Signature Scheme

Symmetric secret"-based RFID systems are widely adopted in supply chains. In such RFID systems, a reader's ability to identify a RFID tag relies on the possession of the tag's secret which is usually only known by its owner. If a "symmetric secret"-based RFID system is deployed in third party logistics (3PL) supply chains, all the three parties (the sender of the goods, the receiver of the goods and the 3PL provider) should have a copy of those tags' secrets to access the tags. In case the three parties in 3PL supply chain are not all honest, sharing the secrets among the three parties will cause security and privacy problems. To solve these problems, we firstly formalize the security and privacy requirements of RFID system for 3PL supply considering the existence of the internal adversaries as well as the external adversaries. Then we propose two different protocols which satisfy the requirements, one is based on aggregate massage authentication codes, the other is based on aggregate signature scheme. Based on the comparisons of the two protocols on performance and usability, we get the conclusion that overall the aggregate MAC-based solution is more applicable in 3PL supply chains.

The paper presents a fully distributed private aggregation protocol that can be employed in dynamical networks where communication is only assumed on a neighbor-to-neighbor basis. The novelty of the scheme is its low overhead in communication and computation due to a pre-processing phase that can be executed even before the participants know their input to aggregation. Moreover, the scheme is resilient to node drop-outs, and it is defined without introducing any trusted or untrusted third parties. We prove the privacy of the scheme itself and subsequently, we discuss the privacy leakage caused by the output of the scheme. Finally, we discuss implementation of the proposed protocol to solve distributed optimization problems using two versions of the alternating direction method of multipliers (ADMM).

Research within "post-quantum" cryptography has focused on development of schemes that resist quantum cryptanalysis. However, if such schemes are to be deployed, practical questions of efficiency and physical security should also be addressed; this is particularly important for embedded systems. To this end, we investigate issues relating to side-channel attack against the McEliece and Niederreiter public-key cryptosystems, for example improving those presented by , and novel countermeasures against such attack.

Anonymous proxy signature is suitable for the situation where the proxy signer's identity needs to be kept secret. The verifier needs to reveal the real identity of the proxy signer with the help of the original signer. A new ID-based anonymous proxy chameleon signature scheme based on bilinear pairing is proposed in this paper. This scheme is based on Gap Diffie-Hellman group and meets the security requirements such as verifiability, un-forge ability, anonymity, traceability, Prevention of misuse, non-repudiation and Message hiding.

It is known how to transform certain canonical three-pass identification schemes into signature schemes via the Fiat-Shamir transform. Pointcheval and Stern showed that those schemes are existentially unforgeable in the random-oracle model leveraging the, at that time, novel forking lemma. Recently, a number of 5-pass identification protocols have been proposed. Extending the above technique to capture 5-pass identification schemes would allow to obtain novel unforgeable signature schemes. In this paper, we provide an extension of the forking lemma (and the Fiat-Shamir transform) in order to assess the security of what we call ngeneric signature schemes. These include signature schemes that are derived from certain (2n + 1)-pass identification schemes. In doing so, we put forward a generic methodology for proving the security of a number of signature schemes derived from (2n + 1)-pass identification schemes for n ≥ 2. As an application of this methodology, we obtain two new code-based existentially-unforgeable signature schemes, along with a security reduction. In particular, we solve an open problem in multivariate cryptography posed by Sakumoto, Shirai and Hiwatari at CRYPTO 2011.

Under the assumption t h a t encryption functions exist, we show that es in NP Dossess zero-knowledge Dr& T h a t is, it is possible to demonstrate that a CNF formula is satisfiable without revealing any other property of the formula. In particular, without yielding neither a satisfying assignment nor weaker properties such as whether there is a satisfying assignment in which xl=TRUE, o r whether there is a satisfying assignment in which z 1=x3 etc. The above result allows us to prove two fundamental theorems in the field of (twoparty and multi-party) cryptographic protocols. These theorems yield automatic and efficient transformations that, given a protocol that is correct with respect to an extremely weak adversary, o u t p u t a protocol correct in the most adversarial scenario. Thus, these theorems imply powerful methodologies for developing two-party and multiparty cryptographic protocols.

We investigate the feasibility of a variety of cryptographic tasks with imperfect randomness. The kind of imperfect randomness we consider are entropy sources, such as those considered by Santha and Vazirani, Chor and Goldreich, and Zuckerman. We show the following: ¯Certain cryptographic tasks like bit commitment, encryption, secret sharing, zero-knowledge, noninteractive zero-knowledge, and secure two-party computation for any non-trivial function are impossible to realize if parties have access to entropy sources with slightly less-than-perfect entropy, i.e., sources with imperfect randomness. These results are unconditional and do not rely on any unproven assumption. ¯On the other hand, based on stronger variants of standard assumptions, secure signature schemes are possible with imperfect entropy sources. As another positive result, we show (without any unproven assumption) that interactive proofs can be made sound with respect to imperfect entropy sources.

A large and growing body of research has sought to secure cryptographic systems against physical attacks. Motivated by a large variety of real-world physical attacks on memory, an important line of work was initiated by Akavia, Goldwasser, and Vaikuntanathan [1] where security is sought under the assumptions that: (1) all memory is leaky, and (2) leakage can be an arbitrarily chosen (efficient) function of the memory. However, physical attacks on memory are not limited to leakagethrough side-channels, but can also include active tampering attacks through a variety of physical attacks, including heat and EM radiation. Nevertheless, protection against the analogous model for tampering -where (1) all memory is tamperable, and (2) where the tampering can be an arbitrarily chosen (efficient) function applied to the memory -has remained an elusive target, despite significant effort on tampering-related questions. In this work, we tackle this question by considering a model where we assume that both of these pairs of statements are true -that all memory is both leaky and (arbitrarily) tamperable. Furthermore, we assume that this leakage and tampering can happen repeatedly and continually (extending the model of in the context of leakage). We construct a signature scheme and an encryption scheme that are provably secure against such attacks, assuming that memory can be updated in a randomized fashion between episodes of tampering and leakage. In both schemes we rely on the linear assumption over bilinear groups. We also separately consider a model where only continual and repeated tampering (but only bounded leakage) is allowed, and we are able to obtain positive results assuming only that "self-destruct" is possible, without the need for memory updates. Our results also improve previous results in the continual leakage regime without tampering . Whereas previous schemes secure against continual leakage (of arbitrary bounded functions of the secret key), could tolerate only 1/2leakage-rate between key updates under the linear assumption over bilinear groups, our schemes can tolerate 1leakage-rate between key updates, under the same assumption.

In this paper, we construct a fully homomorphic encryption (FHE) scheme over integers with the message space Z Q for any prime Q. Even for the binary case Q = 2, our decryption circuit has a smaller degree than that of the previous scheme; the multiplicative degree is reduced from O(λ(log λ) 2 ) to O(λ), where λ is the security parameter. We also extend our FHE scheme to a batch FHE scheme.

Elliptic Curve Cryptography (ECC) and the related cryptographic systems have become widespread alternatives to provide secure channels of communication within our everexpanding networked universe. Cryptosystems play an important role in keeping the privacy of information when it is sent over the network or stored. But as threats and resources grow exponentially higher the only solution is to constantly develop and make more complex systems to remain safe. The Menezes-Vanstone Elliptic Curve Cryptosystem (MVECC) is a cryptographic scheme based on elliptic curve mathematics, designed for data encryption and transmission. A linear Bé zier curve is a mathematical construct used in computer graphics, and it's defined by a set of control points. This paper presents an extension to MVECC with a linear Bé zier curve equation. This is implemented using a modification of the linear Bé zier curve equation to propose the encryption/decryption equations. Also, define a new secret key 𝜅, with u (where 𝑢 ∈ [0,1]) and create it with scalar multiplication in ECC by the public key 𝑅 𝑘 of MVECC. The purpose of this paper is to enhance the general complexity of the MVECC for key generation, encryption, and decryption operations. This research paper aims to increase the complexity of MVECC by incorporating the behavior of the linear Bé zier curve equation. The test of randomness of the ciphertext of the proposed method is depends on several tests issued by the National Institute of Standards and Technology (NIST). The timing of the proposed method has been tested, and the required processes have been calculated. Results show that the proposed modification has the complexity and randomness to provide higher security levels.

We propose a short traceable signature scheme based on bilinear pairings. Traceable signatures, introduced by Kiayias, Tsiounis and Yung (KTY), support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signatures. Designing short signatures based on the power of pairing has been a current activity of cryptographic research, and is especially needed for long constructions like that of traceable signatures. The size of a signature in our scheme is less than one third of the size in the KTY scheme and about 40% of the size of the pairing based traceable signature (which has been the shortest till today). The security of our scheme is based on the Strong Diffie-Hellman assumption and the Decision Linear Diffie-Hellman assumption. We prove the security of our system in random oracle model using the security model given by KTY.

We consider a situation where the adversary performs a second preimage attack and is able to influence slightly the preconditions under which the iterated hash function is used. In the first variant of the attack, the adversary is able to choose the initial value of the hash function after receiving the original message. In the second variant, the adversary is allowed to determine a prefix of the original message and has to create a second preimage with the same prefix. Both of these attacks use diamond structures and the expected number of compression function calls required to complete each of them successfully is in O( √ n•2 2n 3 ) while on random oracle hash function it is in O(2 n ). We also show that it is possible to decrease the before mentioned expected value to O( 2n-l 3 ) if the length of the original message is 2 l and l is sufficiently large. Furthermore, we generalize these attacks to work against concatenated hash functions as well.

Metering Infrastructure (AMI) networks. However, few works have studied the efficient use of public key cryptography certificates in such a network and most of them focus on certificates' revocation. In this paper, we extensively investigate the performance our previous proposal on an efficient certificate renewal scheme that we proposed for AMI networks. First, quantitative analysis is carried out to compare our scheme against signature-based certificate renewal schemes. Then, all schemes are implemented in a realistic network model using NS-3 to evaluate their performance. Simulation results demonstrate the improved performance of our scheme in computational cost, communication overhead, end-to-end delay, packet delivery ratio, and required bandwidth compared with the signature-based certificate renewal scheme.

Recent work, including ZKBoo, ZKB++, and Ligero, has developed efficient non-interactive zero-knowledge proofs of knowledge (NIZKPoKs) for Boolean circuits based on symmetric-key primitives alone, using the "MPC-in-the-head" paradigm of Ishai et al. We show how to instantiate this paradigm with MPC protocols in the preprocessing model; once optimized, this results in an NIZKPoK with shorter proofs (and comparable computation) as in prior work for circuits containing roughly 300-100,000 AND gates. In contrast to prior work, our NIZKPoK also supports witness-independent preprocessing, which allows the prover to shift most of its work to an offline phase before the witness is known. We use our NIZKPoK to construct a signature scheme based only on symmetric-key primitives (and hence with "post-quantum" security). The resulting scheme has shorter signatures than the scheme built using ZKB++ (and comparable signing/verification time), and is even competitive with hash-based signature schemes. To further highlight the flexibility and power of our NIZKPoK, we also use it to build efficient ring and group signatures based on symmetric-key primitives alone. To our knowledge, the resulting schemes are the most efficient constructions of these primitives that offer post-quantum security.

A seminal result in cryptography is that signature schemes can be constructed (in a black-box fashion) from any one-way function. The minimal assumptions needed to construct blind signature schemes, however, have remained unclear. Here, we rule out black-box constructions of blind signature schemes from one-way functions. In fact, we rule out constructions even from a random permutation oracle, and our results hold even for blind signature schemes for 1-bit messages that achieve security only against honest-but-curious behavior. This work was done while visiting the University of Maryland. Camenisch, Neven, and Shelat [9] (see also ) shows that any unique blind signature scheme implies oblivious transfer. Combined with known results showing that oblivious transfer cannot be constructed in a black-box fashion from one-way permutations, this at first may appear to rule out black-box constructions of blind signatures from one-way permutations. The uniqueness requirement, however, is quite strong: Fiore and Schröder show that unique signatures (even without the blindness requirement) cannot be constructed in a black-box fashion even from trapdoor permutations . More importantly, uniqueness is not a standard desideratum for blind signatures and the result of Camenisch et al. implies nothing for blind signatures without the uniqueness property. In another line of work, Fischlin and Schröder show that three-round blind signature schemes with signature-derivation checks cannot be constructed in a black-box way from any non-interactive problem. Their result, however, says nothing about protocols with more rounds, or for schemes that do not have signature-derivation checks. We refer to the reader to for a comprehensive survey of the above results. As our main result, we show: Theorem 1 (Main theorem). There is no black-box construction of blind signature schemes from one-way functions.

We propose and analyze two efficient signature schemes whose security is tightly related to the Diffie-Hellman problems in the random oracle model. The security of our first scheme relies on the hardness of the computational Diffie-Hellman problem; the security of our second scheme-which is more efficient than the first-is based on the hardness of the decisional Diffie-Hellman problem, a stronger assumption. Given the current state of the art, it is as difficult to solve the Diffie-Hellman problems as it is to solve the discrete logarithm problem in many groups of cryptographic interest. Thus, the signature schemes shown here can currently offer substantially better efficiency (for a given level of provable security) than existing schemes based on the discrete logarithm assumption. The techniques we introduce can also be applied in a wide variety of settings to yield more efficient cryptographic schemes (based on various number-theoretic assumptions) with tight security reductions.

Efficient member revocation and strong security against attacks are prominent requirements in group signature schemes. Among the revocation approaches Verifier-local revocation is the most flexible and efficient method since it requires to inform only the verifiers regarding the revoked members. The verifier-local revocation technique uses a token system to manage members’ status. However, the existing group signature schemes with verifier-local revocability rely on weaker security. On the other hand, existing static group signature schemes rely on a stronger security notion called, full-anonymity. Achieving the full-anonymity for group signature schemes with verifier-local revocation is a quite challenging task. This paper aims to obtain stronger security for the lattice-based group signature schemes with verifier-local revocability, which is closer to the full-anonymity. Moreover, this paper delivers a new key-generation method which outputs revocation tokens without derivin...

A group signature scheme allows group members to issue signatures on behalf of the group, while hiding for each signature which group member actually issued it. Such scheme also involves a group manager, who is able to open any group signature by showing which group member issued it. We introduce the concept of list signatures as a variant of group signatures which sets a limit on the number of signatures each group member may issue. These limits must be enforced without having the group manager open signatures of honest group members-which excludes the trivial solution in which the group manager opens every signature to see whether some group members exceed their limits. Furthermore, we consider the problem of publicly identifying group members who exceed their limits, also without involving the group manager.

This memo represents a republication of PKCS #1 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document is taken directly from the PKCS #1 v2.1 document, with certain corrections made during the publication process. Table of Contents 1. Introduction.

This bulletin describes a recently devised attack on PKCS #1 v1.5, the RSA Encryption Standard [3]. This attack affects only the digital envelope portion of PKCS #1. In the following sections we describe the digital enveloping method in PKCS #1 and the new attack. We also describe a variety of countermeasures that successfully thwart the attack, in particular, we describe the countermeasure to be found in PKCS #1 v2.

In this paper, we propose a novel privacy-preserving location assurance protocol for secure location-aware services over vehicular ad hoc networks (VANETs). In particular, we introduce the notion of location-aware credentials based on "hash-sign-switch" paradigm so as to guarantee the trustworthiness of location in location-aware services while providing conditional privacy preservation which is a desirable property for secure vehicular communications. Furthermore, the proposed protocol provides efficient procedures that alleviate a burden of computation for location-aware signature generation and verification on vehicles in VANETs. In order to achieve these goals, we consider online/offline signature scheme and identity-based aggregate signature scheme as our building blocks. Finally, we demonstrate experimental results to confirm the efficiency and effectiveness of the proposed protocol.

Attaching digital signatures to state update messages in global distributed shared object (DSO) systems is not trivial. If the DSO consists of a number of autonomous local representative that use open, public networks for maintaining the state consistency, allowing a local representative to sign state update messages is not appropriate. More sophisticated schemes are required to prevent unauthorized state updates by malicious local representative or external parties. This paper examines the problem in detail, compares a number of possible solutions, and identifies the most suitable one and demonstrates how the state update messages can be signed using the identified solution.

Multisignature threshold schemes combine the properties of threshold group-oriented signature schemes and Multisignature schemes to yield a signature scheme that allows more group members to collaboratively sign an arbitrary message. In contrast to threshold group signatures, the individual signers do not remain anonymous, but are publicly identifiable from the information contained in the valid Multisignature. The main objective of our project is to propose such a secure and efficient Multisignature scheme. Our project shows that the proposed scheme eliminates the latest attacks to which other similar schemes are subject. Multisignature is based on distributed-key management infrastructure (DKMI), which consists of distributed-key generation (DKG) protocol and distributed-key redistribution/updating (DKRU) protocol. The round optimal DKRU protocol solves a major problem with existing secret redistribution /updating schemes by giving group members a mechanism to identify malicious o...

Factoring-based public-key cryptosystems have an overall complexity which is dominated by the key-production algorithm, which requires the generation of prime numbers. This is most inconvenient in settings where the key-generation is not an one-off process, e.g., secure delegation of computation or EKE password-based key exchange protocols. To this end, we extend the Goldwasser-Micali (GM) cryptosystem to a provably secure system, denoted SIS, where the generation of primes is bypassed. By developing on the correct choice of the parameters of SIS, we align SIS's security guarantees (i.e., resistance to factoring of moduli, etc.) to those of other well-known factoring-based cryptosystems. Taking into consideration different possibilities to implement the fundamental operations, we explicitly compare and contrast the asymptotic complexity of well-known public-key cryptosystems (e.g., GM and/or RSA) with that of SIS's. The latter shows that once we are ready to accept an increase in the size of the moduli, SIS offers a generally lower asymptotic complexity than, e.g., GM or even RSA (when scaling correctly the number of encrypted bits). This would yield most significant speed-ups to applications like the aforementioned secure delegation of computation or protocols where a fresh key needs to be generated with every new session, e.g., EKE password-based key exchange protocols.

Many electronic cash systems have been proposed with the proliferation of the Internet and the activation of electronic commerce. E-cash enables the exchange of digital coins with value assured by the bank's signature and with concealed user identity. In an electronic cash system, a user can withdraw coins from the bank and then spends each coin anonymously and unlinkably. In this paper, we design an efficient anonymous mobile payment system based on bilinear pairings, in which the anonymity of coins is revocable by a trustee in case of dispute. The message transfer from the customer to the merchant occurs only once during the payment protocol. Also, the amount of communication between customer and merchant is about 800 bits. Therefore, our mobile payment system can be used in the wireless networks with the limited bandwidth. The security of the new system is under the computational Diffie-Hellman problem in the random oracle model.

Many electronic cash systems have been proposed with the proliferation of the Internet and the activation of electronic commerce. E-cash enables the exchange of digital coins with value assured by the bank's signature and with concealed user identity. In an electronic cash system, a user can withdraw coins from the bank and then spends each coin anonymously and unlinkably. In this paper, we design an efficient anonymous mobile payment system based on bilinear pairings, in which the anonymity of coins is revocable by a trustee in case of dispute. The message transfer from the customer to the merchant occurs only once during the payment protocol. Also, the amount of communication between customer and merchant is about 800 bits. Therefore, our mobile payment system can be used in the wireless networks with the limited bandwidth. The security of the new system is under the computational Diffie-Hellman problem in the random oracle model.

In this paper we propose a secure and efficient off-line electronic transaction protocol based on an IDbased public key encryption system and group signature schemes, which is constructed from bilinear pairings. The anonymity of the customer is revocable by a trustee in case of dispute. Because the amount of communication in the payment protocol is about 1280 bits, our off-line electronic transaction protocol can be used in the wireless networks with the limited bandwidth or the limited-storage environment such as smart card.

on which the proxy signer can sign. Also, proxy signature schemes can be classified as proxy-unprotected and proxy-protected schemes. In an proxy-protected scheme, the original signer cannot forge a proxy signature in the name of the proxy signer. The proxyprotected schemes provide more security level than the proxy-unprotected signature schemes. A lot of proxy signature schemes [6], [7] and some ID-based proxy signature schemes with special features were proposed, such as identity-based multi-proxy signature [8], [9], identity-based strong designated verifier proxy signature [10], [11]. Cao and Cao [9] claimed that their scheme is provably secure in the random oracle model. However, Xiong et al. [12] proved that their scheme is not secure under their security model. The first proxy signature scheme based on the factoring integer problem is proposed by Shao [13], in 2003. Recently, Zhou et al. [14] proposed two efficient proxy protected signature schemes. Their first scheme is based on RSA [15] assumption and the second scheme is based on the integer factorization problem. Zhou et al. [14] claim that their schemes are more efficient than other schemes. However, Park et al. [16] point out their schemes are insecure. Moreover, Liu et al. [17] point out that Zhou et al.'s [14] schemes are vulnerable to the undelegated proxy signature attack: any attacker without the delegation of the original signer can generate a valid proxy signature. Xue et al. [18] proposed two proxy signature schemes based on the difficulty of factorings of large integers without formal security proofs. Recently, Shao [19] proposed proxy protected signature scheme based on RSA. Also, most proxy signature schemes are based on the difficulty of discrete logarithm problem [20] or elliptic curve discrete logarithm problem [21]. Chen et al. proposed in [20] a proxy signature scheme based on the Digital Signature Algorithm (DSA). Mambo et al. [1], [22] proposed three proxy signature schemes based on ElGamal's signature scheme [23], Schnorr's signature

In this paper we present a secure and efficient transaction protocol that provides the anonymity and can detect the double spending. The proposed payment system is based on the ElGamal encryption scheme, the ElGamal signature scheme and the ElGamal blind signature protocol. We show that our transaction protocol is secure and efficient. We give the definitions of unlinkability and unforgeability of our security model and we prove that the proposed transaction protocol is unforgeable and satisfies the unlinkability property. We show that the proposed system is more efficient, in terms of the computation and communication cost, than the compared payment systems (Eslami et al. in Electron Commer Res

In data outsourcing, a client stores a large amount of data on an untrusted server; subsequently, the client can request the server to compute a function on any subset of the data. This setting naturally leads to two security requirements: confidentiality of input data, and authenticity of computations. Existing approaches that satisfy both requirements simultaneously are built on fully homomorphic encryption, which involves expensive computation on the server and client and hence is impractical. In this paper, we propose two verifiable homomorphic encryption schemes that do not rely on fully homomorphic encryption. The first is a simple and e cient scheme for linear functions. The second scheme supports the class of multivariate quadratic functions, by combining the Paillier cryptosystem with a new homomorphic message authentication code (MAC) scheme. Through formal security analysis, we show that the schemes are semantically secure and unforgeable.

We propose a decoding algorithm for a class of convolutional codes called skew BCH convolutional codes. These are convolutional codes of designed Hamming distance endowed with a cyclic structure yielding a left ideal of a non-commutative ring (a quotient of a skew polynomial ring). In this setting, right and left division algorithms exist, so our algorithm follows the guidelines of the Sugiyama's procedure for finding the error locator and error evaluator polynomials for BCH block codes.

The main problem in designing effective code obfuscation is to guarantee security. State of the art obfuscation techniques rely on an unproven concept of security, and therefore are not regarded as provably secure. In this paper, we undertake a theoretical investigation of code obfuscation security based on Kolmogorov complexity and algorithmic mutual information. We introduce a new definition of code obfuscation that requires the algorithmic mutual information between a code and its obfuscated version to be minimal, allowing for controlled amount of information to be leaked to an adversary. We argue that our definition avoids the impossibility results of Barak et al. and is more advantageous then obfuscation indistinguishability definition in the sense it is more intuitive, and is algorithmic rather than probabilistic.

Abstract: In [3] the authors give the first mathematical formalization of an unconditionally secure commitment scheme. Their construction has some similarities to one used to build authentication codes, so they raise the question whether there is some relation between commitment ...

There are two principal notions of security for cryptographic systems. For a few systems, they can be proven to have perfect secrecy against an opponent with unlimited computational power, in terms of information theory. However, the security of most systems, including public key cryptosystems, is based on complexity theoretic assumptions. In both cases there is an implicit notion of average-case analysis. In the case of conditional security, the underlying assumption is usually average-case, not worst case hardness. And for unconditional security, entropy itself is an average case notion of encoding length. Kolmogorov complexity (the size of the smallest program that generates a string) is a rigorous measure of the amount of information, or randomness, in an individual string x. By considering the timebounded Kolmogorov complexity (program limited to run in time t(|x|)) we can take into account the computational difficulty of extracting information. We present a new notion of security based on Kolmogorov complexity. The first goal is to provide a formal definition of what it means for an individual instance to be secure. The second goal is to bridge the gap between information theoretic security, and computational security, by using time-bounded Kolmogorov complexity. In this paper, we lay the groundwork of the study of cryptosystems from the point of view of security of individual instances by considering three types of information-theoretically secure cryptographic systems: cipher systems (such as the one-time pad), threshold secret sharing, and authentication schemes.

The worthwhile data mining tools encourage the companies to share their data to be mined. Whereas, the companies are avoided passing their data to the miner directly because of their privacy and confidentially roles. Multi Party Computation (MPC) is a cryptographic tool which consummates aggregation on distributed data with ensuring the privacy preserving of sensitive data. In this paper, we represent a secure summation algorithm for online transactions, where the users will join the system piecemeal. The algorithm emerges the excessively useful response time, so the execution time of summation for 1000 users' data is only 0.9s.

Direct Anonymous Attestation (DAA) is an anonymous digital signature that aims to provide both signer authentication and privacy. DAA was designed for the attestation service of the Trusted Platform Module (TPM). In this application, a DAA signer role is divided into two parts: the principal signer which is a TPM, and an assistant signer which is a standard computing platform in which the TPM is embedded, called the Host. A design feature of a DAA solution is to make the TPM workload as low as possible. This paper presents a lattice-based DAA (L-DAA) scheme to meet this requirement. Security of this scheme is proved in the Universally Composable (UC) security model under the hard assumptions of the Ring Inhomogeneous Short Integer Solution (Ring-ISIS) and Ring Learning With Errors (Ring-LWE) problems. Our L-DAA scheme includes two building blocks, one is a modification of the Boyen lattice based signature scheme and another is a modification of the Baum et al. lattice based commitme...

Side Channel Attack (SCA) exploits the physical information leakage (such as electromagnetic emanation) from a device that performs some cryptographic operation and poses a serious threat in the present IoT era. In the last couple of decades, there have been a large body of research works dedicated to streamlining/improving the attacks or suggesting novel countermeasures to thwart those attacks. However, a closer inspection reveals that a vast majority of published works in the context of symmetric key cryptography is dedicated to block ciphers (or similar designs). This leaves the problem for the stream ciphers wide open. There are few works here and there, but a generic and systematic framework appears to be missing from the literature. Motivating by this observation, we explore the problem of SCA on stream ciphers with extensive details. Loosely speaking, our work picks up from the recent TCHES’21 paper by Sim, Bhasin and Jap. We present a framework by extending the efficiency of...

Certificateless public key cryptography (CL-PKC), does not require the use of the certificate to guarantee the authenticity of public keys. It does rely on the use of a trusted third party (TTP) who is in possession of a master key. CL-PKC does not suffer from the key escrow property. Thus, CL-PKC can be seen as a model for the use of public key cryptography.

In this paper we expand Lentstra's manuscript [Le] and try to explain the different steps of the Rijndael algorithm in a comprehensive and detailed manner. Moreover we prove that the encryption algorithm is invertible, implying that the decryption is valid. Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen. The design of Rijndael was strongly influenced by the design of the block cipher Square. Because of Rijndael's combination of security, performance, efficiency, ease of implementation and flexibility, it won the U.S. Advanced Encryption Standard competition. In this paper, we will focus on the finite field algebra used by Rijndael, and expand upon the ideas presented in Lenstra's manuscript [Le]. First we need some mathematical preliminaries about groups and fields. Groups are structures that consist of a set of elements and one operation defined on these elements. Definition: A group < G, + > consists of a set G and an operation defined on its elements, here denoted by '+':

Hard mathematical problems are at the core of security arguments in cryptography. In this paper, we study mathematical generalizations of the famous Rubik's cube puzzle, namely the factorization, representation and balance problems in non-Abelian groups. These problems arise naturally when describing the security of Cayley hash functions, a class of cryptographic hash functions with very interesting properties. The factorization problem is also strongly related to a famous long-standing conjecture of Babai, at the intersection of group theory and graph theory. A constructive proof of Babai's conjecture would make all Cayley hash functions insecure, but on the other hand it would have many positive applications in graph theory and computer science. In this paper, we classify existing attacks against Cayley hash functions and we review known results on Babai's conjecture. Despite recent cryptanalytic progress on particular instances, we show that the factorization, representation and balance problems presumably remain good sources of cryptographic hard problems. Our study demonstrates that Cayley hash functions deserve further interest by the cryptography community. Disclaimer. This paper contains essentially no new result but it rather collects and organizes all the results that were independently found by two distinct scientific communities on the same problems. Between September 2009 and May 2010, the first author gave a sequence of talks to a cryptographic audience, entitled "Hash functions and Cayley graphs: the end of the story?". Surprisingly, many cryptographers seemed to either ignore the beautiful Cayley hash construction, or believe that it had been definitively broken. The very positive feedback received after these talks motivated us to write this survey and to complete it with known results on Babai's conjecture.

We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Õ of integers modulo a prime Õ and in the multiplicative subgroup of order Õ in £ Ô for Õ Ô ½ with generator . The output of our compiler is an implementation of each party in a two-party protocol to perform the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and other protocols that employ a trusted party (e.g., key retrieval, key distribution).

Proxy signature schemes have been invented to delegate signing rights. The paper proposes a new concept of Identify Based Strong Bi-Designated Verifier threshold proxy signature (ID-SBDVTPS) schemes. Such scheme enables an original signer to delegate the signature authority to a group of 'n' proxy signers with the condition that 't' or more proxy signers can cooperatively sign messages on behalf of the original signer and the signatures can only be verified by any two designated verifiers and that they cannot convince anyone else of this fact.

Video authentication aims to ensure the trustworthiness of the video by verifying the integrity and source of video data. It has gained much attention in the recent years. In this paper we present the issues in the designing of a video authentication system. These ...

Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, simulation soundness, non-malleability, and universal composability. In this paper we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any -protocol (which is honest-verifier zero-knowledge) into a simulation sound concurrent zero-knowledge protocol. We also introduce -protocols, a variant of -protocols for which our technique further achieves the properties of nonmalleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather

The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of several known multivariate trapdoor functions. For example the signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than the exhaustive search is known. This will allow us to formulate our key assumption on which the provable security results can be build. In the second part, we study the security concrete security of signature schemes under our assumption. We study some general constructions, that transform a trapdoor function into a short signature scheme, and in particular these designed to obtain short signatures. On the one hand, we present generic attacks on such constructions. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2 80 ) computations with O(2 80 ) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide. Finally we also apply our results for Flash and Sflash.

The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of several known multivariate trapdoor functions. For example the signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than the exhaustive search is known. This will allow us to formulate our key assumption on which the provable security results can be build. In the second part, we study the security concrete security of signature schemes under our assumption. We study some general constructions, that transform a trapdoor function into a short signature scheme, and in particular these designed to obtain short signatures. On the one hand, we present generic attacks on such constructions. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2 80 ) computations with O(2 80 ) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide. Finally we also apply our results for Flash and Sflash.

Applied cryptographic protocols have to meet a rich set of security requirements under diverse environments and against diverse adversaries. However, currently used security specifications, based on either simulation (e.g., 'ideal functionality' in UC) or games , are monolithic, combining together different aspects of protocol requirements, environment and assumptions. Such security specifications are complex, error-prone, and foil reusability, modular analysis and incremental design. We present the Modular Security Specifications (MoSS) framework, which cleanly separates the security requirements (goals) which a protocol should achieve, from the models (assumptions) under which each requirement should be ensured. This modularity allows us to reuse individual models and requirements across different protocols and tasks, and to compare protocols for the same task, either under different assumptions or satisfying different sets of requirements. MoSS is flexible and extendable, e.g., it can support both asymptotic and concrete definitions for security. So far, we confirmed the applicability of MoSS to two applications: secure broadcast protocols and PKI schemes.