Adriana Palacio

GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

The Guillou-Quisquater (GQ) and Schnorr identification schemes are amongst the most efficient and best-known Fiat-Shamir follow-ons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ based on the assumed security of RSA under one more inversion, an extension of the usual one-wayness assumption that was introduced in [5]. It also provides such a proof for the Schnorr scheme based on a corresponding discrete-log related assumption. These are the first security proofs for these schemes under assumptions related to the underlying one-way functions. Both results extend to establish security against impersonation under concurrent attack.

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.

The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols

Hada and Tanaka [11,12] showed the existence of 3-round, negligible-error zero-knowledge arguments for NP based on a pair of non-standard assumptions, here called KEA1 and KEA2. In this paper we show that KEA2 is false. This renders vacuous the results of [11,12]. We recover these results, however, under a suitably modified new assumption called KEA3. What we believe is most interesting is that we show that it is possible to “falsify” assumptions like KEA2 that, due to their nature and quantifier-structure, do not lend themselves easily to “efficient falsification” (Naor [15]).

Towards Plaintext-Aware Public-Key Encryption Without Random Oracles

We consider the problem of defining and achieving plaintext-aware encryption without random oracles in the classical public-key model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+IND-CPA → IND-CCA1 and PA2+IND-CPA → IND-CCA2. Towards achieving the new notions of plaintext awareness, we show that a scheme due to Damgard [12], denoted DEG, and the lite version of the Cramer-Shoup scheme [11], denoted CS-lite, are both PA0 under the DHKO assumption of [12], and PA1 under an extension of this assumption called DHK1. As a result, DEG is the most efficient proven IND-CCA1 scheme known.

Protecting against key-exposure: strongly key-insulated encryption with optimal threshold

Key-insulated encryption schemes use a combination of key splitting and key evolution to protect against key exposure. Existing schemes, however scale poorly, having cost proportional to the number t of time periods that may be compromised by the adversary, and thus are practical only for small values of t. Yet in practice t might be large.This paper presents a strongly key-insulated encryption scheme with optimal threshold. In our scheme, t need not be known in advance and can be as large as one less than the total number of periods, yet the cost of the scheme is not impacted. This brings key-insulated encryption closer to practice. Our scheme is based on the Boneh-Franklin identity-based encryption (IBE) scheme [9], and exploits algebraic properties of the latter.Another contribution of this paper is to show that (not strongly) key-insulated encryption with optimal threshold and allowing random-access key updates (which our scheme and all others known allow) is equivalent to a restricted form of IBE. This means that the connection between key-insulated encryption and IBE is not accidental.

Public-key cryptographic primitives provably as secure as subset sum

We propose a semantically-secure public-key encryption scheme whose security is polynomial-time equivalent to the hardness of solving random instances of the subset sum problem. The subset sum assumption required for the security of our scheme is weaker than that of existing subset-sum based encryption schemes, namely the lattice-based schemes of Ajtai and Dwork (STOC’97), Regev (STOC’03, STOC’05), and Peikert (STOC’09). Additionally, our proof of security is simple and direct. We also present a natural variant of our scheme that is secure against key-leakage attacks, and an oblivious transfer protocol that is secure against semi-honest adversaries.

Key Insulation and Intrusion Resilience over a Public Channel

Key insulation (KI) and Intrusion resilience (IR) are methods to protect a users key against exposure by utilizing periodic communications with an auxiliary helper. But existing work assumes a secure channel between user and helper. If we want to realize KI or IR in practice we must realize this secure channel. This paper looks at the question of how to do this when the communication is over what we are more likely to have in practice, namely a public channel such as the Internet or a wireless network. We explain why this problem is not trivial, introduce models and definitions that capture the desired security in a public channel setting, and provide a complete (and surprising) answer to the question of when KI and IR are possible over a public channel. The information we provide is important to guide practitioners with regard to the usage of KI and IR and also to guide future research in this area.