David Galindo - Academia.edu (original) (raw)
Papers by David Galindo
Information Processing Letters, 2008
Token-controlled public key encryption (TCPKE) schemes, introduced in [1], offer many possibiliti... more Token-controlled public key encryption (TCPKE) schemes, introduced in [1], offer many possibilities of application in financial or legal scenarios. Roughly speaking, in a TCPKE scheme messages are encrypted by using a public key together with a secret token, in such a way that the receiver is not able to decrypt this ciphertext until the token is published or released. The communication overhead for releasing the token is small in comparison with the ciphertext size. However, the fact that the same ciphertext could decrypt to different messages under different tokens was not addressed in the original work. In our opinion this is an essential security property that limits the use of this primitive in practice. In this work, we formalize this natural security goal and show that the schemes in [1]are insecure under this notion. In the second place, we propose a very simple and efficient generic construction of TCPKE schemes, starting from any trapdoor partial one-way function. This construction is obtained from a slight but powerful modification of the celebrated Fujisaki-Okamoto transformation [7]. We prove that the resulting schemes satisfy all the required security properties, in the random oracle model. Previous to this work, only particular instantiations of TCPKE schemes were proposed.
We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interac... more We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interactive opening (PKENO) presented by Damgård, Kiltz, Hofheinz and Thorbek in CT-RSA 2008. In a PKENO scheme a receiver can convincingly reveal to a verifier what the result of decrypting a ciphertext C is, without interaction and without compromising the confidentiality of non-opened ciphertexts. A special interesting feature of PKENO is that a verifier can even ask for opening proofs on invalid ciphertexts. Those opening proofs will convince the verifier that the ciphertext was indeed invalid. We show that one of the schemes by Damgård et al. does not achieve the claimed security goal. Next we provide a fix for it. The repaired scheme presents essentially no overhead and is proven secure under the Decisional Bilinear Diffie-Hellman assumption in the standard model.
Identity-based public key cryptography is aimed at simplifying the management of certificates in ... more Identity-based public key cryptography is aimed at simplifying the management of certificates in traditional public key infrastructures by means of using the identity of a user as its public key. The user must identify itself to a trusted authority in order to obtain the secret key corresponding to its identity. The main drawback of this special form of public key cryptography is that it is key escrowed. Certificate-based and certificate-less cryptography have been recently proposed as intermediate paradigms between traditional and identity-based cryptography, seeking to simplify the management of certificates while avoiding the key escrow property of identity-based cryptography. In this work we cryptanalyse the certificate-based and certificate-less encryption schemes presented by Yum and Lee at EuroPKI 2004 and ICCSA 2004 conferences.
We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standar... more We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modi.cation of the so called RSA-Paillier [5] scheme. This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. Thanks to the special properties of such schemes, we obtain efficiency similar to that of RSA cryptosystem, provably secure encryption (since recovering plaintext from ciphertext is as hard as factoring) and indistinguishability against plaintext attacks. We also construct a new trapdoor permutation based on factoring, which has interest on its own. Semantic security of the scheme is based on an appropiate decisional assumption, named as Decisional Small 2e-Residues assumption. The robustness of this assumption is also discussed. Compared to Okamoto-Uchiyama's scheme [18], the previous IND-CPA cryptosystem in the standard model with onewayness based on factoring, our scheme is drastically more efficient in encryption, and presents higher bandwith, achieving the same expansion factor as Paillier or El Gamal schemes. We believe the new scheme could be an interesting starting point to develop efficient IND-CCA schemes in the standard model with one-wayness based on factoring.
... cryptosystem based on KMOV David Galindo, Sebasti`a Martın, Paz Morillo and Jorge L. Villar D... more ... cryptosystem based on KMOV David Galindo, Sebasti`a Martın, Paz Morillo and Jorge L. Villar Dep. Matem`atica Aplicada IV. ... Its semantic security is based on a new decisionalassump-tion, namely the Decisional Small-xe-Multiples assumption. ...
Journal of Systems and Software, 2008
Certificate-based encryption has been recently proposed as a means to simplify the certificate ma... more Certificate-based encryption has been recently proposed as a means to simplify the certificate management inherent to traditional public key encryption. In this paper, we present an efficient certificate-based encryption scheme which is fully secure in the standard model. Our construction is more efficient (in terms of computational cost and ciphertext size) than any of the previous constructions known without random
At Crypto&amp... more At Crypto'99, Fujisaki and Okamoto (10) presented a nice generic transfor- mation from weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. From this transformation, two specific candidates to standardization were designed: EPOC-2 (9) and PSEC- 2 (16), based on Okamoto-Uchiyama and El Gamal primitives, respectively. Since then, several cryptanalysis of EPOC have
International Journal of Information Security, 2005
At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymm... more At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security techniques initiated by Shoup in [25] insofar as we find some ambiguities in the proof of this generic conversion, which can lead to false claims. Consequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of easily verifiable primitive is formalized, showing its connection with the gap problems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the easily verifiable primitives. For the remaining primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.
The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin in ... more The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin in [BF03]. In this work we point out that there is a flawed step in the security reduction exhibited by the authors. Fortunately, it is possible to fix it without changing the scheme or the underlying assumption. In the second place, we introduce a variant of the seminal IBE scheme which allows a more efficient security reduction. This variant is simpler, and has more compact ciphertexts than Boneh-Franklin’s proposal, while keeping the computational cost. Finally, we observe that the flawed step pointed out here is present in several works, and that our techniques can be applied to obtain tighter reductions for previous relevant schemes.
This paper aims to find a proper security notion for commitment schemes to give a sound computati... more This paper aims to find a proper security notion for commitment schemes to give a sound computational interpretation of symbolic commitments. We introduce an indistinguishability based security definition of commitment schemes that is equivalent to non-malleability with respect to commitment. Then, we give a construction using tag-based encryption and one-time signatures that is provably secure assuming the existence of trapdoor permutations. Finally, we apply this new machinery to give a sound interpretation of symbolic commitments in the Dolev-Yao model while considering active adversaries.
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based s... more It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of “identity-based signature schemes with additional properties” (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until know. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.
Information Processing Letters, 2008
Token-controlled public key encryption (TCPKE) schemes, introduced in [1], offer many possibiliti... more Token-controlled public key encryption (TCPKE) schemes, introduced in [1], offer many possibilities of application in financial or legal scenarios. Roughly speaking, in a TCPKE scheme messages are encrypted by using a public key together with a secret token, in such a way that the receiver is not able to decrypt this ciphertext until the token is published or released. The communication overhead for releasing the token is small in comparison with the ciphertext size. However, the fact that the same ciphertext could decrypt to different messages under different tokens was not addressed in the original work. In our opinion this is an essential security property that limits the use of this primitive in practice. In this work, we formalize this natural security goal and show that the schemes in [1]are insecure under this notion. In the second place, we propose a very simple and efficient generic construction of TCPKE schemes, starting from any trapdoor partial one-way function. This construction is obtained from a slight but powerful modification of the celebrated Fujisaki-Okamoto transformation [7]. We prove that the resulting schemes satisfy all the required security properties, in the random oracle model. Previous to this work, only particular instantiations of TCPKE schemes were proposed.
We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interac... more We show a simple chosen-ciphertext attack against a public key encryption scheme with non-interactive opening (PKENO) presented by Damgård, Kiltz, Hofheinz and Thorbek in CT-RSA 2008. In a PKENO scheme a receiver can convincingly reveal to a verifier what the result of decrypting a ciphertext C is, without interaction and without compromising the confidentiality of non-opened ciphertexts. A special interesting feature of PKENO is that a verifier can even ask for opening proofs on invalid ciphertexts. Those opening proofs will convince the verifier that the ciphertext was indeed invalid. We show that one of the schemes by Damgård et al. does not achieve the claimed security goal. Next we provide a fix for it. The repaired scheme presents essentially no overhead and is proven secure under the Decisional Bilinear Diffie-Hellman assumption in the standard model.
Identity-based public key cryptography is aimed at simplifying the management of certificates in ... more Identity-based public key cryptography is aimed at simplifying the management of certificates in traditional public key infrastructures by means of using the identity of a user as its public key. The user must identify itself to a trusted authority in order to obtain the secret key corresponding to its identity. The main drawback of this special form of public key cryptography is that it is key escrowed. Certificate-based and certificate-less cryptography have been recently proposed as intermediate paradigms between traditional and identity-based cryptography, seeking to simplify the management of certificates while avoiding the key escrow property of identity-based cryptography. In this work we cryptanalyse the certificate-based and certificate-less encryption schemes presented by Yum and Lee at EuroPKI 2004 and ICCSA 2004 conferences.
We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standar... more We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modi.cation of the so called RSA-Paillier [5] scheme. This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. Thanks to the special properties of such schemes, we obtain efficiency similar to that of RSA cryptosystem, provably secure encryption (since recovering plaintext from ciphertext is as hard as factoring) and indistinguishability against plaintext attacks. We also construct a new trapdoor permutation based on factoring, which has interest on its own. Semantic security of the scheme is based on an appropiate decisional assumption, named as Decisional Small 2e-Residues assumption. The robustness of this assumption is also discussed. Compared to Okamoto-Uchiyama's scheme [18], the previous IND-CPA cryptosystem in the standard model with onewayness based on factoring, our scheme is drastically more efficient in encryption, and presents higher bandwith, achieving the same expansion factor as Paillier or El Gamal schemes. We believe the new scheme could be an interesting starting point to develop efficient IND-CCA schemes in the standard model with one-wayness based on factoring.
... cryptosystem based on KMOV David Galindo, Sebasti`a Martın, Paz Morillo and Jorge L. Villar D... more ... cryptosystem based on KMOV David Galindo, Sebasti`a Martın, Paz Morillo and Jorge L. Villar Dep. Matem`atica Aplicada IV. ... Its semantic security is based on a new decisionalassump-tion, namely the Decisional Small-xe-Multiples assumption. ...
Journal of Systems and Software, 2008
Certificate-based encryption has been recently proposed as a means to simplify the certificate ma... more Certificate-based encryption has been recently proposed as a means to simplify the certificate management inherent to traditional public key encryption. In this paper, we present an efficient certificate-based encryption scheme which is fully secure in the standard model. Our construction is more efficient (in terms of computational cost and ciphertext size) than any of the previous constructions known without random
At Crypto&amp... more At Crypto'99, Fujisaki and Okamoto (10) presented a nice generic transfor- mation from weak asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model. From this transformation, two specific candidates to standardization were designed: EPOC-2 (9) and PSEC- 2 (16), based on Okamoto-Uchiyama and El Gamal primitives, respectively. Since then, several cryptanalysis of EPOC have
International Journal of Information Security, 2005
At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymm... more At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security techniques initiated by Shoup in [25] insofar as we find some ambiguities in the proof of this generic conversion, which can lead to false claims. Consequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of easily verifiable primitive is formalized, showing its connection with the gap problems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the easily verifiable primitives. For the remaining primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed.
The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin in ... more The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin in [BF03]. In this work we point out that there is a flawed step in the security reduction exhibited by the authors. Fortunately, it is possible to fix it without changing the scheme or the underlying assumption. In the second place, we introduce a variant of the seminal IBE scheme which allows a more efficient security reduction. This variant is simpler, and has more compact ciphertexts than Boneh-Franklin’s proposal, while keeping the computational cost. Finally, we observe that the flawed step pointed out here is present in several works, and that our techniques can be applied to obtain tighter reductions for previous relevant schemes.
This paper aims to find a proper security notion for commitment schemes to give a sound computati... more This paper aims to find a proper security notion for commitment schemes to give a sound computational interpretation of symbolic commitments. We introduce an indistinguishability based security definition of commitment schemes that is equivalent to non-malleability with respect to commitment. Then, we give a construction using tag-based encryption and one-time signatures that is provably secure assuming the existence of trapdoor permutations. Finally, we apply this new machinery to give a sound interpretation of symbolic commitments in the Dolev-Yao model while considering active adversaries.
It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based s... more It has been demonstrated by Bellare, Neven, and Namprempre (Eurocrypt 2004) that identity-based signature schemes can be constructed from any PKI-based signature scheme. In this paper we consider the following natural extension: is there a generic construction of “identity-based signature schemes with additional properties” (such as identity-based blind signatures, verifiably encrypted signatures, ...) from PKI-based signature schemes with the same properties? Our results show that this is possible for great number of properties including proxy signatures; (partially) blind signatures; verifiably encrypted signatures; undeniable signatures; forward-secure signatures; (strongly) key insulated signatures; online/offline signatures; threshold signatures; and (with some limitations) aggregate signatures. Using well-known results for PKI-based schemes, we conclude that such identity-based signature schemes with additional properties can be constructed, enjoying some better properties than specific schemes proposed until know. In particular, our work implies the existence of identity-based signatures with additional properties that are provably secure in the standard model, do not need bilinear pairings, or can be based on general assumptions.