Catálogo de publicaciones - libros

HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim’s ephemeral private keys. The attacks illustrate the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols, and furthermore highlight the dangers of relying on security proofs for discrete-logarithm protocols where a concrete representation for the underlying group is not specified.

We discuss the question of how to interpret reduction arguments in cryptography. We give some examples to show the subtlety and difficulty of this question.

We build new RSA-based encryption schemes secure against adaptive chosen-ciphertext attack (CCA-secure) without random oracles. To do this, we first define a new general RSA-related assumption, the Oracle RSA-type assumption, and give two specific instances of this assumption. Secondly, we express RSA-based encryption schemes as tag-based encryption schemes (TBE), where the public exponent is the tag. We define selective-tag weak chosen-ciphertext security for the special RSA-based case and call it selective-exponent weak chosen-ciphertext security. RSA-based schemes secure in this sense can be used as a building block for the construction of chosen-ciphertext secure encryption schemes using a previous technique. We build two concrete CCA-secure encryption schemes whose security is based on the two concrete Oracle RSA-type assumptions respectively, and whose efficiency is comparable to the most efficient CCA-secure schemes known.

We say that a signature scheme is strongly existentially unforgeable if no adversary, given message/signature pairs adaptively, can generate a new signature on either a signature on a new message or a new signature on a previously signed message. Strongly existentially unforgeable signature schemes are used to construct many applications, such as an IND-CCA2 secure public-key encryption scheme and a group signature scheme.

We propose two general and efficient conversions, both of which transform a secure signature scheme to a strongly existentially unforgeable signature scheme. There is a tradeoff between the two conversions. The first conversion requires the random oracle, but the signature scheme transformed by the first conversion has shorter signature length than the scheme transformed by the second conversion. The second conversion does not require the random oracle. Therefore, if the original signature scheme is of the standard model, the strongly existentially unforgeable property of the converted signature scheme is proved also in the standard model.

Both conversions ensure tight security reduction to the underlying security assumptions. Moreover, the transformed schemes by the first or second conversion satisfy the on-line/off-line property. That is, signers can precompute almost all operations on the signing before they are given a message.

We introduce a new digital signature model, called conditionally verifiable signature (CVS), which allows a signer to specify and convince a recipient under what conditions his signature would become valid and verifiable; the resulting signature is not publicly verifiable immediately but can be converted back into an ordinary one (verifiable by anyone) after the recipient has obtained proofs, in the form of signatures/endorsements from a number of third party witnesses, that all the specified conditions have been fulfilled. A fairly wide set of conditions could be specified in CVS. The only job of the witnesses is to certify the fulfillment of a condition and none of them need to be actively involved in the actual signature conversion, thus protecting user privacy. It is guaranteed that the recipient cannot cheat as long as at least one of the specified witnesses does not collude. We formalize the concept of CVS and give a generic CVS construction based on any CPA-secure identity based encryption (IBE) scheme. Theoretically, we show that the existence of IBE with indistinguishability under a chosen plaintext attack (a weaker notion than the standard one) is necessary and sufficient for the construction of a secure CVS.

In this paper, we study the problem of (PRMT) and (PSMT) between a sender and a receiver in a synchronous network, where and are connected by vertex disjoint paths called wires, each of which facilitates bidirectional communication. We assume that atmost of these wires are under the control of adversary. We present two-phase- PRMT protocol considering Byzantine adversary as well as mixed adversary. We also present a three phase PRMT protocol which reliably sends a message containing field elements by overall communicating () field elements. This is a significant improvement over the PRMT protocol proposed in [10] to achieve the same task which takes () phases. We also present a three-phase- PSMT protocol which securely sends a message consisting of field elements by communicating () field elements.

We show in this paper how to apply well known methods from sparse linear algebra to the problem of computing the immunity of a Boolean function against algebraic or fast algebraic attacks. For an -variable Boolean function, this approach gives an algorithm that works for both attacks in (2) complexity and (2) memory. Here and corresponds to the degree of the algebraic system to be solved in the last step of the attacks. For algebraic attacks, our algorithm needs significantly less memory than the algorithm in [ACG06] with roughly the same time complexity (and it is precisely the memory usage which is the real bottleneck of the last algorithm). For fast algebraic attacks, it does not only improve the memory complexity, it is also the algorithm with the best time complexity known so far for most values of the degree constraints.

In this paper we present a new block cipher over a small finite domain where is either 2 or 2 . After that we suggest a use of this cipher for enciphering members of arbitrary small finite domains where . With cost of an extra mapping, this method could be further extended for enciphering in arbitrary domain where . At last, in a discussion section we suggest a few interesting usage scenarios for such a cipher as an argument that enciphering with arbitrary small finite domains is a very useful primitive on its own rights, as well as for designing of a higher level protocols.

The existence of 9-variable Boolean functions having nonlinearity strictly greater than 240 has been shown very recently (May 2006) by Kavut, Maitra and Yücel; a few functions with nonlinearity 241 have been identified by a heuristic search in the class of Rotation Symmetric Boolean Functions (RSBFs). In this paper, using combinatorial results related to the Walsh spectra of RSBFs, we efficiently perform the exhaustive search to enumerate the 9-variable RSBFs having nonlinearity > 240 and found that there are 8 ×189 many functions with nonlinearity 241 and there is no RSBF having nonlinearity > 241. We further prove that among these functions, there are only two which are different up to the affine equivalence. This is found by utilizing the binary nonsingular circulant matrices and their variants. Finally we explain the coding theoretic significance of these functions. This is the first time orphan cosets of (1, ) having minimum weight 241 are demonstrated for = 9. Further they provide odd weight orphans for = 9; earlier these were known for certain ≥11.

The MEM mode is a nonce-based encryption mode of operation proposed by Chakraborty and Sarkar, which was claimed to be secure against symmetric nonce respecting adversaries. We first compare this security model with two similar models and then show that MEM is not secure under symmetric respecting attacks. One attack needs one decryption and one encryption queries, and the other only needs one encryption query.