Publications catalogue - books

Topics in Cryptology: CT-RSA 2007: The Cryptographers' Track at the RSA Conference 2007, San Francisco, CA, USA, February 5-9, 2007, Proceedings

Masayuki Abe (ed.)

Conference: Cryptographers' Track at the RSA Conference (CT-RSA). San Francisco, CA, USA. February 5, 2007 - February 9, 2007

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Data Encryption; Discrete Mathematics in Computer Science; Systems and Data Security; Management of Computing and Information Systems; Algorithm Analysis and Problem Complexity; Computer Communication Networks

Availability

Detected institution: Not detected
Year of publication: 2006
Browse: SpringerLink
Download: (not listed)
Request: (not listed)

Information

Resource type:

books

Print ISBN

978-3-540-69327-7

Electronic ISBN

978-3-540-69328-4

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Table of contents

Non-degrading Erasure-Tolerant Information Authentication with an Application to Multicast Stream Authentication over Lossy Channels

Yvo Desmedt; Goce Jakimoski

The concept of erasure-tolerant information authentication was recently introduced to study an unconditionally secure setting where it is allowed to lose a limited number of message letters during transmission. Even if a part of the message is lost, the verifier will still be able to check the authenticity of some or all of the received message letters. In general, there might be some letters whose authenticity cannot be verified although they have arrived at the recipient’s side. These letters will be discarded.

We consider a special case when the verifier can always check the authenticity of all received message letters. This property is desirable since no data will be lost due to the verifier’s inability to verify its authenticity (i.e., the scheme does not introduce additional degradation of the quality of the received information). We provide necessary and sufficient conditions for a set system based erasure-tolerant authentication scheme to be non-degrading. We also discuss efficient implementations and propose a provably secure stream authentication scheme that makes use of erasure-tolerant authentication codes.

- Cryptographic Protocols (II) | Pp. 324-338

A Practical and Tightly Secure Signature Scheme Without Hash Function

Benoît Chevallier-Mames; Marc Joye

In 1999, two signature schemes based on the flexible RSA problem (a.k.a. strong RSA problem) were independently introduced: the Gennaro-Halevi-Rabin (GHR) signature scheme and the Cramer-Shoup (CS) signature scheme. Remarkably, these schemes meet the highest security notion in the . They however differ in their implementation. The CS scheme and its subsequent variants and extensions proposed so far feature a loose security reduction, which, in turn, implies larger security parameters. The security of the GHR scheme and of its twinning-based variant are shown to be tightly based on the flexible RSA problem but additionally (i) either assumes the existence of hash functions, or (ii) requires an mapping into the prime numbers in both the signing verification algorithms.

In this paper, we revisit the GHR signature scheme and completely remove the extra assumption made on the hash functions without relying on injective prime mappings. As a result, we obtain a signature scheme (and an on-line/off-line variant thereof) whose security is and related to the strong RSA assumption.

- Digital Signatures (II) | Pp. 339-356

How to Strengthen Any Weakly Unforgeable Signature into a Strongly Unforgeable Signature

Ron Steinfeld; Josef Pieprzyk; Huaxiong Wang

Standard signature schemes are usually designed only to achieve unforgeability – i.e. preventing forgery of signatures on new messages not previously signed. However, most signature schemes are randomised and allow many possible signatures for a single message. In this case, it may be possible to produce a new signature on a previously signed message. Some applications require that this type of forgery also be prevented – this requirement is called unforgeability.

At PKC 2006, Boneh, Shen and Waters presented an efficient transform based on any randomised trapdoor hash function which converts a weakly unforgeable signature into a strongly unforgeable signature and applied it to construct a strongly unforgeable signature based on the CDH problem. However, the transform of Boneh et al. only applies to a class of so-called signatures. Although many schemes fall in this class, some do not, for example the signature. Hence it is natural to ask whether one can obtain a truly generic efficient transform based on any randomised trapdoor hash function which converts a weakly unforgeable signature into a strongly unforgeable one. We answer this question in the positive by presenting a simple modification of the Boneh-Shen-Waters transform. Our modified transform uses two randomised trapdoor hash functions.

- Digital Signatures (II) | Pp. 357-371

Public Key Cryptography and RFID Tags

M. McLoone; M. J. B. Robshaw

When exploring solutions to some of the formidable security problems facing RFID deployment, researchers are often willing to countenance the use of a strong symmetric primitive such as the AES. At the same time it is often claimed that public key cryptography cannot be deployed on low-cost tags. In this paper we give a detailed analysis of the GPS identification scheme. We show that with regards to all three attributes of space, power, and computation time, the on-tag demands of GPS identification compare favourably to the landmark AES implementation by Feldhofer . Thus, assumed limits to implementing asymmetric cryptography on low-end devices may need to be re-evaluated.

- Efficient Implementation | Pp. 372-384

A Bit-Slice Implementation of the Whirlpool Hash Function

Karl Scheibelhofer

This work presents a bit-slice implementation of the Whirlpool hash function for 64-bit CPUs, which processes a single input block in one pass. It describes the general approach for developing the formulas and presents the results. This implementation does not need table lookups that depend on the data, which makes it immune to cache timing attacks, e.g. if used in an HMAC. Moreover, it requires 63% less memory (code and data) than the reference implementation of Whirlpool, and the performance of an implementation in C that uses some SSE2 instructions is only about 40% lower. Additional improvements seem possible.

- Efficient Implementation | Pp. 385-401