Title: Dynamic MDS diffusion layers with efficient software implementation
Authors: M. R. M. Shamsabad, S. M. Dehnavi
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2020-05-04
DOI: 10.1504/ijact.2020.10029198
Abstract: Maximum distance separable (MDS) matrices play a crucial role in symmetric ciphers as diffusion layers. Dynamic diffusion layers for software applications have received little attention so far. Dynamic (randomised) components could make symmetric ciphers more resistant against statistical and algebraic attacks. In this paper, after some theoretical investigation, we present a family of parametric n × n binary matrices A_α, n = 4t, such that for 4t many α ∈ F_2^n the matrices A_α, A_α^3 ⊕ I and A_α^7 ⊕ I are non-singular. With the aid of the proposed family of matrices, some well-known diffusion layers, including the cyclic AES-like matrices and some recursive MDS diffusion layers, could be made dynamic at little extra cost in software. Then, using the proposed family of matrices, we provide new families of MDS matrices which could be used as dynamic diffusion layers. The implementation cost of every member in the presented families of MDS diffusion layers (except one cyclic family) is equal to that of its inverse. The proposed diffusion layers have a suitable implementation cost on a variety of modern processors.
Title: Computing the optimal ate pairing over elliptic curves with embedding degrees 54 and 48 at the 256-bit security level
Authors: Narcisse Bang Mbiang, Emmanuel Fouotsa, Diego F. Aranha
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2020-05-04
DOI: 10.1504/ijact.2020.10027563
Abstract: Due to recent advances in the computation of finite-field discrete logarithms, the Barreto-Lynn-Scott family of elliptic curves of embedding degree 48 became suitable for instantiating pairing-based cryptography at the 256-bit security level. Observing the uncertainty around determining the constants that govern the best approach for computing discrete logarithms, Scott and Guillevic considered pairing-friendly elliptic curves of embedding degree higher than 50, and discovered a new family of elliptic curves with embedding degree 54. This work investigates the theoretical and practical cost of both the Miller algorithm and the final exponentiation in the computation of the optimal ate pairing on the two aforementioned curves. Both our theoretical results, based on operation counts of base-field operations, and our experimental observations collected from a real implementation, confirm that BLS48 curves remain the faster of the two in the computation of the optimal ate pairing at the 256-bit security level.
Title: Delegation-based conversion from CPA to CCA-secure predicate encryption
Authors: M. Nandi, Tapas Pandit
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2020-05-03
DOI: 10.1504/ijact.2020.10029197
Abstract: In 2011, Yamada et al. proposed CPA to CCA-secure conversions for attribute-based encryption (ABE) based on the properties of verifiability and delegation. Later, the verifiability-based conversion was generalised from ABE to predicate encryption (PE) by Yamada et al. (2012) and Nandi et al. (2017). We observe that for bilinear-pairing-based PE schemes, the cost of CCA-decryption doubles relative to the cost of CPA-decryption because of the verifiability test. Therefore, the delegation-based conversion is generally preferable whenever one is available for the underlying PE scheme. In this paper, we investigate a generic delegation-based conversion from CPA to CCA-secure predicate encryption schemes. Our conversion generalises the delegation-based conversion of Yamada et al. (2011) from ABE to PE. We show that our conversion captures many subclasses of PE, e.g., (hierarchical) inner-product encryption, (doubly-)spatial encryption and functional encryption for regular languages.
Title: A new authenticated encryption technique for handling long ciphertexts in memory constrained devices
Authors: Megha Agrawal, D. Chang, S. K. Sanadhya
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007291
Abstract: In authenticated encryption schemes, there are two techniques for handling long ciphertexts while working within the constraints of a low buffer size: releasing unverified plaintext (RUP) or producing intermediate tags (PIT). In this paper, in addition to these two techniques, we propose another way to handle a long ciphertext with a low buffer size: storing and releasing only one (or, in general, only a few) intermediate states, without releasing or storing any part of an unverified plaintext and without the need to generate any intermediate tag. We explain this generalised technique using our new construction sp-AELM. sp-AELM is a sponge-based authenticated encryption scheme that provides support for limited-memory devices. We also provide its security proof for privacy and authenticity in the ideal permutation model, using a code-based game-playing framework. Furthermore, we present two more variants of sp-AELM that serve the same purpose and are more efficient than sp-AELM. The ongoing CAESAR competition has nine submissions which are based on the sponge construction. We apply our generalised technique of storing a single intermediate state to all of these submissions, to determine their suitability for a crypto module with limited memory. Our findings show that only ASCON and one of the PRIMATEs modes (namely GIBBON) satisfy the limited-memory constraint using this technique, while the remaining schemes (namely Artemia, ICEPOLE, Ketje, Keyak, NORX, Π-cipher, STRIBOB and two of the PRIMATEs modes, APE and HANUMAN) are not directly suitable for this scenario.
Title: A new public remote integrity checking scheme with user and data privacy
Authors: Yiteng Feng, Guomin Yang, Joseph K. Liu
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007296
Abstract: With cloud storage, users can store their data files on a remote cloud server with a high-quality on-demand cloud service and are able to share their data with other users. Since cloud servers are usually not regarded as fully trusted and the cloud data can be shared amongst users, integrity checking of the remote files has become an important issue. A number of remote data integrity checking protocols have been proposed in the literature to allow public auditing of cloud data by a third-party auditor (TPA). However, user privacy is not taken into account in most of the existing protocols. We believe that preserving the anonymity (i.e., identity privacy) of the data owner is also very important in many applications. In this paper, we propose a new remote integrity checking scheme which allows the cloud server to protect the identity information of the data owner against the TPA. We also define a formal security model to capture the requirement of user anonymity, and prove the anonymity of the proposed scheme. Moreover, we improve the existing security model for data privacy against the TPA, and show that an extended version of our protocol is secure under the strengthened security model.
Title: Preventing fault attacks using fault randomisation with a case study on AES
Authors: S. Ghosh, Dhiman Saha, A. Sengupta, D. R. Chowdhury
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007295
Abstract: Fault attacks are one of the most effective side-channel attacks on symmetric key ciphers. Over the years a variety of countermeasure techniques have been proposed to prevent this kind of attack. A...
Title: CCA-secure revocable identity-based encryption schemes with decryption key exposure resistance
Authors: Yuu Ishida, Junji Shikata, Yohei Watanabe
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007294
Abstract: Key revocation functionality is important for identity-based encryption (IBE) to manage users dynamically. Revocable IBE (RIBE) realises such revocation functionality with scalability. In PKC 2013, Seo and Emura first considered decryption key exposure resistance (DKER) as a new realistic threat, and proposed the first RIBE scheme with DKER. Their RIBE scheme is adaptively secure against chosen plaintext attacks (CPA), and so far there is no concrete RIBE scheme adaptively secure against chosen ciphertext attacks (CCA), even without DKER. In this paper, we propose the first three constructions of adaptively CCA-secure RIBE schemes with DKER. The first and second schemes are based on an existing transformation, called the BCHK transformation, by which a CPA-secure hierarchical IBE scheme can be transformed into a CCA-secure scheme. The third scheme is constructed via the KEM/DEM framework. Specifically, we newly propose a revocable identity-based key encapsulation mechanism (RIB-KEM), and we show a generic construction of a CCA-secure RIBE scheme from the RIB-KEM and a data encapsulation mechanism (DEM). The third scheme is more efficient than the first and second ones in terms of ciphertext size.
Title: IBE and function-private IBE under linear assumptions with shorter ciphertexts and private keys, and extensions
Authors: K. Kurosawa, L. T. Phong
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007292
Abstract: Many identity-based encryption schemes under the k-LIN assumption contain 2k + 1 group elements in the ciphertext overhead and private keys. In this paper, we push the limit further by constructing an IBE scheme under the k-LIN assumption with 2k group elements in the ciphertext overhead and private keys. The schemes have variants with shorter public parameters under the k-SCasc assumption, which is closely related to k-LIN. Furthermore, via additional refinements, we also reduce the public parameter size of our schemes, under either k-LIN or k-SCasc. While we mainly consider security in the standard model for our schemes, we also show how to make relatively more efficient schemes secure in the random oracle model. Our technique additionally extends to the scheme of Boneh et al. (CRYPTO 2013) to yield more efficient function-private IBE under the 2-LIN (a.k.a. DLIN) assumption. Overall, the shortened ciphertexts and private keys inherently lead to fewer exponentiations and pairings in encryption and decryption, and hence yield schemes with better computational efficiency.
Title: Sponge-based CCA2 secure asymmetric encryption for arbitrary length message (extended version)
Authors: Tarun Kumar Bansal, D. Chang, S. K. Sanadhya
Journal: Int. J. Appl. Cryptogr.
Pub Date: 2017-09-04
DOI: 10.1504/IJACT.2017.10007290
Abstract: OAEP and other similar schemes, proven secure in the random-oracle model, require one or more hash functions with an output size larger than those of the standard hash functions. In this paper, we show that by using the popular Sponge construction in the OAEP framework, we can eliminate the need for such a hash function. We provide a new scheme in the OAEP framework and call it Sponge-based asymmetric encryption padding (SpAEP). SpAEP is based on two functions, Sponge and SpongeWrap, and requires only the standard output sizes proposed and standardised for Sponge functions. Our scheme is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary-length messages. It utilises the versatile Sponge function to enhance the capability and efficiency of the OAEP framework. Prior to this work, the only scheme proven secure in the ideal permutation model was OAEP-3R. However, this scheme is not efficient in practice, as it utilises a full-domain permutation, which is hard to find and construct efficiently. Therefore, the author of OAEP-3R provided another version of OAEP-3R, but in the random-oracle model. Our scheme SpAEP utilises the ideal permutation model in a novel manner, which makes SpAEP efficient and practical for constructing public-key encryption. We also propose a key encapsulation mechanism for hybrid encryption using SpAEP with any trapdoor one-way permutation.