Publication


Featured research published by Jacob C. N. Schuldt.


International Conference on the Theory and Application of Cryptology and Information Security | 2011

On the joint security of encryption and signature, revisited

Kenneth G. Paterson; Jacob C. N. Schuldt; Martijn Stam; Susan Thomson

We revisit the topic of joint security for combined public key schemes, wherein a single keypair is used for both encryption and signature primitives in a secure manner. While breaking the principle of key separation, such schemes have attractive properties and are sometimes used in practice. We give a general construction for a combined public key scheme having joint security that uses IBE as a component and that works in the standard model. We provide a more efficient direct construction, also in the standard model.


Public Key Cryptography | 2012

On the security of dynamic group signatures: preventing signature hijacking

Yusuke Sakai; Jacob C. N. Schuldt; Keita Emura; Goichiro Hanaoka

We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the currently most efficient dynamic group signature scheme does not provide protection against this type of malicious behavior. To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth (ASIACRYPT 2007, full version) which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions. We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.


Public Key Cryptography | 2012

Verifiable predicate encryption and applications to CCA security and anonymous predicate authentication

Shota Yamada; Nuttapong Attrapadung; Bagus Santoso; Jacob C. N. Schuldt; Goichiro Hanaoka; Noboru Kunihiro

In this paper, we focus on verifiability of predicate encryption. A verifiable predicate encryption scheme guarantees that all legitimate receivers of a ciphertext will obtain the same message upon decryption. While verifiability of predicate encryption might be a desirable property by itself, we furthermore show that this property enables interesting applications. Specifically, we provide two applications of verifiable predicate encryption. Firstly, we show that for a large class of verifiable predicate encryption schemes, it is always possible to convert a chosen-plaintext secure scheme into a chosen-ciphertext secure one. Secondly, we show that a verifiable predicate encryption scheme allows the construction of a deniable predicate authentication scheme. This primitive enables a user to authenticate a message to a verifier using a private key satisfying a specified relation while at the same time allowing the user to deny ever having interacted with the verifier. This scheme furthermore guarantees the anonymity of the user in the sense that the verifier will learn nothing about the user's private key except that it satisfies the specified relation. Lastly, we show that many currently known predicate encryption schemes already provide verifiability, and furthermore demonstrate that many predicate encryption schemes which do not provide verifiability can be easily converted into schemes providing verifiability. Our results not only highlight that verifiability is a very useful property of predicate encryption, but also show that efficient and practical schemes with this property can be obtained relatively easily.


Applied Cryptography and Network Security | 2011

Efficient generic constructions of signcryption with insider security in the multi-user setting

Daiki Chiba; Takahiro Matsuda; Jacob C. N. Schuldt; Kanta Matsuura

Signcryption is a primitive which provides the combined security properties of encryption and digital signatures, i.e., confidentiality and unforgeability. A number of signcryption schemes have been presented in the literature, but up until now, no scheme which simultaneously achieves the currently strongest notions of insider confidentiality and strong insider unforgeability in the multi-user setting has been proposed without relying on random oracles or key registration. In this paper, we propose two new generic constructions of signcryption schemes from the combination of standard primitives and simple extensions of these. From our constructions, we instantiate a number of concrete and efficient signcryption schemes which satisfy the strongest notions of insider security in the multi-user setting while still being provably secure in the standard model.


International Conference on the Theory and Application of Cryptology and Information Security | 2014

Big Bias Hunting in Amazonia: Large-Scale Computation and Exploitation of RC4 Biases (Invited Paper)

Kenneth G. Paterson; Bertram Poettering; Jacob C. N. Schuldt

RC4 is (still) a very widely-used stream cipher. Previous work by AlFardan et al. (USENIX Security 2013) and Paterson et al. (FSE 2014) exploited the presence of biases in the RC4 keystreams to mount plaintext recovery attacks against TLS-RC4 and WPA/TKIP. We improve on the latter work by performing large-scale computations to obtain accurate estimates of the single-byte and double-byte distributions in the early portions of RC4 keystreams for the WPA/TKIP context and by then using these distributions in a novel variant of the previous plaintext recovery attacks. The distribution computations were conducted using the Amazon EC2 cloud computing infrastructure and involved the coordination of 213 hyper-threaded cores running in parallel over a period of several days. We report on our experiences of computing at this scale using commercial cloud services. We also study Microsoft’s Point-to-Point Encryption protocol and its use of RC4, showing that it is also vulnerable to our attack techniques.


Provable Security | 2015

Multi-party Computation with Small Shuffle Complexity Using Regular Polygon Cards

Kazumasa Shinagawa; Takaaki Mizuki; Jacob C. N. Schuldt; Koji Nuida; Naoki Kanayama; Takashi Nishide; Goichiro Hanaoka; Eiji Okamoto

It is well-known that a protocol for any function can be constructed using only cards and various shuffling techniques; this is referred to as a card-based protocol. In this paper, we propose a new type of cards called regular polygon cards. These cards enable a new encoding for multi-valued inputs, while the previous works can only handle binary inputs. We furthermore propose a new technique for constructing a card-based protocol for any n-ary function with small shuffle complexity. This is the first general construction in which the shuffle complexity is independent of the complexity (size/depth) of the desired functionality, although being directly proportional to the number of inputs. The construction furthermore supports a wide range of cards and encodings, including previously proposed types of cards. Our techniques provide a method for reducing the number of shuffles in card-based protocols.


International Conference on Information Security and Cryptology | 2015

On the Security of the Schnorr Signature Scheme and DSA Against Related-Key Attacks

Hiraku Morita; Jacob C. N. Schuldt; Takahiro Matsuda; Goichiro Hanaoka; Tetsu Iwata

In the ordinary security model for signature schemes, we consider an adversary that may forge a signature on a new message using only his knowledge of other valid message and signature pairs. To take into account side channel attacks such as tampering or fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In RKA for signature schemes, the adversary can also manipulate the signing key and obtain signatures for the modified key. This paper considers RKA security of two established signature schemes: the Schnorr signature scheme and (a well-known variant of) DSA. First, we show that these signature schemes are secure against a weak notion of RKA. Second, we demonstrate that, on the other hand, neither the Schnorr signature scheme nor DSA achieves the standard notion of RKA security, by showing concrete attacks on these. Lastly, we show that a slight modification of both the Schnorr signature scheme and (the considered variant of) DSA yields fully RKA secure schemes.


Applied Cryptography and Network Security | 2011

Non-transferable user certification secure against authority information leaks and impersonation attacks

Jacob C. N. Schuldt; Goichiro Hanaoka

While standard signatures provide an efficient mechanism for information certification, the lack of privacy-protecting measures makes them unsuitable if sensitive or confidential information is being certified. In this paper, we revisit nominative signatures, first introduced by Kim, Park and Won, which provide the functionality and security guarantees required to implement a certification system allowing the user (and not the authority) to control the verifiability of an obtained certificate. Unlike systems based on related primitives, the use of nominative signatures protects the user against authority information leaks and impersonation attacks based on these. We refine the security model of nominative signatures, and propose a new efficient scheme which is provably secure based on the computational Diffie-Hellman problem and the decisional linear problem. To the best of our knowledge, this is the first nominative signature scheme which is provably secure in the standard model. Furthermore, unlike the previous schemes, the proposed scheme provides signatures which hide both the signer and user identity. Hence, through our nominative signature scheme, we achieve an efficient non-transferable user certification scheme with strong security guarantees.


International Workshop on Security | 2015

Secure Multi-Party Computation Using Polarizing Cards

Kazumasa Shinagawa; Takaaki Mizuki; Jacob C. N. Schuldt; Koji Nuida; Naoki Kanayama; Takashi Nishide; Goichiro Hanaoka; Eiji Okamoto

It is known that, using just a deck of cards, an arbitrary number of parties with private inputs can securely compute the output of any function of their inputs. In 2009, Mizuki and Sone constructed a six-card COPY protocol, a four-card XOR protocol, and a six-card AND protocol, based on a commonly used encoding scheme in which each input bit is encoded using two cards. However, up until now, it has remained an open problem to construct a set of COPY, XOR, and AND protocols based on a two-cards-per-bit encoding scheme, which all can be implemented using only four cards. In this paper, we show that it is possible to construct four-card COPY, XOR, and AND protocols using polarizing plates as cards and a corresponding two-cards-per-bit encoding scheme. Our protocols are optimal in the setting of two-cards-per-bit encoding schemes since four cards are always required to encode the inputs. As applications of our protocols, we show constructions of optimal input-preserving XOR and AND protocols, which we combine to obtain optimal half-adder, full-adder, voting protocols, and more.


Australasian Conference on Information Security and Privacy | 2015

Dynamic Threshold Public-Key Encryption with Decryption Consistency from Static Assumptions

Yusuke Sakai; Keita Emura; Jacob C. N. Schuldt; Goichiro Hanaoka

Dynamic threshold public-key encryption (dynamic TPKE) is a natural extension of ordinary TPKE which allows decryption servers to join the system dynamically after the system is set up, and allows the sender to dynamically choose the authorized set and the decryption threshold at the time of encryption. Currently, the only known dynamic TPKE scheme is a scheme proposed by Delerablee and Pointcheval (CRYPTO 2008). This scheme is proven to provide message confidentiality under a q-type assumption, but to achieve decryption consistency, a random oracle extension is required.

Collaboration

Top co-authors of Jacob C. N. Schuldt:

Goichiro Hanaoka, National Institute of Advanced Industrial Science and Technology

Takahiro Matsuda, National Institute of Advanced Industrial Science and Technology

Keita Emura, National Institute of Information and Communications Technology

Koji Nuida, National Institute of Advanced Industrial Science and Technology