Publication


Featured research published by Martijn Stam.


International Cryptology Conference | 2009

A New Randomness Extraction Paradigm for Hybrid Encryption

Eike Kiltz; Krzysztof Pietrzak; Martijn Stam; Moti Yung

We present a new approach to the design of IND-CCA2 secure hybrid encryption schemes in the standard model. Our approach provides an efficient generic transformation from 1-universal to 2-universal hash proof systems. The transformation involves a randomness extractor based on a 4-wise independent hash function as the key derivation function. Our methodology can be instantiated with efficient schemes based on standard intractability assumptions such as Decisional Diffie-Hellman, Quadratic Residuosity, and Paillier's Decisional Composite Residuosity. Interestingly, our framework also allows one to prove IND-CCA2 security of a hybrid version of Damgård's 1991 ElGamal public-key encryption scheme under the DDH assumption.


International Cryptology Conference | 2008

Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

Martijn Stam

Suppose we are given a perfect \(n+c\)-to-\(n\) bit compression function \(f\) and we want to construct a larger \(m+s\)-to-\(s\) bit compression function \(H\) instead. What level of security, in particular collision resistance, can we expect from \(H\) if it makes \(r\) calls to \(f\)? We conjecture that typically collisions can be found in \(2^{(nr+cr-m)/(r+1)}\) queries. This bound is also relevant for building an \(m+s\)-to-\(s\) bit compression function based on a blockcipher with \(k\)-bit keys and \(n\)-bit blocks: simply set \(c=k\), or \(c=0\) in case of fixed keys. We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios:

- A \(2n\)-to-\(n\) bit compression function making two calls to an \(n\)-to-\(n\) bit primitive, providing collision resistance up to \(2^{n/3}/n\) queries. This beats a recent bound by Rogaway and Steinberger that \(2^{n/4}\) queries to the underlying random \(n\)-to-\(n\) bit function suffice to find collisions in any rate-1/2 compression function. In particular, this shows that Rogaway and Steinberger's recent bound of \(2^{(nr-m-s/2)/r}\) queries (for \(c=0\)) crucially relies upon a uniformity assumption; a blanket generalization to arbitrary compression functions would be incorrect.
- A \(3n\)-to-\(2n\) bit compression function making a single call to a \(3n\)-to-\(n\) bit primitive, providing collision resistance up to \(2^{n}\) queries.
- A \(3n\)-to-\(2n\) bit compression function making two calls to a \(2n\)-to-\(n\) bit primitive, providing collision resistance up to \(2^{n}\) queries.
- A single call compression function with parameters satisfying \(m \leq n+c\), \(n \leq s\), \(c \leq m\). This result provides a tradeoff between how many bits you can compress for what level of security given a single call to an \(n+c\)-to-\(n\) bit random function.


Theory and Application of Cryptographic Techniques | 2012

Security of symmetric encryption in the presence of ciphertext fragmentation

Alexandra Boldyreva; Jean Paul Degabriele; Kenneth G. Paterson; Martijn Stam

In recent years, a number of standardized symmetric encryption schemes have fallen foul of attacks exploiting the fact that in some real world scenarios ciphertexts can be delivered in a fragmented fashion. We initiate the first general and formal study of the security of symmetric encryption against such attacks. We extend the SSH-specific work of Paterson and Watson (Eurocrypt 2010) to develop security models for the fragmented setting. We also develop security models to formalize the additional desirable properties of ciphertext boundary hiding and robustness against Denial-of-Service (DoS) attacks for schemes in this setting. We illustrate the utility of each of our models via efficient constructions for schemes using only standard cryptographic components, including constructions that simultaneously achieve confidentiality, ciphertext boundary hiding and DoS robustness.


IEEE Transactions on Computers | 2005

Hardware and software normal basis arithmetic for pairing-based cryptography in characteristic three

Robert Granger; Daniel Page; Martijn Stam

Although identity-based cryptography offers a number of functional advantages over conventional public key methods, the computational costs are significantly greater. The dominant part of this cost is the Tate pairing, which, in characteristic three, is best computed using the algorithm of Duursma and Lee. However, in hardware and constrained environments, this algorithm is unattractive since it requires online computation of cube roots or enough storage space to precompute required results. We examine the use of normal basis arithmetic in characteristic three in an attempt to get the best of both worlds: an efficient method for computing the Tate pairing that requires no precomputation and that may also be implemented in hardware to accelerate devices such as smart-cards.


LMS Journal of Computation and Mathematics | 2006

On Small Characteristic Algebraic Tori in Pairing-Based Cryptography

Robert Granger; Dan Page; Martijn Stam

The value of the Tate pairing on an elliptic curve over a finite field may be viewed as an element of an algebraic torus. Using this simple observation, we transfer techniques recently developed for torus-based cryptography to pairing-based cryptography, resulting in more efficient computations, and lower bandwidth requirements. To illustrate the efficacy of this approach, we apply the method to pairings on supersingular elliptic curves in characteristic three.


Journal of Cryptology | 2010

Obfuscation for Cryptographic Purposes

Dennis Hofheinz; John Malone-Lee; Martijn Stam

Loosely speaking, an obfuscation O of a function f should satisfy two requirements: firstly, using O, it should be possible to evaluate f; secondly, O should not reveal anything about f that cannot be learnt from oracle access to f alone. Several definitions for obfuscation exist. However, most of them are very hard to satisfy, even when focusing on specific applications such as obfuscating a point function (e.g., for authentication purposes). In this work, we propose and investigate two new variants of obfuscation definitions. Our definitions are simulation-based (i.e., require the existence of a simulator that can efficiently generate fake obfuscations) and demand only security on average (over the choice of the obfuscated function). We stress that our notions are not free from generic impossibilities: there exist natural classes of function families that cannot be securely obfuscated. Hence we cannot hope for a general-purpose obfuscator with respect to our definition. However, we prove that there also exist several natural classes of functions for which our definitions yield interesting results. Specifically, we show that our definitions have the following properties:

- Usefulness: Securely obfuscating (the encryption function of) a secure private-key encryption scheme yields a secure public-key encryption scheme.
- Achievability: There exist obfuscatable private-key encryption schemes. Also, a point function chosen uniformly at random can easily be obfuscated with respect to the weaker one (but not the stronger one) of our definitions. (Previous work focused on obfuscating point functions from arbitrary distributions.)
- Generic impossibilities: There exist unobfuscatable private-key encryption schemes. Furthermore, pseudorandom functions cannot be obfuscated with respect to our definitions.

Our results show that, while it is hard to avoid generic impossibilities, useful and reasonable obfuscation definitions are possible when considering specific tasks (i.e., function families).


Lecture Notes in Computer Science | 2005

Hash based digital signature schemes

C. Dods; Nigel P. Smart; Martijn Stam

We discuss various issues associated with signature schemes based solely upon hash functions. Such schemes are currently attractive in some limited applications, but their importance may increase if ever a practical quantum computer were built. We discuss issues related to both their implementation and their security. As far as we are aware, this is the first complete treatment of practical implementations of hash based signature schemes in the literature.


Algorithmic Number Theory Symposium | 2004

A Comparison of CEILIDH and XTR

Robert Granger; Dan Page; Martijn Stam

We give a comparison of the performance of the recently proposed torus-based public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus \(T_{6}(\mathbb{F}_{p})\). However, while they both attain the same discrete logarithm security and each achieve a compression factor of three for all data transmissions, the arithmetic performed in each is fundamentally different. In its inception, the designers of CEILIDH were reluctant to claim it offers any particular advantages over XTR other than its exact compression and decompression technique. From both an algorithmic and arithmetic perspective, we develop an efficient version of CEILIDH and show that while it seems bound to be inherently slower than XTR, the difference in performance is much smaller than what one might infer from the original description. Also, thanks to CEILIDH’s simple group law, it provides a greater flexibility for applications, and may thus be considered a worthwhile alternative to XTR.


International Conference on the Theory and Application of Cryptology and Information Security | 2010

Random Oracles with(out) Programmability

Marc Fischlin; Anja Lehmann; Thomas Ristenpart; Thomas Shrimpton; Martijn Stam; Stefano Tessaro

This paper investigates the Random Oracle Model (ROM) feature known as programmability, which allows security reductions in the ROM to dynamically choose the range points of an ideal hash function. This property is interesting for at least two reasons: first, because of its seeming artificiality (no standard model hash function is known to support such adaptive programming); second, the only known security reductions for many important cryptographic schemes rely fundamentally on programming. We provide formal tools to study the role of programmability in provable security. This includes a framework describing three levels of programming in reductions (none, limited, and full). We then prove that no black-box reductions can be given for FDH signatures when only limited programming is allowed, giving formal support for the intuition that full programming is fundamental to the provable security of FDH. We also show that Shoup's trapdoor-permutation-based key-encapsulation is provably CCA-secure with limited programmability, but no black-box reduction succeeds when no programming at all is permitted. Our negative results use a new concrete-security variant of Hsiao and Reyzin's two-oracle separation technique.


International Conference on the Theory and Application of Cryptology and Information Security | 2011

On the joint security of encryption and signature, revisited

Kenneth G. Paterson; Jacob C. N. Schuldt; Martijn Stam; Susan Thomson

We revisit the topic of joint security for combined public key schemes, wherein a single keypair is used for both encryption and signature primitives in a secure manner. While breaking the principle of key separation, such schemes have attractive properties and are sometimes used in practice. We give a general construction for a combined public key scheme having joint security that uses IBE as a component and that works in the standard model. We provide a more efficient direct construction, also in the standard model.

Collaboration


Top Co-Authors

Onur Özen

École Polytechnique Fédérale de Lausanne

Dan Page

University of Bristol
