Pascal Paillier

Public-key cryptosystems based on composite degree residuosity classes

This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.

Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions

We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of [7] is computationally consistent, and provide a new scheme that is statistically consistent. We also provide a transform of an anonymous IBE scheme to a secure PEKS scheme that, unlike the previous one, guarantees consistency. Finally we suggest three extensions of the basic notions considered here, namely anonymous HIBE, public-key encryption with temporary keyword search, and identity-based encryption with keyword search.

Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys

This paper puts forward new efficient constructions for public-key broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusion-secure for arbitrarily large collusions of users and security is tight in the standard model; new users can join dynamically i.e. without modification of user decryption keys nor ciphertext size and little or no alteration of the encryption key. We also show how to permanently revoke any subgroup of users. Most importantly, our constructions achieve the optimal bound of O(1)-size either for ciphertexts or decryption keys, where the hidden constant relates to a couple of elements of a pairing-friendly group. Our broadcast-KEM trapdoor technique, which has independent interest, also provides a dynamic broadcast encryption system improving all previous efficiency measures (for both execution time and sizes) in the private-key setting.

On second-order differential power analysis

Differential Power Analysis (DPA) is a powerful cryptanalytic technique aiming at extracting secret data from a cryptographic device by collecting power consumption traces and averaging over a series of acquisitions. In order to prevent the leakage, hardware designers and software programmers make use of masking techniques (a.k.a. data whitening methods). However, the resulting implementations may still succumb to second-order DPA. Several recent papers studied second-order DPA but, although the conclusions that are drawn are correct, the analysis is not. This paper fills the gap by providing an exact analysis of second-order DPA as introduced by Messerges. It also considers several generalizations, including an extended analysis in the more general Hamming-distance model.

Discrete-Log-Based signatures may not be equivalent to discrete log

We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature well-known proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle Model. Our impossibility proofs apply to many discrete-log-based signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSA-based signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these.

Efficient Public-Key Cryptosystems Provably Secure Against Active Adversaries

This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired from a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.

Smart Card Crypto-Coprocessors for Public-Key Cryptography

This paper intends to provide information about up-to-date performances of smart-card arithmetic coprocessors regarding major public-key cryptosystems and analyze the main tendences of this developing high-tech industry and related markets. We also comment hardware limitations of current technologies and provide a technique for extending them by virtually doubling their capacities.

Universal Padding Schemes for RSA

A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows to safely use the same RSA key-pairs for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.

Trapdooring Discrete Logarithms on Elliptic Curves over Rings

This paper introduces three new probabilistic encryption schemes using elliptic curves over rings. The cryptosystems are based on three specific trapdoor mechanisms allowing the recipient to recover discrete logarithms on different types of curves. The first scheme is an embodiment of Naccache and Sterns cryptosystem and realizes a discrete log encryption as originally wanted in [23] by Vanstone and Zuccherato. Our second scheme provides an elliptic curve version of Okamoto and Uchiyamas probabilistic encryption, thus answering a question left open in [10] by the same authors. Finally, we introduce a Paillier-like encryption scheme based on the use of twists of anomalous curves. Our contributions provide probabilistic, homomorphic and semantically secure cryptosystems that concretize all previous research works on discrete log encryption in the elliptic curve setting.

Decryptable searchable encryption

As such, public-key encryption with keyword search (a.k.a PEKS or searchable encryption) does not allow the recipient to decrypt keywords i.e. encryption is not invertible. This paper introduces searchable encryption schemes which enable decryption. An additional feature is that the decryption key and the trapdoor derivation key are totally independent, thereby complying with many contexts of application. We put forward a seemingly optimal construction for decryptable searchable encryption which makes use of one KEM, one IDKEM and a couple of hash functions. We define a proper security model for decryptable searchable encryption and show that basic security requirements on the underlying KEM and IDKEM are enough for our generic construction to be strongly secure in the random oracle model.