. In this paper we analyze the improved Yeh \textit{et al. }'s protocol by Yoon which is conforming to EPC-C1 G2 standard and is one of the most recent proposed protocol in this field. We present several efficient attacks against this protocol. Our first attack is a passive attack that can retrieve all secret parameters of the tag on the cost of eavesdropping only one session of protocol between the tag and a legitimate reader (connected to the back-end database) and $O(2^{16})$ evaluations of $PRNG$-function in off-line . Although the extracted information are enough to mount other relevant attacks (e. g. such as traceability, tag impersonation, reader impersonation, and desynchronization attacks) and would be enough to rule out any security claim for this protocol, to highlight other weaknesses of the protocol we present another tag impersonation attack with the complexity of two runs of protocol and the success probability of ``1''. In addition, we show a straight forward way to trace the tag as long as it has not updated its secret values.http://eprint.iacr.org/2011/426
Meer: A new attack on the KMOVcryptosystem, by Abderrahmane Nitaj |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In this paper, we analyze the security of the KMOV public key cryptosystem. KMOV is based on elliptic curves over the ring $\mathbb{Z}_n$ where $n=pq$ is the product of two large unknown primes of equal bit-size. We consider KMOV with a public key $(n,e)$ where the exponent $e$ satisfies an equation $ex-(p+1)(q+1)y=z$, with unknown parameters $x$, $y$, $z$. Using Diophantine approximations and lattice reduction techniques, we show that KMOV is insecure when $x$, $y$, $z$ are suitably small.http://eprint.iacr.org/2011/427
Meer: AES Flow Interception: Key Snooping Method on Virtual Machine - Exception Handling Attack for AES-NI |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In this paper, we propose a method for snooping AES encryption key on Virtual Machine Monitor (VMM), and we present countermeasures against this attack. Recently, virtualization technology has rapidly emerged as a key technology for cloud computing. In general, the virtualization technology composes two software parts: one is virtual machine (VM) management software called Virtual Machine Monitor (VMM), and the other is its associated software. The virtualization technology at present does not provide methods for certifying dependability of the VMMs. In this situation, the following case is possible: when malicious service providers serve tampered VMMs and their users run their VMs on these VMMs, the users will suffer unintended information leakage. As one leakage case, in this paper, we propose a method for snooping AES encryption key on the VMM. In addition, we present countermeasures against this key snooping.http://eprint.iacr.org/2011/428
Meer: Round-efficient Oblivious Database Manipulation, by Sven Laur and Jan Willemson and Bingsheng Zhang |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
Most of the multi-party computation frameworks can be viewed as
oblivious databases where data is stored and processed in a
secret-shared form. However, data manipulation in such databases can
be slow and cumbersome without dedicated protocols for certain
database operations. In this paper, we provide efficient protocols
for oblivious selection, filtering and shuffle---essential tools in
privacy-preserving data analysis. As the first contribution, we
present a $1$-out-of-$n$ oblivious transfer protocol with
$O(\log\log n)$ rounds, which achieves optimal communication and
time complexity and works over any ring $Z_N$. Secondly, we show
that the round complexity $\tau_{bd}$ of a bit decomposition protocol can
be almost matched with oblivious transfer, and that there exists an
oblivious transfer protocol with $O(\tau_{bd}\log^*n)$ rounds. Finally,
we also show how to construct round-efficient shuffle protocols with
optimal asymptotic computation complexity and provide several
optimizations.http://eprint.iacr.org/2011/429
Meer: Isogenies on Edwards and Huff curves, by Dustin Moody and Daniel Shumow |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
Isogenies of elliptic curves over finite fields have been well-studied, in part because there are several cryptographic applications. Using Velu's formula, isogenies can be constructed explicitly given their kernel. Velu's formula applies to elliptic curves given by a Weierstrass equation. In this paper we show how to similarly construct isogenies on Edwards curves and Huff curves. Edwards and Huff curves are new normal forms for elliptic curves, different than the traditional Weierstrass form.http://eprint.iacr.org/2011/430
Meer: Roots of Square: Cryptanalysis of DoubleLayer Square and Square+, by Enrico Thomae and Christopher W |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
Square is a multivariate quadratic encryption scheme proposed in 2009. It is a specialization of Hidden Field Equations by using only odd characteristic fields and also $X^2$ as its central map.
In addition, it uses embedding to reduce the number of variables in the public key. However, the system was broken at Asiacrypt 2009 using a differential attack. At PQC 2010 Clough and Ding proposed two new variants named \emph{DoubleLayer Square} and \emph{Square+}.
We show how to break DoubleLayer Square using a refined \emph{MinRank} attack in $2^{30}$ field operations. A similar fate awaits Square+ as it will be broken in $2^{32}$ field operations using a mixed MinRank attack over both the extension and the ground field. Both attacks recover the private key, given access to the public key. We also outline how possible variants such as Square- or multi-Square can be attacked.http://eprint.iacr.org/2011/431
Meer: Ciphers that Securely Encipher their own Keys, by Mihir Bellare and David Cash and Sriram Keelveedhi |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In response to needs of disk encryption standardization
bodies, we provide the first tweakable ciphers that are proven to
securely encipher their own keys. We provide both a narrowblock
design StE and a wideblock design EtE. Our proofs assume only
standard PRP-CCA security of the underlying tweakable ciphers.http://eprint.iacr.org/2011/432
Meer: Collusion-Preserving Computation, by Joël Alwen and Jonathan Katz and Ueli Maurer and Vassilis Zikas |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In collusion-free protocols, subliminal communication is impossible and parties are thus unable to communicate ``any information beyond what the protocol allows''. Collusion-free protocols are interesting for several reasons, but have specifically attracted attention because they can be used to reduce trust in game-theoretic mechanisms. Collusion-free protocols are impossible to achieve (in general) when all parties are connected by point-to-point channels, but exist under certain physical assumptions (Lepinksi et al., STOC~2005) or in specific network topologies (Alwen et al., Crypto~2008).
We provide a ``clean-slate'' definition of the stronger notion of collusion preservation. Our goals in revisiting the definition are:
-- To give a definition with respect to arbitrary communication resources (that includes as special cases the communication models from prior work). We can then, in particular, better understand what types of resources enable collusion-preserving protocols.
-- To construct protocols that allow no additional subliminal communication in the case when parties can communicate (a bounded amount of information) via other means. (This property is not implied by collusion-freeness.)
-- To provide a definition supporting \emph{composition}, so that protocols can be designed in a modular fashion using sub-protocols run among subsets of the parties.
In addition to proposing the definition, we explore implications of our model and show a general feasibility result for collusion-preserving computation of
arbitrary functionalities.http://eprint.iacr.org/2011/433
Meer: A New Protocol for Oblivious DFA Evaluation and Applications, by Payman Mohassel and Salman Niksefat |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In this paper, we design an efficient protocol for \emph{oblivious DFA evaluation} between an input holder (client) and a DFA holder (server). The protocol runs in a single round, and only requires a small amount of computation by each party. The most efficient version of our protocol only requires $O(k)$ asymmetric operations by either party, where $k$ is the security parameter. Morover, the client's total computation is only linear in his own input and independent of the size of the DFA. We prove the protocol fully-secure against a \emph{malicious client} and \emph{private} against a malicious server, using the standard \emph{simulation-based} security definitions for secure two-party computation.
We show how to transform our construction to solve multiple variants of the \emph{secure pattern matching} problem without any computational overhead. The more challenging variant is when parties are interested in the number of occurrences of a pattern in a text (but nothing else). We observe that what is needed is an oblivious DFA evaluation protocol that counts the number of accepting states visited during an input evaluation. We then introduce a novel technique for modifying our original protocol in order to solve the counting version of the problem without any loss in efficiency or security.
Finally, we implement our protocol and run a series of experiments on a machine with an Intel Core i7 processor with 4GB of RAM. The total running time of our construction (both parties included) is below 13 seconds for input strings as large as $150$K bits or DFAs with over $150$K states. The client's portion of computation is even less with a running time of less than 1 second (32 ms in case of large DFAs). This makes our solution suitable for deployment even on devices with low computational resources.http://eprint.iacr.org/2011/434
Meer: The IPS Compiler: Optimizations, Variants and Concrete Efficiency, by Yehuda Lindell and Benny Pinka |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
In recent work, Ishai, Prabhakaran and Sahai (CRYPTO 2008) presented a new compiler (hereafter the IPS compiler) for constructing protocols that are secure in the presence of malicious adversaries without an honest majority from protocols that are only secure in the presence of semi-honest adversaries. The IPS compiler has many important properties: it provides a radically different way of obtaining security in the presence of malicious adversaries with no honest majority, it is black-box in the underlying semi-honest protocol, and it has excellent asymptotic efficiency.
In this paper, we study the IPS compiler from a number different angles. We present an efficiency improvement of the ``watchlist setup phase'' of the compiler that also facilitates a simpler and tighter analysis of the cheating probability. In addition, we present a conceptually simpler variant that uses protocols that are secure in the presence of covert adversaries as its basic building block. This variant can be used to achieve more efficient asymptotic security, as we show regarding black-box constructions of malicious oblivious transfer from semi-honest oblivious transfer. In addition, it deepens our understanding of the model of security in the presence of covert adversaries. Finally, we analyze the IPS compiler from a \emph{concrete efficiency} perspective and demonstrate that in some cases it can be competitive with the best efficient protocols currently known.http://eprint.iacr.org/2011/435
Meer: Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-12 21:07:04
At EUROCRYPT '10, van Dijk, Gentry, Halevi and Vaikuntanathan presented simple fully-homomorphic encryption (FHE) schemes
based on the hardness of approximate integer common divisors problems,
which were introduced in 2001 by Howgrave-Graham.
There are two versions for these problems: the partial version (PACD) and the general version (GACD).
The seemingly easier problem PACD was recently used by Coron, Mandal, Naccache and Tibouchi at CRYPTO '11 to build a more efficient variant of the FHE scheme
by van Dijk {\em et al.}. We present a new PACD algorithm whose running time is essentially the ``square root''
of that of exhaustive search, which was the best attack in practice. This allows us to experimentally break the FHE challenges proposed by Coron {\em et al.}
Our PACD algorithm directly gives rise to a new GACD algorithm, which is exponentially faster than exhaustive search:
namely, the running time is essentially the $3/4$-th root of that of exhaustive search.
Interestingly, our main technique can also be applied to other settings, such as noisy factoring and attacking low-exponent RSA.http://eprint.iacr.org/2011/436
Meer: Proofs of Ownership in Remote Storage Systems, by Shai Halevi, Danny Harnik, Benny Pinkas, Alexandr |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-11 17:02:39
Cloud storage systems are increasingly popular nowadays, and a promising technology to keep their cost down is *deduplication*, namely removing unnecessary copies of repeating data. Moreover, *client-side deduplication* attempts to identify deduplication opportunities already at the client and save the bandwidth in uploading another copy of an existing file to the server.
In this work we identify attacks that exploit client-side deduplication, allowing an attacker to gain access to potentially huge files of other users based on a very small amount of side information. For example, an attacker who knows the hash signature of a file can convince the storage service that it owns that file, hence the server later lets the attacker download the entire file.
To overcome such attacks, we introduce proofs-of-ownership (PoWs), where a client proves to the server that it actually holds the data of the file and not just some short information about it. We formalize proof-of-ownership, present solutions based on Merkle trees and specific encodings, and analyze their security. We implemented one variant of the scheme, our performance measurements indicate that our protocol incurs only a small overhead (compared to naive client-side deduplication that is vulnerable to the attack).http://eprint.iacr.org/2011/207
Meer: Fully Homomorphic Encryption without Bootstrapping, by Zvika Brakerski and Craig Gentry and Vinod Va |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-10 07:21:12
We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), {\em without Gentry's bootstrapping procedure}.
Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have $2^\secparam$ security against known attacks. For RLWE, we have:
1. A leveled FHE scheme that can evaluate $L$-level arithmetic circuits with $\tilde{O}(\secparam \cdot L^3)$ per-gate computation -- i.e., computation {\em quasi-linear} in the security parameter. Security is based on RLWE for an approximation factor exponential in $L$. This construction does not use the bootstrapping procedure.
2. A leveled FHE scheme that uses bootstrapping {\em as an optimization}, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\secparam^2)$, {\em independent of $L$}. Security is based on the hardness of RLWE for {\em quasi-polynomial} factors (as opposed to the sub-exponential factors needed in previous schemes).
We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width -- e.g., where a constant fraction of levels have width at least $\secparam$ -- we can reduce the per-gate computation of the bootstrapped version to $\tilde{O}(\secparam)$, independent of $L$, by {\em batching the bootstrapping operation}. Previous FHE schemes all required $\tilde{\Omega}(\secparam^{3.5})$ computation per gate.
At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).http://eprint.iacr.org/2011/277
Meer: Socio-Rational Secret Sharing as a New Direction in Both Rational Cryptography and Game Theory, by M |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-07 20:52:48
This article is a journey starting at solution concepts in Game Theory, passing through reputation systems in Artificial Intelligence, and ending at a primary primitive in Cryptography. We introduce new concepts like a rational foresighted player, social game, and social equilibrium. We therefore propose a novel scheme, named socio-rational secret sharing, in which rational players have long-term interactions in a social context. In this society, players run secret sharing protocols while founding and sustaining a trust network among themselves. We combine rational secret sharing, proposed by Halpern and Teague [STOC'04], with social secret sharing, introduced by Nojoumian et. al. [IET InfoSec'10], in order to provide a new solution concept. To motivate our approach, consider a repeated secret sharing game such as sealed-bid auctions, where each auctioneer is supposed to receive shares of secure bids belonging to independent auctions. If we assume each party has a reputation value, we can then penalize (or reward) players who are selfish (or unselfish) from game to game in a long-term interaction. This social reinforcement rationally stimulates players to be cooperative. Despite of all the existing protocols in the rational cryptography literature, our solution has only a single reconstruction round and it is independent of the security assumption and the communication model of the secret sharing scheme being used.http://eprint.iacr.org/2011/370
Meer: Implementing 4-Dimensional GLV Method on GLS Elliptic Curves with j-Invariant 0, by Zhi Hu and Patri |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-06 01:04:33
The Gallant-Lambert-Vanstone (GLV) method is a very efficient
technique for accelerating point multiplication on elliptic curves
with efficiently computable endomorphisms. Galbraith, Lin and Scott
(J. Cryptol. 24(3), 446-469 (2010)) showed that point multiplication
exploiting the 2-dimensional GLV method on a large class of curves
over GF(p^2) was faster than the standard method on general elliptic curves over GF(p), and left as an open problem to study the case of 4-dimensional GLV on special curves (e.g., j(E) = 0) over GF(p^2). We study the above problem in this paper. We show how to get the 4-dimensional GLV decomposition with proper decomposed coefficients, and thus reduce the number of doublings for point multiplication on these curves to only a quarter. The resulting implementation shows that the 4-dimensional GLV method on a GLS curve runs in about 0.78 the time of the 2-dimensional GLV method on the same curve and in between 0.78-0.87 the time of the 2-dimensional GLV method using the standard method over GF(p). In particular, our implementation reduces by up to 27% the time of the previously fastest implementation of point multiplication on x86-64 processors due to Longa and Gebotys (CHES2010).http://eprint.iacr.org/2011/315
Meer: $HB^N$: An HB-like protocol secure against man-in-the-middle attacks, by Carl Bosley and Kristiyan H |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-06 01:04:33
We construct a simple authentication protocol whose security is based solely on the problem of Learning Parity with Noise (LPN) which is secure against Man-in-the-Middle attacks. Our protocol is suitable for RFID devices, whose limited circuit size and power constraints rule out the use of more heavyweight operations such as modular exponentiation. The protocol is extremely simple: both parties compute a noisy bilinear function of their inputs. The proof, however, is quite technical, and we believe that some of our technical tools may be of independent interest.http://eprint.iacr.org/2011/350
Meer: From Selective-ID to Full Security: The Case of the Inversion-Based Boneh-Boyen IBE Scheme, by Eike |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
In this note we remark that the inversion-based selective-ID secure identity-based encryption (IBE) scheme from Boneh and Boyen
can be bootstrapped to full-ID security using a technique by Waters.http://eprint.iacr.org/2007/033
Meer: On the Analysis of Cryptographic Assumptions in the Generic Ring Model, by Tibor Jager and Jörg Schw |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
Aggarwal and Maurer (Eurocrypt 2009) proved that breaking RSA is equivalent to factoring in the generic ring model. This model captures algorithms that operate on elements of an algebraic ring, by performing only the ring operations and without exploiting properties of a given representation of ring elements. This interesting result raises the question how to interpret proofs in the generic ring model. For instance, one may be tempted to deduce that a proof in
the generic model gives some evidence that solving the considered problem is also hard in the standard model, where elements of Zn are represented by integers modulo n. But is this reasonable?
We prove in the generic ring model that computing the Jacobi symbol of an integer modulo n is equivalent to factoring. Since there are simple and efficient non-generic algorithms which compute the Jacobi symbol, this provides an example for a natural computational problem
which is hard in the generic ring model, but easy to solve if elements of Zn are given in their standard representation as integers. Thus, a proof in the generic ring model is unfortunately not a strong indicator for the hardness of a computational problem in the standard model. Despite this negative result, generic hardness results still provide a lower complexity bound for a large class of algorithms, namely all algorithms solving a computational problem independent of a given representation of ring elements. Motivated by this fact, we show also that solving the quadratic residuosity problem generically is equivalent to factoring.http://eprint.iacr.org/2009/621
Meer: A New Security Model for Authenticated Key Agreement, by Augustin P. Sarr and Philippe Elbaz-Vincent |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
The Canetti--Krawczyk (CK) and extended Canetti--Krawczyk (eCK) security models, are widely used to provide security arguments for key agreement protocols. We discuss security shades in the (e)CK models, and some practical attacks unconsidered in (e)CK--security arguments.
We propose a strong security model which encompasses the eCK one. We also propose a new protocol, called Strengthened MQV (SMQV), which in addition to provide the same efficiency as the (H)MQV protocols, is particularly suited for distributed implementations wherein a tamper--proof device is used to store long--lived keys, while session keys are used on an untrusted host machine. The SMQV protocol meets our security definition under the Gap Diffie--Hellman assumption and the Random Oracle model.http://eprint.iacr.org/2010/237
Meer: Interplay between (Im)perfectness, Synchrony and Connectivity: The Case of Reliable Message Transmis |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
For unconditionally reliable message transmission (URMT) in synchronous directed networks of n nodes, a subset of which may be Byzantine faulty, it is well-known that the minimum connectivity requirements for zero-error (perfect) protocols to exist is strictly higher than those where a negligible yet non-zero error probability is allowed (Monte Carlo protocols).
In this work, we study the minimum connectivity requirements for the existence of (a) synchronous Las Vegas protocols, (b) asynchronous Monte Carlo protocols, and (c) asynchronous Las Vegas protocols for URMT. Interestingly, we prove that in any network, synchronous Las Vegas URMT protocol exists if and only if asynchronous Monte Carlo URMT protocol exists too. We further show that asynchronous Las Vegas URMT protocols exist if and only if synchronous perfect protocols exist. We conclude with another interesting result: there exists networks where the number of critical edges for the 'easier' randomized variants are asymptotically higher than that for the perfect variant. Thus, our results establish an interesting interplay between (im)perfectness, synchrony and connectivity for the case of URMT.http://eprint.iacr.org/2010/392
Meer: On CCA-Secure Fully Homomorphic Encryption, by J. Loftus and A. May and N.P. Smart and F. Vercauter |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
It is well known that any encryption scheme which supports any form
of homomorphic operation cannot be secure against adaptive chosen ciphertext attacks. The question then arises as to what is the most stringent security definition which is achievable by homomorphic encryption schemes. Prior work has shown that various schemes which support a single homomorphic encryption scheme can be shown to be IND-CCA1, i.e. secure against lunchtime attacks. In this paper we extend this analysis to the recent fully homomorphic encryption scheme proposed by Gentry, as refined by Gentry, Halevi, Smart and Vercauteren. We show that the basic Gentry scheme is not IND-CCA1; indeed a trivial lunchtime attack allows one to recover the secret key. We then show that a minor modification to the variant of the somewhat homomorphic encryption scheme of Smart and Vercauteren will allow one to achieve IND-CCA1, indeed PA-1, in the standard model assuming a lattice based knowledge assumption. We also examine the security of the scheme against another security notion, namely security in the presence of ciphertext validity checking oracles; and show why CCA-like notions are important in applications in which multiple parties submit encrypted data to the ``cloud'' for secure processing.http://eprint.iacr.org/2010/560
Meer: ABC - A New Framework for Block Ciphers, by Uri Avraham and Eli Biham and Orr Dunkelman |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
We suggest a new framework for block ciphers named Advanced Block Cipher, or shortly ABC. ABC has additional non-secret parameters that ensure that each call to the underlying block cipher uses a different pseudo-random permutation. It therefore ensures that attacks that require more than one block encrypted under the same secret permutation cannot apply. In particular, this framework protects against dictionary attacks, and differential and linear attacks, and eliminates weaknesses of ECB and CBC modes. This new framework shares a common structure with HAIFA, and can share the same logic with HAIFA compression functions. We analyze the security of several modes of operation for ABCs block ciphers, and suggest a few instances of ABCs.http://eprint.iacr.org/2010/658
Meer: Fully Homomorphic SIMD Operations, by N.P. Smart and F. Vercauteren |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
At PKC 2010 Smart and Vercauteren presented a variant of
Gentry's fully homomorphic public key encryption scheme
and mentioned that the scheme could support SIMD style
operations.
The slow key generation process of the Smart--Vercauteren
system was then addressed in a paper by Gentry and Halevi,
but their key generation method appears to exclude the SIMD
style operation alluded to by Smart and Vercauteren.
In this paper, we show how to select parameters to
enable such SIMD operations, whilst still maintaining
practicality of the key generation technique of Gentry
and Halevi.
As such, we obtain a somewhat homomorphic scheme supporting
both SIMD operations and operations on large finite fields
of characteristic two.
This somewhat homomorphic scheme can be made fully
homomorphic in a naive way by recrypting all data elements
seperately. However, we show that the SIMD operations can be
used to perform the recrypt procedure in parallel, resulting
in a substantial speed-up.
Finally, we demonstrate how such SIMD operations
can be used to perform various tasks by studying two use
cases: implementing AES homomorphically and encrypted database
lookup.http://eprint.iacr.org/2011/133
Meer: Shortest Lattice Vectors in the Presence of Gaps, by Mingjie Liu and Xiaoyun Wang and Guangwu Xu and |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
Given a lattice ${\mathcal L}$ with the $i$-th successive minimum $\lambda_i$, its $i$-th gap $\frac{\lambda_i}{\lambda_1}$
often provides useful information for analyzing the security of cryptographic schemes related to ${\mathcal L}$. The paper concerns short vectors for lattices with gaps. In the first part, an $\lambda_2$-gap estimation of LWE lattices with cryptographic significance is given. Under some conditions, a better reduction from $BDD_{\gamma'}$ to $uSVP_{\gamma}$ is obtained in the presence of larger $\lambda_2$-gap. The second part of the paper shows that gaps among the successive minima lead to a more efficient SVP search algorithm.. As far as we know, it is the first SVP algorithm
in allusion to lattices with gaps.http://eprint.iacr.org/2011/139
Meer: Fast and Private Computation of Set Intersection Cardinality, by Emiliano De Cristofaro and Paolo Ga |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
The use of sensitive electronic information has increased tremendously in recent years. In many realistic application scenarios, legitimate needs for sensitive information must be reconciled with privacy concerns. This has motivated various privacy-protecting cryptographic techniques, such as Private Set Intersection (PSI) and Private Set Union (PSU). Such techniques involve two parties - a client and a server - each holding a private data set: the client learns only the intersection (or union) of the two respective sets, while the server learns nothing. How- ever, it is often imprudent to use PSI and PSU protocols alone, since their use may offer little or no privacy for the server. Instead, prospective participants in PSI/PSU protocols should use their respective policies to decide whether or not to participate. Policies can be based on variables, such as the size of set intersection and its relationship to the entire set size. To enable policy considerations in advance of private set operations, we need a cryptographic primitive called Private Set Intersection Cardinality (PSI-CA), which yields only the size of set intersection. PSI-CA protocols are also particularly appealing in numerous realistic scenarios where it is crucial to obtain the magnitude - rather than the content - of the set intersection.
This paper motivates the need for PSI-CA and constructs a very efficient (i.e., linear-complexity) protocol. Efficiency claims are supported by experiments with prototype implementations. Finally, an extension to support authorization of client input is also sketched.http://eprint.iacr.org/2011/141
Meer: An ID-based three-party authenticated key exchange protocol using elliptic curve cryptography for mo |
rss feed |
toevoegen |
e-mail nieuwsalarm |
| 2011-08-05 17:47:30
For secure communications in public network environments, various three-party authenticated key exchange (3PAKE) protocols are proposed to provide the transaction confidentiality and efficiency. In 2009, Yang et al. proposed an efficient three-party authenticated key exchange protocol based upon elliptic curve cryptography(ECC) for mobile-commerce environments. Because the elliptic curve cryptography is used, their 3PAKE protocol has low computation costs and light communication loads. However, Tan demonstrated that Yang et al.'s protocol suffers from the impersonation attack and the parallel attack. Tan also proposed an enhanced protocol to improve the security and the performance. However, Yang et al.'s protocol and Tan's protocol bases on the public key infrastructure(PKI). Then the server has to maintain the certificates for users' public keys. When the number of users is increased, the server needs a large storage space to store users' public keys and certificates. In addition, the server needs additional computations to verify the other's certificate in their protocols. This causes the computation loads and the energy costs of mobile devices very high. In this paper, we propose an ID-based 3PAKE using ECC. Compared with the related protocol, our protocol does not need additional computations to verify certificate and has the better performance. Then our protocol is more suitable and practical for mobile-commerce environments.http://eprint.iacr.org/2011/195eerder | later
©2006 mail jouwnieuws.nl | gratis webloggen! | gratis foto hosting | meest gezocht