| 1 |
Front Matter |
|
|
Abstract
|
| 2 |
Generic Transformation to Strongly Unforgeable Signatures |
Qiong Huang,Duncan S. Wong,Yiming Zhao |
|
Abstract
Recently, there are several generic transformation techniques proposed for converting unforgeable signature schemes (the message in the forgery has not been signed yet) into strongly unforgeable ones (the message in the forgery could have been signed previously). Most of the techniques are based on trapdoor hash functions and all of them require adding supplementary components onto the original key pair of the signature scheme. In this paper, we propose a new generic transformation which converts . unforgeable signature scheme into a strongly unforgeable one, and also keeps the key pair of the signature scheme unchanged. Our technique is based on .. We show that they can be constructed efficiently from any one-time signature scheme that is based on one-way functions. The performance of our technique also compares favorably with that of those trapdoor-hash-function-based ones. In addition, this new generic transformation can also be used for attaining strongly unforgeable signature schemes in other cryptographic settings which include certificateless signature, identity-based signature, and several others. To the best of our knowledge, similar extent of versatility is not known to b
|
| 3 |
Efficient Generic On-Line/Off-Line Signatures Without Key Exposure |
Xiaofeng Chen,Fangguo Zhang,Willy Susilo,Yi Mu |
|
Abstract
The “hash-sign-switch” paradigm was firstly proposed by Shamir and Tauman with the aim to design an efficient on-line/off-line signature scheme. However, all existing on-line/off-line signature schemes based on Shamir-Tauman’s paradigm suffer from the key exposure problem of chameleon hashing. That is, if the signer applies the same hash value more than once to obtain two signatures on two different messages, the recipient can obtain a hash collision and use it to recover the signer’s trapdoor information. Therefore, the signer should pre-compute and store plenty of different chameleon hash values and the corresponding signatures on the hash values in the off-line phase, and send the collision and the signature for a certain hash value in the on-line phase. Hence, the computation and storage cost for the off-line phase and the communication cost for the on-line phase in Shamir-Tauman’s signature scheme are still a little more overload..In this paper, we first introduce a special double-trapdoor hash family based on the discrete logarithm assumption to solve this problem. We then apply the “hash-sign-switch” paradigm to propose a much more efficient generic on-line/off-line signatur
|
| 4 |
Merkle Signatures with Virtually Unlimited Signature Capacity |
Johannes Buchmann,Erik Dahmen,Elena Klintsevich,Katsuyuki Okeya,Camille Vuillaume |
|
Abstract
We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a . (2.) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost.
|
| 5 |
Midpoints Versus Endpoints: From Protocols to Firewalls |
Diana von Bidder-Senn,David Basin,Germano Caronni |
|
Abstract
Today’s protocol specifications only define the behaviour of principals representing communication endpoints. But in addition to endpoints, networks contain midpoints, which are machines that observe or filter traffic between endpoints. In this paper, we explain why midpoints should handle protocols differently from endpoints and thus midpoint specifications are needed. With a case study, using the TCP protocol and three different firewalls as midpoints, we illustrate the consequences of the current lack of protocol specifications for midpoints, namely that the same protocol is implemented differently by the different firewalls. We then propose a solution to the problem: We give an algorithm that generates a midpoint automaton from specifications of endpoint automata. We prove that the resulting midpoint automata are correct in that they forward only those messages that could have resulted from protocol-conform endpoints. Finally, we illustrate the algorithm on the TCP protocol.
|
| 6 |
An Adversary Aware and Intrusion Detection Aware Attack Model Ranking Scheme |
Liang Lu,Rei Safavi-Naini,Jeffrey Horton,Willy Susilo |
|
Abstract
A successful computer system intrusion is often resulted from an attacker combining exploits of individual vulnerability. This can be modelled by attack models and attack graphs to provide a global view on system security against attacker’s goal. However, as the size and complexity of attack models and attack graphs usually greatly exceeds human ability to visualize, understand and analyze, a scheme is required to identify important portions of attack models and attack graphs. Mehta . proposed to rank states of an attack model by the probability of an adversary reaching a state by a sequence of exploiting individual vulnerabilities in a previous scheme. Important portions can hence be identified by ranks of states. However, Mehta .’s ranking scheme is based on the PageRank algorithm which models a web surfing scenario, but has not considered much on the dissimilarity between web surfing scenarios and computer system intrusion scenarios. In this paper, we extend Mehta .’s scheme by taking into consideration dissimilarity between web surfing scenarios and computer system intrusion scenarios. We experiment with the same network model used in Mehta .’s scheme and have the results compa
|
| 7 |
Analyzing an Electronic Cash Protocol Using Applied Pi Calculus |
Zhengqin Luo,Xiaojuan Cai,Jun Pang,Yuxin Deng |
|
Abstract
and . are essential security properties for electronic cash protocols. Many protocols have been proposed to meet these two properties. However, most of them have not been formally proved to be untraceable and unreuseable. In this paper we propose to use the applied pi calculus as a framework for describing and analyzing electronic cash protocols, and we analyze Ferguson’s electronic cash protocol as a case study. We believe that this approach is suitable for many different electronic cash protocols.
|
| 8 |
Cryptanalysis of the TRMC-4 Public Key Cryptosystem |
Xuyun Nie,Lei Hu,Jintai Ding,Jianyu Li,John Wagner |
|
Abstract
In 2006, the inventors of TRMC public key cryptosystem proposed a new variant of TRMC, TRMC-4, which can resist the existing attack, in particular, the Joux et al attack. In this paper, we show that the new version is vulnerable to attack via the linearization equations (LE) method. For any given valid ciphertext and its corresponding TRMC-4 public key, we can derive the corresponding plaintext within 2..-operations, after performing once for the public key a computation of complexity less than 2.. Our results are confirmed by computer experiments.
|
| 9 |
Estimating the Prime-Factors of an RSA Modulus and an Extension of the Wiener Attack |
Hung-Min Sun,Mu-En Wu,Yao-Hsin Chen |
|
Abstract
In the RSA system, balanced modulus . denotes a product of two large prime numbers . and ., where . < . < 2.. Since Integer-Factorization is difficult, . and . are simply estimated as .. In the Wiener attack, . is adopted to be the estimation of . + . in order to raise the security boundary of private-exponent .. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of .. The estimated values are called ”EPFs of .., and are denoted as .. and ... Thus .. and .. can be adopted to estimate . + . more accurately than by simply adopting .. In addition, we show that the Verheul and Tilborg’s extension of the Wiener attack can be considered to be brute-guessing for the MSBs of . + .. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive-searching for 2. + 8 bits down to 2. − 10 bits, where . depends on .and the private key .. The security boundary of private-exponent . can be raised 9 bits again over Verheul and Tilborg’s result.
|
| 10 |
A Timing Attack on Blakley’s Modular Multiplication Algorithm, and Applications to DSA |
Bahador Bakhshi,Babak Sadeghiyan |
|
Abstract
In this paper, we introduce a timing attack scheme against a 160-bit modular multiplication with Blakley’s algorithm. It is assumed that a set of public inputs are multiplied by a secret parameter and running time of each multiplication is given, but the multiplication result is not known and a machine similar to victim machine isn’t available. The proposed attack extracts all 160 bits of the secret parameter. Running time of Blakley’s algorithm is analyzed and it is shown that running time of each step is dependent on the running time of other steps. The dependencies make the parameters of the attack be dependent on the secret key, while it makes the attack rather complicated. A heuristic algorithm is used to find the parameters of the attack. As a real scenario, the attack is applied against on-line implementation of Digital Signature Algorithm, which employs Blakley’s modular multiplication. Practical results show that secret key of DSA will be found using 1,000,000 timing samples.
|
| 11 |
Protecting AES Software Implementations on 32-Bit Processors Against Power Analysis |
Stefan Tillich,Christoph Herbst,Stefan Mangard |
|
Abstract
The Advanced Encryption Standard is used in many embedded devices to provide security. In the last years, several researchers have proposed to enhance general-purpose processors with custom instructions to increase the efficiency of cryptographic algorithms. In this work we have evaluated the impact of such instruction set extensions on the implementation security of AES. We have compared several AES implementation options which incorporate state-of-the-art software countermeasures against power-analysis attacks—with and without the use of instruction set extensions. For both scenarios we provide a thorough analysis for different countermeasures with regard to security, performance, and memory. We have found that even a moderate level of protection requires a considerable overhead both in terms of speed and memory. The instruction set extensions, which have been solely designed to increase performance, help to reduce this overhead, but it still remains high. An implementation with proper protection through software countermeasures is only feasible in a setting where the need for resistance against power analysis outweighs the need for performance.
|
| 12 |
Constant-Round Authenticated Group Key Exchange with Logarithmic Computation Complexity |
Junghyun Nam,Juryon Paik,Ung Mo Kim,Dongho Won |
|
Abstract
Protocols for group key exchange (GKE) are cryptographic algorithms that describe how a group of parties communicating over a public network can come up with a common secret key. Due to their critical role in building secure multicast channels, a number of GKE protocols have been proposed over the years in a variety of settings. However despite many impressive achievements, it still remains a challenging problem to design a secure GKE protocol which scales very well for large groups. Our observation is that all constant-round authenticated GKE protocols providing forward secrecy thus far are not fully scalable, but have a computation complexity that scales only linearly in group size. Motivated by this observation, we propose a new and the first forward-secure authenticated GKE protocol that achieves both constant round complexity and logarithmic computation complexity. In particular, our GKE protocol is fully scalable in all key metrics when considered in the context of a broadcast network. The scalability of the protocol is achieved by using a complete binary tree structure combined with a so-called “nonce-chained authentication technique”. Besides its scalability, our protocol f
|
| 13 |
Preventing Collusion Attacks on the One-Way Function Tree (OFT) Scheme |
Xuxin Xu,Lingyu Wang,Amr Youssef,Bo Zhu |
|
Abstract
The one-way function tree (OFT) scheme proposed by Balenson . is widely regarded as an efficient key management solution for multicast communication in large dynamic groups. Following Horng’s claim that the original OFT scheme was vulnerable to a collusion attack, Ku . studied the collusion attack on OFT and proposed a solution to prevent the attack. The solution, however, requires to broadcast about .. + . (. is the height of the key tree) keys for every eviction operation, whereas the original OFT scheme only requires about . keys. This modified OFT scheme thus loses a key advantage that the original OFT has over the logical key hierarchy (LKH) scheme, that is a halving in broadcast size. In this paper, we revisit collusion attacks on the OFT scheme. We generalize the examples of attacks given by Horng and Ku . to a generic collusion attack on OFT, and derive necessary and sufficient conditions for such an attack to exist. We then show a solution for preventing collusion attacks while minimizing the average broadcast size. Our simulation results show that the proposed solution allows OFT to outperform LKH in many cases.
|
| 14 |
Bayesian Methods for Practical Traitor Tracing |
Philip Zigoris,Hongxia Jin |
|
Abstract
The practical success of broadcast encryption hinges on the ability to (1) revoke the access of compromised keys and (2) determine which keys have been compromised. In this work we focus on the latter, the so-called . problem. The first method utilizes a Bayesian hierarchical model to replace a crucial step in a well known tracing algorithm. Previously, this step relied on worst case bounds, which often overestimate the number of tests needed to diagnose compromised keys. The second is an adaptive tracing algorithm that selects forensic tests according to the . criteria. The results of the tests refine an explicit model of our beliefs that certain keys are compromised. In choosing tests based on this criteria, we significantly reduce the number of tests, as compared to the state-of-the-art techniques, required to identify compromised keys.
|
| 15 |
A New Protocol for Conditional Disclosure of Secrets and Its Applications |
Sven Laur,Helger Lipmaa |
|
Abstract
Many protocols that are based on homomorphic encryption are private only if a client submits inputs from a limited range .. Conditional disclosure of secrets (CDS) helps to overcome this restriction. In a CDS protocol for a set ., the client obtains server’s secret if and only if the client’s inputs belong to . and thus the server can guard itself against malformed queries. We extend the existing CDS protocols to work over additively homomorphic cryptosystems for every set from ... The new construction is modular and easy to apply. As an example, we derive a new oblivious transfer protocol with log-squared communication and a millionaire’s protocol with logarithmic communication. We also implement private, universally verifiable and robust multi-candidate electronic voting so that all voters only transmit an encryption of their vote. The only hardness assumption in all these protocols is that the underlying public-key cryptosystem is IND-CPA secure and the plaintext order does not have small factors.
|
| 16 |
An Unconditionally Secure Protocol for Multi-Party Set Intersection |
Ronghua Li,Chuankun Wu |
|
Abstract
Existing protocols for private set intersection are based on homomorphic public-key encryption and the technique of representing sets as polynomials in the cryptographic model. Based on the ideas of these protocols and the two-dimensional verifiable secret sharing scheme, we propose a protocol for private set intersection in the information-theoretic model. By representing the sets as polynomials, the set intersection problem is converted into the task of computing the common roots of the polynomials. By sharing the coefficients of the polynomials among parties, the common roots can be computed out using the shares. As long as more than 2./3 parties are semi-honest, our protocol correctly computes the intersection of . sets, and reveals no other information than what is implied by the intersection and the secrets sets controlled by the active adversary. This is the first specific protocol for private set intersection in the information-theoretic model as far as we know.
|
| 17 |
Privacy-Preserving Set Union |
Keith Frikken |
|
Abstract
Recently there has been a significant amount of work on privacy-preserving set operations, including: set intersection [14,6,21,9], testing set disjointness [17], multi-set operations [18], and set union [16,1,18] . In this paper, we introduce novel protocols for privacy- preserving set union in the malicious adversary model. More specifically, each participant inputs a set of values, and at the end of the protocol, each participant learns the items that are in at least one participant’s set without learning the frequency of the items or which participant(s) contributed specific items. To our knowledge our protocol is the most efficient privacy-preserving set union protocol for the malicious adversary model to date.
|
| 18 |
Universal Accumulators with Efficient Nonmembership Proofs |
Jiangtao Li,Ninghui Li,Rui Xue |
|
Abstract
Based on the notion of accumulators, we propose a new cryptographic scheme called universal accumulators. This scheme enables one to commit to a set of values using a short accumulator and to efficiently compute a membership witness of any value that has been accumulated. Unlike traditional accumulators, this scheme also enables one to efficiently compute a nonmembership witness of any value that has not been accumulated. We give a construction for universal accumulators and prove its security based on the strong RSA assumption. We further present a construction for dynamic universal accumulators; this construction allows one to dynamically add and delete inputs with constant computational cost. Our construction directly builds upon Camenisch and Lysyanskaya’s dynamic accumulator scheme. Universal accumulators can be seen as an extension to dynamic accumulators with support of nonmembership witness. We also give an efficient zero-knowledge proof protocol for proving that a committed value is not in the accumulator. Our dynamic universal accumulator construction enables efficient membership revocation in an anonymous fashion.
|
| 19 |
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes |
Stanisław Jarecki,Xiaomin Liu |
|
Abstract
We present the first practical . scheme. An unlinkable secret handshake is a two-way authentication protocol in a PKI setting which protects privacy and anonymity of . information about the participants to . except of their intended authentication partners. Namely, if entity A certified by organization .. wants to authenticate itself only to other entities certified by .., and, symmetrically, entity B certified by .. wants to authenticate itself only to entities also certified by .., then a secret handshake protocol authenticates these parties and establishes a fresh shared key between them if and only if .. = .. and the two parties entered valid certificates for this CA into the protocol. If, however .. ≠ .., or .. = .. but either . or . is not certified by this CA, the secret handshake protocol reveals . to the participants except of the bare fact that their inputs do not match. In other words, an Unlinkable Secret Handshake scheme is a perfectly private authentication method in the PKI setting: One can establish authenticated communication with parties that possess the credentials required by one’s policy, and at the same time one’s affiliation . identity remain perfectly secret
|
| 20 |
Identity-Based Proxy Re-encryption |
Matthew Green,Giuseppe Ateniese |
|
Abstract
In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, where ciphertexts are transformed from one . to another. Our schemes are compatible with current IBE deployments and do not require any extra work from the IBE trusted-party key generator. In addition, they are non-interactive and one of them permits multiple re-encryptions. Their security is based on a standard assumption (DBDH) in the random oracle model.
|
|Archiver|手机版|小黑屋|
派博传思国际
( 京公网安备110108008328)
GMT+8, 2025-8-13 12:41
发表于 2025-3-21 20:00:20
