RISC Seminars (Research on Information Security and Cryptology)

Joint RISC/DIAMANT Seminar on Provable Security in Cryptography
Date: October 19
Location: CWI, Room Z009 (Euler Room)
Schedule:
11:00-12:00 Berry Schoenmakers (TUE):
Efficient Pseudorandom Generators Based on the DDH Assumption
Abstract: A new family of pseudorandom generators based on the decisional Diffie-Hellman assumption is presented. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with other pseudorandom generators based on discrete log assumptions.
Our generator can be based on any group of prime order provided an additional requirement is met (i.e., there exists an efficiently computable function that in some sense ranks the elements of the group). Three concrete examples are presented. The techniques used to design the concrete examples, such as the new probabilistic randomness extractors, may be of independent interest to other applications.
Joint work with Reza Rezaeian Farashahi and Andrey Sidorenko.
13:15-14:00 Eike Kiltz (CWI):
Tag-Based Encryption
Abstract: One of the celebrated applications of Identity-Based Encryption (IBE) is the Canetti, Halevi, and Katz (CHK) transformation from any (selective-identity secure) IBE scheme into a full chosen-ciphertext secure encryption scheme. Since such IBE schemes in the standard model are known from previous work this immediately provides new chosen-ciphertext secure encryption schemes in the standard model. This paper revisits the notion of Tag-Based Encryption (TBE) and provides security definitions for the selective-tag case. Even though TBE schemes belong to a more general class of cryptographic schemes than IBE, we observe that (selective-tag secure) TBE is a sufficient primitive for the CHK transformation and therefore implies chosen-ciphertext secure encryption.

We exemplify the usefulness of our TBE approach by constructing a TBE scheme based on the Hashed Diffie-Hellman assumption. In contrast to all known IBE schemes our TBE construction does not deploy pairings. The resulting scheme, when viewed as a key-encapsulation mechanism, leads to the most efficient chosen-ciphertext secure encapsulation scheme in the standard model.

14:15-15:00 Javier Herranz (CWI):
Generic Construction of Identity-Based Blind Signatures
Abstract: In a work to appear at Asiacrypt'06, we show how identity-based signature schemes with some additional properties can be securely constructed, starting from a standard (PKI-based) digital signature scheme and a PKI-based signature scheme with the same property. In this talk we will explain the simple idea behind these generic constructions, and we will list which additional properties can be achieved in this way. Then we will detail the case of blind signatures: we will give the basic definitions, the construction, and a sketch of the security proofs (i.e. proving that the resulting identity-based blind signature scheme is secure if both the standard signature scheme and the PKI-based blind signature scheme are secure). Finally, we will see that, following this construction with known schemes, one obtains an identity-based blind signature scheme (the first one with provable security) which is as efficient as the existing ones.
15:15-16:00 David Galindo (U Nijmegen):
On the concrete treatment of cryptographic reductionist proofs
Abstract: In the "provable security" paradigm, one gains confidence in the security of a cryptographic protocol by exhibiting a reduction from a conjectured intractable mathematical problem to a successful attack on the protocol. The concrete security (aka exact security) approach explicitly captures the quantitative aspects of security by means of a concrete treatment of the security reductions. This makes it possible to obtain practical measurements such as the number of cycles of adversary computation the scheme can withstand, or how long a security parameter must be. In this talk we discuss the state of the art on this topic.