Publication catalogue - books



Information Security and Privacy: 12th Australasian Conference, ACISP 2007, Townsville, Australia, July 2-4, 2007. Proceedings

Josef Pieprzyk ; Hossein Ghodosi ; Ed Dawson (eds.)

At conference: 12th Australasian Conference on Information Security and Privacy (ACISP). Townsville, QLD, Australia. July 2, 2007 - July 4, 2007

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Data Encryption; Management of Computing and Information Systems; Systems and Data Security; Computer Communication Networks; Coding and Information Theory; Algorithm Analysis and Problem Complexity

Availability

Detected institution: Not detected
Publication year: 2007
Browse: SpringerLink

Information

Resource type:

books

Print ISBN

978-3-540-73457-4

Electronic ISBN

978-3-540-73458-1

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2007

Table of contents

Efficient (,) Threshold Secret Sharing Schemes Secure Against Cheating from  − 1 Cheaters

Toshinori Araki

In a (,) threshold secret sharing scheme, Tompa and Woll considered the problem of cheaters who try to make another participant reconstruct an invalid secret. Later, this model of cheating was formalized in several studies, and schemes secure against cheating in these models have been proposed. However, in these models, the number of colluding participants is restricted to  − 1 or less. In this paper, we consider or more colluding participants. Of course, secrecy is not maintained against such participants. However, if the goal is detecting the fact of cheating, we need to consider cheating by or more colluding participants. In this paper, we propose a (,) threshold secret sharing scheme that is capable of detecting cheating by  − 1 or fewer colluding participants. A scheme proposed by Tompa and Woll can be proven to be a (,) threshold secret sharing scheme capable of detecting cheating by  − 1 or fewer colluding participants. However, our proposed scheme is much more efficient with respect to the size of shares.

- Secret Sharing | Pp. 133-142
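The cheating model in this abstract, as an added worked example (written for this catalogue page; it is not code from Araki's paper or from the proceedings): in plain Shamir (k, n) sharing with public x-coordinates, one participant who submits a doctored share can steer the honest reconstruction to any value of their choice while still learning the real secret. The Tompa-Woll countermeasure, shown here in simplified form, keeps the x-coordinates secret and random and draws the secret from a range much smaller than the field, so a tampered share is detected whenever the reconstructed value falls outside that range. The field prime P, the legal range S_MAX and all demo parameters are choices made for this example.

```python
"""Cheating in Shamir (k, n) secret sharing and a simplified Tompa-Woll check.

Added illustration for this catalogue entry; not code from the paper. The field
prime P, the legal secret range S_MAX and all demo parameters are example choices.
"""
import secrets

P = (1 << 127) - 1   # prime field modulus (a Mersenne prime), chosen for the example
S_MAX = 1 << 32      # legal secrets are 0 <= s < S_MAX; Tompa-Woll needs S_MAX << P


def _inv(a: int) -> int:
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def _eval(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_coeff_at_zero(xs, i):
    """lambda_i with f(0) = sum_i lambda_i * f(x_i) for every polynomial of degree < len(xs)."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * xj % P
            den = den * (xj - xs[i]) % P
    return num * _inv(den) % P


def share(secret, k, xs):
    """Shamir shares of `secret` with threshold k at the distinct nonzero x-coordinates xs."""
    assert 0 <= secret < P and len(set(xs)) == len(xs) and 0 not in xs
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval(coeffs, x)) for x in xs]


def reconstruct(shares):
    """Lagrange interpolation of f(0) from exactly k shares."""
    xs = [x for x, _ in shares]
    return sum(lagrange_coeff_at_zero(xs, i) * y for i, (_, y) in enumerate(shares)) % P


def forge_share_public_x(shares, cheater, delta):
    """Attack on plain Shamir when the x-coordinates are public: participant `cheater`
    replaces y_i by y_i + delta / lambda_i, so the honest parties reconstruct
    secret + delta, while the cheater (who holds the genuine shares) learns the secret."""
    xs = [x for x, _ in shares]
    lam = lagrange_coeff_at_zero(xs, cheater)
    x_i, y_i = shares[cheater]
    forged = list(shares)
    forged[cheater] = (x_i, (y_i + delta * _inv(lam)) % P)
    return forged


def reconstruct_with_check(shares):
    """Simplified Tompa-Woll reconstruction: the x-coordinates were chosen secretly and at
    random, so a cheater cannot compute lambda_i; a tampered share shifts f(0) by an
    unpredictable amount, which lands back inside [0, S_MAX) only with probability
    about S_MAX / P. Returns the secret, or None when cheating is detected."""
    s = reconstruct(shares)
    return s if s < S_MAX else None


def demo_public_x(secret=1234, k=3, n=5, delta=1):
    """Public x = 1..n: returns (what the cheater learns, what the honest parties get)."""
    xs = list(range(1, n + 1))
    shares = share(secret, k, xs)
    forged = forge_share_public_x(shares[:k], cheater=0, delta=delta)
    return reconstruct(shares[:k]), reconstruct(forged)


def demo_tompa_woll(secret=1234, k=3, n=5):
    """Secret random x's: returns (honest reconstruction, result with one tampered share)."""
    xs = []
    while len(xs) < n:
        x = secrets.randbelow(P - 1) + 1
        if x not in xs:
            xs.append(x)
    shares = share(secret, k, xs)
    x0, y0 = shares[0]
    tampered = [(x0, (y0 + 1) % P)] + shares[1:k]   # cheater 0 does not know lambda_0
    return reconstruct_with_check(shares[:k]), reconstruct_with_check(tampered)
```

demo_public_x() returns (1234, 1235): the cheater knows the secret, the honest parties accept a wrong one and have no way to notice. demo_tompa_woll() returns (1234, None): the same tampering is caught because the shift is uncontrollable without the other x-coordinates. The same argument covers k − 1 colluding cheaters, who still lack the honest party's coordinate; the abstract's point is that detection, unlike secrecy, remains meaningful for k or more colluders, which the scheme in the paper addresses.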

Related-Key Amplified Boomerang Attacks on the Full-Round Eagle-64 and Eagle-128

Kitae Jeong; Changhoon Lee; Jaechul Sung; Seokhie Hong; Jongin Lim

In this paper we show that the full-round Eagle-64 and Eagle-128 are vulnerable to the related-key amplified boomerang attack. The attack on the full-round Eagle-64 requires 2 full-round Eagle-64 decryptions with 2 related-key chosen ciphertexts, while the attack on the full-round Eagle-128 requires about 2 full-round Eagle-128 encryptions with 2 related-key chosen plaintexts. These are the first known attacks on Eagle-64 and Eagle-128.

- Cryptanalysis | Pp. 143-157

Analysis of the SMS4 Block Cipher

Fen Liu; Wen Ji; Lei Hu; Jintai Ding; Shuwang Lv; Andrei Pyshkin; Ralf-Philipp Weinmann

SMS4 is a 128-bit block cipher used in the WAPI standard for providing data confidentiality in wireless networks. In this paper we investigate and explain the origin of the S-Box employed by the cipher, show that an embedded cipher similar to BES can be obtained for SMS4 and demonstrate the fragility of the cipher design by giving variants that exhibit 2 weak keys.

We also show attacks on reduced round versions of the cipher. The best practical attack we found is an integral attack that works on 10 rounds out of 32 rounds with a complexity of 2 operations; it can be extended to 13 rounds using round key guesses, resulting in a complexity of 2 operations and a data complexity of 2 chosen pairs.

- Cryptanalysis | Pp. 158-170

Forgery Attack to an Asymptotically Optimal Traitor Tracing Scheme

Yongdong Wu; Feng Bao; Robert H. Deng

In this paper, we present a forgery attack on a black-box traitor tracing scheme [2] called the CPP scheme. The CPP scheme has an efficient transmission rate and allows the tracer to identify a traitor with just one invalid ciphertext.

Since the original CPP scheme is vulnerable to the multi-key attack, we improved CPP to thwart that attack. However, CPP is vulnerable to a fatal forgery attack. In the forgery attack, two traitors can collude to forge all valid decryption keys. The forged keys appear to be perfectly genuine keys and can decrypt all protected content, but are untraceable by the tracer. Fortunately, we can patch this weakness by increasing the decoder storage.

- Cryptanalysis | Pp. 171-183

: A Hardware-Oriented Trapdoor Cipher

Jean-Philippe Aumasson; Matthieu Finiasz; Willi Meier; Serge Vaudenay

This paper improves the Finiasz-Vaudenay construction of , a hardware-oriented public-key cryptosystem whose security relies on the hardness of finding a low-weight multiple of a given polynomial, and on the decoding of certain noisy cyclic linear codes. Our improvement makes it possible to decrypt in polynomial time (instead of exponential time), to directly prove semantic security (instead of one-wayness), and to achieve pretty good asymptotic performance. We further build IND-CCA secure schemes using the KEM/DEM and Fujisaki-Okamoto hybrid encryption frameworks in the random oracle model. This can encrypt an arbitrary message with an overhead of about 5 Kb in less than 15 ms, on an ASIC of about 10 000 gates at 4 MHz.

- Public Key Cryptography | Pp. 184-199

Anonymity on Paillier’s Trap-Door Permutation

Ryotaro Hayashi; Keisuke Tanaka

It is said that an encryption scheme provides anonymity when it is infeasible for the adversary to determine under which key the ciphertext was created (i.e. the receiver of the ciphertext is anonymous from the point of view of the adversary). From previous results, we can identify four techniques, repeating, expanding, RSACD, and sampling twice, for achieving the anonymity property of encryption schemes based on RSA.

In this paper, we focus on the four techniques described above when Paillier's bijective function is used instead of the RSA function. We slightly modify his function and construct a family of Paillier's trap-door permutations, and a family of Paillier's trap-door permutations with a common domain. We also apply our proposed families of Paillier's trap-door permutations to encryption with the above four techniques, and prove their security.

- Public Key Cryptography | Pp. 200-214
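Why anonymity is not automatic for Paillier, and what the "repeating" technique buys, as an added worked example (written for this catalogue page; not code from the paper, and it covers only one of the four techniques named in the abstract). Paillier ciphertexts live in Z_{n^2}, so two receivers with moduli of the same bit length but n0 < n1 are trivially told apart whenever a ciphertext is at least n0^2. Repeating encryption with fresh randomness until the ciphertext drops below a bound that every key of that size satisfies removes this range leak. The toy 20-bit primes are generated at run time, and the bound 2^(2k-2) for k-bit moduli is a choice made for this example (it is the Z_{n^2} analogue of the 2^(k-1) bound used for RSA).

```python
"""Key privacy (anonymity) of Paillier ciphertexts: the trivial range distinguisher and
the 'repeating' countermeasure.

Added illustration for this catalogue entry, not code from the paper. The demo primes
are generated at run time by trial division (20-bit, toy size), and the common bound
2^(2k-2) used by encrypt_repeating is a choice made for this example.
"""
import math
import secrets


def _is_prime(x: int) -> bool:
    """Trial division; adequate for the toy 20-bit primes used here."""
    if x < 2:
        return False
    for d in range(2, math.isqrt(x) + 1):
        if x % d == 0:
            return False
    return True


def next_prime(x: int) -> int:
    while not _is_prime(x):
        x += 1
    return x


def keygen(p: int, q: int):
    """Paillier key pair with g = n + 1; the public key carries n and n^2."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    return {"n": n, "n2": n * n}, {"n": n, "lam": lam, "mu": pow(lam, -1, n)}


def encrypt(pk, m: int, r=None) -> int:
    """Paillier's bijection (m, r) in Z_n x Z_n^* -> c = (1+n)^m * r^n mod n^2."""
    n, n2 = pk["n"], pk["n2"]
    if r is None:
        while True:
            r = secrets.randbelow(n)
            if r > 0 and math.gcd(r, n) == 1:
                break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(sk, c: int) -> int:
    n, lam, mu = sk["n"], sk["lam"], sk["mu"]
    u = pow(c, lam, n * n)          # equals 1 + m*lam*n (mod n^2)
    return (u - 1) // n * mu % n


def range_distinguisher(pk0, pk1, c: int):
    """Anonymity failure: with n0 < n1, a ciphertext c >= n0^2 can only have been made
    under pk1. Returns the index of the receiver when c betrays it, else None."""
    (lo_n2, _), (_, hi_idx) = sorted([(pk0["n2"], 0), (pk1["n2"], 1)])
    return hi_idx if c >= lo_n2 else None


def encrypt_repeating(pk, m: int, k: int) -> int:
    """'Repeating' technique: re-encrypt with fresh r until c < 2^(2k-2). Every k-bit
    modulus satisfies n^2 >= 2^(2k-2), so the output range is the same for all keys of
    that size and the range distinguisher above learns nothing."""
    bound = 1 << (2 * k - 2)
    while True:
        c = encrypt(pk, m)
        if c < bound:
            return c


def demo_anonymity(m: int = 42):
    """Two 40-bit Paillier keys: returns what the range distinguisher outputs on a plain
    ciphertext and on a 'repeating' ciphertext, together with both decryptions."""
    pk0, sk0 = keygen(next_prime(700_000), next_prime(1_000_000))
    pk1, sk1 = keygen(next_prime(1_020_000), next_prime(1_030_000))
    k = pk1["n"].bit_length()
    assert k == pk0["n"].bit_length()
    while True:                                  # a plain ciphertext that lands above n0^2
        c = encrypt(pk1, m)
        if c >= pk0["n2"]:
            break
    c_rep = encrypt_repeating(pk1, m, k)
    return {
        "plain_leaks_key": range_distinguisher(pk0, pk1, c),
        "plain_decrypts_to": decrypt(sk1, c),
        "repeating_leaks_key": range_distinguisher(pk0, pk1, c_rep),
        "repeating_decrypts_to": decrypt(sk1, c_rep),
    }
```

demo_anonymity() reports that the plain ciphertext identifies receiver 1 while the repeated one identifies nobody, and both still decrypt to m. The loop in encrypt_repeating is unbounded here for brevity; a real deployment caps the number of trials. Removing the range leak is only the first step: the abstract's actual contribution is a family of Paillier trap-door permutations with a common domain for which the four techniques can be proven secure, which this sketch does not reproduce.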

Generic Certificateless Key Encapsulation Mechanism

Qiong Huang; Duncan S. Wong

We propose the construction of a certificateless key encapsulation mechanism (CL-KEM) in the standard model, which is also secure against malicious-but-passive KGC attacks. It is based on an ID-based KEM, a public key encryption scheme and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.'s CL-KEMs, which are only proven secure in the random oracle model with no consideration of malicious-but-passive KGC attacks. The second contribution of our work is that we introduce the notion of certificateless tag-based KEM (CL-TKEM), which extends Abe et al.'s work to the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM. We also show that with a CL-TKEM and a one-time data encapsulation mechanism (DEM), an efficient hybrid certificateless encryption scheme can be constructed by applying Abe et al.'s transformation in the certificateless setting.

- Public Key Cryptography | Pp. 215-229

Double-Size Bipartite Modular Multiplication

Masayuki Yoshino; Katsuyuki Okeya; Camille Vuillaume

This paper proposes new techniques for double-size modular multiplication with single-size modular multiplication units. Smartcards are usually equipped with crypto-coprocessors for accelerating modular multiplications; however, their operand size is limited. Security institutes such as NIST and standards such as EMV have recommended or mandated increases in the bit-length of RSA keys over the years. Therefore, techniques to compute double-size modular multiplications with single-size modular multiplication units have been studied this decade to extend the life expectancy of low-end devices. We propose new double-size techniques based on multipliers implementing either or modular multiplications, or even both simultaneously ( modular multiplication), in which case one can potentially compute modular multiplications twice as fast.

- Public Key Cryptography | Pp. 230-244

Affine Precomputation with Sole Inversion in Elliptic Curve Cryptography

Erik Dahmen; Katsuyuki Okeya; Daniel Schepers

This paper presents a new approach to precomputing all odd points [3], [5],..., [2 − 1],  ≥ 2 on an elliptic curve over . Those points are required for the efficient evaluation of a scalar multiplication, the most important operation in elliptic curve cryptography. The proposed method precomputes the points in affine coordinates and needs only one single field inversion. The new method is superior to all known methods that also use one field inversion. Compared to methods that require several field inversions for the precomputation, the proposed method is faster for a broad range of ratios of field inversions to field multiplications. The proposed method benefits especially from ratios as they occur on smart cards.

- Public Key Cryptography | Pp. 245-258
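The "one inversion" idea and the inversion-to-multiplication ratio argument, as an added worked example (written for this catalogue page; not code from the paper). Affine point arithmetic costs one field inversion per addition, and on smart cards an inversion is typically many times the price of a multiplication, so all single-inversion precomputation methods rest on the same tool: Montgomery's simultaneous-inversion trick, which inverts m field elements with one inversion and 3(m − 1) multiplications. The block below shows that trick and the resulting cost comparison; it does not reproduce the paper's own scheduling of the dependent point additions, which is the actual contribution. The modulus is the Curve25519 field prime, chosen only as a realistic example.

```python
"""Montgomery's simultaneous-inversion trick: m field inversions for the price of one
inversion plus 3(m-1) multiplications.

Added illustration for this catalogue entry. It shows the standard batch trick that
underlies 'single inversion' affine precomputation and the cost argument; it is not the
paper's own scheduling of the dependent point additions. The field prime is the
Curve25519 prime, chosen here only as a realistic example modulus.
"""

P = (1 << 255) - 19


def batch_inverse(vals, p=P, cost=None):
    """Return [v^-1 mod p for v in vals] using exactly one modular inversion.
    If `cost` is a dict it accumulates the number of field multiplications and inversions."""
    if cost is None:
        cost = {"mul": 0, "inv": 0}
    if not vals:
        return []
    if any(v % p == 0 for v in vals):
        raise ZeroDivisionError("0 has no inverse in GF(p)")
    # forward pass: prefix[i] = v_0 * ... * v_i
    prefix = [vals[0] % p]
    for v in vals[1:]:
        prefix.append(prefix[-1] * v % p)
        cost["mul"] += 1
    # the single inversion: acc = (v_0 * ... * v_{m-1})^-1
    acc = pow(prefix[-1], p - 2, p)
    cost["inv"] += 1
    # backward pass: peel one factor off acc per step
    out = [0] * len(vals)
    for i in range(len(vals) - 1, 0, -1):
        out[i] = acc * prefix[i - 1] % p   # (v_0..v_i)^-1 * (v_0..v_{i-1}) = v_i^-1
        acc = acc * vals[i] % p            # now (v_0..v_{i-1})^-1
        cost["mul"] += 2
    out[0] = acc
    return out


def saving_in_mults(m, inv_to_mul_ratio):
    """Cost of m separate inversions minus the batched cost, in multiplications, when one
    inversion costs `inv_to_mul_ratio` multiplications. Positive means the batch wins;
    for m > 1 that is exactly (m - 1) * (ratio - 3), so any ratio above 3 suffices."""
    naive = m * inv_to_mul_ratio
    batched = inv_to_mul_ratio + 3 * (m - 1)
    return naive - batched
```

For eight denominators and an inversion costing 80 multiplications (a ratio of the kind the abstract attributes to smart cards), saving_in_mults(8, 80) is 539 multiplications; at a ratio of 3 the two approaches tie. The catch, and the reason the paper is not a one-liner, is that in affine precomputation the denominator of [2i+1]P depends on [2i−1]P, so the elements to invert are not all known up front; the trick above needs them all at once.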

Construction of Threshold (Hybrid) Encryption in the Random Oracle Model: How to Construct Secure Threshold Tag-KEM from Weakly Secure Threshold KEM

Takeru Ishihara; Hiroshi Aono; Sadayuki Hongo; Junji Shikata

The security of a public key cryptosystem can be enhanced by distributing secret keys among a number of decryption servers: the threshold encryption approach. In EUROCRYPT 2005, Abe et al. showed that a secure threshold key encapsulation mechanism with a tag (threshold Tag-KEM) immediately yields secure threshold encryption; we only have to construct a threshold Tag-KEM to obtain threshold encryption. In this paper, we propose a construction of CCA-secure threshold Tag-KEM from a threshold KEM (without a tag) that achieves one-wayness, by utilizing a signature scheme with a tight security reduction. Through our construction, we show an instantiation of CCA-secure threshold encryption whose ciphertext size and encryption cost are independent of the number of servers, under the RSA assumption in the random oracle model.

- Public Key Cryptography | Pp. 259-273