Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben

2015 | Buch

Weak-Key and Related-Key Analysis of Hash-Counter-Hash Tweakable Enciphering Schemes Kapitel lesen Erstes Kapitel lesen

Information Security and Privacy

20th Australasian Conference, ACISP 2015, Brisbane, QLD, Australia, June 29 -- July 1, 2015, Proceedings

herausgegeben von: Ernest Foo, Douglas Stebila

Verlag: Springer International Publishing

Buchreihe : Lecture Notes in Computer Science

Enthalten in: Springer Professional "Wirtschaft+Technik" , Springer Professional "Technik" , Springer Professional "Wirtschaft"

Einloggen, um Zugang zu erhalten
insite
SUCHEN

Über dieses Buch

This book constitutes the refereed conference proceedings of the 20th Australasian Conference on Information Security and Privacy, ACISP 2015, held in Brisbane, QLD, Australia, in June/July 2015.

The 28 revised full papers presented in this volume were carefully revised and selected from 112 submissions. The papers are organized in topical sections on symmetric cryptanalysis; public key cryptography; identity-based encryption; digital signatures; security protocols; privacy protocols; symmetric constructions; homomorphic encryption and obfuscation.

Inhaltsverzeichnis

Frontmatter

Symmetric Cryptanalysis

Frontmatter
Weak-Key and Related-Key Analysis of Hash-Counter-Hash Tweakable Enciphering Schemes
Abstract
We analyze three tweakable enciphering schemes (TES) XCB, HCTR and HCH, which all consist of polynomial evaluation hash function as their first and third layers and CTR mode in the middle. The weak keys of polynomial evaluation hash in message authentication code and authenticated encryption have been thoroughly analyzed, but have never applied in TES. We point out that XCB, HCTR and HCH (and two variations of HCH: HCHp and HCHfp) can not resist distinguishing attack, key-recovery attack and plaintext-recovery attack once the weak key is recognized. We also analyze the security of related-key attacks against these schemes, showing that HCTR, HCHp and HCHfp suffer related-key attack and XCB and HCH can resist related-key attack under the assumption that the underlying block cipher resists related-key attack.
Zhelei Sun, Peng Wang, Liting Zhang
Cryptanalysis of Reduced-Round Whirlwind
Abstract
The Whirlwind hash function, which outputs a 512-bit digest, was designed by Barreto \(et\ al.\) and published by Design, Codes and Cryptography in 2010. In this paper, we provide a thorough cryptanalysis on Whirlwind. Firstly, we focus on security properties at the hash function level by presenting (second) preimage, collision and distinguishing attacks on reduced-round Whirlwind. In order to launch the preimage attack, we have to slightly tweak the original Meet-in-the-Middle preimage attack framework on AES-like compression functions by partially fixing the values of the state. Based on this slightly tweaked framework, we are able to construct several new and interesting preimage attacks on reduced-round Whirlpool and AES hashing modes as well. Secondly, we investigate security properties of the reduced-round components of Whirlwind, including semi-free-start and free-start (near) collision attacks on the compression function, and a limited-birthday distinguisher on the inner permutation. As far as we know, our results are currently the best cryptanalysis on Whirlwind.
Bingke Ma, Bao Li, Ronglin Hao, Xiaoqian Li
Improving the Biclique Cryptanalysis of AES
Abstract
Biclique attack is currently the only key-recovery attack on the full AES with a single key. Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size \(2^8\times 2^8\) and reducing the number of S-boxes computed in the matching phase. Their results were improved later by better selections of differential characteristics in the biclique construction. In this paper, we improve the biclique attack by increasing the biclique size to \(2^{16}\times 2^8\) and \(2^{16}\times 2^{16}\). We have a biclique attack on each of the following AES versions:
  • AES-128 with time complexity \(2^{126.13}\) and data complexity \(2^{56}\),
  • AES-128 with time complexity \(2^{126.01}\) and data complexity \(2^{72}\),
  • AES-192 with time complexity \(2^{189.91}\) and data complexity \(2^{48}\), and
  • AES-256 with time complexity \(2^{254.27}\) and data complexity \(2^{40}\).
Our results have the best time complexities among all the existing key-recovery attacks with data less than the entire code book.
Biaoshuai Tao, Hongjun Wu

Public Key Cryptography

Frontmatter
A New General Framework for Secure Public Key Encryption with Keyword Search
Abstract
Public Key Encryption with Keyword Search (PEKS), introduced by Boneh et al. in Eurocrypt’04, allows users to search encrypted documents on an untrusted server without revealing any information. This notion is very useful in many applications and has attracted a lot of attention by the cryptographic research community. However, one limitation of all the existing PEKS schemes is that they cannot resist the Keyword Guessing Attack (KGA) launched by a malicious server. In this paper, we propose a new PEKS framework named Dual-Server Public Key Encryption with Keyword Search (DS-PEKS). This new framework can withstand all the attacks, including the KGA from the two untrusted servers, as long as they do not collude. We then present a generic construction of DS-PEKS using a new variant of the Smooth Projective Hash Functions (SPHFs), which is of independent interest.
Rongmao Chen, Yi Mu, Guomin Yang, Fuchun Guo, Xiaofen Wang
Dynamic Threshold Public-Key Encryption with Decryption Consistency from Static Assumptions
Abstract
Dynamic threshold public-key encryption (dynamic TPKE) is a natural extension of ordinary TPKE which allows decryption servers to join the system dynamically after the system is set up, and allows the sender to dynamically choose the authorized set and the decryption threshold at the time of encryption. Currently, the only known dynamic TPKE scheme is a scheme proposed by Delerablée and Pointcheval (CRYPTO 2008). This scheme is proven to provide message confidentiality under a \(q\)-type assumption, but to achieve decryption consistency, a random oracle extension is required.
In this paper we show conceptually simple methods for constructing dynamic TPKE schemes with decryption consistency from only static assumptions (e.g., the decisional linear assumption in bilinear groups) without relying on random oracles. Our first construction is a purely generic construction from public-key encryption with non-interactive opening (PKENO) formalized by Damgård et al. (CT-RSA 2008). However, this construction achieves a slightly weaker notion of decryption consistency compared to the random oracle extension of the Delerablée and Pointcheval scheme, which satisfies the notion defined by Boneh, Boyen and Halevi (CT-RSA 2005). Our second construction uses a specific PKENO scheme based on the decisional linear assumption in combination with the efficient zero-knowledge proofs by Groth and Sahai. In contrast to our first construction, our second construction achieves the stronger notion of decryption consistency defined by Boneh, Boyen and Halevi.
Yusuke Sakai, Keita Emura, Jacob C.N. Schuldt, Goichiro Hanaoka, Kazuo Ohta
Sponge Based CCA2 Secure Asymmetric Encryption for Arbitrary Length Message
Abstract
OAEP and other similar schemes proven secure in Random-Oracle Model require one or more hash functions with output size larger than those of standard hash functions. In this paper, we show that by utilizing popular Sponge constructions in OAEP framework, we can eliminate the need of such hash functions. We provide a new scheme in OAEP framework based on Sponge construction and call our scheme Sponge based asymmetric encryption padding (SpAEP). SpAEP is based on 2 functions: Sponge and SpongeWrap, and requires only standard output sizes proposed and standardized for Sponge functions. Our scheme is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary length messages. Our scheme utilizes the versatile Sponge function to enhance the capability and efficiency of the OAEP framework. SpAEP with any trapdoor one-way permutation can also be used as a key encapsulation mechanism and a tag-based key encapsulation mechanism for hybrid encryption. Our scheme SpAEP utilizes the permutation model efficiently in the setting of public key encryption in a novel manner.
Tarun Kumar Bansal, Donghoon Chang, Somitra Kumar Sanadhya
Trade-Off Approaches for Leak Resistant Modular Arithmetic in RNS
Abstract
On an embedded device, an implementation of cryptographic operation, like an RSA modular exponentiation [12], can be attacked by side channel analysis. In particular, recent improvements on horizontal power analysis [3, 10] render ineffective the usual counter-measures which randomize the data at the very beginning of the computations [2, 4]. To counteract horizontal analysis it is necessary to randomize the computations all along the exponentiation. The leak resistant arithmetic (LRA) proposed in [1] implements modular arithmetic in residue number system (RNS) and randomizes the computations by randomly changing the RNS bases. We propose in this paper a variant of the LRA in RNS: we propose to change only one or a few moduli of the RNS basis. This reduces the cost of the randomization and makes it possible to be executed at each loop of a modular exponentiation.
Christophe Negre, Guilherme Perin

Identity-Based Encryption

Frontmatter
Towards Forward Security Properties for PEKS and IBE
Abstract
In cryptography, forward secrecy is a well-known property for key agreement protocols. It ensures that a session key will remain private even if one of the long-term secret keys is compromised in the future. In this paper, we investigate some forward security properties for Public-key Encryption with Keyword Search (PEKS) schemes, which allow a client to store encrypted data and delegate search operations to a server. The proposed properties guarantee that the client’s privacy is protected to the maximum extent even if his private key is compromised in the future. Motivated by the generic transformation from anonymous Identity-Based Encryption (IBE) to PEKS, we correspondingly propose some forward security properties for IBE, in which case we assume the attacker learns the master secret key. We then study several existing PEKS and IBE schemes, including a PEKS scheme by Nishioka, an IBE scheme by Boneh, Raghunathan and Segev, and an IBE scheme by Arriaga, Tang and Ryan. Our analysis indicates that the proposed forward security properties can be achieved by some of these schemes if the attacker is RO-non-adaptive (the attacker does not define its distributions based on the random oracle). Finally, we propose the concept of correlated-input indistinguishable hash function and show how to extend the Boyen-Waters anonymous IBE scheme to achieve the forward security properties against adaptive attackers.
Qiang Tang
IBE Under $$k$$ k -LIN with Shorter Ciphertexts and Private Keys
Abstract
Many identity-based encryption schemes under the \(k\)-LIN assumption contain \(2k+1\) group elements in the ciphertext overhead and private keys. In this paper,
  • We push the limit further by constructing an IBE scheme under the \(k\)-LIN assumption with \(2k\) group elements in the ciphertext overhead and private keys.
  • Our technique additionally expands to the scheme of Boneh, Raghunathan, and Segev (CRYPTO 2013) to yield more efficient function-private IBE under the DLIN assumption.
The shortened size inherently leads to less exponentiations and pairings in encryption and decryption, and hence yielding schemes with better computational efficiency under \(k\)-LIN.
Kaoru Kurosawa, Le Trieu Phong
Improved Identity-Based Online/Offline Encryption
Abstract
The notion of online/offline encryption was put forth by Guo, Mu and Chen (FC 2008), where they proposed an identity-based scheme called identity-based online/offline encryption (IBOOE). An online/offline encryption separates an encryption into two stages: offline and online. The offline phase carries much more computational load than the online phase, where the offline phase does not require the information of the message to be encrypted and the identity of the receiver. Subsequently, many applications of IBOOE have been proposed in the literature. As an example, Hobenberger and Waters (PKC 2014) have recently applied it to attribute-based encryption. In this paper, we move one step further and explore a much more efficient variant. We propose an efficient semi-generic transformation to obtain an online/offline encryption from a tradition identity-based encryption (IBE). Our transformation provides a new method to separate the computation of receiver’s identity into offline and online phases. The IBOOE schemes using our transformation saves one group element in both offline and online phases compared to other IBOOE schemes in identity computing. The transformed scheme still maintains the same level of security as in the original IBE scheme.
Jianchang Lai, Yi Mu, Fuchun Guo, Willy Susilo
Constructions of CCA-Secure Revocable Identity-Based Encryption
Abstract
Key revocation functionality is important for identity-based encryption (IBE) to manage users dynamically. Revocable IBE (RIBE) realizes such revocation functionality with scalability. In PKC 2013, Seo and Emura first considered decryption key exposure resistance (DKER) as a new realistic threat, and proposed the first RIBE scheme with DKER. Their RIBE scheme is adaptively secure against chosen plaintext attacks (CPA), and there is no concrete RIBE scheme adaptively secure against chosen ciphertext attacks (CCA) even without DKER so far. In this paper, we first propose two constructions of adaptively CCA-secure RIBE schemes with DKER. The first scheme is based on an existing transformation, which is called a BCHK transformation, that a CPA-secure hierarchical IBE scheme can be transformed into a CCA-secure scheme. The second scheme is constructed via the KEM/DEM framework. Specifically, we newly propose a revocable identity-based key encapsulation mechanism (RIB-KEM), and we show a generic construction of a CCA-secure RIBE scheme from the RIB-KEM and a data encapsulation mechanism (DEM). The second scheme is more efficient than the first one in terms of the ciphertext size.
Yuu Ishida, Yohei Watanabe, Junji Shikata

Digital Signatures

Frontmatter
Linkable Message Tagging: Solving the Key Distribution Problem of Signature Schemes
Abstract
Digital signatures guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter haven’t been found yet. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. Importantly, our primitive fully avoids public keys, and hence elegantly sidesteps the key distribution problem of signature schemes.
As an application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely equip all outgoing messages with corresponding tags and verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address.
As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles.
Felix Günther, Bertram Poettering
Generic Transformation to Strongly Existentially Unforgeable Signature Schemes with Continuous Leakage Resiliency
Abstract
In ProvSec 2014, Wang and Tanaka proposed a transformation which converts weakly existentially unforgeable (wEUF) signature schemes into strongly existentially unforgeable (sEUF) ones in the bounded leakage model. To obtain the construction, they combined the leakage resilient (LR) chameleon hash functions with the Generalised Boneh-Shen-Waters (GBSW) transformation proposed by Steinfeld, Pieprzyk, and Wang. However, their transformation cannot be used in a more realistic model called continual leakage model since the secret key of the LR chameleon hash functions cannot be updated.
In this paper, we propose a transformation which can convert wEUF signature schemes into sEUF ones in the continual leakage model. To achieve our goal, we give a new definition of continuous leakage resilient (CLR) chameleon hash function and construct it based on the CLR signature scheme proposed by Malkin, Teranishi, Vahlis, and Yung. Although the CLR chameleon hash functions satisfy the property of strong collision-resistance, because of the existence of the updating algorithm, an adversary may find the kind of collisions such that messages are the same but randomizers are different. From this fact, we cannot combine our chameleon hash functions with the GBSW transformation directly, or the sEUF security of the transformed signature schemes cannot be achieved. To solve this problem, we improve the original GBSW transformation by making use of the Groth-Sahai proof system and then combine it with our CLR chameleon hash functions.
Yuyu Wang, Keisuke Tanaka
Constant Size Ring Signature Without Random Oracle
Abstract
Ring signature enables an user to anonymously sign a message on behalf of a group of users termed as ‘ring’ formed in an ‘ad-hoc’ manner. A naive scheme produces a signature linear in the size of the ring, but this is extremely inefficient when ring size is large. Dodis et al. proposed a constant size scheme in EUROCRYPT’13, but its security is provided in random oracle model. Best known result without random oracle is a sub-linear size construction by Chandran et al. in ICALP’07 and a follow-up work by Essam Ghadafi in IMACC’13. Therefore, construction of a constant size ring signature scheme without random oracle meeting stringent security requirement still remained as an interesting open problem.
Our first contribution is a generic technique to convert a compatible signature scheme to a constant-sized ring signature scheme. The technique employs a constant size set membership check that may be of independent interest. Our construction is instantiated with asymmetric pairing over groups of composite order and meets strongest security requirements, viz. anonymity under full key exposure and unforgeability against insider-corruption without using random oracle under simple hardness assumptions. We also demonstrate a concrete instantiation of the scheme with Full Boneh-Boyen signature scheme.
Priyanka Bose, Dipanjan Das, Chandrasekharan Pandu Rangan

Security Protocols

Frontmatter
Constant-Round Leakage-Resilient Zero-Knowledge Argument for NP from the Knowledge-of-Exponent Assumption
Abstract
In this paper, we study the design of constant-round or even 3-round zero-knowledge protocols for all NP languages resistant against side channel attack. Garg, Jain, and Sahai firstly formalize a meaningful definition of \((1+\epsilon )\)-leakage-resilient zero-knowledge(LRZK), and give a construction of \((1+\epsilon )\)-LRZK, for every constant \(\epsilon >0\). Then, with Barak’s non-black-box (NBB) simulation technique, Pandey presents the first construction of constant-round LRZK satisfying the ideal requirement \(\epsilon =0\). In this paper, we focus on the construction of constant-round (especially 3-round) LRZK protocols for all NP languages satisfying the ideal requirement \(\epsilon =0\), by means of other techniques. Specially, based on extended Knowledge-of-Exponent Assumption over bilinear groups, we obtain a constant-round LRZK argument for Hamiltonian Cycle (HC) problem, and a 3-round LRZK arguments for circuit satisfiability, which is the first 3-round LRZK protocol for NP.
Tingting Zhang, Hongda Li, Guifang Huang
Modelling Ciphersuite and Version Negotiation in the TLS Protocol
Abstract
Real-world cryptographic protocols such as the widely used Transport Layer Security (TLS) protocol support many different combinations of cryptographic algorithms (called ciphersuites) and simultaneously support different versions. Recent advances in provable security have shown that most modern TLS ciphersuites are secure authenticated and confidential channel establishment (ACCE) protocols, but these analyses generally focus on single ciphersuites in isolation. In this paper we extend the ACCE model to cover protocols with many different sub-protocols, capturing both multiple ciphersuites and multiple versions, and define a security notion for secure negotiation of the optimal sub-protocol. We give a generic theorem that shows how secure negotiation follows, with some additional conditions, from the authentication property of secure ACCE protocols. Using this framework, we analyse the security of ciphersuite and three variants of version negotiation in TLS, including a recently proposed mechanism for detecting fallback attacks.
Benjamin Dowling, Douglas Stebila
VisRAID: Visualizing Remote Access for Intrusion Detection
Abstract
Detecting malicious attempts to access computers is difficult with current security applications. Many current applications do not give the user the right information to find and analyze possible attempts. We present VisRAID – a novel visual analytics web application for detecting intrusions via remote access attempts, and a user study to evaluate the effectiveness and usability of the application with security professionals. The implications of the study will help inform the design of future security visualization applications.
Leliel Trethowen, Craig Anslow, Stuart Marshall, Ian Welch
BP-XACML an Authorisation Policy Language for Business Processes
Abstract
XACML has become the defacto standard for enterprise-wide, policy-based access control. It is a structured, extensible language that can express and enforce complex access control policies. There have been several efforts to extend XACML to support specific authorisation models, such as the OASIS RBAC profile to support Role Based Access Control. A number of proposals for authorisation models that support business processes and workflow systems have also appeared in the literature. However, there is no published work describing an extension to allow XACML to be used as a policy language with these models. This paper analyses the specific requirements of a policy language to express and enforce business process authorisation policies. It then introduces BP-XACML, a new profile that extends the RBAC profile for XACML so it can support business process authorisation policies. In particular, BP-XACML supports the notion of tasks, and constraints at the level of a task instance, which are important requirements in enforcing business process authorisation policies.
Khalid Alissa, Jason Reid, Ed Dawson, Farzad Salim

Symmetric Cryptanalysis

Frontmatter
How TKIP Induces Biases of Internal States of Generic RC4
Abstract
RC4, designed by Rivest, is widely used including WPA, which is one of the security protocols for IEEE 802.11 wireless standard. The first 3-byte RC4 keys in WPA generated by IV are known since IV can be obtained by observing a packet. In 2014, Sen Gupta et al. found linear correlations between the keystream byte and known RC4 key bytes. In 2015, Our previous work extended linear correlations to include unknown internal states as well as the keystream byte and known RC4 key bytes. They found more than 150 linear correlations experimentally, and proved only 6 cases theoretically. In this paper, we will provide theoretical proof of 15 cases out of their unproven linear correlations. These theoretical results demonstrated how TKIP key generation procedure in WPA induces biases on internal states different from generic RC4.
Ryoma Ito, Atsuko Miyaji
Preventing Fault Attacks Using Fault Randomization with a Case Study on AES
Abstract
Infective countermeasures have been shown to be the most efficient way to prevent fault attacks which are one of the most effective side-channel attacks on symmetric key ciphers. However, none of the countermeasures have been found to last in terms of security. Battistello et al. [1] has broken the last two surviving infective methods against fault attacks on AES and emphasized on the need of a better security framework for fault attack countermeasures. The current work is the first such step towards achieving the design of a secure infective countermeasure as suggested by [1]. We develop a theoretical framework based on fault randomization to formalize the infective approach used in fault attack countermeasures. On the basis of this formalization, a new infective countermeasure is proposed which employs a randomized non-linear mixing coupled with a linear diffusion function. A case study on AES with a practical construction of the countermeasure is presented. The full design is implemented on Xilinx SPARTAN-3 FPGA platform and compared favorably with a related scheme in literature.
Shamit Ghosh, Dhiman Saha, Abhrajit Sengupta, Dipanwita Roy Chowdhury
Analysis of Rainbow Tables with Fingerprints
Abstract
Cryptanalytic time-memory tradeoffs were introduced by Martin Hellman in 1980 to perform key-recovery attacks on cryptosystems. Rainbow tables are a variant and a major advance presented by Philippe Oechslin at Crypto 2003. Checkpoints for rainbow tables have been proposed in Indocrypt 2005 as a method to reduce the cost of false alarms. Endpoints truncation has also been suggested to reduce their memory consumption.
This article shows that checkpoints and endpoints share the same nature and unifies checkpoints and endpoint truncation in a single model. An analysis of the average cryptanalysis time is presented and validated experimentally, and a method to determine fingerprint configuration systematically is proposed.
Rainbow tables with fingerprints exhibit a speedup of about two with respect to their classical counterparts in average cryptanalysis time.
Gildas Avoine, Adrien Bourgeois, Xavier Carpent

Privacy Protocols

Frontmatter
A New Public Remote Integrity Checking Scheme with User Privacy
Abstract
With a cloud storage, users can store their data files on a remote cloud server with a high quality on-demand cloud service and are able to share their data with other users. Since cloud servers are not usually regarded as fully trusted and the cloud data can be shared amongst users, the integrity checking of the remote files has become an important issue. A number of remote data integrity checking protocols have been proposed in the literature to allow public auditing of cloud data by a third party auditor (TPA). However, user privacy is not taken into account in most of the existing protocols. We believe that preserving the anonymity (i.e., identity privacy) of the data owner is also very importa nt in many applications. In this paper, we propose a new remote integrity checking scheme which allows the cloud server to protect the identity information of the data owner against the TPA. We also define a formal security model to capture the requirement of user anonymity, and prove the anonymity as well as the soundness of the proposed scheme.
Yiteng Feng, Yi Mu, Guomin Yang, Joseph K. Liu
Efficient Dynamic Provable Data Possession with Public Verifiability and Data Privacy
Abstract
We present a Dynamic Provable Data Possession (PDP) system with Public Verifiability and Data Privacy. Three entities are involved: a client who is the owner of the data to be stored, a server that stores the data and a Third Party Auditor (TPA) who may be required when the client wants to check the integrity of its data stored on the server. The system is publicly verifiable with the possible help of the TPA who acts on behalf of the client. The system exhibits data dynamicity at block level allowing data insertion, deletion and modification to be performed. Finally, the system is secure at the untrusted server and data private. We present a practical PDP system by adopting asymmetric pairings to gain efficiency and reduce the group exponentiation and pairing operations. In our scheme, no exponentiation and only three pairings are required during the proof of data possession check, which clearly outperforms all the existing schemes in the literature. Furthermore, our protocol supports proof of data possession on as many data blocks as possible at no extra cost.
Clémentine Gritti, Willy Susilo, Thomas Plantard
Privately Computing Set-Union and Set-Intersection Cardinality via Bloom Filters
Abstract
In this paper we propose a new approach to privately compute the set-union cardinality and the set-intersection cardinality among multiple honest-but-curious parties. Our approach is inspired by a proposal of Ashok and Mukkamala (DBSec’14) which deploys Bloom filters to approximate the size tightly. One advantage of their solution is that it avoids ample public-key cryptography. Unfortunately, we show here that their protocol is vulnerable to actual attacks. We therefore propose a new Bloom filter based protocol, also forgoing heavy cryptography, and prove its security.
Rolf Egert, Marc Fischlin, David Gens, Sven Jacob, Matthias Senker, Jörn Tillmanns

Symmetric Constructions

Frontmatter
Generalizing PMAC Under Weaker Assumptions
Abstract
In this paper, we study the security of PMAC-type constructions generalizing the underlying primitive to keyed functions. We first consider the construction with two different primitives: one for intermediate calls and another for finalization. While the security of original PMAC was based on the assumption that the primitive (block ciphers) is a pseudo-random permutation (PRP), here we show that for MAC security of the construction, we just need MAC security of the internal primitives and privacy-preserving MAC (PP-MAC) security for the finalization primitive. As PP-MAC is strictly weaker than a pseudo-random function (PRF), this shows that PRF assumption on underlying primitives is not a necessary condition to achieve MAC security of PMAC type constructions. In the context, we also show that for PRF security of the construction, we only need the finalization primitive to be PRF secure. The requirement on the internal primitive reduces from PRF to just a secure MAC. Moreover, we show that for MAC security of the construction, PRF security of underlying primitive is not essential. We claim that, if we restrict to use only one primitive (as two keys are required, if two different primitives are used) then for MAC security, the primitive only needs to be PP-MAC secure. This essentially makes the construction single key PP-MAC domain extender, having the parallelizability advantage over iCBC-MAC. We also show that, if we want the construction to be PRF secure, then we need the underlying primitive to be PRF secure. This can be thought as an alternative proof of the original PMAC, not restricted to block-ciphers only but takes care any keyed functions.
Nilanjan Datta, Kan Yasuda
sp-AELM: Sponge Based Authenticated Encryption Scheme for Memory Constrained Devices
Abstract
In authenticated encryption schemes, there are two techniques for handling long ciphertexts while working within the constraints of a low buffer size: Releasing unverified plaintext (RUP) or Producing intermediate tags (PIT). In this paper, in addition to these two techniques, we propose another way to handle a long ciphertext with a low buffer size by storing and releasing only one (generally, or only few) intermediate state, without releasing or storing any part of an unverified plaintext and without need of generating any intermediate tag. In this paper we explain this generalized technique using our new construction sp-AELM. sp-AELM is a sponge based authenticated encryption scheme that provides support for limited memory devices. We also provide its security proof for privacy and authenticity in an ideal permutation model, using a code based game playing framework. Furthermore, we also present two more variants of sp-AELM that serve the same purpose and are more efficient than sp-AELM.
The ongoing CAESAR competition has 9 submissions which are based on the Sponge construction. We apply our generalized technique of storing single intermediate state to all these submissions, to determine their suitability with a devices having limited memory. Our findings show that only ASCON and one of the PRIMATE’s mode(namely GIBBON) satisify the limited memory constraint using this technique, while the remaining 8 schemes (namely, Artemia, ICEPOLE, Ketje, Keyak, NORX, \(\Pi \)-cipher, STRIBOB and two of the PRIMATEs mode: APE & HANUMAN) are not suitable for this scenario directly.
Megha Agrawal, Donghoon Chang, Somitra Sanadhya

Homomorphic Encryption and Obfuscation

Frontmatter
Secure Statistical Analysis Using RLWE-Based Homomorphic Encryption
Abstract
Homomorphic encryption enables various calculations while preserving the data confidentiality. Here we apply the homomorphic encryption scheme proposed by Brakerski and Vaikuntanathan (CRYPTO 2011) to secure statistical analysis between two variables. For reduction of ciphertext size and practical performance, we propose a method to pack multiple integers into a few ciphertexts so that it enables efficient computation over the packed ciphertexts. Our packing method is based on Yasuda et al.’s one (DPM 2013). While their method gives efficient secure computation only for small integers, our modification is effective for larger integers. Our implementation shows that our method is faster than the state-of-the-art work. Specifically, for one million integers of 16 bits (resp. 128 bits), it takes about 20 minutes (resp. 3.6 hours) for secure covariance and correlation on an Intel Core i7-3770 3.40 GHz CPU.
Masaya Yasuda, Takeshi Shimoyama, Jun Kogure, Kazuhiro Yokoyama, Takeshi Koshiba
Bad Directions in Cryptographic Hash Functions
Abstract
A 25-gigabyte “point obfuscation” challenge “using security parameter 60” was announced at the Crypto 2014 rump session; “point obfuscation” is another name for password hashing. This paper shows that the particular matrix-multiplication hash function used in the challenge is much less secure than previous password-hashing functions are believed to be. This paper’s attack algorithm broke the challenge in just 19 minutes using a cluster of 21 PCs.
Daniel J. Bernstein, Andreas Hülsing, Tanja Lange, Ruben Niederhagen
Backmatter
Metadaten
Titel
Information Security and Privacy
herausgegeben von
Ernest Foo
Douglas Stebila
Copyright-Jahr
2015
Electronic ISBN
978-3-319-19962-7
Print ISBN
978-3-319-19961-0
DOI
https://doi.org/10.1007/978-3-319-19962-7