CWI Cryptology Group

Abstract: A related-key attack on a blockcipher allows the attacker to obtain input-output examples not just under the target key but under keys related to it. These types of attacks are very popular in cryptanalysis and the recent attacks on AES are of this form. This talk surveys theoretical work that has attempted to precisely define the attack model, consider which attacks are meaningful and provably achieve security against as wide a class of attacks as possible. The talk is based on [Bellare-Kohno Eurocrypt 2003] and [Bellare-Cash Crypto 2010].

Abstract: The notion of smooth projective hash functions was proposed by Cramer and Shoup and can be seen as special type of zero-knowledge proof system for a language. Though originally used as a means to build efficient chosen-ciphertext secure public-key encryption schemes, some variations of the Cramer-Shoup smooth projective hash functions also found applications in several other contexts, such as password-based authenticated key exchange and oblivious transfer. In this talk, I will review the original concept of smooth projective hash functions along with its security properties and examples of instantiations. Next, I will discuss some generalizations along with their applications. In particular, I will discuss show how smooth projective hash functions can be used to provide efficient solutions to well-known cryptographic problems, such as password-based authenticated key exchange and public-key certification. Finally, I will conclude this talk by providing some future research directions and open problems.

Abstract: This is joint work with Tolga Acar, Mira Belenkiy, and Mihir Bellare. We initiate a provable-security treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weak-PRFs) are agile. The second, already posed several times in the literature, is whether every secure (IND-R) encryption scheme is secure when encrypting cycles. We resolve the second question in the negative and thereby the first as well. We go on to provide a comprehensive treatment of agility, with definitions for various different primitives. We explain the practical motivations for agility. We provide foundational results that show to what extent it is achievable and practical constructions to achieve it to the best extent possible. On the theoretical side our work uncovers new notions and relations and settles stated open questions, and on the practical side it serves to guide developers.