TL;DR: In this article, the performance of permutation-only multimedia ciphers against known/chosen-plaintext attacks was analyzed and it was shown that O(log_L(MN)) chosen plaintexts are sufficient to recover not less than (in an average sense) half of the plaintext.
Abstract: In recent years secret permutations have been widely used for protecting different types of multimedia data, including speech files, digital images and videos. Based on a general model of permutation-only multimedia ciphers, this paper performs a quantitative cryptanalysis of the performance of this kind of cipher against plaintext attacks. When the plaintext is of size M×N and with L different levels of values, the following quantitative cryptanalytic findings have been concluded under the assumption of a uniform distribution of each element in the plaintext: (1) all permutation-only multimedia ciphers are practically insecure against known/chosen-plaintext attacks in the sense that only O(log_L(MN)) known/chosen plaintexts are sufficient to recover not less than (in an average sense) half of the elements of the plaintext; (2) the computational complexity of the known/chosen-plaintext attack is only O(n·(MN)^2), where n is the number of known/chosen plaintexts used. When the plaintext has a non-uniform distribution, the number of required plaintexts and the computational complexity are also discussed. Experiments are given to demonstrate the real performance of the known-plaintext attack for a typical permutation-only image cipher.
TL;DR: In this article, the authors considered predicate privacy in the symmetric-key setting and presented a symmetric-key predicate encryption scheme which supports inner product queries, and proved that their scheme achieves both plaintext privacy and predicate privacy.
Abstract: Predicate encryption is a new encryption paradigm which gives a master secret key owner fine-grained control over access to encrypted data. The master secret key owner can generate secret key tokens corresponding to predicates. An encryption of data x can be evaluated using a secret token corresponding to a predicate f; the user learns whether the data satisfies the predicate, i.e., whether f(x) = 1. Prior work on public-key predicate encryption has focused on the notion of data or plaintext privacy, the property that ciphertexts reveal no information about the encrypted data to an attacker other than what is inherently revealed by the tokens the attacker possesses. In this paper, we consider a new notion called predicate privacy, the property that tokens reveal no information about the encoded query predicate. Predicate privacy is inherently impossible to achieve in the public-key setting and has therefore received little attention in prior work. In this work, we consider predicate encryption in the symmetric-key setting and present a symmetric-key predicate encryption scheme which supports inner product queries. We prove that our scheme achieves both plaintext privacy and predicate privacy.
TL;DR: This paper presents the first construction of a unidirectional proxy re-encryption scheme with chosen-ciphertext security in the standard model (i.e. without relying on the random oracle idealization), which solves a problem left open at CCS'07.
Abstract: In 1998, Blaze, Bleumer, and Strauss proposed a cryptographic primitive called proxy re-encryption, in which a proxy transforms, without seeing the corresponding plaintext, a ciphertext computed under Alice's public key into one that can be opened using Bob's secret key. Recently, an appropriate definition of chosen-ciphertext security and a construction fitting this model were put forth by Canetti and Hohenberger. Their system is bidirectional: the information released to divert ciphertexts from Alice to Bob can also be used to translate ciphertexts in the opposite direction. In this paper, we present the first construction of a unidirectional proxy re-encryption scheme with chosen-ciphertext security in the standard model (i.e. without relying on the random oracle idealization), which solves a problem left open at CCS'07. Our construction is efficient and requires a reasonable complexity assumption in bilinear map groups. Like the Canetti-Hohenberger scheme, it ensures security according to a relaxed definition of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.
TL;DR: In this article, a new proxy re-encryption scheme without resorting to bilinear pairings is proposed, and the chosen-ciphertext security of the proposed scheme is proved in the random oracle model.
Abstract: In a proxy re-encryption system, a semi-trusted proxy can convert a ciphertext originally intended for Alice into a ciphertext intended for Bob, without learning the underlying plaintext. Proxy re-encryption has found many practical applications, such as encrypted email forwarding, secure distributed file systems, and outsourced filtering of encrypted spam. In ACM CCS'07, Canetti and Hohenberger presented a proxy re-encryption scheme with chosen-ciphertext security, and left an important open problem to construct a chosen-ciphertext secure proxy re-encryption scheme without pairings. In this paper, we solve this open problem by proposing a new proxy re-encryption scheme without resorting to bilinear pairings. Based on the computational Diffie-Hellman (CDH) problem, the chosen-ciphertext security of the proposed scheme is proved in the random oracle model.
TL;DR: A notion of obfuscation that is preserved under an appropriate composition operation is defined, which can be used to construct obfuscators of point functions with multibit output and other related functions.
Abstract: We construct obfuscators of point functions with multibit output and other related functions. A point function with multibit output returns a fixed string on a single input point and zero everywhere else. Obfuscation of such functions has a useful application as a strong form of symmetric encryption which guarantees security even when the key has very low entropy: Essentially, learning information about the plaintext is tantamount to finding the key via exhaustive search on the key space.
Although the constructions appear to be simple and modular, their analysis turns out to be quite intricate. In particular, we uncover some weaknesses in the current definitions of obfuscation. One weakness is that current definitions do not guarantee security even under very weak forms of composition. We thus define a notion of obfuscation that is preserved under an appropriate composition operation. The constructions can use any obfuscator of point functions under the proposed definition. Alternatively, they can use perfect one-way (POW) functions with statistical indistinguishability, or with computational indistinguishability at the price of somewhat weaker security.
TL;DR: It is formally proved that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions.
Abstract: In this paper, we formally prove that padding the plaintext with a random bit-string provides semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt '05 showing "pseudorandomness" implied by the learning parity with noise (LPN) problem. We do not need random oracles, as opposed to the known generic constructions which, on the other hand, provide stronger protection than our scheme, namely against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with the corresponding workload required for a successful attack.
TL;DR: An encryption scheme is designed by using the technologies of DNA synthesis, PCR amplification and DNA digital coding as well as the theory of traditional cryptography to prevent attack from a possible word as PCR primers.
Abstract: The vast parallelism, exceptional energy efficiency and extraordinary information density inherent in DNA molecules are being explored for computing, data storage and cryptography. DNA cryptography is a new field of cryptography arising with the research of DNA computing in recent years. In this paper, an encryption scheme is designed by using the technologies of DNA synthesis, PCR amplification and DNA digital coding as well as the theory of traditional cryptography. By applying the special function of primers to PCR amplification, the primers and coding mode are used as the key of the scheme. The traditional encryption method and DNA digital coding are used to preprocess the plaintext, which can effectively prevent attack from a possible word as PCR primers. Biological difficult issues and cryptographic computing difficulties provide double security safeguards for the scheme. The security analysis shows that the encryption scheme has high confidentiality strength. To demonstrate the performance, we present an interesting example of encoding and decoding a message between two specific persons using the proposed scheme.
TL;DR: It turns out that for an outdated and unprotected 0.8 µm PIC16F84A microcontroller it is possible to recover the AES secret key directly during the initial AddRoundKey operation as the side channel can distinguish the individual key bits being XORed to the plaintext.
Abstract: The authors present a short note describing the newly emerging optical side channel. The basic idea of the channel is very simple – many parts of the integrated circuits consist of transistors that represent one of the two logical states 0 or 1. When the state changes, there is some light that is emitted in the form of a few photons. A device employing the method which is able to detect these photons (called picosecond imaging circuit analysis) is available in several laboratories, for example, in the French space agency CNES. From the point of view of the cryptanalyst, once the optical side channel information is available for a specific cipher on a device, it is possible to identify deep inner states that should not be revealed. In fact, it turns out that for an outdated and unprotected 0.8 µm PIC16F84A microcontroller it is possible to recover the AES secret key directly during the initial AddRoundKey operation as the side channel can distinguish the individual key bits being XORed to the plaintext.
TL;DR: An encrypted wireless sensor network (eWSN) concept is introduced, in which stochastic enciphers operating on binary sensor outputs disguise the sensor outputs.
Abstract: We consider decentralized estimation of a noise-corrupted deterministic signal in a bandwidth-constrained sensor network communicating through an insecure medium. Each sensor collects a noise-corrupted version, performs a local quantization, and transmits a 1-bit message to an ally fusion center through a wireless medium where the sensor outputs are vulnerable to unauthorized observation from enemy/third-party fusion centers. In this paper, we introduce an encrypted wireless sensor network (eWSN) concept where stochastic enciphers operating on binary sensor outputs are introduced to disguise the sensor outputs, creating an eWSN scheme. Noting that the plaintext (original) and ciphertext (disguised) messages are constrained to a single bit due to bandwidth constraints, we consider a binary channel-like scheme to probabilistically encipher (i.e., flip) the sensor outputs. We first consider a symmetric key encryption case where the "0" and "1" enciphering probabilities are equal. The key is represented by the bit enciphering probability. Specifically, we derive the optimal estimator of the deterministic signal approached from a maximum-likelihood perspective and the Cramer-Rao lower bound for the estimation problem utilizing the key. Furthermore, we analyze the effect of the considered cryptosystem on enemy fusion centers that are unaware of the fact that the WSN is encrypted (i.e., we derive the bias, variance, and mean square error (MSE) of the enemy fusion center). We then extend the cryptosystem to admit unequal enciphering schemes for "0" and "1", and analyze the estimation problem from both the perspectives of ally (that has access to the enciphering keys) and (third-party) enemy fusion centers.
The results show that when designed properly, a significant amount of bias and MSE can be introduced to an enemy fusion center with the cost to the ally fusion center being a marginal increase [a factor of (1−Ω1−Ω0)^(−2), where 1−Ωj, j=0,1, is the "j" enciphering probability] in the estimation variance (compared to the variance of a fusion center estimate operating in a vulnerable WSN).
TL;DR: This paper shows that by applying the Naor-Yung "double encryption" paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme.
Abstract: Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the longstanding open problem of "circular encryption," by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung "double encryption" paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use of the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.
TL;DR: In this paper, the authors discuss the theory of public key encryption and the security of digital signature schemes in the context of cryptosystems over prime fields, and present a digital signature scheme based on CVP.
Abstract: Session I: Algebraic and Number Theoretical Cryptanalysis (I).- Total Break of the ℓ-IC Signature Scheme.- Recovering NTRU Secret Key from Inversion Oracles.- Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?.- Session II: Theory of Public Key Encryption.- Relations Among Notions of Plaintext Awareness.- Completely Non-malleable Encryption Revisited.- Invited Talk I.- Cryptographic Test Correction.- Session III: Digital Signatures (I).- Off-Line/On-Line Signatures: Theoretical Aspects and Experimental Results.- Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures.- Proxy Signatures Secure Against Proxy Key Exposure.- Session IV: Identification, Broadcast and Key Agreement.- Lattice-Based Identification Schemes Secure Under Active Attacks.- Efficient Simultaneous Broadcast.- SAS-Based Group Authentication and Key Agreement Protocols.- Session V: Implementation of Fast Arithmetic.- An Optimized Hardware Architecture for the Montgomery Multiplication Algorithm.- New Composite Operations and Precomputation Scheme for Elliptic Curve Cryptosystems over Prime Fields.- Session VI: Digital Signatures (II).- Online-Untransferable Signatures.- Security of Digital Signature Schemes in Weakened Random Oracle Models.- A Digital Signature Scheme Based on CVP∞.- Session VII: Algebraic and Number Theoretical Cryptanalysis (II).- An Analysis of the Vector Decomposition Problem.- A Parameterized Splitting System and Its Application to the Discrete Logarithm Problem with Low Hamming Weight Product Exponents.- Session VIII: Public Key Encryption.- Certificateless Encryption Schemes Strongly Secure in the Standard Model.- Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption.- Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time.
TL;DR: This scheme enriches the range of available cryptographic primitives whose security relies on the hardness of the LPN problem and achieves indistinguishability under adaptive chosen plaintext attacks (IND-P2-C0).
Abstract: We present a probabilistic private-key encryption scheme named LPN-C whose security can be reduced to the hardness of the Learning from Parity with Noise (LPN) problem. The proposed protocol involves only basic operations in GF(2) and an error-correcting code. We show that it achieves indistinguishability under adaptive chosen plaintext attacks (IND-P2-C0). Appending a secure MAC renders the scheme secure under adaptive chosen ciphertext attacks. This scheme enriches the range of available cryptographic primitives whose security relies on the hardness of the LPN problem.
TL;DR: The concept of voter-verifiability is described, and a particular voting protocol, the Prêt à Voter protocol, is outlined for achieving voter-verifiability, with a new version of the protocol that exploits some special features of the Paillier encryption algorithm.
TL;DR: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed and it is shown that the compression performance on standard test files is satisfactory while the security is not compromised.
Abstract: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed. The lookup table used for encryption is determined adaptively by the probability of occurrence of plaintext symbols. As a result, more probable symbols will have a higher chance to be visited by the chaotic search trajectory. The required number of iterations is small and can be represented by a short code. The compression capability is thus achieved. Simulation results show that the compression performance on standard test files is satisfactory while the security is not compromised. Our scheme also guarantees that the ciphertext is not longer than the plaintext.
TL;DR: A new digital image encryption scheme based on variable parameters double logistic systems is presented, which possesses the features of large key spaces, sensitive key dependence, and good security.
Abstract: Research on chaos-based image encryption schemes is becoming increasingly popular; unfortunately, most of the algorithms proposed provide poor security because of their failure to resist attack. A new digital image encryption scheme based on variable parameters double logistic systems is presented. The subkey sequences are generated after optimizing and adjusting the chaotic maps, which have a certain relation to the plaintext; this enhances the security of the cryptosystem. The analysis and the simulation results imply this encryption scheme possesses the features of large key spaces, sensitive key dependence, and good security. In particular, this algorithm is able to effectively resist traditional attacks.
TL;DR: An improved chaos-based image encryption scheme, in which the grayscale substitution is done by circular bit shift method, which improves the security under precision restricted condition and makes the encryption system strong against known/chosen-plaintext attack.
Abstract: Chaos-based image encryption algorithms have been widely investigated recently. Concrete implementations of these conventional chaos-based algorithms usually give rise to some security problems due to the computation precision restriction. This paper proposes an improved chaos-based image encryption scheme, in which the grayscale substitution is done by a circular bit shift method. The scheme enlarges the key space to 2^212, which improves the security under the precision-restricted condition. The combination of position permutation and grayscale substitution operations makes the encryption system strong against known/chosen-plaintext attack. The chaotic binary and decimal key streams are proved to have good statistical properties. Theoretical analysis and experimental results show that the scheme proposed in this paper is more secure than conventional chaos-based ones.
TL;DR: An image encryption system using a special kind of cellular automata (cellular automata with memory), together with an appropriate transition function for the cryptosystem, is proposed, and the use of a lossy method provides a secure scheme.
Abstract: In this paper, an image encryption system using a special kind of cellular automata (cellular automata with memory), together with an appropriate transition function for the cryptosystem, is proposed. A lossy idea is also used to present a secure cryptosystem. The use of the lossy method provides a secure scheme, and it is shown that the result is resistant to cryptanalytic attacks, especially known-plaintext and chosen-plaintext attacks. When the original image is compared with the decrypted image by the human visual system, it is not recognizable which one is decrypted and which one is the original image.
TL;DR: This paper proposes a new Certificate-Based Encryption (CBE) scheme which is fully secure in the standard model, and achieves chosen ciphertext (CCA) security directly without any transformation.
Abstract: In this paper, we propose a new Certificate-Based Encryption (CBE) scheme which is fully secure in the standard model. We achieve chosen ciphertext (CCA) security directly without any transformation. When compared to all previous generic constructions (in either the random oracle or the standard model), our scheme is far more efficient. When compared to the CBE scheme in [16] (which is the only concrete implementation secure in the standard model), we enjoy a great improvement in terms of space efficiency. Their scheme requires more than 160 group elements for the public parameters in order to gain an acceptable level of security. Our scheme requires just 5 group elements. In addition, the message space of our scheme is almost double that of [16]. A larger message space implies that a smaller number of encryption operations of the same plaintext is required, resulting in a smaller overall ciphertext and overhead as well.
TL;DR: This paper provides a chosen-plaintext attack to recover the corresponding plaintext of a given ciphertext and proposes an improved algorithm which includes two rounds of substitution and one round of permutation to strengthen the overall performance.
Abstract: Recently, two chaotic image encryption schemes have been proposed, in which shuffling the positions and changing the grey values of image pixels are combined. This paper provides a chosen-plaintext attack to recover the corresponding plaintext of a given ciphertext. Furthermore, it points out that the two schemes are not sufficiently sensitive to small changes in the plaintext. Based on the given analysis, it proposes an improved algorithm which includes two rounds of substitution and one round of permutation to strengthen the overall performance.
TL;DR: In this paper, a user provides a cursor position within the n-dimensional entity and a user seed to a pseudo-random number generator, which is combined with a fingerprint of a computing system in which the invention operates.
Abstract: A system and method is directed to providing an n-dimensional entity for encoding and storing data securely. A user provides a cursor position within the n-dimensional entity, and a user seed to a pseudo-random number generator. The user seed may be combined with a fingerprint of a computing system in which the invention operates. The n-dimensional entity is populated with bits from the pseudo-random number generator. Bits within the n-dimensional entity are associated with actions to be performed at each cursor position. Subsequent cursor directions within the n-dimensional entity are determined using a random number generator. Plaintext is bitwise translated to a direction and an offset from the cursor position to a bit matching the plaintext bit within the n-dimensional entity. The offset is employed to modify a row of truly random bits in an encoded array.
TL;DR: Under the combination of arithmetic coding and the logistic map, a novel chaotic encryption scheme is presented, where the plaintexts are encrypted and compressed by using an arithmetic coder whose mapping intervals are changed irregularly according to a keystream derived from the chaotic map and the plaintext.
Abstract: In this paper, under the combination of arithmetic coding and the logistic map, a novel chaotic encryption scheme is presented. The plaintexts are encrypted and compressed by using an arithmetic coder whose mapping intervals are changed irregularly according to a keystream derived from the chaotic map and the plaintext. The performance and security of the scheme are also studied experimentally and theoretically in detail.
TL;DR: In this article, the utility model discloses a device used for checking and filtering communication data, so that data transmission between the client side and the server can be checked and filtered; it includes an SSL/TLS proxy server which decrypts SSL/TLS-encrypted data from the client side/server to plaintext, and such plaintext is then delivered to safety inspection and filtering equipment.
Abstract: The utility model discloses a device used for checking and filtering communication data, so that data transmission between the client side and the server can be checked and filtered. It includes an SSL/TLS proxy server which decrypts SSL/TLS-encrypted data from the client side/server to plaintext; such plaintext is then delivered to safety inspection and filtering equipment. The processed plaintext data is encrypted to SSL/TLS data which is sent to the server/client side. The safety inspection and filtering equipment is connected with the SSL/TLS proxy server for receiving and examining the plaintext data. If a possible danger is found, the unsafe data shall be filtered and the processed plaintext data shall be returned to the SSL/TLS proxy server. Furthermore, the utility model discloses a method for checking and filtering data via the above-mentioned device, so as to effectively decrease or remove hostile network attacks carried over the SSL/TLS cryptographic protocol.
TL;DR: This paper shows how to construct a provably secure AHS based on a coding theory problem and believes that using coding theory to design AHS is a promising approach and hope to encourage further investigations.
Abstract: The existence of an efficient and provably secure algebraically homomorphic scheme (AHS), i.e., one that supports both addition and multiplication operations, is a long-standing open problem. All proposals so far are either insecure or not provably secure, inefficient, or allow only for one multiplication (and arbitrary additions). As only very limited progress has been made on the existing approaches in recent years, the question arises whether new methods can lead to more satisfactory solutions. In this paper we show how to construct a provably secure AHS based on a coding theory problem. It allows for arbitrarily many additions and for a fixed, but arbitrary number of multiplications and works over arbitrary finite fields. Besides, it possesses some useful properties: i) the plaintext space can be extended adaptively without the need for re-encryption, ii) it operates over arbitrary infinite fields as well, e.g., rational numbers, but the hardness of the underlying decoding problem in such cases is less studied, and iii) depending on the parameter choice, the scheme has inherent error correction up to a certain number of transmission errors in the ciphertext. However, since our scheme is symmetric and its ciphertext size grows exponentially with the expected total number of encryptions, its deployment is limited to specific client/server applications with a small number of multiplications. Nevertheless, we believe there is room for improvement due to the huge number of alternative coding schemes that can serve as the underlying hardness problem. For these reasons and because of the interesting properties of our scheme, we believe that using coding theory to design AHS is a promising approach and hope to encourage further investigations.
TL;DR: This paper constructs the first PEKS scheme with decryption (PEKSD scheme) in the standard model and provides a natural example of a non-shielding construction (in which the decryption algorithm queries the encryption algorithm).
Abstract: A searchable public key encryption (PEKS) scheme allows one to generate, for any given message W, a trapdoor TW, such that TW allows one to check whether a given ciphertext is an encryption of W or not. Of course, TW should not reveal any additional information about the plaintext. PEKS schemes have interesting applications: for instance, consider an email gateway that wants to prioritize or filter encrypted emails based on keywords contained in the message text. The email recipient can then enable the gateway to do so by releasing the trapdoors for the corresponding keywords. This way, the gateway can check emails for these keywords, but it learns nothing more about the email contents. PEKS schemes were first formalized and constructed by Boneh et al. But with one exception, no known construction of a PEKS scheme supports the decryption of ciphertexts. That is, known constructions allow one to test for a certain message, but they do not allow one to retrieve the message, even when having the full secret key. Besides being somewhat unnatural for an encryption scheme, this "no-decryption" property also limits the applicability of a PEKS scheme. The one exception, a PEKS scheme with decryption due to Fuhr and Paillier, is formulated in the random oracle model, and inherently relies on the statistical properties of the random oracle. In fact, Fuhr and Paillier leave it as an open problem to construct a PEKS scheme with decryption in the standard model. In this paper, we construct the first PEKS scheme with decryption (PEKSD scheme) in the standard model. Our sole assumption is an anonymous IBE scheme. We explain the technical difficulties that arise with previous attempts to build a PEKS scheme with decryption and how we overcome these difficulties.
Technically, we isolate a vital additional property of IBE schemes (a property we call well-addressedness, which states that a ciphertext is tied to an identity and will be rejected when trying to decrypt with respect to any other identity) and show how to generically achieve it. Our construction of a PEKSD scheme from an anonymous IBE scheme provides a natural example of a non-shielding construction (in which the decryption algorithm queries the encryption algorithm). Gertner et al. have shown that an IND-CCA secure public key encryption scheme cannot be constructed and proven from an IND-CPA secure scheme in a black-box and shielding way. However, our results give evidence that encryption queries in the decryption algorithm may well prove useful in a security reduction.
Author affiliations: CWI, Amsterdam, The Netherlands. E-mail: Dennis.Hofheinz@cwi.nl; CWI, Amsterdam, The Netherlands. E-mail: e.n.weinreb@cwi.nl
TL;DR: The problem of how non-malleability can be guaranteed in the submission phase and still allow the servers to start their computation with ciphertexts of the homomorphic cryptosystem is considered and the first solution is given which has all these properties.
Abstract: Consider an electronic election scheme implemented using a mix-net; a large number of voters submit their votes and then a smaller number of servers compute the result. The mix-net accepts an encrypted vote from each voter and outputs the set of votes in sorted order without revealing the permutation used. To ensure a fair election, the votes of corrupt voters should be independent of the votes of honest voters, i.e., some type of non-malleability or plaintext awareness is needed. However, for efficiency reasons the servers typically expect inputs from some homomorphic cryptosystem, which is inherently malleable.
In this paper we consider the problem of how non-malleability can be guaranteed in the submission phase and still allow the servers to start their computation with ciphertexts of the homomorphic cryptosystem. This can clearly be achieved using general techniques, but we would like a solution which is: (i) provably secure under standard assumptions, (ii) non-interactive for submitters, and (iii) very efficient for all parties in terms of computation and communication.
We give the first solution to this problem which has all these properties. Our solution is surprisingly simple and can be based on various Cramer-Shoup cryptosystems. To capture its security properties we introduce a variation of CCA2-security.
TL;DR: In this article, the decoding problem of Reed-Solomon (RS) codes was investigated from a cryptographic hardness perspective, and it was shown that PR instances are entirely pseudorandom, i.e., they are indistinguishable from random vectors over the underlying finite field.
Abstract: In this paper, we investigate the decoding problem of Reed-Solomon (RS) codes, also known as the polynomial reconstruction problem (PR), from a cryptographic hardness perspective. Namely, we deal with samplable PR instances over parameter choices for which decoding is not known to be feasibly solvable and where part of the solution polynomial is the hidden input. We put forth a natural decisional intractability assumption that relates to this decoding problem: distinguishing between a single randomly chosen error location and a single randomly chosen nonerror location for a given corrupted RS codeword with random noise. We prove that under this assumption, PR instances are entirely pseudorandom, i.e., they are indistinguishable from random vectors over the underlying finite field. Moreover, under the same assumption, we show that it is hard to extract any partial information related to the hidden input encoded by the corrupted PR instance, i.e., PR instances hide their message polynomial solution in the semantic security sense. The above results lay a framework for the exploitation of PR as an intractability assumption for provable security of cryptographic primitives. Based on this framework, we present provably secure cryptographic constructions for (1) a pseudorandom number generator, (2) a semantically secure version of the oblivious polynomial evaluation (OPE) protocol, and (3) a stateful cipher with a set of interesting properties that include: semantic security, forward secrecy, error-correcting decryption and an array of random self-reducibility properties with respect to the plaintext choice, key choice, and partial domain choice.
TL;DR: The novel cryptosystem uses a randomly generated self-invertible matrix as an encryption key for each block encryption, and this method eliminates the computational complexity involved in finding the inverse of the matrix during decryption.
Abstract: The Hill cipher is a famous symmetric cryptosystem that has several advantages in data encryption. However, the Hill cipher algorithm cannot encrypt images that contain large areas of a single color. Thus, it does not hide all features of the image, which reveals patterns in the plaintext. Moreover, it can be easily broken with a known plaintext attack, revealing weak security. In this paper, a novel cryptosystem is used to encrypt images that overcomes these disadvantages. The novel cryptosystem uses a randomly generated self-invertible matrix as an encryption key for each block encryption, and this method also eliminates the computational complexity involved in finding the inverse of the matrix during decryption. The proposed variant yields higher security and significantly superior encryption quality compared to the original one.
TL;DR: The proposed scheme aggregates not only ciphertexts but also signatures; by verifying the aggregated signature, the data integrity of each plaintext can be guaranteed, and the communication overhead for each cluster head is still constant.
Abstract: Data aggregation is one of the most important techniques in wireless sensor networks to save energy by reducing a large number of transmissions. However, plaintext aggregation is insecure since eavesdropping on or modifying messages is possible. Due to this, concealed data aggregation schemes based on homomorphic encryption have been proposed. In those schemes, algebraic computations can be performed on ciphertexts without decryption. Unfortunately, they only provide data confidentiality. By compromising the secrets in captured sensor nodes, an adversary can still create forged ciphertexts. In this paper, we combine Boneh et al.'s aggregate signature scheme and Mykletun et al.'s concealed data aggregation scheme to overcome the above problems. The proposed scheme aggregates not only ciphertexts but also signatures. By verifying the aggregated signature, the data integrity of each plaintext can be guaranteed. Furthermore, the communication overhead for each cluster head is still constant. Each cluster head sends an aggregated signature and an aggregated ciphertext to the base station. For resource-constrained environments, the proposed scheme is practically secure and efficient.
TL;DR: In this paper, a method is disclosed for generating a keystream at a block cipher encryption module with inputs of a key and the result of an exclusive-or (XOR) operation on two or more previous keystream outputs.
Abstract: In one embodiment, a mechanism for chained output feedback encryption is disclosed. In one embodiment, a method includes generating a keystream at a block cipher encryption module with inputs of a key and the result of an exclusive-or (XOR) operation on two or more previous keystream outputs, and producing ciphertext by combining the generated keystream with plaintext.
TL;DR: This study proposed six new statistical tests to evaluate the randomness properties of synchronous stream ciphers, applied four of these tests to the ciphers presented to ECRYPT, and tabulated the results.
Abstract: Synchronous stream ciphers produce long keystreams to be XORed with plaintext. The output keystreams should be indistinguishable from truly random sequences and should not leak any information about the secret key and the internal state of the cipher. In this study, we propose six new statistical tests to evaluate the randomness properties of synchronous stream ciphers. We applied four of these tests to the ciphers presented to ECRYPT and tabulated the results.