## CryptoDB

### Zhenfu Cao

#### Publications

Year
Venue
Title
2020
ASIACRYPT
The tight security bound of the KAC (Key-Alternating Cipher) construction whose round permutations are independent from each other has been well studied. Then a natural question is how the security bound will change when we use fewer permutations in a KAC construction. In CRYPTO 2014, Chen et al. proved that 2-round KAC with a single permutation (2KACSP) has the same security level as the classic one (i.e., 2-round KAC). But we still know little about the security bound of incompletely-independent KAC constructions with more than 2 rounds. In this paper,we will show that a similar result also holds for 3-round case. More concretely, we prove that 3-round KAC with a single permutation (3KACSP) is secure up to $\varTheta(2^{\frac{3n}{4}})$ queries, which also caps the security of 3-round KAC. To avoid the cumbersome graphical illustration used in Chen et al.'s work, a new representation is introduced to characterize the underlying combinatorial problem. Benefited from it, we can handle the knotty dependence in a modular way, and also show a plausible way to study the security of $r$KACSP. Technically, we abstract a type of problems capturing the intrinsic randomness of $r$KACSP construction, and then propose a high-level framework to handle such problems. Furthermore, our proof techniques show some evidence that for any $r$, $r$KACSP has the same security level as the classic $r$-round KAC in random permutation model.
2019
CRYPTO
RIPEMD-160 is an ISO/IEC standard and has been applied to generate the Bitcoin address with SHA-256. Due to the complex dual-stream structure, the first collision attack on reduced RIPEMD-160 presented by Liu, Mendel and Wang at Asiacrypt 2017 only reaches 30 steps, having a time complexity of $2^{70}$. Apart from that, several semi-free-start collision attacks have been published for reduced RIPEMD-160 with the start-from-the-middle method. Inspired from such start-from-the middle structures, we propose two novel efficient collision attack frameworks for reduced RIPEMD-160 by making full use of the weakness of its message expansion. Those two frameworks are called dense-left-and-sparse-right (DLSR) framework and sparse-left-and-dense-right (SLDR) framework. As it turns out, the DLSR framework is more efficient than SLDR framework since one more step can be fully controlled, though with extra $2^{32}$ memory complexity. To construct the best differential characteristics for the DLSR framework, we carefully build the linearized part of the characteristics and then solve the corresponding nonlinear part using a guess-and-determine approach. Based on the newly discovered differential characteristics, we provide colliding messages pairs for the first practical collision attacks on 30 and 31 (out of 80) steps of RIPEMD-160 with time complexity $2^{35.9}$ and $2^{41.5}$ respectively. In addition, benefiting from the partial calculation, we can attack 33 and 34 (out of 80) steps of RIPEMD-160 with time complexity $2^{67.1}$ and $2^{74.3}$ respectively. When applying the SLDR framework to the differential characteristic used in the Asiacrypt 2017 paper, we significantly improve the time complexity by a factor of $2^{13}$. However, it still cannot compete with the results obtained from the DLSR framework. To the best of our knowledge, these are the best collision attacks on reduced RIPEMD-160 with respect to the number of steps, including the first colliding message pairs for 30 and 31 steps of RIPEMD-160.
2019
TOSC
RIPEMD-160 is a hash function published in 1996, which shares similarities with other hash functions designed in this time-period like MD4, MD5 and SHA-1. However, for RIPEMD-160, no (semi-free-start) collision attacks on the full number of steps are known. Hence, it is still used, e.g., to generate Bitcoin addresses together with SHA-256, and is an ISO/IEC standard. Due to its dual-stream structure, even semifree- start collision attacks starting from the first step only reach 36 steps, which were firstly shown by Mendel et al. at Asiacrypt 2013 and later improved by Liu, Mendel and Wang at Asiacrypt 2017. Both of the attacks are based on a similar freedom degree utilization technique as proposed by Landelle and Peyrin at Eurocrypt 2013. However, the best known semi-free-start collision attack on 36 steps of RIPEMD-160 presented at Asiacrypt 2017 still requires 255.1 time and 232 memory. Consequently, a practical semi-free-start collision attack for the first 36 steps of RIPEMD-160 still requires a significant amount of resources. Considering the structure of these previous semi-free-start collision attacks for 36 steps of RIPEMD-160, it seems hard to extend it to more steps. Thus, we develop a different semi-free-start collision attack framework for reduced RIPEMD-160 by carefully investigating the message expansion of RIPEMD-160. Our new framework has several advantages. First of all, it allows to extend the attacks to more steps. Second, the memory complexity of the attacks is negligible. Hence, we were able to mount semi-free-start collision attacks on 36 and 37 steps of RIPEMD-160 with practical time complexity 241 and 249 respectively. Additionally, we describe semi-free-start collision attacks on 38 and 40 (out of 80) steps of RIPEMD-160 with time complexity 252 and 274.6, respectively. To the best of our knowledge, these are the best semi-free-start collision attacks for RIPEMD-160 starting from the first step with respect to the number of steps, including the first practical colliding message pairs for 36 and 37 steps of RIPEMD-160.
2016
PKC
2016
ASIACRYPT
2015
EPRINT
2015
EPRINT
2015
EPRINT
2014
EPRINT
2010
EPRINT
In a proxy re-encryption scheme, a semi-trusted proxy can transform a ciphertext under Alice's public key into another ciphertext that Bob can decrypt. However, the proxy cannot access the plaintext. Due to its transformation property, proxy re-encryption can be used in many applications, such as encrypted email forwarding. In this paper, by using the techniques of Canetti-Hohenberger and Kurosawa-Desmedt, we propose a new single-use unidirectional proxy re-encryption scheme. Our proposal is secure against chosen ciphertext attack (CCA) and collusion attack in the standard model.
2010
PKC
2010
EPRINT
Since there always exists some users whose private keys are stolen or expired in practice, it is important for identity based encryption (IBE) system to provide a solution for revocation. The current most efficient revocable IBE system has a private key of size $\mathcal{O}(\log n)$ and update information of size $\mathcal{O}(r \log(\frac{n}{r}))$ where $r$ is the number of revoked users. We describe a new revocable IBE systems where the private key only contains two group elements and the update information size is $\mathcal{O}(r)$. To our best knowledge, the proposed constructions serve as the most efficient revocable IBE constructions in terms of space cost. Besides, this construction also provides a generic methodology to transform a non-monotonic attribute based encryption into a revocable IBE scheme. This paper also demonstrates how the proposed method can be employed to present an efficient revocable hierarchical IBE scheme.
2010
EPRINT
Ciphertext-Policy Attribute-Based Encryption(CP-ABE) is a system for realizing complex access control on encrypted data, in which attributes are used to describe a user's credentials and a party encrypting data determines a policy over attributes for who can decrypt. In CP-ABE schemes, access policy is attached to the ciphertext to be the input of the decryption algorithm. An access policy can be expressed in terms of monotone boolean formula or monotone access structure, and can be realized by a linear secret-sharing scheme(LSSS). In recent provably secure and efficient CP-ABE schemes, the LSSS induced from monotone span program(MSP) is used, where the LSSS is a matrix whose rows are labeled by attributes. And a general algorithm for converting a boolean formula into corresponding LSSS matrix is described recently. However, when there are threshold gates in the access structure, the number of rows of the LSSS matrix generated by the algorithm will be unnecessary large, and consequently the ciphertext size is unnecessary large. In this paper, we give a more general and efficient algorithm that the number of rows of the LSSS matrix is as small as possible. And by some tricks, the boolean formula acts as the label function, so that only the boolean formula needs to be attached to the ciphertext, which decreases the communication cost drastically.
2009
ASIACRYPT
2009
PKC
2008
EPRINT
Key agreement protocols are essential for secure communications in open and distributed environments. The protocol design is, however, extremely error-prone as evidenced by the iterative process of fixing discovered attacks on published protocols. We revisit an efficient identity-based (ID-based) key agreement protocol due to Ryu, Yoon and Yoo. The protocol is highly efficient and suitable for real-world applications despite offering no resilience against key-compromise impersonation (K-CI). We then show that the protocol is, in fact, insecure against reflection attacks. A slight modification to the protocol is proposed, which results in significant benefits for the security of the protocol without compromising on its efficiency. Finally, we prove the improved protocol secure in a widely accepted model.
2008
EPRINT
We introduce a new cryptographic primitive which is the signature analogue of fuzzy identity based encryption(IBE). We call it fuzzy identity based signature(IBS). It possesses similar error-tolerance property as fuzzy IBE that allows a user with the private key for identity $\omega$ to decrypt a ciphertext encrypted for identity $\omega'$ if and only if $\omega$ and $\omega'$ are within a certain distance judged by some metric. A fuzzy IBS is useful whenever we need to allow the user to issue signature on behalf of the group that has certain attributes. Fuzzy IBS can also be applied to biometric identity based signature. To our best knowledge, this primitive was never considered in the identity based signature before. We give the definition and security model of the new primitive and present the first practical implementation based on Sahai-Waters construction\cite{6} and the two level hierarchical signature of Boyen and Waters\cite{9}. We prove that our scheme is existentially unforgeable against adaptively chosen message attack without random oracles.
2008
EPRINT
A proxy re-encryption (PRE) scheme allows a proxy to transform a ciphertext under Alice's public key into a ciphertext under Bob's public key on the same message. In 2006, Green and Ateniese extended the above notion to identity-based proxy re-encryption (IB-PRE), and proposed two open problems \cite{GA06}: building 1. IB-PRE schemes which are CCA-secure in the standard model; 2. multi-use CCA-secure IB-PRE schemes. Chu and Tzeng proposed two identity-based proxy re-encryption schemes afterwards in \cite{CT07}, aiming at solving the two open problems. However, in this paper, we show that they don't solve these two open problems by revealing a security flaw in their solution. Furthermore, we propose an improvement which is a solution to the open problems.
2008
EPRINT
In recent years, a great deal of ID-based authenticated key exchange protocols have been proposed. However, many of them have been broken or have no security proof. The main issue is that without static private key it is difficult for simulator to fully support the SessionKeyReveal and EphemeralKeyReveal queries. Some proposals which have purported to be provably secure just hold in relatively weak model, which does not fully support above-mentioned two queries. For protocols to be proven secure in more desirable model, people must make use of the stronger gap [15] assumption, which means that the computational problem remains hard even in the presence of an effective decision oracle. However, the gap assumption may not be acceptable at all, since the decision oracle, which the proofs rely on, may not exist in real world. Cash, Kiltz and Shoup [14] recently proposed a new computational problem called twin Diffie-Hellman problem, a nice feature of which not enjoyed by ordinary Diffie-Hellman problem is that the twin Diffie-Hellman problem remains hard, even with access to a decision oracle that recognizes solutions to the problem. At the heart of their method is the "trapdoor test" that allows us to implement an effective decision oracle for the twin Diffie-Hellman problem, without knowing the corresponding discrete logarithm. In this paper,we present a new ID-based authenticated key exchange (ID-AKE) protocol based on the trapdoor test technique. Compared with previous ID-AKE protocols, our proposal is based on the Bilinear Diffie-Hellman (BDH) assumption, which is more standard than Gap Bilinear Diffie-Hellman (GBDH) assumption, on which previous protocols are based. Moreover, our scheme is shown to be secure in the enhanced Canetti-Krawczyk (eCK) model, which is the currently strongest AKE security model.
2008
EPRINT
Currently, there are a lot of authenticated key exchange (AKE) protocols in literature. However, the security proofs of this kind of protocols have been established to be a non-trivial task. The main issue is that without static private key it is difficult for simulator to fully support the SessionKeyReveal and EphemeralKeyReveal queries. Some proposals which have been proven secure either just hold in relatively weak models which do not fully support above-mentioned two queries or make use of the stronger gap assumption. In this paper, using a new technique named twin Diffie-Hellman problem proposed by Cash, Kiltz and Shoup, we present a new AKE protocol based on the computational Diffie-Hellman (CDH) assumption, which is more standard than gap Diffie-Hellman (GDH) assumption. Moreover, our scheme is shown to be secure in strong security definition, the enhanced Canetti-Krawczyk (eCK) model introduced by LaMacchia, Lauter and Mityagin, which better supports the adversaries' queries than previous models.
2007
EPRINT
In 1999, Naor and Pinkas \cite {NP99} presented a useful protocol called oblivious polynomial evaluation(OPE). In this paper, the cryptanalysis of the OPE protocol is presented. It's shown that the receiver can successfully get the sender's secret polynomial $P$ after executing the OPE protocol only once, which means the privacy of the sender can be violated and the security of the OPE protocol will be broken. It's also proven that the complexity of the cryptanalysis is the same with the corresponding protocols cryptanalyzed.
2007
EPRINT
In this paper, we propose a new method for designing public key cryptosystems based on general non-commutative rings. The key idea of our proposal is that for a given non-commutative ring, we can define polynomials and take them as the underlying work structure. By doing so, it is easy to implement Diffie-Helman-like key exchange protocol. And consequently, ElGamal-like cryptosystems can be derived immediately. Moreover, we show how to extend our method to non-commutative groups (or semi-groups).
2007
EPRINT
In SAC'05, Strangio proposed protocol ECKE-1 as an efficient elliptic curve Diffie-Hellman two-party key agreement protocol using public key authentication. In this letter, we show that despite the author's claims protocol ECKE-1 is vulnerable to key-compromise impersonation attacks. We also present an improved protocol --- ECKE-1N, which can withstand such attacks. The improved protocol's performance is comparable to the well-known MQV protocol and maintains the same remarkable list of security properties.
2007
EPRINT
Identity-based encryption (IBE) schemes are usually used in multiple-PKG environments --- on the one hand, each administrative domain (e.g., a relatively small and close organization) maintains its own private key generator (PKG); on the other hand, encryption across domains becomes a prevalent requirement. In this paper, we present a new IBE scheme using bilinear pairings. Compared with the famous IBE scheme of Boneh and Franklin, we show that ours is more practical in the multiple-PKG environment. We prove that our scheme meets chosen ciphertext security in the random oracle model, assuming the intractability of the standard Bilinear Diffie-Hellman (BDH) problem. As an application of our IBE scheme, we also propose an escrowed ElGamal scheme which possesses certain good properties in practice.
2007
EPRINT
In a proxy re-encryption scheme, a semi-trusted proxy, with some additional information, can transform a ciphertext under Alice's public key into a new ciphertext under Bob's public key on the same message, but cannot learn any information about the messages encrypted under the public key of either Alice or Bob. In this paper, we propose two new unidirectional proxy re-encryption schemes, where a proxy can transform a ciphertext for Alice into a new ciphertext for Bob, but not vice versa. Note that, unidirectional proxy re-encryption is more powerful than bidirectional one, since a bidirectional scheme can always be implemented by an unidirectional one. Furthermore, these two schemes can be proved \emph{in the standard model}, chosen-ciphertext secure based on Decisional Bilinear Inverse Diffie-Hellman assumption and master key secure based on Extended Discrete Logarithm assumption. To our best knowledge, our proposals are the first fully secure (CCA-secure and master key secure) proxy re-encryption schemes in the standard model.
2007
EPRINT
We construct a short group signature which is proven secure without random oracles. By making certain reasonable assumptions and applying the technique of non-interactive proof system, we prove that our scheme is full anonymity and full traceability. Compared with other related works, such as BW06, BW07, ours is more practical due to the short size of both public key and group signature.
2007
EPRINT
There are several essential features in key agreement protocols such as key escrow (essential when confidentiality, audit trail and legal interception are required) and perfect forward secrecy (i.e., the security of a session key established between two or more entities is guaranteed even when the private keys of the entities are compromised). Majority of the existing escrowable identity-based key agreement protocols, however, only provide partial forward secrecy. Therefore, such protocols are unsuitable for real-word applications that require a stronger sense of forward secrecy --- perfect forward secrecy. In this paper, we propose an efficient perfect forward secure identity-based key agreement protocol in the escrow mode. We prove the security of our protocol in the random oracle model, assuming the intractability of the Gap Bilinear Diffie-Hellman (GBDH) problem. Security proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. We note, however, that many existing security proofs of previously published identity-based protocols entail lengthy and complicated mathematical proofs. In this paper, our proof adopts a modular approach and, hence, simpler to follow.
2007
EPRINT
Since the first password-based authenticated key exchange (PAKE) was proposed, it has enjoyed a considerable amount of interest from the cryptographic research community. To our best knowledge, most of proposed PAKEs based on Diffie-Hellman key exchange need some public information, such as generators of a finite cyclic group. However, in a client-server environment, not all servers use the same public information, which demands clients authenticate those public information before beginning PAKE. It is cumbersome for users. What's worse, it may bring some secure problems with PAKE, such as substitution attack. To remove these problems, in this paper, we present an efficient password-based authenticated key exchange protocol without any public information. We also provide a formal security analysis in the non-concurrent setting, including basic security, mutual authentication, and forward secrecy, by using the random oracle model.
2007
EPRINT
To construct a suitable and secure proxy re-signature scheme is not an easy job, up to now, there exist only three schemes, one is proposed by Blaze et al. at EUROCRYPT 1998, and the others are proposed by Ateniese and Hohenbergerat ACM CCS 2005. However, none of these schemes is proved in the standard model (i.e., do not rely on the random oracle heuristic). In this paper, based on Waters' approach, we first propose a multi-use bidirectional proxy re-signature scheme, denoted as $S_{mb}$, which is existentially unforgeable in the standard model. And then, we extend $S_{mb}$ to be a multi-use bidirectional ID-based proxy re-signature scheme, denoted by $S_{id-mb}$, which is also existentially unforgeable in the standard model. Both of these two proposed schemes are computationally efficient, and their security bases on the Computational Diffie-Hellman (CDH) assumption.
2006
EPRINT
Two variants of CA-based public key authentication framework are proposed in this paper. The one is termed as public key cryptosystem without certificate management center (PKCwCMC) and the other is termed as proxy signature based authentication framework (PS-based AF). Moreover, we give an implementation of the former based on quadratic residue theory and an implementation of the latter from RSA. Both of the two variants can be looked as lite-CA based authentication frameworks since the workload and deployment of CAs in these systems are much lighter and easier than those of in the traditional CA-based PKC.
2006
EPRINT
We present the first provably secure ID-based key agreement protocol, inspired by the ID-based encryption scheme of Gentry, in the standard (non-random-oracle) model. We show how this key agreement can be used in either escrowed or escrowless mode. We also give a protocol which enables users of separate private key generators to agree on a shared secret key. All our proposed protocols have comparable performance to all known protocols that are proven secure in the random oracle model.
2006
EPRINT
The focus of this paper is to design an efficient and secure solution addressing the key escrow problem in ID-based signature schemes, i.e., the Private Key Generator (PKG) knows the user's private key, which damages the essential requirement--non-repudiation" property of signature schemes. In this paper, we proposed two ID-based threshold signature schemes, which both reach Girault's trusted level 3, and in which there exists only one PKG in our ID-based threshold signature schemes. In particular, the second scheme has another good property: it does not require trusting any particular party at any time. Compared with the previous schemes, our schemes do not need to compute pairings, which make them be more efficient than those schemes. Furthermore, our ID-based signature schemes increase the availability of the signing agency and the difficulty for the adversary to learn the private key.
2005
EPRINT
To achieve secure data communications, two parties should be authenticated by each other and agree on a secret session key by exchanging messages over an insecure channel. In this paper, based on the bilinear pairing, we present a new two-party authenticated key agreement protocol, and use the techniques from provable security to examine the security of our protocol within Bellare-Rogaway model.
2005
EPRINT
ID-based encryption allows for a sender to encrypt a message to an identity without access to a public key certificate. Based on the bilinear pairing, Boneh and Franklin proposed the first practical ID-based encryption scheme and used the padding technique of Fujisaki-Okamto to extend it to be a chosen ciphertext secure version. In this letter, we would like to use another padding technique to propose a new ID-based encryption scheme secure against chosen ciphertext attacks. The security of our scheme is based on the Gap bilinear Diffie-Hellman assumption in the random oracle model.
2004
EPRINT
Proxy signature is an important cryptographic primitive and has been suggested in numerous applications. In this paper, we present an attack on the aggregate-signature-based proxy signature schemes, then point out there are two flaws in BPW notion of security for proxy signature. Furthermore, we give arguments for partial delegation with warrant proxy signature schemes. We construct a new proxy signature scheme and prove that it is secure against existentially forgery on adaptively chosen-message attacks and adaptively chosen-warrant attacks under the random oracle model.