In this paper, we present an efficient k-out-of-n secret sharing scheme which can identify up to t rushing cheaters with probability at least 1 − ε, where 0 < ε < 1/2, provided t < k/2. This is the optimal number of cheaters that can be tolerated in the setting of public cheater identification, on which we focus in this work. In our scheme, the set of all possible shares V_i satisfies |V_i| = (t+1)^{2n+k−3} |S| / ε^{2n+k−3}, where S denotes the set of all possible secrets. In PODC 2012, Ashish Choudhury came up with an efficient t-cheater identifiable k-out-of-n secret sharing scheme, solving an open problem posed by Satoshi Obana at EUROCRYPT 2011. The share size of Choudhury's proposal, with respect to a secret consisting of one field element, is |V_i| = (t+1)^{3n} |S| / ε^{3n}. Our scheme therefore improves on the share size of that construction and, to the best of our knowledge, currently has the minimal share size among existing efficient schemes with optimal cheater resilience in the case of a single secret.
Oblivious transfer (OT) is a cryptographic primitive of central importance, in particular in two- and multi-party computation. There exist various protocols for different variants of OT, but any such realization from scratch can be broken in principle by at least one of the two involved parties if she has sufficient computing power, and the same even holds when the parties are connected by a quantum channel. We show that, on the other hand, if noise, which is inherently present in any physical communication channel, is taken into account, then OT can be realized in an unconditionally secure way for both parties, i.e., even against dishonest players with unlimited computing power. We give the exact condition under which a general noisy channel allows for realizing OT and show that only "trivial" channels, for which OT is obviously impossible to achieve, have to be excluded. Moreover, our realization of OT is efficient: for a security parameter α > 0, an upper bound on the...
Proceedings of the 18th International Conference on Security and Cryptography
Data such as an individual's income, favorite sports team, typical commute route, vehicle maintenance history, medical records, etc. are typically not useful for making large-scale decisions such as where to build a new hospital, identifying which roads are in need of upkeep, and the like. However, aggregates of these data across hundreds of individuals are useful to governments and to companies. Data cooperatives/unions offer a place for individuals to store their data and a service of data aggregation and interpretation to governments, non-profit organizations, and businesses while maintaining individuals' anonymity. We propose the use of anonymization techniques coupled with graph algorithms over homomorphically encrypted (HE) graphs as a basis of analysis for this accumulated data. We believe this approach ensures individuals' privacy and anonymity while preserving the usefulness of the plaintext data.
We present two efficient protocols for two flavors of oblivious transfer (OT), Rabin OT and 1-out-of-2 OT, using the McEliece cryptosystem and Shamir's zero-knowledge identification scheme based on permuted kernels. This is a step towards diversifying the computational assumptions on which OT, a primitive of central importance, can be based. Although we obtain a weak version of Rabin OT (where the malicious receiver may decrease his erasure probability), it can nevertheless be reduced to secure 1-out-of-2 OT. Elaborating on the first protocol, we provide a practical construction for 1-out-of-2 OT.
We present protocols for two flavors of oblivious transfer (OT), Rabin OT and 1-out-of-2 OT, based on assumptions related to the security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern's from Crypto '93 and Shamir's from Crypto '89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying the computational assumptions on which OT, a cryptographic primitive of central importance, can be based. As a by-product, we expose new applications for both ZKID schemes: Stern's can be used for proving correctness of McEliece encryption, while Shamir's can be used for proving that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender's security of both schemes to a hard problem, although intuition suggests that a successful attack would allow one to solve some long-standing problems in coding theory.
The code-based public-key encryption schemes by McEliece and Niederreiter are famous candidates for the post-quantum world. In this work, we study key-privacy (or anonymity) for these schemes in the standard model. Specifically, we show that the following two paradigms for constructing IND-CCA2 encryption yield IK-CCA2 encryption, if the underlying primitive satisfies IK-CPA under k-repetition: (1) the Rosen-Segev construction (TCC 2009), which we instantiate with the Niederreiter scheme; (2) the Döttling et al. construction (IEEE Transactions on Information Theory 2012), which we instantiate with both the McEliece scheme and the Niederreiter scheme. As far as we know, these instantiations give the first IK-CCA2 code-based schemes in the standard model. In our proofs, we rely on an important observation by Yamakawa et al. (AAECC 2007) that the randomized McEliece encryption is IK-CPA in the standard model. As a side result, we show that the randomized Niederreiter encryption is IK-CPA as well.
Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, 2016
With the spread of the Internet, many mobile devices such as tablets and mobile phones are used in our daily lives, and personal data are often saved on the data servers of storage providers such as Amazon, Google, Yahoo, Baidu and others. In this context, secret sharing can be used to store personal data across several providers, simultaneously reducing the risk of data loss, of data leakage to unauthorized parties, and of data falsification. Secret sharing is one of the solutions that combine security and availability in distributed storage. However, few works have considered servers' affiliations, and specifically the problem that a malicious provider may recover secret data illegally by manipulating the servers it operates when they hold enough shares to recover the secret. In this paper, to resolve this problem, we propose a two-threshold secret sharing scheme that enforces a new type of cross-group policy. By combining a t-out-of-m providers' secret sharing scheme and a k-out-o...
We use interactive hashing (IH) to achieve the most efficient OT protocol to date based solely on the assumption that trapdoor permutations (TDP) exist. Our protocol can be seen as the following (simple) modification of either of the two famous OT constructions: 1) in the one by Even et al. (1985), the receiver must send a random domain element to the sender through IH; 2) in the one by Ostrovsky et al. (1993), the players should use a TDP instead of a one-way permutation. A similar approach is employed to achieve oblivious transfer based on the security of the McEliece cryptosystem. In this second protocol, the receiver inputs a public key into IH while privately keeping the corresponding secret key. Two different versions of IH are used: the computationally secure one in the first protocol, and the information-theoretically secure one in the second.
We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes by McEliece and by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.
2020 Sixth International Conference on Mobile And Secure Services (MobiSecServ), 2020
Information assurance properties are fundamental in securing emerging computer systems. Maintaining properties like authorization in these systems relies on knowing the protocol being used and the type of device using it. Scenarios like IoT often include a diverse set of device types and protocols, which calls for an approach that can encompass this diversity, such as network traffic analysis. With encrypted communication becoming standard, current traffic analysis approaches are rendered ineffective and new means are needed to enable this type of detection. Presented here is a machine learning approach to network analysis that aims to uphold security properties on the network through the fundamental steps of detecting the device types and protocols used. By inspecting VPN traffic, we classify different device types as they log in with the Open Authorization (OAuth) protocol, achieving 96% correct classification in some scenarios. We then turn our attention to detecting the underl...
Code-based cryptographic schemes recently rose to prominence as quantum-safe alternatives to the currently employed number-theoretic constructions, which do not resist quantum attacks. In this article, we discuss the Courtois-Finiasz-Sendrier signature scheme and derive code-based signature schemes using the Fiat-Shamir transformation from code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the Cayrel-Véron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the parameters needed to achieve the 80-bit and 128-bit levels of classical security. To derive secure parameters, we have studied the hardness of the syndrome decoding problem. Furthermore, we implement the Fiat-Shamir-based signature schemes mentioned above and compare their performance on a PC.
Cloud computing brought a shift from the traditional client-server model to Database as a Service (DBaaS), where the data owner outsources her database as well as the data management function to the cloud service provider. Although cloud services relieve clients of the data management burden, a significant concern about data privacy remains. In this work, we focus on privacy-preserving k-nearest neighbour (k-NN) queries and provide the first sublinear solution with preprocessing, with computational complexity $\tilde{O}(k \log^4 n)$, in the honest-but-curious adversarial setting. Our constructions use the kd-tree data structure to achieve sublinear query complexity. In order to protect data access patterns, garbled circuits are used to simulate Oblivious RAM (ORAM) for accessing data in the kd-tree. Compared to existing solutions, our scheme imposes little overhead on both the data owner and the querying client.
At EUROCRYPT 2011, Obana proposed a k-out-of-n secret sharing scheme capable of identifying up to t cheaters with probability 1 − ε under the condition t < k/3. In that scheme, the share size |V_i| satisfies |V_i| = |S|/ε, which is almost optimal. However, Obana's scheme is known to be vulnerable to attacks by a rushing adversary, who can observe the messages sent by the honest participants before deciding her own messages. In this paper, we present a new scheme, secure against a rushing adversary, with |V_i| = |S|/ε^{n−t+1}, assuming t < k/3. We note that the share size of our proposal is substantially smaller than the |V_i| = |S|(t+1)^{3n}/ε^{3n} of the scheme by Choudhury at PODC 2012 when the secret is a single field element. A modification of the latter scheme is secure against a rushing adversary under the weaker condition t < k/2. Our scheme therefore demonstrates an improvement in share size achieved at the price of strengthening the assumption on t.
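As an added illustration of the two secret-sharing constructions described above (the cross-group two-threshold scheme of the UIMC 2016 abstract, and the cheater-identifying threshold schemes of the Obana/Choudhury line), here is example code that is not from any of the cited papers. It implements plain Shamir sharing over a prime field, nests it to enforce a t-of-m-providers, k-of-n-servers policy, and identifies forged shares by the textbook consistency search over k-subsets. That search needs k + 2t shares present at reconstruction time, which is a different trade-off from the tag-based schemes in the abstracts, where any k shares suffice and the cost shows up in the share size instead. The field prime P, the thresholds and the secret are constructed for the demo.

```python
"""Shamir secret sharing over GF(P): nested cross-group policy and
brute-force public cheater identification. Added example, not the
schemes from the cited papers."""
import secrets
from itertools import combinations

# Constructed toy field: a 61-bit Mersenne prime. Production code picks a
# field large enough for the secret and the target error probability.
P = (1 << 61) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, k, n):
    """k-out-of-n split: points (x, f(x)), x = 1..n, on a uniformly random
    polynomial f of degree k-1 with f(0) = secret."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interp_at(points, x):
    """Lagrange interpolation of the polynomial through `points`, evaluated at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares):
    """Recover f(0) from k distinct shares (any k suffice; fewer reveal nothing)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    return _interp_at(shares, 0)


def share_cross_group(secret, t, m, k, n):
    """Cross-group policy: t-of-m providers, and k-of-n servers within a
    provider. Each provider's outer share is itself split across its servers,
    so a provider controlling all of its own servers learns only one outer
    share, which alone is independent of the secret whenever t >= 2."""
    return {pi: share(py, k, n) for pi, py in share(secret, t, m)}


def reconstruct_cross_group(provider_shares, t, k):
    """provider_shares: {provider index: list of that provider's server shares}."""
    if len(provider_shares) < t:
        raise ValueError("cross-group policy: fewer than t providers cooperating")
    outer = []
    for pi, srv in list(provider_shares.items())[:t]:
        if len(srv) < k:
            raise ValueError(f"provider {pi}: fewer than k server shares")
        outer.append((pi, reconstruct(srv[:k])))
    return reconstruct(outer)


def identify_cheaters(shares, k, t):
    """Public cheater identification by consistency: with at most t forged
    shares among n >= k + 2t, exactly one degree-(k-1) polynomial agrees with
    at least n - t of them, and the disagreeing indices are the cheaters.
    Exhaustive over k-subsets, so only for small n."""
    if len(shares) < k + 2 * t:
        raise ValueError("need at least k + 2t shares to identify t cheaters")
    for subset in combinations(shares, k):
        pts = list(subset)
        bad = [x for x, y in shares if _interp_at(pts, x) != y]
        if len(bad) <= t:
            return _interp_at(pts, 0), sorted(bad)
    raise ValueError("more than t shares were tampered with")


def demo(secret=0x5EC12E7):
    """Runs both constructions on a constructed secret and returns the results."""
    groups = share_cross_group(secret, t=2, m=3, k=2, n=3)
    two_providers = reconstruct_cross_group({1: groups[1], 3: groups[3]}, t=2, k=2)
    try:
        reconstruct_cross_group({2: groups[2]}, t=2, k=2)   # one provider, all its servers
        single_blocked = False
    except ValueError:
        single_blocked = True
    honest = share(secret, 3, 7)        # k = 3, n = 7 >= k + 2t for t = 2
    forged = [(x, (y + 1) % P) if x in (2, 5) else (x, y) for x, y in honest]
    recovered, cheaters = identify_cheaters(forged, k=3, t=2)
    return {"two_providers": two_providers, "single_provider_blocked": single_blocked,
            "recovered": recovered, "cheaters": cheaters}


if __name__ == "__main__":
    print(demo())
```

The consistency search identifies cheaters from the shares alone, so a rushing adversary gains nothing from seeing honest shares first; what it costs is redundancy, since k + 2t participants must be present, whereas the schemes in the abstracts keep reconstruction at k participants and pay with the |V_i| bounds quoted above.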
This paper evaluates the security of the key agreement system for wireless networks proposed recently by Aono et al. This system, which exploits the reciprocity of the radio communication channel, shows high potential for providing unconditional security, where protection is provided even against an eavesdropper with unlimited computing power. However, a rigorous security analysis was missing there. In this work, we move towards one: we define and compute the information measures characterizing the uncertainty of the legitimate parties and of the eavesdropper about the generated key. Furthermore, we show a method for choosing the parameters of this system such that the parties succeed in generating a common key while the adversary remains ignorant of it with high probability. We also point out that the system needs strengthening using privacy amplification in order to achieve unconditional security under some reasonable (as we shall argue) assumptions: a) that an eavesdropper did not intercept ...
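The privacy-amplification step the abstract calls for, shown as an added example that is not from Aono et al. or from this paper: after reconciliation, Alice and Bob hold an identical raw key of n bits about which the eavesdropper may hold up to e bits of information; they agree on a public random seed and compress the key with a Toeplitz universal hash to l = n − e − 2·log2(1/ε) bits, the length the leftover hash lemma allows while keeping the output within ε of uniform from the eavesdropper's view. The raw key, the seed and the bound e are constructed for the demo.

```python
"""Privacy amplification with a Toeplitz universal hash. Added example,
not the key agreement system of Aono et al."""
import math
import random


def amplified_length(n, eve_bits, eps):
    """Leftover hash lemma: hashing an n-bit key about which the adversary
    holds at most eve_bits of information with a universal hash yields
    n - eve_bits - 2*log2(1/eps) bits that are within eps of uniform."""
    if not 0 < eps < 1:
        raise ValueError("eps must lie in (0, 1)")
    ell = n - eve_bits - math.ceil(2 * math.log2(1 / eps))
    return max(ell, 0)


def toeplitz_hash(seed_bits, key_bits, out_len):
    """Multiply the key by the out_len x n Toeplitz matrix whose (i, j) entry
    is seed_bits[i - j + n - 1]; the seed needs n + out_len - 1 bits and may
    be public, since Toeplitz matrices form a universal hash family."""
    n = len(key_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & key_bits[j]
        out.append(acc)
    return out


def amplify(alice_raw, bob_raw, eve_bits, eps, seed_bits):
    """Both parties apply the same public hash to their reconciled raw keys.
    Returns (alice_key, bob_key, out_len)."""
    n = len(alice_raw)
    if len(bob_raw) != n:
        raise ValueError("raw keys must have equal length")
    ell = amplified_length(n, eve_bits, eps)
    if ell == 0:
        raise ValueError("no secrecy left to extract")
    return (toeplitz_hash(seed_bits, alice_raw, ell),
            toeplitz_hash(seed_bits, bob_raw, ell), ell)


def demo():
    """Constructed raw key and seed from a seeded PRNG, for reproducibility
    only; real raw keys come from the channel measurements and the seed from
    a true random source."""
    rng = random.Random(2016)
    n, eve_bits, eps = 64, 20, 2 ** -10
    raw = [rng.getrandbits(1) for _ in range(n)]
    ell = amplified_length(n, eve_bits, eps)
    seed = [rng.getrandbits(1) for _ in range(n + ell - 1)]
    a_key, b_key, _ = amplify(raw, raw, eve_bits, eps, seed)
    return {"out_len": ell, "keys_match": a_key == b_key, "alice_key": a_key}


if __name__ == "__main__":
    print(demo())
```

The bound eve_bits is the quantity the abstract's information measures are meant to supply: it must upper-bound what the eavesdropper's own channel observations reveal about the raw key, and the amplified key is only as secret as that estimate is honest.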
Verifiable secret sharing (VSS) allows honest parties to ensure consistency of their shares even if the dealer and/or a subset of parties are corrupt. We focus on perfect VSS, i.e., schemes providing perfect privacy, correctness and commitment with zero error, in the unconditional (information-theoretic) security setting where no assumption on the computational power of the participants is imposed.
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In terms of communication, our protocol only requires the transfer of one public key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low-noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low-noise LPN, McEliece, and QC-MDPC...
We present CMCAP (context-mapped capabilities), a decentralized mechanism for specifying and enforcing adaptive access control policies for resource-centric security. Policies in CMCAP express runtime constraints defined as containment domains with context-mapped capabilities, and ephemeral sandboxes for dynamically enforcing the desired information flow properties while preserving functional correctness of the sandboxed programs. CMCAP is designed to remediate the weaknesses of DAC and to address the inflexibility that makes current MAC frameworks impractical for the common user. We use a Linux-based implementation of CMCAP to demonstrate how a program's dynamic profile is used for access control and intrusion prevention.
Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and the applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the application platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take the mobile environment into consideration, and implementation verification is largely based on code analysis. Our preliminary results are twofold: we sketch an extension to a formal model that incorporates the specifics of the Android platform, and we classify OAuth device types using machine learning on encrypted VPN traffic.
In this paper, we present an efficient k-out-of-n secret sharing scheme, which can identify up to... more In this paper, we present an efficient k-out-of-n secret sharing scheme, which can identify up to t rushing cheaters, with probability at least 1 − , where 0 < < 1/2, provided t < k/2. This is the optimal number of cheaters that can be tolerated in the setting of public cheater identification, on which we focus in this work. In our scheme, the set of all possible shares V i satisfies the condition that |V i | = (t+1) 2n+k−3 |S| 2n+k−3 , where S denotes the set of all possible secrets. In PODC-2012, Ashish Choudhury came up with an efficient t-cheater identifiable k-out-of-n secret sharing scheme, which was a solution of an open problem proposed by Satoshi Obana in EUROCRYPT-2011. The share size, with respect to a secret consisting of one field element, of Choudhury's proposal in PODC-2012 is |V i | = (t+1) 3n |S| 3n. Therefore, our scheme presents an improvement in share size over the above construction. Hence, to the best of our knowledge, our proposal currently has the minimal share size among existing efficient schemes with optimal cheater resilience, in the case of a single secret.
Abstract. Oblivious transfer (OT) is a cryptographic primitive of cen-tral importance, in particu... more Abstract. Oblivious transfer (OT) is a cryptographic primitive of cen-tral importance, in particular in two- and multi-party computation. There exist various protocols for different variants of OT, but any such realiza-tion from scratch can be broken in principle by at least one of the two involved parties if she has sufficient computing power—and the same even holds when the parties are connected by a quantum channel. We show that, on the other hand, if noise—which is inherently present in any physical communication channel—is taken into account, then OT can be realized in an unconditionally secure way for both parties, i.e., even against dishonest players with unlimited computing power. We give the exact condition under which a general noisy channel allows for realiz-ing OT and show that only “trivial ” channels, for which OT is obviously impossible to achieve, have to be excluded. Moreover, our realization of OT is efficient: For a security parameter α> 0—an upper bound on the...
Proceedings of the 18th International Conference on Security and Cryptography
Data such as an individual's income, favorite sports team, typical commute route, vehicle mainten... more Data such as an individual's income, favorite sports team, typical commute route, vehicle maintenance history, medical records, etc. are typically not useful for making large-scale decisions such as where to build a new hospital, identifying which roads are in need of upkeep, and the like. However, aggregates of of these data across hundreds of individuals are useful to governments and to companies. Data cooperatives/unions offer a place for individuals to store their data and a service of data aggregation and interpretation to governments, non-profit organizations, and businesses while maintaining individuals' anonymity. We propose the use of anonymization techniques coupled with graph algorithms over homomorphically encrypted (HE) graphs as a basis of analysis for this accumulated data. We believe this approach ensures individuals' privacy and anonymity while preserving the usefulness of the plaintext data.
Abstract. We present two efficient protocols for two flavors of oblivious transfer (OT): the Rabi... more Abstract. We present two efficient protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT using the McEliece cryptosystem and Shamir’s zero-knowledge identification scheme based on permuted kernels. This is a step towards diversifying computational assumptions on which OT – the primitive of central importance – can be based. Although we obtain a weak version of Rabin OT (where the malicious receiver may decrease his erasure probability), it can nevertheless be reduced to secure 1-out-of-2 OT. Elaborating on the first protocol, we provide a practical construction for 1-out-of-2 OT.
Abstract. We present protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of... more Abstract. We present protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT based on the assumptions related to security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern’s from Crypto ’93 and Shamir’s from Crypto ’89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying computational assumptions on which OT – cryptographic primitive of central importance – can be based. As a by-product, we expose new interesting applications for both ZKID schemes: Stern’s can be used for proving correctness of McEliece encryption, while Shamir’s – for proving that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender’s security of both schemes to a hard problem, although the intuition suggests a successful attack may allow to solve some long-standing problems in coding theory.
The code-based public-key encryption schemes by McEliece and Niederreiter are famous candidates f... more The code-based public-key encryption schemes by McEliece and Niederreiter are famous candidates for the post-quantum world. In this work, we study key-privacy (or anonymity) for these schemes in the standard model. Specifically, we show that the following two paradigms for constructing IND-CCA2 encryption yield IK-CCA2 encryption, if the underlying primitive satisfies IK-CPA under k-repetition: (1) The Rosen-Segev construction (TCC 2009), we instantiate it with the Niederreiter scheme; (2) The Döttling et al. construction (IEEE Transactions on Information Theory 2012), we instantiate it with both the McEliece scheme and the Niederreiter scheme. As far as we know, these instantiations give the first IK-CCA2 code-based schemes in the standard model. In our proofs, we rely on an important observation by Yamakawa et al. (AAECC 2007) that the randomized McEliece encryption is IK-CPA in the standard model. As a side result, we show that the randomized Niederreiter encryption is IK-CPA as well.
The code-based public-key encryption schemes by McEliece and Niederreiter are famous candidates f... more The code-based public-key encryption schemes by McEliece and Niederreiter are famous candidates for the post-quantum world. In this work, we study key-privacy (or anonymity) for these schemes in the standard model. Specifically, we show that the following two paradigms for constructing \(\mathrm {IND}\text {-}\mathrm {CCA}2\) encryption yield \(\mathrm {IK}\text {-}\mathrm {CCA}2\) encryption, if the underlying primitive satisfies \(\mathrm {IK}\text {-}\mathrm {CPA}\) under k-repetition: (1) The Rosen-Segev construction (TCC 2009), we instantiate it with the Niederreiter scheme; (2) The Dottling et al. construction (IEEE Transactions on Information Theory 2012), we instantiate it with both the McEliece scheme and the Niederreiter scheme. As far as we know, these instantiations give the first IK-CCA2 code-based schemes in the standard model. In our proofs, we rely on an important observation by Yamakawa et al. (AAECC 2007) that the randomized McEliece encryption is \(\mathrm {IK}\te...
Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, 2016
With the spread of the Internet, many mobile devices are used in our daily lives, such as tablets... more With the spread of the Internet, many mobile devices are used in our daily lives, such as tablets and mobile phones. Then, personal data are often saved on data servers of the storage providers such as Amazon, Google, Yahoo, Baidu and others. In this context, the secret sharing can be used to store personal data onto several providers, simultaneously reducing the risk of data loss, the data leakage to unauthorized parties, and data falsification. Secret sharing is one of the solutions to combine security and availability in the distributed storage. However, few works considered servers' affiliations, and specifically, the problem that a malicious provider may recover secret data illegally through manipulation on servers that hold enough shares to recover the secret. In this paper, to resolve the problem, we propose a two-threshold secret sharing scheme in order to enforce a new type of cross-group policy. By combining t-out-of-m providers' secret sharing scheme and a k-out-o...
We use interactive hashing to achieve the most ecient OT protocol to date based solely on the ass... more We use interactive hashing to achieve the most ecient OT protocol to date based solely on the assumption that trapdoor permutations (TDP) exist. Our protocol can be seen as the following (simple) modication of either of the two famous OT constructions: 1) In the one by Even et al (1985), a receiver must send a random domain element to a sender through IH; 2) In the one by Ostrovsky et al (1993), the players should use TDP instead of one-way permutation. A similar approach is employed to achieve oblivious transfer based on the security of the McEliece cryptosystem. In this second protocol, the receiver inputs a public key into IH, while privately keeping the corresponding secret key. Two dierent versions of IH are used: the computationally secure one in the rst protocol, and the informationtheoretically secure one in the second.
We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on codin... more We present a survey of recent results in the area of zero-knowledge (ZK) protocols based on coding problems and the related Learning Parities with Noise (LPN) problem. First, we sketch the constructions of two ZK code-based identification schemes: the one based on general decoding by Jain et al. (Asiacrypt 2012) and the one based on syndrome decoding by Stern (Crypto 1993). Next, we show that these two systems can also be used to implement a proof of plaintext knowledge for the code-based public key encryption schemes: the one by McEliece and the one by Niederreiter, respectively. Finally, we briefly discuss verifiable encryption and digital signatures as applications.
2020 Sixth International Conference on Mobile And Secure Services (MobiSecServ), 2020
Information assurance properties are fundamental in securing emerging computer systems. Maintaini... more Information assurance properties are fundamental in securing emerging computer systems. Maintaining properties like authorization in these systems relies on knowing the protocol being used and the type of device using it. Scenarios like IoT often include a diverse set of device types and protocols which call for an approach that can encompass this diversity, such as network traffic analysis. With encrypted communication becoming more standard, current traffic analysis approaches are rendered ineffective and new means are called for to enable this type of detection. Presented here is a machine learning approach to network analysis that aims to uphold security properties on the network through the fundamental steps of detecting device types and protocols used. By inspecting VPN traffic, we classify different device types as they login with the Open Authorization (OAuth) protocol, achieving 96% correct classification in some scenarios. We then turn our attention to detecting the underl...
Code-based cryptographic schemes recently raised to prominence as quantum-safe alternatives to th... more Code-based cryptographic schemes recently raised to prominence as quantum-safe alternatives to the currently employed numbertheoretic constructions, which do not resist quantum attacks. In this article, we discuss the Courtois-Finiasz-Sendrier signature scheme and derive code-based signature schemes using the Fiat-Shamir transformation from code-based zero-knowledge identification schemes, namely the Stern scheme, the Jain-Krenn-Pietrzak-Tentes scheme, and the CayrelVeron-El Yousfi scheme. We analyze the security of these code-based signature schemes and derive the security parameters to achieve the 80bit and 128-bit level of classical security. To derive the secure parameters, we have studied the hardness of Syndrome Decoding Problem. Furthermore, we implement the signature schemes, based on the Fiat-Shamir transform, which were mentioned above, and compare their performance on a PC.
Cloud computing brought a shift from the traditional client-server model to DataBase as a Service... more Cloud computing brought a shift from the traditional client-server model to DataBase as a Service DBaaS, where the data owner outsources her database as well as the data management function to the cloud service provider. Although cloud services relieve the clients from the data management burdens, a significant concern about the data privacy remains. In this work, we focus on privacy-preserving k-nearest neighbour k-NN query, and provide the first sublinear solution with preprocessing with computational complexity $$\tilde{O}k\text {log}^4n$$ in the honest-but-curious adversarial setting. Our constructions use the data structure called kd-tree to achieve sublinear query complexity. In order to protect data access patterns, garbled circuits are used to simulate Oblivious RAM ORAM for accessing data in the kd-tree. Compared to the existing solutions, our scheme imposes little overhead on both the data owner and the querying client.
At EUROCRYPT 2011, Obana proposed a k-out-of-n secret sharing scheme capable of identifying up to t cheaters with probability 1 under the condition t < k/3. In that scheme, the share size |V_i| satisfies |V_i| = |S|/ε, which is almost optimal. However, Obana's scheme is known to be vulnerable to attacks by a rushing adversary, who can observe the messages sent by the honest participants prior to deciding her own messages. In this paper, we present a new scheme, which is secure against a rushing adversary, with |V_i| = |S|/ε^{n−t+1}, assuming t < k/3. We note that the share size of our proposal is substantially smaller compared to |V_i| = |S|(t + 1)^{3n}/ε^{3n} in the scheme by Choudhury at PODC 2012 when the secret is a single field element. A modification of the latter scheme is secure against a rushing adversary under a weaker t < k/2 condition. Therefore, our scheme demonstrates an improvement in share size achieved for the price of strengthening the assumption on t.
This paper evaluates the security of the key agreement system for wireless networks proposed recently by Aono et al. This system, which exploits the reciprocal property of the radio communication channel, shows a high potential for providing unconditional security, where protection is provided even against an eavesdropper with unlimited computing power. However, a rigorous security analysis was missing there. In this work, we move towards it: we define and compute the information measures characterizing, for the legitimate parties and the eavesdropper, their uncertainty about the generated key. Furthermore, we show a method for choosing parameters of this system such that the parties succeed in generating a common key while the adversary is ignorant about it with high probability. We also point out that the system needs strengthening using privacy amplification in order to achieve unconditional security under some reasonable (as we shall argue) assumptions: a) that an eavesdropper did not intercept ...
Verifiable secret sharing (VSS) allows honest parties to ensure consistency of their shares even if a dealer and/or a subset of parties are corrupt. We focus on perfect VSS, i.e., those providing perfect privacy, correctness and commitment with zero error, in the unconditional (information-theoretic) security setting where no assumption on the computational power of the participants is imposed.
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In terms of communication, our protocol only requires the transfer of one public key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC...
We present CMCAP (context-mapped capabilities), a decentralized mechanism for specifying and enforcing adaptive access control policies for resource-centric security. Policies in CMCAP express runtime constraints defined as containment domains with context-mapped capabilities, and ephemeral sandboxes for dynamically enforcing desired information flow properties while preserving functional correctness for the sandboxed programs. CMCAP is designed to remediate DAC's weakness and address the inflexibility that makes current MAC frameworks impractical to the common user. We use a Linux-based implementation of CMCAP to demonstrate how a program's dynamic profile is used for access control and intrusion prevention.
Verifying protocol implementations via application analysis can be cumbersome. Rapid development cycles of both the protocol and the applications that use it can hinder up-to-date analysis. A better approach is to use formal models to characterize the application's platform and then verify the protocol through analysis of the network traffic tied to the models. To test this method, the popular protocol OAuth is considered. Currently, formal models of OAuth do not take into consideration the mobile environment, and implementation verification is largely based on code analysis. Our preliminary results are twofold: we sketch an extension to a formal model that incorporates the specifics of the Android platform, and we classify OAuth device types using machine learning on encrypted VPN traffic.
Papers by Kirill Morozov