Catálogo de publicaciones - libros

The bilinearity of pairings allows efficient signature verification for signature schemes based on discrete logarithm type problem and often provides useful additional functionalities to signature schemes. In recent years, bilinear pairings have been widely used to create signature schemes. But the bilinearity can also be an attack point in uncarefully designed protocols. We cryptanalyze two signature schemes presented at CISC ’05, Cheng et al.’s group signature scheme and Gu et al.’s ID-based verifiably encrypted signature scheme, both based on bilinear pairings. We show that their improper uses of a bilinear pairing lead to untraceable group signatures for Cheng et al.’s group signature scheme and universally forgeable signatures for Gu et al.’s ID-based verifiably encrypted signature scheme.

Standard identity-based (ID-based) signature schemes typically rely on the assumption that secret keys are kept perfectly secure. However, with more and more cryptographic primitives are deployed on insecure devices (e.g. mobile devices), key-exposure seems inevitable. This problem is perhaps the most devastating attack on a cryptosystem since it typically means that security is entirely lost. To minimize the damage caused by key-exposure in ID-based signatures scenarios, Zhou et al. [32] applied Dodis et al.’s key-insulation mechanism [12] and proposed an ID-based key-insulated signature (IBKIS) scheme. However, their scheme is not strong key-insulated, i.e, if an adversary compromises the helper key, he can derive all the temporary secret keys and sign messages on behalf the legitimate user. In this paper, we re-formalize the definition and security notions for IBKIS schemes, and then propose a new IBKIS scheme with secure key-updates. The proposed scheme is strong key-insulated and perfectly key-insulated. Our scheme also enjoys desirable properties such as unbounded number of time periods and random-access key-updates.

Intrusion-resilient signatures are key-evolving protocols that extend the concepts of forward-secure and key-insulated signatures. As in the latter schemes, time is divided into distinct periods where private keys are periodically updated while public keys remain fixed. Private keys are stored in both a user and a base; signature operations are performed by the user while the base is involved in periodic updates. Such a system remains secure after arbitrarily many compromises of both modules as long as break-ins are not simultaneous. Besides, when they simultaneously occur within some time period, past periods remain safe. In this work, we propose the first intrusion-resilient signature in the standard model (i.e. without random oracles) which provides both short signatures and at most log-squared private storage in the number of time periods.

A new family of binary sequences S _ e ( ρ ) ( U _ e ( ρ )) of period 2^ n –1 is constructed for odd (even) n = me and an integer ρ with 1 ≤ ρ < ⌈ $\frac{m}{2}$ ⌉. The new family S _ e ( ρ ) (or U _ e ( ρ )) contains Kim and No’s construction as a subset if m -sequences are excluded from both constructions. Furthermore, the new sequences are proved to have low correlation property, large linear span and large family size.

Clock-Controlled combiner is a common type of keystream generator for stream cipher applications. In this paper, we introduce a kind of probabilistic model for two clock-controlled combiners, and then study the rate of coincidence between the output sequences of these generators and corresponding LFSRs’ sequences. The analysis conducted indicates that these two combiners may be vulnerable to the correlation attacks.

Novel design method and design flow of block cipher coprocessor is presented based on the WDDL (Wave Dynamic Differential Logic) and Wave-Pipelining techniques. This design flow utilized the current commercially available EDA (Electronic Design Automatic) tools to a large degree. The WDDL and wave-pipelining based coprocessor not only resists power analysis, but also achieves high performance and low power consumption in nature. According to the design flow, this paper implements a DES coprocessor. The simulation results show that the novel design method does achieve high performance, low power consumption and power analysis resistant ability at the cost of chip area.

In this paper, we present One-Key Poly1305 MAC(OPMAC) and prove its security for arbitrary length message. OPMAC is deterministic and takes only one 16-byte key. Previously, Poly1305 MAC is nonce-based and requires two 16-byte keys and a 16-byte nonce, 48-byte in total.

This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block cipher (TBC) and modes of operations. Our first contribution is to generalize Rogaway’s TBC construction by working over a ring R and by the use of a masking sequence of functions. The ring R can be instantiated as either GF (2^ n ) or as ℤ . Further, over GF (2^ n ), efficient instantiations of the masking sequence of functions can be done using either a Linear Feedback Shift Register (LFSR), a powering construction or a cellular automata map. Rogaway’s TBC construction was built from the powering construction over GF (2^ n ). Our second contribution is to use the general TBC construction to instantiate general constructions of various modes of operations (AE, PRF, MAC, AEAD) given by Rogaway.

In this paper, we investigate the problem of increasing the threshold parameter of the Shamir ( t , n )-threshold scheme without interacting with the dealer. Our construction will reduce the problem of secret recovery to the polynomial reconstruction problem which can be solved using a recent algorithm by Guruswami and Sudan. In addition to be dealer-free, our protocol does not increase the communication cost between the dealer and the n participants when compared to the original ( t , n )-threshold scheme. Despite an increase of the asymptotic time complexity at the combiner, we show that recovering the secret from the output of the previous polynomial reconstruction algorithm is still realistic even for large values of t . Furthermore the scheme does not require every share to be authenticated before being processed by the combiner. This will enable us to reduce the number of elements to be publicly known to recover the secret to one digest produced by a collision resistant hash function which is smaller than the requirements of most verifiable secret sharing schemes.

Signcryption is such a public key cryptographic primitive that simultaneously provides the functionality of signature and encryption within a single logic step. Despite the flurry of recent results on signcryption, there are no signcryption schemes which possess both tight security and short expansion. This paper presented a short signcryption scheme to achieve both above merits. Thanks to q -strong Diffie-Hellman problem and parings, our scheme is quite efficient and security: the signcryption operation has almost the same cost as an El Gamal encryption while the reverse operation only requires one pairing evaluation and two exponentiations, the ciphertext expansion is about 260 bits which is much smaller than that of all previously proposed schemes, and the security of our scheme is tightly related to q -Strong Diffie-Hellman problem in the random oracle model.