Information Security: 9th International Conference, ISC 2006, Samos Island, Greece, August 30 - September 2, 2006, Proceedings
Sokratis K. Katsikas ; Javier López ; Michael Backes ; Stefanos Gritzalis ; Bart Preneel (eds.)
In conference: 9th International Conference on Information Security (ISC). Samos, Greece. August 30, 2006 - September 2, 2006
Abstract/Description – provided by the publisher
Not available.
Keywords – provided by the publisher
Data Encryption; Operating Systems; Algorithm Analysis and Problem Complexity; Computer Communication Networks; Special Purpose and Application-Based Systems; Management of Computing and Information Systems
Availability
Detected institution | Publication year | Browse | Download | Request |
---|---|---|---|---|
Not detected | 2006 | SpringerLink |
Information
Resource type:
books
Print ISBN
978-3-540-38341-3
Electronic ISBN
978-3-540-38343-7
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2006
Publication rights information
© Springer-Verlag Berlin Heidelberg 2006
Subject coverage
Table of contents
doi: 10.1007/11836810_11
Formal Security Model of Multisignatures
Yuichi Komano; Kazuo Ohta; Atsushi Shimbo; Shinichi Kawamura
A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of multisignatures is to decrease the total length of the signature and/or the signing (verification) costs. This paper first discusses a formal security model of multisignatures following that of group signatures [1,4]. This model allows an attacker against multisignatures to access five oracles adaptively. With this model, we can obtain a more general security result than with the existing model [14,11,12]. Second, we propose a multisignature scheme using a claw-free permutation. The proposed scheme can decrease the signature length compared to those of existing multisignature schemes using a trapdoor one-way permutation (TOWP) [11,12], because its signing does not require a random string. We also prove that the proposed scheme is tightly secure in the formal security model, in the random oracle model. Third, we discuss the security of the multisignature schemes [11,12] using a TOWP in the formal security model to confirm that these schemes can be proven to be tightly secure.
- Digital Signatures | Pp. 146-160
doi: 10.1007/11836810_12
Cryptanalysis of Variants of UOV
Yuh-Hua Hu; Chun-Yen Chou; Lih-Chung Wang; Feipei Lai
The Unbalanced Oil and Vinegar scheme (UOV) is a signature scheme based on multivariate quadratic equations. It has oil variables and vinegar variables. UOV has equations and variables, where = and = +. In this paper, we define the weak key of UOV and study how to find the weak key from the public key. Second, we study the security when > . Our result shows that the security strengths of the current versions of TTS, TRMS, Rainbow and MFE are 2 ~2 3DES operations.
- Digital Signatures | Pp. 161-170
doi: 10.1007/11836810_13
A Stream Cipher Construction Inspired by Block Cipher Design Principles
Christophe De Cannière
In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.
- Stream Ciphers | Pp. 171-186
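The "very simple synchronous stream cipher" constructed in this paper is Trivium: an 80-bit key, an 80-bit IV and a 288-bit state held in three shift registers of 93, 84 and 111 bits, with linear taps at positions 66, 93, 162, 177, 243 and 288 and one AND gate per register (91/92, 175/176, 286/287). The Python below is an added example written for this page, not code from the paper or from the eSTREAM project. It assumes a bit convention (key, IV and keystream bits taken most-significant-bit first within each byte), so its output is not byte-compatible with the eSTREAM test vectors, which pack bits differently; the key, IV and messages are constructed values. The last function shows the failure mode every synchronous stream cipher shares: reusing a key/IV pair leaks the XOR of the two plaintexts.

```python
"""Trivium keystream generator, XOR mode, and the key/IV-reuse failure mode.

Added example for this catalog entry; not code from the paper or from eSTREAM.
Assumed convention: key/IV bits are loaded MSB-first per byte and keystream
bits are packed the same way (this differs from the eSTREAM vector packing).
"""


def _bits(data):
    """Bytes to a list of bits, most significant bit of each byte first (assumed)."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def xor_bytes(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


class Trivium:
    """288-bit state as three shift registers: s1..s93, s94..s177, s178..s288."""

    def __init__(self, key, iv):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
        self.a = _bits(key) + [0] * 13          # s1..s93   : K1..K80, 0...0
        self.b = _bits(iv) + [0] * 4            # s94..s177 : IV1..IV80, 0000
        self.c = [0] * 108 + [1, 1, 1]          # s178..s288: 0...0, 1, 1, 1
        for _ in range(4 * 288):                # key/IV setup: 1152 clocks, output discarded
            self._clock()

    def _clock(self):
        """One round: compute the output bit, then shift all three registers."""
        a, b, c = self.a, self.b, self.c
        t1 = a[65] ^ a[92]                      # s66 + s93
        t2 = b[68] ^ b[83]                      # s162 + s177
        t3 = c[65] ^ c[110]                     # s243 + s288
        z = t1 ^ t2 ^ t3                        # keystream bit
        t1 ^= (a[90] & a[91]) ^ b[77]           # + s91*s92 + s171
        t2 ^= (b[81] & b[82]) ^ c[86]           # + s175*s176 + s264
        t3 ^= (c[108] & c[109]) ^ a[68]         # + s286*s287 + s69
        # t3 feeds register A, t1 feeds B, t2 feeds C; each register shifts by one
        for reg, fed in ((a, t3), (b, t1), (c, t2)):
            reg.insert(0, fed)
            reg.pop()
        return z

    def keystream(self, nbytes):
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self._clock()
            out.append(byte)
        return bytes(out)


def trivium_xor(key, iv, data):
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return xor_bytes(data, Trivium(key, iv).keystream(len(data)))


def nonce_reuse_leak(ct1, ct2):
    """Two ciphertexts under one key/IV: their XOR equals the XOR of the plaintexts."""
    return xor_bytes(ct1, ct2)


# Constructed sample values for this example, not test vectors from any specification.
KEY = bytes(range(10))
IV = bytes(10)
MSG1 = b"attack at dawn  "
MSG2 = b"retreat at dusk "

if __name__ == "__main__":
    ct1 = trivium_xor(KEY, IV, MSG1)
    print("ciphertext:", ct1.hex())
    print("decrypted :", trivium_xor(KEY, IV, ct1))
    ct2 = trivium_xor(KEY, IV, MSG2)            # same key and IV: never do this
    print("ct1 ^ ct2 == msg1 ^ msg2:", nonce_reuse_leak(ct1, ct2) == xor_bytes(MSG1, MSG2))
```

The hardware flexibility the abstract mentions comes from the structure visible in `_clock`: each output bit depends only on a few fixed state positions and the three new bits are written to the register heads, so several consecutive rounds can be computed in parallel as long as the parallelism does not exceed the gap between a tap and the nearest state position that consumes it. The cipher gives no integrity protection; a deployment still needs a MAC, and a fresh IV per message under a given key.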
doi: 10.1007/11836810_14
Cryptanalysis of the Bluetooth Cipher Using OBDD’s
Yaniv Shaked; Avishai Wool
In this paper we analyze the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause to the specific details of that cipher. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSRs in the system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) cipher. Our best attack can recover the initial value of the four LFSRs, for the first time, with a realistic space complexity of 2 (84MB RAM), and with a time complexity of 2. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of the Bluetooth cipher, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.
- Stream Ciphers | Pp. 187-202
doi: 10.1007/11836810_15
A Partial Key Exposure Attack on RSA Using a 2-Dimensional Lattice
Ellen Jochemsz; Benne de Weger
We describe an attack on the RSA cryptosystem when the private exponent is chosen to be 'small', under the condition that a sufficient number of bits of the private exponent is available to the attacker. The attack uses a 2-dimensional lattice and is therefore (in the area of the keyspace where it applies) more efficient than known attacks using Coppersmith techniques. Moreover, we show that the attacks of Wiener and Verheul/Van Tilborg, using continued fraction techniques, are special deterministic cases of our attack, which in general is heuristic.
- Encryption I | Pp. 203-216
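Wiener's attack, which the abstract identifies as a deterministic special case of the paper's lattice attack (the case where the attacker knows no bits of the private exponent in advance), is short enough to run end to end. The Python below is an added example for this page, not code from the paper: it builds a deliberately weak RSA key whose private exponent satisfies Wiener's bound d < N^(1/4)/3, recovers d from the public (e, N) alone by walking the convergents of e/N, and factors N from the recovered φ(N). The two primes and the private exponent are constructed toy values far smaller than any real modulus; the paper's 2-dimensional lattice method, which additionally exploits known bits of d, is not implemented here.

```python
"""Wiener's continued-fraction attack on RSA with a small private exponent.

Added example for this catalog entry; not code from the paper. The key
material below is constructed (toy-sized primes), not a real key.
"""
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den, via Euclid's algorithm."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Yield successive convergents (numerator, denominator) of a continued fraction."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Recover (d, p, q) from the public key when d < n^(1/4)/3; None on failure.

    Since e*d - k*phi(n) = 1, k/d is a convergent of e/n whenever d is small
    enough. Each candidate (k, d) yields a candidate phi; p and q are then the
    roots of x^2 - (n - phi + 1)x + n, which must be integers.
    """
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # p + q
        disc = s * s - 4 * n            # (p - q)^2 if the candidate is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if p * q == n:
            return d, p, q
    return None


def make_weak_key(p, q, d):
    """Derive the public exponent for a chosen (small) private exponent d."""
    phi = (p - 1) * (q - 1)
    return pow(d, -1, phi), p * q


def is_wiener_vulnerable(n, d):
    """Key-hygiene check: Wiener's bound d < n^(1/4)/3, in conservative integer form."""
    return 3 * d < isqrt(isqrt(n))


# Constructed toy key: both factors are primes, d is far below n^(1/4)/3.
P, Q, D = 1000000007, 1000000009, 7919
E, N = make_weak_key(P, Q, D)

if __name__ == "__main__":
    print("vulnerable:", is_wiener_vulnerable(N, D))
    print("recovered (d, p, q):", wiener_attack(E, N))
```

The practical lesson is the check in `is_wiener_vulnerable`: choosing a small d to speed up decryption is what creates the exposure, and the usual remedy is to pick a standard small public exponent and accept a full-size private exponent, for which the same function returns False.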
doi: 10.1007/11836810_16
On the Integration of Public Key Data Encryption and Public Key Encryption with Keyword Search
Joonsang Baek; Reihaneh Safavi-Naini; Willy Susilo
In this paper, we consider the problem of combining a public key encryption (PKE) scheme and the public key encryption with keyword search (PEKS) scheme proposed by Boneh, Di Crescenzo, Ostrovsky and Persiano (BDOP) at Eurocrypt 2004. We argue that the two schemes need to be treated as a single scheme to securely provide the PEKS service that BDOP envisioned. We formally define such a scheme, which we call "PKE/PEKS", and its security against chosen ciphertext attack, which we call "IND-PKE/PEKS-CCA". We then construct a highly efficient PKE/PEKS scheme using the PEKS scheme presented by BDOP and a variation of the ElGamal encryption scheme, and show that it is IND-PKE/PEKS-CCA secure in the random oracle model assuming that the Computational Diffie-Hellman (CDH) problem is intractable. We also propose a generic construction of PKE/PEKS, which is slightly less efficient than the first one. Finally, we present two extensions of a PKE/PEKS scheme to the multi-receiver setting and the multi-keyword setting.
- Encryption I | Pp. 217-232
doi: 10.1007/11836810_17
Collusion-Free Policy-Based Encryption
Walid Bagga; Refik Molva
A policy-based encryption scheme allows a user to encrypt a message with respect to a credential-based policy formalized as a monotone boolean expression written in standard normal form. Encryption is such that only a user with access to a qualified set of credentials for the policy is able to successfully decrypt the message. An inherent property of policy-based encryption is that, in addition to the recipient an encrypted message is intended for, any collusion of credential issuers or end users who are able to collect a qualified set of credentials for the policy used to encrypt the message can decrypt it as well. In some applications, the collusion property may be acceptable or even useful. However, for most other applications it is undesirable. In this paper, we present a collusion-free policy-based encryption primitive, called policy-based public-key encryption. We provide a precise definition for the new primitive as well as for the related security model. Then, we describe a concrete implementation using pairings over elliptic curves and prove its security in the random oracle model.
- Encryption I | Pp. 233-245
doi: 10.1007/11836810_18
Using Multiple Smart Cards for Signing Messages at Malicious Terminals
István Zsolt Berta
Having no trusted user interface, smart cards are unable to communicate with the user directly. Communication is possible only with the aid of a terminal, which leads to several security problems. For example, if the terminal is untrusted (which is a very typical scenario), it may perform a man-in-the-middle attack. Thus, a malicious terminal can make the user sign documents that she would not sign otherwise. A signature that a card computes at a malicious terminal does not prove anything about the content of the signed document. What it does prove is that the user did insert her card into a malicious terminal and she did intend to sign something.
In this paper we propose a solution where a user has multiple smart cards, and each card represents a 'signal', a certain piece of information. The user encodes her message by using a subset of her cards for signing at the untrusted terminal. The recipient decodes the message by checking which cards were used. We also make use of time stamps from a trusted time stamping authority to allow cards to be used more than once.
- Pervasive Computing | Pp. 246-256
doi: 10.1007/11836810_19
Diverging Keys in Wireless Sensor Networks
Michał Ren; Tanmoy Kanti Das; Jianying
Currently, the most popular ways of dealing with the key distribution problem in sensor networks are random predistribution schemes. For relaxed, realistic assumptions about the attacker, the key infection protocol [1] is also available. In this paper, by accepting the relaxed assumptions from [1], we propose a scheme which makes pairwise keys “drift” or diverge, which enhances security and can be used as a key distribution method. The most notable feature of this scheme is that, under some assumptions about the sensor nodes, it incurs no communication overhead at all.
- Pervasive Computing | Pp. 257-269
doi: 10.1007/11836810_20
A Generic Transformation from Symmetric to Asymmetric Broadcast Encryption
Ulrich Huber; Ahmad-Reza Sadeghi
Broadcast Encryption (BE) schemes allow a sender to efficiently encrypt messages for a large set of receivers. The currently most efficient BE schemes in the stateless receiver scenario are based on symmetric cryptography. However, a variety of business models with mutually mistrusting senders necessitates the use of asymmetric cryptography. We propose a generic framework that transforms a large class of symmetric BE schemes into asymmetric schemes, where the transformation employs an arbitrary hierarchical identity based encryption scheme. Applying our framework, we transform a recent symmetric scheme, called the layered punctured interval scheme, for which no asymmetric version has yet been published. In addition, we give a formal proof of the chosen ciphertext security of our framework, which makes it possible to generically transform any future symmetric BE scheme within the large class into a chosen-ciphertext-secure asymmetric scheme with the same efficiency measures.
- Encryption II | Pp. 270-285