David Galindo

Boneh-Franklin identity based encryption revisited

The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin in [BF03]. In this work we point out that there is a flawed step in the security reduction exhibited by the authors. Fortunately, it is possible to fix it without changing the scheme or the underlying assumption. In the second place, we introduce a variant of the seminal IBE scheme which allows a more efficient security reduction. This variant is simpler, and has more compact ciphertexts than Boneh-Franklin’s proposal, while keeping the computational cost. Finally, we observe that the flawed step pointed out here is present in several works, and that our techniques can be applied to obtain tighter reductions for previous relevant schemes.

A Schnorr-Like Lightweight Identity-Based Signature Scheme

The use of concatenated Schnorr signatures [Sch91] for the hierarchical delegation of public keys is a well-known technique. In this paper we carry out a thorough analysis of the identity-based signature scheme that this technique yields. The resulting scheme is of interest since it is intuitive, simple and does not require pairings. We prove that the scheme is secure against existential forgery on adaptive chosen message and adaptive identity attacks using a variant of the Forking Lemma [PS00]. The security is proven in the Random Oracle Model under the discrete logarithm assumption. Next, we provide an estimation of its performance, including a comparison with the state of the art on identity-based signatures. We draw the conclusion that the Schnorr-like identity-based signature scheme is arguably the most efficient such scheme known to date.

Breaking yum and lee generic constructions of certificate-less and certificate-based encryption schemes

Identity-based public key cryptography is aimed at simplifying the management of certificates in traditional public key infrastructures by means of using the identity of a user as its public key. The user must identify itself to a trusted authority in order to obtain the secret key corresponding to its identity. The main drawback of this special form of public key cryptography is that it is key escrowed. Certificate-based and certificate-less cryptography have been recently proposed as intermediate paradigms between traditional and identity-based cryptography, seeking to simplify the management of certificates while avoiding the key escrow property of identity-based cryptography. In this work we cryptanalyse the certificate-based and certificate-less encryption schemes presented by Yum and Lee at EuroPKI 2004 and ICCSA 2004 conferences.

Improved certificate-based encryption in the standard model

Certificate-based encryption has been recently proposed as a means to simplify the certificate management inherent to traditional public key encryption. In this paper, we present an efficient certificate-based encryption scheme which is fully secure in the standard model. Our construction is more efficient (in terms of computational cost and ciphertext size) than any of the previous constructions known without random oracles.

Identity-Based Encryption with Master Key-Dependent Message Security and Leakage-Resilience

We introduce the concept of identity-based encryption (IBE) with master key-dependent chosen-plaintext (mKDM-sID-CPA) security. These are IBE schemes that remain secure even after the adversary sees encryptions, under some initially selected identities, of functions of the master secret keys. We then show that the Canetti, Halevi and Katz (Eurocrypt 2004) transformation delivers chosen-ciphertext secure key-dependent encryption (KDM-CCA) schemes when applied to mKDM-sID-CPA secure IBE schemes. Previously only one generic construction of KDM-CCA secure public key schemes was known, due to Camenisch, Chandran and Shoup (Eurocrypt 2009), and it required non-interactive zero knowledge proofs (NIZKs). Thus we show that NIZKs are not intrinsic to KDM-CCA public key encryption. As a proof of concept, we are able to instantiate our new concept under the Rank assumption on pairing groups and for affine functions of the secret keys. The scheme is inspired by the work by Boneh, Halevi, Hamburg and Ostrovsky (Crypto 2008). Our instantiation is only able to provide security against single encryption queries, or alternatively, against a bounded number of encryption queries. Secondly, we show that a special parameters setting of our main scheme provides master-key leakage-resilient identity-based encryption against chosen-plaintext attacks. This recently proposed security notion aims at taking into account security against side-channel attacks that only decrease the entropy of the master-key up to a certain threshold. Thirdly, we give new and better reductions between the Rank problem (previously named as Matrix-DDH or Matrix d-Linear problem) and the Decisional Linear problem.

A Killer Application for Pairings: Authenticated Key Establishment in Underwater Wireless Sensor Networks

Wireless sensors are low power devices which are highly constrained in terms of computational capabilities, memory, and communication bandwidth. While battery life is their main limitation, they require considerable energy to communicate data. The latter is specially dramatic in underwater wireless sensor networks (UWSN), where the acoustic transmission mechanisms are less reliable and more energy-demanding. Saving in communication is thus the primary concern in underwater wireless sensors. With this constraint in mind, we argue that non-interactive identity-based key agreement built on pairings provides the best solution for key distribution in large UWSN when compared to the state of the art. At first glance this claim is surprising, since pairing computation is very demanding. Still, pairing-based non-interactive key establishment requires minimal communication and at the same time enjoys excellent properties when used for key distribution.

Public-key encryption with non-interactive opening: new constructions and stronger definitions

Public-key encryption schemes with non-interactive opening (PKENO) allow a receiver to non-interactively convince third parties that a ciphertext decrypts to a given plaintext or, alternatively, that such a ciphertext is invalid. Two practical generic constructions for PKENO have been proposed so far, starting from either identity-based encryption or public-key encryption with witness-recovering decryption (PKEWR). We show that the known transformation from PKEWR to PKENO fails to provide chosen-ciphertext security; only the transformation from identity-based encryption remains thus valid. Next, we prove that PKENO can alternatively be built out of robust non-interactive threshold public-key cryptosystems, a primitive that differs from identity-based encryption. Using the new transformation, we construct two efficient PKENO schemes: one based on the Decisional Diffie-Hellman assumption (in the Random-Oracle Model) and one based on the Decisional Linear assumption (in the standard model). Last but not least, we propose new applications of PKENO in protocol design. Motivated by these applications, we reconsider proof soundness for PKENO and put forward new definitions that are stronger than those considered so far. We give a taxonomy of all definitions and demonstrate them to be satisfiable.

Extended security arguments for signature schemes

The well-known forking lemma by Pointcheval and Stern has been used to prove the security of the so-called generic signature schemes. These signature schemes are obtained via the Fiat-Shamir transform from three-pass identification schemes. A number of five-pass identification protocols have been proposed in the last few years. Extending the forking lemma and the Fiat-Shamir transform would allow to obtain new signature schemes since, unfortunately, these newly proposed schemes fall outside the original framework. In this paper, we provide an extension of the forking lemma in order to assess the security of what we call n-generic signature schemes. These include signature schemes that are derived from certain (2n+1)-pass identification schemes. We thus obtain a generic methodology for proving the security of a number of signature schemes derived from recently published five-pass identification protocols, and potentially for (2n+1)-pass identification schemes to come.

On the energy cost of authenticated key agreement in wireless sensor networks

Wireless sensors are battery-powered devices which are highly constrained in terms of computational capabilities, memory and communication bandwidth. While battery life is their main limitation, they require considerable energy to communicate data. Due to this, it turns out that the energy saving of computationally inexpensive primitives (like symmetric key cryptography (SKC)) can be nullified by the bigger amount of data they require to be sent. In this work, we study the energy cost of key agreement protocols between peers in a network using asymmetric key cryptography. Our main concern is to reduce the amount of data to be exchanged, which can be done by using special cryptographic paradigms like identity-based and self-certified cryptography. The main news is that an intensive computational primitive for resource-constrained devices, such as non-interactive identity-based authenticated key exchange, performs comparably or even better than traditional authenticated key exchange (AKE) in a variety of scenarios. Moreover, protocols based in this primitive can provide better security properties in real deployments than other simple protocols based on symmetric cryptography. Our findings illustrate to what extent the latest implementation advancements push the efficiency boundaries of public key cryptography (PKC) in wireless sensor networks (WSNs). Copyright

Breaking and Repairing Damgård et al. Public Key Encryption Scheme with Non-interactive Opening

We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interactive opening (PKENO) presented by Damgard, Kiltz, Hofheinz and Thorbek in CT-RSA 2008. In a PKENO scheme a receiver can convincingly reveal to a verifier what the result of decrypting a ciphertext C is, without interaction and without compromising the confidentiality of non-opened ciphertexts. A special interesting feature of PKENO is that a verifier can even ask for opening proofs on invalid ciphertexts. Those opening proofs will convince the verifier that the ciphertext was indeed invalid. We show that one of the schemes by Damgard et al. does not achieve the claimed security goal. Next we provide a fix for it. The repaired scheme presents essentially no overhead and is proven secure under the Decisional Bilinear Diffie-Hellman assumption in the standard model.