Combinatorial Designs and Cryptography, Revisited

Encryption methods based on combinatorial designs

1986

We explore the use of some combinatorial designs for possible use as secret codes. We are motivated to use designs as (1) combinatorial designs are often hard to find, (2) the algorithms for encryption and decryption are of reasonable length, (3) combinatorial designs have very large numbers of designs in each equivalence class, lending themselves readily to selection using a secret key.

Disciplines: Physical Sciences and Mathematics

Publication Details: Sarvate, DG and Seberry, J, Encryption methods based on combinatorial designs, Ars Combinatoria, 21A, 1986, 237-246. This journal article is available at Research Online: http://ro.uow.edu.au/infopapers/1019

Encryption Methods Based on Combinatorial Designs. Dinesh G. Sarvate and Jennifer Seberry, Basser Department of Computer Science, University of Sydney, NSW 2006, Australia.

The combinatorics of cryptographic key establishment

One of the most important processes involved in securing a cryptographic system is establishing the keys on which the system will rely. In this article we review the significant contribution of combinatorial mathematics to the development of the theory of cryptographic key establishment. We will describe relevant applications, review current research and, where appropriate, identify areas where further research is required.

Some Applications of Bounds for Designs to the Cryptography

Lecture Notes in Computer Science, 1999

Recent years have seen numerous examples where designs play an important role in the study of such topics in cryptography as secrecy and authentication codes, secret sharing schemes, and correlation-immune and resilient functions. In this paper we give applications of some methods and results from design theory, especially bounds on the optimal size of designs and codes, to cryptography.

Constructions, Lower Bounds, and New Directions in Cryptography and Computational Complexity

In the first part of the thesis we show black-box separations in public and private-key cryptography. Our main result answers in the negative the question of whether we can base Identity Based Encryption (IBE) on Trapdoor Permutations. Furthermore, we make progress towards the black-box separation of IBE from the Decisional Diffie-Hellman assumption. We also show

It is a great privilege to study Theory at the University of Toronto. I was also privileged to have an incredible advisor and PhD committee. I'm most thankful to Charles Rackoff for his invaluable research supervision, countless discussions, very close attention to my work, and insightful comments. In addition, Charlie is among the most open and liberal-minded individuals I have met in academia, which made this process more interesting. I'm also grateful to the other members of my committee, Allan Borodin, Stephen Cook, and Toniann Pitassi, for always being there with useful remarks, research suggestions, and encouragement. Many thanks to my external thesis reviewer Eric Allender for his detailed remarks and suggestions.

Secret sharing schemes and combinatorial designs

1993

If there are participants involved in a group wanting to recover a secret, then how can we share the secret? The purpose of this paper is to propose ideal threshold schemes in terms of combinatorial designs. We associate our scheme with a threshold scheme expressed as a matrix and investigate the combinatorial properties of ideal schemes with a threshold access structure. It is shown that their existence is equivalent to the existence of combinatorial designs. Also, assuming the existence of ideal schemes, we show the condition for the number of blocks of ideal schemes to be expressed by the cardinality of the divisible group.

Keywords: threshold scheme, secret sharing, block design, matroid. 853 (1993), 80-87.

Chosen ciphertext security with optimal overhead. IACR ePrint Archive 2008/374

2016

Abstract. Every public-key encryption scheme has to incorporate a certain amount of randomness into its ciphertexts to provide semantic security against chosen ciphertext attacks (IND-CCA). The difference between the length of a ciphertext and the embedded message is called the ciphertext overhead. While a generic brute-force adversary running in 2^t steps gives a theoretical lower bound of t bits on the ciphertext overhead for IND-CPA security, the best known IND-CCA secure schemes demand roughly 2t bits even in the random oracle model. Is the t-bit gap essential for achieving IND-CCA security? We close the gap by proposing an IND-CCA secure scheme whose ciphertext overhead matches the generic lower bound up to a small constant. Our scheme uses a variation of a four-round Feistel network in the random oracle model and hence belongs to the family of OAEP-based schemes. Maybe of independent interest is a new efficient method to encrypt long messages exceeding the length of the perm...

Pseudorandom functions revisited: the cascade construction and its concrete security

Proceedings of 37th Conference on Foundations of Computer Science, 1996

Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of one-way functions) has been ...

On Selective-Opening Attacks against Encryption Schemes

Lecture Notes in Computer Science, 2014

At FOCS'99, Dwork et al. put forth the notion of 'selective-opening attacks' (SOAs, for short). In the literature, security against such attacks has been formalized via indistinguishability-based and simulation-based notions, respectively called IND-SO-CPA security and SIM-SO-CPA security. Furthermore, the IND-SO-CPA notion has been studied under two flavors: weak-IND-SO-CPA and full-IND-SO-CPA security. At Eurocrypt'09, Bellare et al. showed the first positive results on SOA security of encryption schemes: 1) any lossy encryption scheme is weak-IND-SO-CPA secure; 2) any lossy encryption scheme with efficient openability is SIM-SO-CPA secure. Despite rich further work on SOA security, the (un)feasibility of full-IND-SO-CPA remains a major open problem in the area of SOA security. The elusive nature of the full-IND-SO-CPA notion of security is attributed to a specific aspect of the security game, namely, the challenger being required to perform a super-polynomial time task. Not only do we not know whether there exists a scheme that is full-IND-SO-CPA secure, but we also do not know concrete attacks against popular schemes such as the ElGamal and Cramer-Shoup schemes in the full-IND-SO-CPA model. The contribution of our work is threefold. 1. Motivated by the difficulty in understanding the (un)feasibility of the full-IND-SO-CPA notion, we study a variant of this notion that is closer in spirit to the IND-CPA notion but still embodies the security captured by the full-IND-SO-CPA notion. We observe that the weak form of our variation does not introduce any significant change to the weak-IND-SO-CPA notion; that is, the weak form of our notion is equivalent to the weak-IND-SO-CPA notion. 2. Interestingly, we can show that a large class of encryption schemes can be proven insecure for the full form of our notion. The large class includes most known constructions of weak-IND-SO-CPA secure schemes and SIM-SO-CPA secure schemes and also popular schemes like the ElGamal and Cramer-Shoup schemes. 3. Our third contribution studies the complexity of SIM-SO-CPA security. Complementing the result of Bellare et al., we show that lossiness is not necessary to achieve SIM-SO-CPA security. More specifically, we present a SIM-SO-CPA scheme that is not a lossy encryption scheme (regardless of efficient openability). Since SIM-SO-CPA security implies weak-IND-SO-CPA security, it follows as a corollary that the converses of both the implications proved by Bellare et al. do not hold. Furthermore, as a corollary of our techniques, on a slightly unrelated but useful note, we obtain that lossiness is not required to obtain non-committing encryption. Previously, at Eurocrypt'09, Fehr et al. showed a construction of a non-committing encryption scheme from trapdoor permutations and this scheme was, as noted by the authors, possibly not lossy. Our scheme amounts to the first construction of a non-committing encryption scheme that is provably not lossy.

(Work partially done while visiting UCLA.)

Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations

Advances in Cryptology – EUROCRYPT 2012, 2012

This paper considers, for the first time, the concept of key-alternating ciphers in a provable security setting. Key-alternating ciphers can be seen as a generalization of a construction proposed by Even and Mansour in 1991. This construction builds a block cipher PX from an n-bit permutation P and two n-bit keys k0 and k1, setting PX_{k0,k1}(x) = k1 ⊕ P(x ⊕ k0). Here we consider a (natural) extension of the Even-Mansour construction with t permutations P1, ..., Pt and t + 1 keys, k0, ..., kt. We demonstrate in a formal model that such a cipher is secure in the sense that an attacker needs to make at least 2^{2n/3} queries to the underlying permutations to be able to distinguish the construction from random. We argue further that the bound is tight for t = 2 but there is a gap in the bounds for t > 2, which is left as an open and interesting problem. Additionally, in terms of statistical attacks, we show that the distribution of Fourier coefficients for the cipher over all keys is close to ideal. Lastly, we define a practical instance of the construction with t = 2 using AES, referred to as AES^2. Any attack on AES^2 with complexity below 2^85 will have to make use of AES with a fixed known key in a non-black-box manner. However, we conjecture its security is 2^128.