20 similar documents found.
1.
Ulrich Kühn, Information Processing Letters, 2008, 105(6):236-240
Remotely keyed encryption (RKE) schemes provide fast symmetric encryption and decryption using a small-bandwidth security module and a powerful host. Such schemes keep the key inside the security module to prevent key compromise. Shin, Shin, and Rhee proposed a length-preserving as well as a length-increasing RKE scheme that both use only a single round of interaction between host and security module. With the length-preserving scheme they claim to answer an open problem of Blaze, Feigenbaum, and Naor. However, in the present paper we show that both their schemes are completely insecure. Further, we present heuristic arguments on why a one-round length-preserving RKE scheme might be impossible.
2.
3.
Yuh-Min Tseng, Jinn-Ke Jan, Hung-Yu Chien, Computers & Electrical Engineering, 2003, 29(1):101-109
Two efficient authenticated encryption schemes with message linkages are proposed. The first is a basic scheme that performs better than all previously proposed schemes in terms of communication and computation costs. However, like the previously proposed schemes, it has the property that the message blocks can be recovered only after all the signature blocks have been received. Therefore, the basic scheme is applicable only to all-or-nothing flows. We thus improve the basic scheme and also propose a generalized scheme, which allows the receiver to recover part of the message blocks before receiving all the signature blocks; that is, the receiver may perform the receiving and recovering processes simultaneously. The generalized scheme is therefore applicable to message flows, and it requires less bandwidth and computation time than the previously proposed authenticated encryption schemes with message linkages for message flows.
4.
This paper formally discusses the security problem caused by ciphertext verification, presenting a new security notion named IND-CVA (indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access both an encryption oracle and a ciphertext verification oracle, the new notion IND-CVA is slightly stronger than IND-CPA (indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA (indistinguisha...
5.
We analyze the relationship between the notion of certificateless public key cryptography (CL-PKC) and identity-based schemes without a trusted private key generator (PKG), formally define the security of certificateless threshold signatures, and propose a concrete implementation based on bilinear pairings. To exhibit the security of our proposal, we develop the theory of simulatability and the relationship between certificateless threshold signatures and the underlying (non-threshold) ID-based signatures. We show that the proposed scheme is robust and existentially unforgeable against adaptively chosen message attacks under the CDH assumption in the random oracle model.
6.
Semantic security and anonymity are the two main properties that an identity-based encryption scheme can satisfy. Such properties can be defined in either an adaptive or a selective scenario, which differ on the moment where the attacker chooses the identity/ies that are the target of the attack. There are well-known separations between selective and adaptive semantic security on the one hand, and between selective and adaptive anonymity on the other hand. In this paper we investigate the relations between these selective and adaptive notions, for identity-based encryption schemes enjoying at the same time some security and anonymity properties. On the negative side, we prove that there is a separation between selective and adaptive anonymity even for schemes which enjoy adaptive semantic security. On the positive side, we prove that selective semantic security and adaptive anonymity imply adaptive semantic security.
7.
Bi-Hui Chen, Computers & Electrical Engineering, 2004, 30(7):465-469
Recently, Tseng et al. proposed two authenticated encryption schemes (a basic scheme and a generalized scheme) with message linkages, which are efficient in terms of communication and computation costs in comparison with all previously proposed schemes. In the basic authenticated encryption scheme, the recipient can recover the message blocks only after receiving all the signature blocks. To allow the receiver to perform the receiving and recovering processes simultaneously, according to application requirements and the transmission efficiency of the network, the generalized authenticated encryption scheme was then proposed. In this paper, we show that neither of Tseng et al.'s authenticated encryption schemes achieves integrity and authentication. Improvements are then proposed to repair the weaknesses.
8.
Kyung-Ah Shim, Information Sciences, 2009, 179(3):303-306
Certificateless cryptography eliminates the need for certificates in a public key infrastructure and solves the inherent key escrow problem of identity-based cryptography. Recently, Huang et al. proposed two certificateless signature schemes from pairings. They claimed that their first short certificateless signature scheme is provably secure against a normal type I adversary and a super type II adversary. In this paper, we show that their short certificateless signature scheme is broken by a type I adversary who can replace users' public keys and access the signing oracle under the replaced public keys.
9.
We discuss the relationship between ID-based key agreement protocols, certificateless encryption and ID-based key encapsulation mechanisms. In particular we show how in some sense ID-based key agreement is a primitive from which all others can be derived. In doing so we focus on distinctions between what we term pure ID-based schemes and non-pure schemes, in various security models. We present security models for ID-based key agreement which do not "look natural" when considered as analogues of normal key agreement schemes, but which look more natural when considered in terms of the models used in certificateless encryption. We illustrate our models and constructions with two running examples, one pairing based and one non-pairing based. Our work highlights distinctions between the two approaches to certificateless encryption and adds to the debate about what is the "correct" security model for certificateless encryption.
10.
Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).
11.
Recently, Liu et al. [26] discovered that Certificateless Public Key Encryption (CL-PKE) suffers from the Denial-of-Decryption (DoD) attack. Based on CL-PKC, the authors introduced a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captures the DoD attack, and proposed the first scheme, derived from a novel application of Waters' Identity-Based Encryption scheme [43]. In this paper, we propose a new SGC-PKE scheme that does not depend on bilinear pairings and hence is more efficient and requires shorter public keys than Liu et al.'s scheme. More importantly, our scheme reaches Girault's trust level 3 [16] (cf. Girault's trust level 2 for Liu and Au's scheme), the same trust level achieved by a traditional PKI. In addition, we also discuss how our scheme can lead to a secure and self-organized key management and authentication system for ad hoc wireless networks with user-controlled key renewal.
12.
Key agreement (KA) allows two or more users to negotiate a secret session key among them over an open network. Authenticated key agreement (AKA) is a KA protocol enhanced to prevent active attacks. AKA can be achieved using a public-key infrastructure (PKI) or identity-based cryptography. However, the former suffers from a heavy certificate management burden while the latter is subject to the so-called key escrow problem. Recently, certificateless cryptography was introduced to mitigate these limitations. In this paper, we first propose a security model for AKA protocols using certificateless cryptography. Following this model, we then propose a simulatable certificateless two-party AKA protocol. Security is proven under the standard computational Diffie-Hellman (CDH) and bilinear Diffie-Hellman (BDH) assumptions. Our protocol is efficient and practical, because it requires only one pairing operation and five multiplications by each party.
13.
Palash Sarkar, Information Processing Letters, 2011, 111(19):945-955
A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TESs is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementation of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to previously known schemes. We further show that the same idea can also be used with a stream cipher which supports an initialization vector (IV), leading to the first example of a TES from such a primitive.
14.
In recent years, a variety of chaos-based digital image encryption algorithms have been suggested. Most of these algorithms implement permutations and diffusions at the pixel level by considering the pixel as the smallest (atomic) element of an image. In fact, a permutation at the bit level not only changes the position of the pixel but also alters its value. Here we propose an image cryptosystem employing the Arnold cat map for bit-level permutation and the logistic map for diffusion. Simulations have been carried out and analyzed in detail, demonstrating the superior security and high efficiency of our cryptosystem.
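The permutation-then-diffusion pipeline described in this abstract, as an added Python illustration that is not the paper's code: each of the eight bit planes of an N x N grayscale image is scrambled with the generalised Arnold cat map (x, y) -> (x + p*y, q*x + (p*q + 1)*y) mod N, using a different number of rounds per plane so that the bits of one pixel land in different places, and the result is then diffused with a keystream drawn from the logistic map x_{n+1} = r * x_n * (1 - x_n). The key layout (p, q, x0), the per-plane round schedule, the XOR chaining, the keystream byte extraction and the 8 x 8 sample image are all assumptions of this example, not details taken from the paper. Chaos-based image ciphers of this shape are not a substitute for a standard authenticated cipher; the code is here to show the mechanics, in particular the point made above that a bit-level permutation alone already changes pixel values, which a pixel-level permutation never does.

```python
"""Added illustration of a bit-level chaotic image cipher: Arnold cat map
permutation of each bit plane, then logistic-map keystream diffusion.
Not the paper's code, and not a cipher to deploy."""

from typing import List, Tuple

Image = List[List[int]]        # N x N grayscale image, pixel values 0..255
Key = Tuple[int, int, float]   # (p, q, x0): cat-map parameters and logistic seed (assumed layout)

R = 3.99     # logistic-map control parameter, inside the chaotic regime
SKIP = 500   # transient iterations discarded before the keystream is used


def cat_map(plane: List[List[int]], p: int, q: int, rounds: int, inverse: bool = False) -> List[List[int]]:
    """Generalised Arnold cat map (x, y) -> (x + p*y, q*x + (p*q + 1)*y) mod N,
    iterated `rounds` times over an N x N bit plane. The matrix has determinant 1,
    so the map is a bijection; inverse=True reads the same mapping backwards."""
    n = len(plane)
    cur = plane
    for _ in range(rounds):
        nxt = [[0] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                nx = (x + p * y) % n
                ny = (q * x + (p * q + 1) * y) % n
                if inverse:
                    nxt[x][y] = cur[nx][ny]
                else:
                    nxt[nx][ny] = cur[x][y]
        cur = nxt
    return cur


def split_planes(img: Image) -> List[List[List[int]]]:
    """planes[k][x][y] is bit k of pixel (x, y)."""
    return [[[(px >> k) & 1 for px in row] for row in img] for k in range(8)]


def merge_planes(planes: List[List[List[int]]]) -> Image:
    n = len(planes[0])
    return [[sum(planes[k][x][y] << k for k in range(8)) for y in range(n)] for x in range(n)]


def permute_bits(img: Image, p: int, q: int, inverse: bool = False) -> Image:
    """Bit-level permutation: plane k gets k+1 cat-map rounds (assumed schedule), so the
    eight bits of one pixel scatter to different positions and pixel values change,
    unlike a pixel-level permutation, which only moves whole pixels around."""
    planes = split_planes(img)
    planes = [cat_map(planes[k], p, q, k + 1, inverse) for k in range(8)]
    return merge_planes(planes)


def logistic_keystream(x0: float, length: int) -> List[int]:
    """Keystream bytes from x_{n+1} = R * x_n * (1 - x_n); x0 in (0, 1) acts as the key."""
    x = x0
    for _ in range(SKIP):
        x = R * x * (1 - x)
    ks = []
    for _ in range(length):
        x = R * x * (1 - x)
        ks.append(int(x * (1 << 32)) & 0xFF)
    return ks


def diffuse(data: List[int], ks: List[int], inverse: bool = False) -> List[int]:
    """c_i = p_i XOR k_i XOR c_{i-1}, with ks[0] serving as c_{-1}; chaining on the
    ciphertext makes every output byte depend on all earlier plaintext bytes."""
    out, prev = [], ks[0]
    for i, v in enumerate(data):
        w = v ^ ks[i + 1] ^ prev
        out.append(w)
        prev = v if inverse else w   # when decrypting, the input byte is the ciphertext
    return out


def encrypt(img: Image, key: Key) -> Image:
    p, q, x0 = key
    n = len(img)
    flat = [px for row in permute_bits(img, p, q) for px in row]
    c = diffuse(flat, logistic_keystream(x0, n * n + 1))
    return [c[i * n:(i + 1) * n] for i in range(n)]


def decrypt(cimg: Image, key: Key) -> Image:
    p, q, x0 = key
    n = len(cimg)
    flat = [px for row in cimg for px in row]
    d = diffuse(flat, logistic_keystream(x0, n * n + 1), inverse=True)
    return permute_bits([d[i * n:(i + 1) * n] for i in range(n)], p, q, inverse=True)


# Constructed sample input: an 8x8 gradient, not an image from the paper.
SAMPLE: Image = [[(x * 8 + y) * 4 for y in range(8)] for x in range(8)]
KEY: Key = (1, 1, 0.3141)

if __name__ == "__main__":
    c = encrypt(SAMPLE, KEY)
    assert decrypt(c, KEY) == SAMPLE
    print("round trip ok; first ciphertext row:", c[0])
```

A quick way to see the bit-level effect is to permute an all-black image with a single white pixel: after `permute_bits` no pixel is 255 any more, because bit 0 and bit 1 of that pixel have been sent to different coordinates, although the total number of set bits is unchanged.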
15.
Broadcast encryption and attribute-based encryption are two important public-key encryption schemes that can deliver encrypted content to many users at once, with important applications in pay TV, digital rights management and resource access control. We analyse an identity-based broadcast encryption scheme and show that an attacker who obtains any one user's private key can compute the private key of every other user. We also study an attribute-based encryption scheme and show that it does not really hide the access structure: an attacker can recover the access structure from the ciphertext alone.
16.
In modern cryptosystems, anonymity means that, in some sense, an adversary cannot tell which of several public keys was used to encrypt a plaintext; it was first formally defined as indistinguishability of keys by Bellare et al. in 2001. Recently, several well-known techniques have been proposed to achieve anonymity for public-key encryption schemes. In this paper, anonymity is first considered from a new perspective. Based on this new perspective, a one-time encryption-key technique is then proposed to achieve anonymity for traditional discrete-logarithm-based (DL-based) encryption schemes. In this new technique, for each encryption a random one-time encryption key is generated and used to encrypt the plaintext instead of the original public key. Consequently, roughly speaking, the randomness of the generated one-time encryption key is what gives the new technique its anonymity. Furthermore, in the formal proof of anonymity, based only on several weaker conditions, the one-time encryption-key technique efficiently achieves provable indistinguishability of keys under chosen ciphertext attack (IK-CCA anonymity). As a result, compared with the work of Hayashi and Tanaka in 2006, the one-time encryption-key technique presented here has fewer requirements for achieving provable anonymity.
17.
Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang, Frontiers of Computer Science in China, 2014, (1):163-173
Certificateless public key cryptography eliminates the inherent key escrow problem of identity-based cryptography, and does not require certificates as in the traditional public key infrastructure. In this paper, we give a cryptanalysis of Hwang et al.'s certificateless encryption scheme, which is the first concrete certificateless encryption scheme that can be proved secure against the "malicious-but-passive" key generation center (KGC) attack in the standard model. Their scheme is shown to be insecure even in a weaker security model, the "honest-but-curious" KGC attack model. We then propose an improved scheme which is secure against the "malicious-but-passive" KGC attack in the standard model.
18.
A knapsack-based probabilistic encryption scheme (cited 2 times: 0 self-citations, 2 by others)
Knapsack-based cryptosystems were for a long time viewed as the most attractive and most promising asymmetric cryptographic algorithms, owing to the NP-completeness of the underlying problem and their high speed in encryption/decryption. Unfortunately, most of them have been broken because of the low density of the underlying knapsack problems. In this paper, we investigate a new easy compact knapsack problem and propose a novel knapsack-based probabilistic public-key cryptosystem in which the ciphertext is non-linear in the plaintext. For properly chosen parameters, the underlying knapsack problem enjoys a high density, larger than 1.06 in the worst case. Hence, it is secure against low-density subset-sum attacks. Our scheme can also defeat other potential attacks such as brute force attacks and the simultaneous Diophantine approximation attack. Compared with previous knapsack-based cryptosystems, our scheme is efficient and practical.
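The density figure that decides whether a knapsack public key is exposed to low-density subset-sum attacks, as an added Python illustration that is not the paper's scheme: it generates a classic Merkle-Hellman key pair (superincreasing private sequence, modulus, multiplier), encrypts and decrypts a message, and computes the density d = n / log2(max a_i) of the public weights. The Merkle-Hellman construction, the parameter sizes, the seeded RNG and the threshold 0.9408 (the Coster et al. bound below which lattice-based low-density attacks succeed for almost all instances) are this example's assumptions; the abstract states only that its own knapsack has density above 1.06, which is on the other side of that threshold.

```python
"""Added illustration: why classic knapsack cryptosystems have low density.
Merkle-Hellman key generation plus the density measure used by low-density
subset-sum attacks. Not the scheme from the abstract and not a secure system."""

import math
import random
from typing import List, Tuple

# Coster et al. bound (assumed constant): below this density lattice reduction
# solves almost all subset-sum instances, so the public key is considered broken.
LOW_DENSITY_BOUND = 0.9408

PrivateKey = Tuple[List[int], int, int]   # (superincreasing b, modulus M, multiplier W)


def density(weights: List[int]) -> float:
    """Knapsack density d = n / log2(max a_i): message bits per bit of weight."""
    return len(weights) / math.log2(max(weights))


def merkle_hellman_keygen(n: int, rng: random.Random) -> Tuple[PrivateKey, List[int]]:
    """Private: superincreasing b (each b_i exceeds the sum of all earlier b_j),
    modulus M larger than sum(b), and W coprime to M.  Public: a_i = W * b_i mod M.
    Because b grows exponentially, max a_i has roughly 2n bits and d is about 1/2."""
    b, total = [], 0
    for _ in range(n):
        b_i = total + rng.randint(1, 1 << n)
        b.append(b_i)
        total += b_i
    M = total + rng.randint(1, 1 << n)
    while True:
        W = rng.randrange(2, M)
        if math.gcd(W, M) == 1:
            break
    a = [(W * b_i) % M for b_i in b]
    return (b, M, W), a


def encrypt(bits: List[int], pub: List[int]) -> int:
    """Ciphertext is the subset sum of the public weights selected by the message bits."""
    return sum(a_i for a_i, m in zip(pub, bits) if m)


def decrypt(c: int, priv: PrivateKey) -> List[int]:
    """Undo the multiplier, then solve the easy superincreasing knapsack greedily."""
    b, M, W = priv
    s = (c * pow(W, -1, M)) % M
    bits = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if s >= b[i]:
            bits[i] = 1
            s -= b[i]
    if s != 0:
        raise ValueError("ciphertext is not a valid subset sum")
    return bits


def demo(n: int = 32, seed: int = 1) -> Tuple[float, bool]:
    """Return (density of the public key, round-trip success) for one key pair."""
    rng = random.Random(seed)                    # constructed, deterministic key material
    priv, pub = merkle_hellman_keygen(n, rng)
    msg = [rng.randint(0, 1) for _ in range(n)]  # constructed sample message
    ok = decrypt(encrypt(msg, pub), priv) == msg
    return density(pub), ok


if __name__ == "__main__":
    d, ok = demo()
    print(f"density={d:.3f} (low-density attacks apply below {LOW_DENSITY_BOUND}); round trip ok={ok}")
```

The density is the number a practitioner checks first when evaluating any knapsack-style proposal: the Merkle-Hellman public key generated here lands around 0.5, well inside the range where lattice reduction recovers the message from the public weights alone.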
19.
Information Processing Letters, 2014, 114(9):492-499
Certificateless cryptography is an attractive paradigm, which combines the advantages of identity-based cryptography (without certificate) and traditional public key cryptography (no escrow). Recently, to solve the drawbacks of the existing certificateless signature (CL-S) schemes without random oracles, Yu et al. proposed a new CL-S scheme, which possesses several merits including shorter system parameters and higher computational efficiency than the previous schemes. However, in this work, we will point out that their CL-S scheme is insecure against key replacement attack and malicious-but-passive KGC attack. We further propose an improved scheme that overcomes the security flaws without affecting the merits of the original scheme. We prove that our scheme is existentially unforgeable against adaptive chosen message attacks under the computational Diffie-Hellman assumption in the standard model.
20.
As contest hosting moves from the real world to the virtual one, it faces more fairness challenges and security risks. Malicious competitors can more easily make false starts, and there is no way to prevent this unfairness. Eavesdroppers have a higher chance of obtaining contest files they are not entitled to. Competitors' identities are more likely to leak. Nevertheless, online contests are popular for their convenience, and they take diverse forms such as auctions, games and exams. With increasing requirements on fair play, we build a new security model and propose a generally designed framework, the Fair-Play Management System (FPMS), over clouds. Involving a "cloud" as public storage relieves much of the burden of real-time transmission in networks, though it may double the security risks from outside. Moreover, it is harder to guarantee to all competitors the synchronous start of a contest under inside attacks such as false starts. Facing the challenges of confidentiality, anonymity and fairness simultaneously, we find that public-key encryption is more effective than symmetric-key encryption at supporting multiple data owners in a cloud. By leveraging a Randomness-reused Identity-Based Encryption (RIBE) scheme, FPMS can resist all the attacks mentioned within a cloud-assisted environment, and supports security for multiple data owners that each host multiple contests. As a complement, an analysis of the provable security of FPMS is given at the end, together with a further analysis of its fair-play performance. Although transmission delay can hardly be avoided under provable security requirements, FPMS delivers the start order quasi-synchronously, with negligible differences in delay.