Publications catalogue - books
Progress in Cryptology: INDOCRYPT 2006: 7th International Conference on Cryptology in India, Kolkata, India, December 11-13, 2006, Proceedings
Rana Barua; Tanja Lange (eds.)
Conference: 7th International Conference on Cryptology in India (INDOCRYPT). Kolkata, India. December 11-13, 2006
Abstract/Description - provided by the publisher
Not available.
Keywords - provided by the publisher
Data Encryption; Algorithm Analysis and Problem Complexity; Discrete Mathematics in Computer Science; Systems and Data Security; Computer Communication Networks; Management of Computing and Information Systems
Availability
Detected institution | Publication year | Browse | Download | Request |
---|---|---|---|---|
Not detected | 2006 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-3-540-49767-7
Electronic ISBN
978-3-540-49769-1
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2006
Publication rights information
© Springer-Verlag Berlin Heidelberg 2006
Subject coverage
Table of contents
doi: 10.1007/11941378_21
HCH: A New Tweakable Enciphering Scheme Using the Hash-Encrypt-Hash Approach
Debrup Chakraborty; Palash Sarkar
The notion and the first construction of a tweakable enciphering scheme, called CMC, were presented by Halevi-Rogaway at Crypto 2003. In this paper, we present HCH, a new construction of such a scheme. The construction uses the hash-encrypt-hash approach introduced by Naor-Reingold. This approach has recently been used in the constructions of the tweakable enciphering schemes HCTR and PEP. HCH has several advantages over the previous schemes CMC, EME, EME*, HCTR, and PEP. CMC, EME, and EME* use two block-cipher invocations per message block, while HCTR, PEP, and HCH use only one. PEP uses four multiplications per block, while HCTR and HCH use only two. In HCTR the security bound is cubic, while in HCH the security bound is quadratic.
- Modes of Operation and Message Authentication Codes | Pp. 287-302
doi: 10.1007/11941378_22
Efficient Shared-Key Authentication Scheme from Any Weak Pseudorandom Function
Ryo Nojima; Kazukuni Kobara; Hideki Imai
One of the most widely used shared-key authentication schemes today is the challenge-response scheme. In this scheme, a function such as a message authentication code or a symmetric encryption scheme plays an important role. To ensure security, we need to assume that these functions belong to a certain family of functions, e.g., a pseudorandom function family. For example, functions such as SHA1-HMAC, DES and AES are often assumed to be pseudorandom functions. Unfortunately, nobody knows whether these functions really are pseudorandom functions, and if they are not, the security of the challenge-response scheme is no longer ensured. The common way to reduce this concern is to construct a shared-key authentication scheme that can be proven secure under a weaker assumption on these functions. In this paper, we show that a shared-key authentication scheme which is a simple modification of the original challenge-response authentication scheme can be constructed from a weaker cryptographic assumption known as a weak pseudorandom function.
- Modes of Operation and Message Authentication Codes | Pp. 303-316
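The challenge-response scheme the abstract takes as its starting point, written out as an added Python example (not code from the paper or its authors): the verifier issues a fresh random challenge, the prover answers with a keyed function of it, and the verifier recomputes and compares. HMAC-SHA256 stands in for the function that the scheme assumes to be a pseudorandom function; the authors' modified scheme, which relaxes that assumption to a weak pseudorandom function, is not reproduced here. The names Verifier, Prover and run_protocol, the 16-byte challenge, and the one-shot challenge table are choices made for this example.

```python
import hashlib
import hmac
import os


class Verifier:
    """Holds the shared key, issues fresh challenges and checks responses.

    Every challenge is single-use: it is forgotten as soon as it is answered,
    so a captured (challenge, response) pair cannot be replayed later.
    """

    def __init__(self, key):
        self.key = key
        self.pending = set()               # challenges issued but not yet answered

    def challenge(self):
        c = os.urandom(16)                 # 128-bit random nonce (assumed size)
        self.pending.add(c)
        return c

    def check(self, challenge, response):
        if challenge not in self.pending:  # unknown, forged or already-used challenge
            return False
        self.pending.discard(challenge)    # consume it before checking: one shot only
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Prover:
    """Proves possession of the shared key by evaluating the keyed function."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def run_protocol(verifier, prover):
    """One full exchange.  verifier -> prover: challenge; prover -> verifier: response.

    Returns (challenge, response, accepted) so the transcript can be inspected or replayed.
    """
    c = verifier.challenge()
    r = prover.respond(c)
    return c, r, verifier.check(c, r)


if __name__ == "__main__":
    key = os.urandom(32)                   # constructed shared key for the demo
    v = Verifier(key)
    c, r, ok = run_protocol(v, Prover(key))
    print("honest prover accepted:", ok)
    print("replayed transcript accepted:", v.check(c, r))               # challenge already consumed
    print("wrong key accepted:", run_protocol(v, Prover(b"x" * 32))[2])
```

The security argument of the abstract is visible in the shape of `check`: the verifier accepts exactly when the response equals the keyed function of a value the adversary did not choose, so the scheme is only as good as the assumption that this function is indistinguishable from random on fresh inputs.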
doi: 10.1007/11941378_23
A Simple and Unified Method of Proving Indistinguishability
Mridul Nandi
Recently Bernstein [4] provided a simpler proof of indistinguishability of the CBC construction [3] which gives insight into the construction. Indistinguishability of a function intuitively means that the function behaves very closely to a uniform random function. In this paper we give a unifying and simple approach to proving indistinguishability of many existing constructions. We first revisit Bernstein's proof. Using this idea we give simpler proofs of indistinguishability of a class of DAG-based constructions [8], XCBC [5], TMAC [9], OMAC [7] and PMAC [6]. We also provide a simpler proof of the stronger bound for CBC [1] and a simpler proof of security of on-line Hash-CBC [2]. We note that there is a flaw in the security proof of Hash-CBC given in [2]. This paper will help to understand the security analysis of indistinguishability of many constructions in a simpler way.
- Modes of Operation and Message Authentication Codes | Pp. 317-334
doi: 10.1007/11941378_24
Extended Double-Base Number System with Applications to Elliptic Curve Cryptography
Christophe Doche; Laurent Imbert
We investigate the impact of larger digit sets on the length of Double-Base Number System (DBNS) expansions. We present a new representation system, called extended DBNS, whose expansions can be extremely sparse. When compared with double-base chains, the average length of extended DBNS expansions of integers in the range 200–500 bits is reduced by approximately 20% using one precomputed point, 30% using two, and 38% using four. We also discuss a new approach to approximating an integer by a digit from a given digit set multiplied by a power of 2 and a power of 3. This method, which also requires some precomputation, leads to realistic DBNS implementations. Finally, a left-to-right scalar multiplication relying on extended DBNS is given. On an elliptic curve where operations are performed in Jacobian coordinates, overall improvements of up to 13% can be expected with this approach when compared to window NAF methods using the same number of precomputed points. In this context, it is therefore the fastest method known to date for computing a scalar multiplication on a generic elliptic curve.
- Fast Implementation of Public Key Cryptography | Pp. 335-348
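To make the representation concrete, here is an added Python example (not the authors' algorithm, which uses a different approximation method and signed chains) of a greedy DBNS expansion: at each step the largest term d·2^a·3^b not exceeding the remainder is subtracted, with the digit d drawn from a digit set. `digits=(1,)` gives a plain DBNS expansion; a larger set such as `(1, 5, 7)`, an illustrative choice of odd digits not divisible by 3 so that none of them is already a power-product of 2 and 3, models spending one precomputed point per extra digit to obtain sparser expansions, which is the effect the abstract quantifies. The function names, the digit set and the sampling in `average_length` are assumptions for this example.

```python
import random


def best_term(n, digits):
    """Largest d * 2^a * 3^b <= n with d in the digit set.  Returns (value, (d, a, b))."""
    best_value, best = 0, None
    for d in digits:
        if d > n:
            continue
        m = n // d                              # need 2^a * 3^b <= m
        b, pow3 = 0, 1
        while pow3 <= m:
            a = (m // pow3).bit_length() - 1    # largest a with 2^a <= m // 3^b
            value = d * pow3 * (1 << a)
            if value > best_value:
                best_value, best = value, (d, a, b)
            b, pow3 = b + 1, pow3 * 3
    return best_value, best


def dbns_expansion(n, digits=(1,)):
    """Greedy unsigned expansion of n as a sum of terms d * 2^a * 3^b, d in digits.

    digits == (1,) is a plain DBNS expansion.  The digit set must contain 1 so
    the loop always makes progress (1 = 1 * 2^0 * 3^0 is always available).
    """
    assert 1 in digits and n >= 0
    terms = []
    while n > 0:
        value, term = best_term(n, digits)
        terms.append(term)
        n -= value
    return terms


def evaluate(terms):
    """Recombine an expansion; used to check that nothing was lost."""
    return sum(d * 2 ** a * 3 ** b for d, a, b in terms)


def binary_weight(n):
    """Number of non-zero digits in plain binary, i.e. additions in double-and-add."""
    return bin(n).count("1")


def average_length(bits, digits, samples=50, seed=1):
    """Average number of terms over `samples` constructed random integers of exactly `bits` bits."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        n = rng.getrandbits(bits) | (1 << (bits - 1))   # force the top bit so the size is exact
        total += len(dbns_expansion(n, digits))
    return total / samples


if __name__ == "__main__":
    k = 127
    print("binary weight:", binary_weight(k))
    for digit_set in [(1,), (1, 5, 7)]:
        exp = dbns_expansion(k, digit_set)
        assert evaluate(exp) == k
        print(digit_set, len(exp), "terms:", exp)
    for digit_set in [(1,), (1, 5, 7), (1, 5, 7, 11, 13)]:
        print("average terms, 256-bit scalars, digits", digit_set, "=", average_length(256, digit_set))
```

For k = 127 the plain expansion is 108 + 18 + 1 (three terms against a binary weight of seven), and with the digits 5 and 7 available it becomes 126 + 1. In a scalar multiplication every term costs one point addition (or a precomputed-point addition when d > 1), so the term count is the quantity the abstract's percentages refer to.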
doi: 10.1007/11941378_25
CMSS – An Improved Merkle Signature Scheme
Johannes Buchmann; Luis Carlos Coronado García; Erik Dahmen; Martin Döring; Elena Klintsevich
The Merkle signature scheme (MSS) is an interesting alternative to well-established signature schemes such as RSA, DSA, and ECDSA. The security of MSS relies only on the existence of cryptographically secure hash functions. MSS has a good chance of being resistant to quantum computers. In this paper, we propose CMSS, a variant of MSS with reduced private key size, key pair generation time, and signature generation time. We demonstrate that CMSS is competitive in practice by presenting a highly efficient implementation within the Java Cryptographic Service Provider FlexiProvider. We present extensive experimental results and show that our implementation can, for example, be used to sign messages in Microsoft Outlook.
- Fast Implementation of Public Key Cryptography | Pp. 349-363
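A minimal Merkle signature scheme, added here as an illustration and not the CMSS or FlexiProvider code: Lamport one-time keys, each re-derived from a seed rather than stored, sit at the leaves of a hash tree whose root is the public key. A signature carries the leaf index, the one-time signature and public key, and the authentication path to the root; the signer's counter makes sure each leaf is used exactly once, which is the property a stateful hash-based scheme lives or dies by. Everything is built from SHA-256, which is the point the abstract makes about MSS security resting only on hash functions. The tree height, the seed derivation and all names are choices made for this example.

```python
import hashlib


def H(*parts):
    """SHA-256 over the concatenation of its arguments: the only primitive used."""
    return hashlib.sha256(b"".join(parts)).digest()


# --- Lamport one-time signature (OTS) over 256-bit message digests -----------

def ots_keygen(seed):
    """Derive a Lamport key pair from a 32-byte seed: 256 pairs of secrets, each hashed once for the public key."""
    sk = [[H(seed, bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def ots_pk_digest(pk):
    """Compress the 512 public hashes into the single leaf value used in the tree."""
    return H(*[x for pair in pk for x in pair])


def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sk, msg):
    """Reveal, for each digest bit, the secret matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def ots_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


# --- Merkle tree over 2^height one-time public keys ---------------------------

class MerkleSigner:
    def __init__(self, height, master_seed):
        self.master_seed = master_seed          # the whole private key is this seed plus the counter
        self.leaves_total = 1 << height
        leaves = [ots_pk_digest(ots_keygen(self._leaf_seed(i))[1]) for i in range(self.leaves_total)]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.next_index = 0

    def _leaf_seed(self, idx):
        return H(self.master_seed, idx.to_bytes(4, "big"))   # assumed derivation, one seed per leaf

    @property
    def public_key(self):
        return self.levels[-1][0]               # the root: a single 32-byte hash

    def _auth_path(self, idx):
        path = []
        for lvl in self.levels[:-1]:
            path.append(lvl[idx ^ 1])           # sibling node at this level
            idx >>= 1
        return path

    def sign(self, msg):
        if self.next_index >= self.leaves_total:
            raise RuntimeError("all one-time keys used; a stateful scheme must stop here")
        idx = self.next_index
        self.next_index += 1                    # advance the state BEFORE releasing the signature
        sk, pk = ots_keygen(self._leaf_seed(idx))
        return idx, ots_sign(sk, msg), pk, self._auth_path(idx)


def merkle_verify(root, msg, signature):
    """Check the one-time signature, then rebuild the root from the leaf and the authentication path."""
    idx, ots_sig, ots_pk, path = signature
    if not ots_verify(ots_pk, msg, ots_sig):
        return False
    node = ots_pk_digest(ots_pk)
    for sibling in path:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(3, b"constructed demo master seed")   # 8 signatures available
    sig = signer.sign(b"INDOCRYPT 2006")
    print("valid:", merkle_verify(signer.public_key, b"INDOCRYPT 2006", sig))
    print("tampered:", merkle_verify(signer.public_key, b"INDOCRYPT 2007", sig))
```

Two of the costs the abstract says CMSS reduces are visible here: key generation must hash every leaf before the root is known, and the private key stays small only because one-time keys are re-derived from the seed at signing time instead of being kept.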
doi: 10.1007/11941378_26
Constant-Size ID-Based Linkable and Revocable-iff-Linked Ring Signature
Man Ho Au; Joseph K. Liu; Willy Susilo; Tsz Hon Yuen
In this paper, we propose a new notion called Revocable-iff-Linked Ring Signature (R-iff-L Ring Signature). In R-iff-L ring signatures, a signer can sign on behalf of the whole group, just like in ordinary ring signatures. However, if he signs twice or more, he can be linked and his identity can be revoked by everyone. We formally define a new security model for the new notion in the identity-based (ID-based) setting and propose a constant-size ID-based construction, that is, the size of the signature is independent of the size of the group. In addition, we enhance the security model of ID-based linkable ring signature schemes and provide a constant-size construction. Both schemes are provably secure in our new model.
- ID-Based Cryptography | Pp. 364-378
doi: 10.1007/11941378_27
Secure Cryptographic Workflow in the Standard Model
M. Barbosa; P. Farshim
Following the work of Al-Riyami we define the notion of a key encapsulation mechanism supporting cryptographic workflow (WF-KEM) and prove a KEM-DEM composition theorem which extends the notion of hybrid encryption to cryptographic workflow. We then generically construct a WF-KEM from an identity-based encryption (IBE) scheme and a secret sharing scheme. Chosen-ciphertext security is achieved using one-time signatures. Adding a public-key encryption scheme, we are able to modify the construction to obtain escrow-freeness. We prove all our constructions secure in the standard model.
- ID-Based Cryptography | Pp. 379-393
doi: 10.1007/11941378_28
Multi-receiver Identity-Based Key Encapsulation with Shortened Ciphertext
Sanjit Chatterjee; Palash Sarkar
This paper describes two identity-based encryption (IBE) protocols in the multi-receiver setting. The first protocol is secure in the selective-ID model while the second is secure in the full model. The proofs do not depend on the random oracle heuristic. The main interesting feature of both protocols is that the ciphertext size is proportional to the size of the intended set of receivers divided by a parameter of the protocol. To the best of our knowledge, in the multi-receiver IBE setting, these are the first protocols to achieve sub-linear ciphertext sizes. There are three previous protocols for this problem, two using the random oracle heuristic and one without. We make a detailed comparison to these protocols and highlight the advantages of the new constructions.
- ID-Based Cryptography | Pp. 394-408
doi: 10.1007/11941378_29
Identity-Based Parallel Key-Insulated Encryption Without Random Oracles: Security Notions and Construction
Jian Weng; Shengli Liu; Kefei Chen; Changshe Ma
In this paper, we apply the parallel key-insulation mechanism to identity-based encryption (IBE) scenarios to minimize the damage caused by key exposure in IBE systems. We first formalize the definition and security notions for ID-based parallel key-insulated encryption (IBPKIE) systems, and then propose an IBPKIE scheme based on Waters' IBE scheme. To the best of our knowledge, this is the first IBPKIE scheme to date. Our scheme enjoys two attractive features: (i) it is provably secure without random oracles; (ii) it not only allows frequent key updating, but also does not increase the risk of helper key exposure.
- ID-Based Cryptography | Pp. 409-423
doi: 10.1007/11941378_30
AES Software Implementations on ARM7TDMI
Matthew Darnall; Doug Kuhlman
Information security on small, embedded devices has become a necessity for high-speed business. ARM processors are the most common processors used in embedded devices. In this paper, we analyze speed and memory tradeoffs of AES, the leading symmetric cipher, on an ARM7TDMI processor. We give cycle counts as well as RAM and ROM footprints for many implementation techniques. By analyzing the techniques, we identify the options we found most useful for certain purposes. We also introduce a new implementation of AES that saves ROM by not explicitly storing all the S-box data.
- Embedded System and Side Channel Attacks | Pp. 424-435