Subgroup membership problems and public key cryptosystems

Gjøsteen, Kristian

January 2004

<p>Public key encryption was first proposed by Diffie and Hellman [16], and widely popularised with the RSA cryptosystem [37]. Over the years, the security goals of public key encryption have been studied [17, 22], as have adversary models [30, 36], and many public key cryptosystems have been proposed and analysed.</p><p>It turns out that the security of many of those cryptosystems [16, 18, 22, 29, 34, 35] are based on a common class of mathematical problems, called subgroup membership problems. Cramer and Shoup [10] designed a chosen-ciphertextsecure cryptosystem based on a general subgroup membership problem (generalising their previous work [9]), and provided two new instances. Yamamura and Saito [41] defined a general subgroup membership problem, catalogued several known subgroup membership problems, and designed a private information retrieval system based on a subgroup membership problem. Nieto, Boyd and Dawson [31] designed a cryptosystem based on essentially a symmetric subgroup membership problem (see Section 4.4 and Section 6.1).</p><p>Chapter 2 and 3 contain certain preliminary discussions necessary for the later work. In Chapter 4, we discuss subgroup membership problems, both abstractly and concrete families. For all of the concrete examples, there is a related problem called the splitting problem. We discuss various elementary reductions, both abstract and for concrete families. In cryptographic applications, a third related problem, called the subgroup discrete logarithm problem, is also interesting, and we discuss this in some detail. We also discuss a variant of the subgroup membership problem where there are two subgroups that are simultaneously hard to distinguish. We prove a useful reduction (Theorem 4.11) for this case. The technique used in the proof is reused throughout the thesis.</p><p>In Chapter 5, we discuss two homomorphic cryptosystems, based on trapdoor splitting problems. This gives us a uniform description of a number of homomorphic cryptosystems, and allows us to apply the theory and results of Chapter 4 to the security of those cryptosystems.</p><p>Using the technique of Theorem 4.11, we develop a homomorphic cryptosystem that is not based on a trapdoor problem. This gives us a fairly efficient cryptosystem, with potentially useful properties.</p><p>We also discuss the security of a homomorphic cryptosystem under a nonstandard assumption. While these results are very weak, they are stronger than results obtained in the generic model.</p><p>In Chapter 6, we develop two key encapsulation methods. The first can be proven secure against passive attacks, using the same technique as in the proof of Theorem 4.11. The second method can be proven secure against active attacks in the random oracle model, but to do this, we need a certain non-standard assumption.</p><p>Finally, in Chapter 7 we discuss a small extension to the framework developed by Cramer and Shoup [10], again by essentially reusing the technique used to prove Theorem 4.11. This gives us a cryptosystem that is secure against chosen ciphertext attacks, without recourse to the random oracle model or nonstandard assumptions. The cryptosystem is quite practical, and performs quite well compared to other variants of the Cramer-Shoup cryptosystem.</p>

Public key cryptography

Subgroup membership problems and public key cryptosystems

Gjøsteen, Kristian

January 2004

Public key encryption was first proposed by Diffie and Hellman [16], and widely popularised with the RSA cryptosystem [37]. Over the years, the security goals of public key encryption have been studied [17, 22], as have adversary models [30, 36], and many public key cryptosystems have been proposed and analysed. It turns out that the security of many of those cryptosystems [16, 18, 22, 29, 34, 35] are based on a common class of mathematical problems, called subgroup membership problems. Cramer and Shoup [10] designed a chosen-ciphertextsecure cryptosystem based on a general subgroup membership problem (generalising their previous work [9]), and provided two new instances. Yamamura and Saito [41] defined a general subgroup membership problem, catalogued several known subgroup membership problems, and designed a private information retrieval system based on a subgroup membership problem. Nieto, Boyd and Dawson [31] designed a cryptosystem based on essentially a symmetric subgroup membership problem (see Section 4.4 and Section 6.1). Chapter 2 and 3 contain certain preliminary discussions necessary for the later work. In Chapter 4, we discuss subgroup membership problems, both abstractly and concrete families. For all of the concrete examples, there is a related problem called the splitting problem. We discuss various elementary reductions, both abstract and for concrete families. In cryptographic applications, a third related problem, called the subgroup discrete logarithm problem, is also interesting, and we discuss this in some detail. We also discuss a variant of the subgroup membership problem where there are two subgroups that are simultaneously hard to distinguish. We prove a useful reduction (Theorem 4.11) for this case. The technique used in the proof is reused throughout the thesis. In Chapter 5, we discuss two homomorphic cryptosystems, based on trapdoor splitting problems. This gives us a uniform description of a number of homomorphic cryptosystems, and allows us to apply the theory and results of Chapter 4 to the security of those cryptosystems. Using the technique of Theorem 4.11, we develop a homomorphic cryptosystem that is not based on a trapdoor problem. This gives us a fairly efficient cryptosystem, with potentially useful properties. We also discuss the security of a homomorphic cryptosystem under a nonstandard assumption. While these results are very weak, they are stronger than results obtained in the generic model. In Chapter 6, we develop two key encapsulation methods. The first can be proven secure against passive attacks, using the same technique as in the proof of Theorem 4.11. The second method can be proven secure against active attacks in the random oracle model, but to do this, we need a certain non-standard assumption. Finally, in Chapter 7 we discuss a small extension to the framework developed by Cramer and Shoup [10], again by essentially reusing the technique used to prove Theorem 4.11. This gives us a cryptosystem that is secure against chosen ciphertext attacks, without recourse to the random oracle model or nonstandard assumptions. The cryptosystem is quite practical, and performs quite well compared to other variants of the Cramer-Shoup cryptosystem.

Public key cryptography

Versatile Montgomery multiplier architectures

Gaubatz, Gunnar.

Unknown Date

Thesis (M.S.)--Worcester Polytechnic Institute. / Keywords: computer arithmetic; modular multiplication; public key cryptography; Montgomery; vlsi; high radix. Includes bibliographical references (p. 87-90).

Leakage resilient cryptographic scheme and GPU-based pairing operation

Xiong, Hao, 熊昊

January 2013

Cryptographic schemes are designed to protect the privacy of the users. Numerous schemes have been proposed for different purposes. One important type of schemes is called the secret sharing scheme. In a secret sharing scheme, a secret value can be shard among authorized parties. Another important type of schemes is identity based encryption and its variant: certificateless encryption. Traditionally, both of them assume the absolute privacy of secret shares or secret keys. However, this assumption may not hold in the real world. Side-channel attack, such as time analysis and memory attack will enable the attackers to get partial information about them. Therefore, we propose the leakage resilient cryptographic schemes to guarantee the privacy under various key-exposure attack. Generally speaking, there are three leakage models: the bounded leakage model, continual leakage model and auxiliary input model. We will focus on the first two models in this thesis. This thesis addresses two leakage resilient cryptographic schemes. The first one is called Continual Leakage-Resilient Dynamic Secret Sharing. In this scheme, the attacker can continuously leak on the private value owned by the user with the constrain that the length of the leaked information should be less than ℓ bits between updates. The dealer is able to dynamically choose a set of n users and a threshold of t users (which is called authorized set) to reconstruct secret with the same broadcast message. The user can also dynamic join and leave the scheme. The privacy of the secret value can be guaranteed even up to t-1 users are corrupted and the information of all other users are leaked. The second one is called Leakage-Resilient Certificateless Public-Key Encryption. Certificateless encryption is proposed to solve the key escrow problem in PKG. Instead of relying on the PKG to generate the full secret key in the traditional model, we generate partial secret key on PKG. We then combine it with our selected secret value to generate the final secret key. This will solve the key escrow problem since the PKG has no knowledge about the secret value chosen. Our scheme is the first leakage-resilient version of certificateless encryption. In our security model, both the master key held by the PKG and the secret key (including the secret value) held by the user can be leaked by the attacker. We first construct the scheme in bounded leakage model and then extend it to continual leakage model. Finally, all of these schemes require lots of composite order bilinear pairing operations. We will describe how to improve the efficient of it on graphics hardware in chapter 4. We run the parings in parallel on GPU to accelerate them. The implement scheme and efficient are presented in this thesis. / published_or_final_version / Computer Science / Doctoral / Doctor of Philosophy

Computer security

Public key cryptography

Two mathematical security aspects of the RSA cryptosystem : signature padding schemes and key generation with a backdoor

Arboit, Geneviève

January 2008

No description available.

Coding theory.

Public key cryptography.

Encryption security against key-dependent-message attacks: applications, realizations and separations

Hajiabadi, Mohammad

17 August 2016

In this thesis we study the notion of circular security for bit-encryption schemes. Informally speaking, a bit-encryption scheme is circular secure if it remains secure even if the key of the system is used to encrypt its own individual bits. This notion (or slight extensions thereof) has foundational applications, most notably in the context of fully-homomorphic encryption and amplification techniques for key dependent- message security. We explore the notion of circular security from three different perspectives, stemming from (1) assumptions sufficient to realize this notion, (2) minimal black-box assumptions on which this notion can be based and (c) applications of this notion when combined with other properties. Our main results are as follows: We give a construction of circular-secure public-key bit encryption based on any public-key encryption scheme that satisfies two special properties. We show that our constructed scheme besides circular security also offers two forms of key-leakage resilience. Our construction unifies two existing specific constructions of circular-secure schemes in the literature and also gives rise to the first construction based on homomorphic hash proof systems. We show that seed-circular-secure public-key bit-encryption schemes cannot be based on semantically-secure public-key encryption schemes in a fully-blackbox way. A scheme is seed-circular-secure if it allows for the bits of the seed (used to generate the public/secret keys) to be securely encrypted under the corresponding public key. We then extend this result to rule out a large and non-trivial class of constructions for circular security that we call key-isolating constructions. We give generic constructions of several fundamental cryptographic primitives based on a public-key bit-encryption scheme that combines circular security with a structural property called reproducibility. The main primitives that we build include families of trapdoor functions with strong security properties (i.e., one-wayness under correlated inputs), adaptive-chosen-ciphertext (CCA2) secure encryption schemes and deterministic encryption schemes. / Graduate / 0984

Data encryption (Computer science)

Public key cryptography

On the complexity of homomorphic encryption. / 同態加密的複雜度 / CUHK electronic theses & dissertations collection / Tong tai jia mi de fu za du

January 2013

Lee, Chin Ho. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2013. / Includes bibliographical references (leaves 77-82). / Electronic reproduction. Hong Kong : Chinese University of Hong Kong, [2012] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Abstracts also in Chinese.

Data encryption (Computer science)

Public key cryptography

The BGN public-key cryptosystem and its application to authentication, oblivious transfers, and proof-of-visit. / CUHK electronic theses & dissertations collection

January 2006

In The Second Theory of Cryptography Conference (TCC 2005), Boneh, Goh, and Nissim proposed a new structure of bilinear groups that have a composite order and a new cryptosystem which is intractable on a decisional problem over the subgroup in such structure [BGN05]. Their proposal, which referred to as the BGN cryptosystem by researchers, receive much attention and is quickly followed by two publications in CRYPTO'05 [BI05, OI05]. / In this thesis, the author performs in-depth study of the BGN public-key cryptosystem and existing literatures on its applications. The author observes two properties of BGN, namely the indistinguishability of the BGN ciphertexts of sum and product of two messages, and the verifiability of elements from composite prime subgroups in BGN settings. The author further proposes three new applications of BGN, namely the protocols for authentication, oblivious transfer, and proof-of-visit respectively. / The BGN cryptosystem is a dual homomorphic public-key cryptosystem that enables the evaluation of 2-DNF (disjunctive normal form) formulas on ciphertexts. In their work, Boneh et. al. also presented three applications, namely private information retrieval with reduced computational complexity, an e-voting system without non-interactive zero knowledge proofs, and a protocol for universally verifiable computation. Few number of works also produced from the BGN public-key system, include non-interactive zero-knowledge proof (NIZK), obfuscated ciphertext mixing, and signature. / Chan Yuen Yan. / "June 2006." / Adviser: Victor K. Wei. / Source: Dissertation Abstracts International, Volume: 67-11, Section: B, page: 6498. / Thesis (Ph.D.)--Chinese University of Hong Kong, 2006. / Includes bibliographical references (p. 85-100). / Electronic reproduction. Hong Kong : Chinese University of Hong Kong, [2012] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Electronic reproduction. [Ann Arbor, MI] : ProQuest Information and Learning, [200-] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Abstracts in English and Chinese. / School code: 1307.

Data encryption (Computer science)

Public key cryptography

Implementation aspects of elliptic curve cryptography

Sava��, Erkay

20 June 2000

As the information-processing and telecommunications revolutions now underway will continue to change our life styles in the rest of the 21st century, our personal and economic lives rely more and more on our ability to transact over the electronic medium in a secure way. The privacy, authenticity, and integrity of the information transmitted or stored on networked computers must be maintained at every point of the transaction. Fortunately, cryptography provides algotrithms and techniques for keeping information secret, for determining that the contents of a transaction have not been tampered with, for determining who has really authorized the transaction, and for binding the involved parties with the contents of the transaction. Since we need security on every piece of digital equipment that helps conduct transactions over the internet in the near future, space and time performances of cryptographic algorithms will always remain to be among the most critical aspects of implementing cryptographic functions. A major class of cryptographic algorithms comprises public-key schemes which enable to realize the message integrity and authenticity check, key distribution, digital signature functions etc. An important category of public-key algorithms is that of elliptic curve cryptosystems (ECC). One of the major advantages of elliptic curve cryptosystems is that they utilize much shorter key lengths in comparison to other well known algorithms such as RSA cryptosystems. However, as do the other public-key cryptosystems ECC also requires computationally intensive operations. Although the speed remains to be always the primary concern, other design constraints such as memory might be of significant importance for certain constrained platforms. In this thesis, we are interested in developing space- and time-efficient hardware and software implementations of the elliptic curve cryptosystems. The main focus of this work is to improve and devise algorithms and hardware architectures for arithmetic operations of finite fields used in elliptic curve cryptosystems. / Graduation date: 2001

Curves, Elliptic

Design and development of a web-based DOD PKI common access card (CAC) instructional tool /

Athanasopoulos, Vasileios D.

January 2004

Thesis (M.S. in Computer Science)--Naval Postgraduate School, March 2004. / Thesis advisor(s): Cynthia E. Irvine, J.D. Fulp, Glenn R. Cook. Includes bibliographical references (p. 79-80). Also available online.