Jinyong Chang

A Generic Construction of Homomorphic MAC for Multi-File Transmission in Network Coding

—Homomorphic message authentication codes (MAC) have been proposed to thwart pollution attacks in network coding. The existing schemes mainly are based on the vector inner product or trace function over finite fields. Recently, Wang and Hu presented a generic construction of homomorphic MAC scheme based on linear mapping over finite fields which is an excellent abstract of the vector inner product and the trace function. However, their construction can only be used for single-file transmission. In this paper, we convert their scheme into a new one that supports multi-file transmission. Moreover, our scheme needs shorter key when one wants to achieve the same security as that of Wang et al.

Security analysis of a TESLA-based homomorphic MAC scheme for authentication in P2P live streaming system

In this paper, we present a pollution attack on the homomorphic message authentication code scheme PMAC, which was proposed, by Cheng, Jiang, and Zhang in [IEEE Journal on Selected Areas in Communications/Supplement 2013; 319: 291-298]. In particular, Cheng et al. claimed that their main contribution lies in that, compared with the existing scheme, such as SpaceMac, PMAC can achieve a reliable security 1/qi?ź instead of 1/q for SpaceMac, where q is usually set as a small number in practical applications and i?ź is a flexible parameter chosen by users to improve their security level. However, by presenting a pollution attack, we prove that PMAC can only achieve the security at most 1/q no matter how large i?ź is. Our attack shows that it may be dangerous to directly use PMAC in the peer-to-peer live streaming systems. Moreover, we also point out a basic but fatal error in their proof of theorem 1 and hope that by identifying the design flaw, similar mistakes can be avoided in future design of homomorphic message authentication code. Copyright

The ECCA Security of Hybrid Encryptions

In PKC 2014, Dana Dachman-Soled, et al. introduced enhanced chosen-ciphertext security (ECCA) for public key encryption. The enhancement refers to that the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried cipher-text but also of a randomness-recovery algorithm associated to the scheme. The authors have given the application of ECCA-secure encryption and we believe that ECCA security will find more application in the future. In this paper, we consider ECCA security of the well-known hybrid encryption (Tag-KEM/DEM) which was presented by Masayuki Abe, et al. in EUROCRYPT 2005. Meanwhile, we also consider ECCA security of hybrid encryption (KEM/Tag-DEM). We have proved that the hybrid encryption is secure against enhanced chosen cipher-text attack (ECCA) if both KEM part and DEM part satisfy some assumptions.

The KDM-CCA Security of REACT

In CT-RSA 2001, Okamoto and Pointcheval proposed a general conversion: Rapid enhanced-security asymmetric cryptosystem transform (REACT, for short), which achieves the CCA security in the random oracle from very weak building blocks and is (almost) optimal in terms of computational overload.

Practical key-dependent message chosen-ciphertext security based on decisional composite residuosity and quadratic residuosity assumptions

An encryption scheme is key-dependent message chosen plaintext attack KDM-CPA secure if it is secure even against an attacker who has access to encryptions of messages that depend on the secret key. Such situations naturally occur in some scenarios such as formal calculus, hard-disk encryption, or multi-party protocols. However, up to now, there are not many schemes that achieve KDM-CPA security, let alone KDM chosen ciphertext attack KDM-CCA security. The constructions proposed by Camenisch, Chandran, and Shoup Eurocrypt 2009, and Hofheinz Eurocrypt 2013 are the only two general constructions that can be proved to be KDM-CCA secure in the standard model. Besides, Qin, Liu, and Huang ACISP 2013 also presented another concrete implementation. In particular, they showed how to obtain KDM-CCA security from the classic Cramer-Shoup cryptosystem based on the decisional Diffie-Hellman assumption w.r.t. a new ensemble of functions we call QLH ensemble. Since the Cramer-Shoup scheme has short ciphertext size and higher computational efficiency, they obtain practical KDM-CCA security w.r.t. a reasonably large ensemble.

KDM-CCA security of the Cramer-Shoup cryptosystem, revisited

An encryption scheme is key-dependent message chosen plaintext attack (KDM-CPA) secure means that it is secure even if an adversary obtains encryptions of messages that depend on the secret key. However, there are not many schemes that are KDM-CPA secure, let alone key-dependent message chosen ciphertext attack (KDM-CCA) secure. So far, only two general constructions, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009), and Hofheinz (Eurocrypt 2013), are known to be KDM-CCA secure in the standard model. Another scheme, a concrete implementation, was recently proposed by Qin, Liu and Huang (ACISP 2013), where a KDM-CCA secure scheme was obtained from the classic Cramer-Shoup (CS) cryptosystem w.r.t. a new family of functions. In this paper, we revisit the KDM-CCA security of the CS-scheme and prove that, in two-user case, the CS-scheme achieves KDM-CCA security w.r.t. richer ensembles, which covers the result of Qin et al. In addition, we present another proof about the result in (QLH13) by extending our approach used in two-user case to n-user case, which achieves a tighter reduction to the decisional Diffie-Hellman (DDH) assumption.