## CryptoDB

### Xuejia Lai

#### Publications

Year
Venue
Title
2015
CRYPTO
2010
EPRINT
Higher order differential cryptanalysis is based on the property of higher order derivatives of Boolean functions that the degree of a Boolean function can be reduced by at least 1 by taking a derivative on the function at any point. We define \emph{fast point} as the point at which the degree can be reduced by at least 2. In this paper, we show that the fast points of a $n$-variable Boolean function form a linear subspace and its dimension plus the algebraic degree of the function is at most $n$. We also show that non-trivial fast point exists in every $n$-variable Boolean function of degree $n-1$, every symmetric Boolean function of degree $d$ where $n \not\equiv d \pmod{2}$ and every quadratic Boolean function of odd number variables. Moreover we show the property of fast points for $n$-variable Boolean functions of degree $n-2$.
2009
ASIACRYPT
2008
EPRINT
Kiltz proposed a practical key encapsulation mechanism(Kiltz07-KEM) which is secure against adaptive chosen ciphertext attacks(IND-CCA2) under the gap hashed Diffie-Hellman(GHDH) assumption\cite{Kiltz2007}. We show a variant of Kiltz07-KEM which is more efficient than Kiltz07-KEM in encryption. The new scheme can be proved to be IND-CCA2 secure under the same assumption, GHDH.
2008
EPRINT
In this paper we propose an attack against multivariate hash functions, which is based on higher order differential cryptanalysis. As a result, this attack can be successful in finding the preimage of the compression function better than brute force and it is easy to make selective forgeries when a MAC is constructed by multivariate polynomials. It gives evidence that families of multivariate hash functions are neither pseudo-random nor unpredictable and one can distinguish a function from random functions, regardless of the finite field and the degree of the polynomials.
2008
EPRINT
This paper reconsiders the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of $n$-bit and a key length of $2n$-bit. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose there exist uncovered flaws in the former analysis given by Satoh \textit{et al.} and Hirose. Preimage and second preimage attacks are designed to break Hirose's two examples which were left as an open problem. Some refined conditions are proposed for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the proposed conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in the compression function has the key length is equal to the block length, while the other is doubled.
2008
EPRINT
An efficient variant of the ElGamal public key encryption scheme is proposed which is provably secure against adaptive chosen ciphertext attacks(IND-CCA2) under the decisional Diffie-Hellman(DDH) assumption. Compared to the previously most efficient scheme under DDH assumption by Kurosawa and Desmedt [Crypto 2004] it has one group element shorter ciphertexts, 50\% shorter secret keys, 25\% shorter public keys and it is 28.6\% more efficient in terms of encryption speed, 33.3\% more efficient in terms of decryption speed. A new security proof logic is used, which shows directly that the decryption oracle will not help the adversary in the IND-CCA2 game. Compared to the previous security proof, the decryption simulation is not needed in the new logic. This makes the security proof simple and easy to understand.
2008
EPRINT
This paper reconsiders the security of the rate-1 double block length hash functions, which based on a block cipher with a block length of $n$-bit and a key length of $2n$-bit. Counter-examples and new attacks are presented on this general class of double block length hash functions with rate 1, which disclose there exist uncovered flaws in the former analysis given by Satoh \textit{et al.} and Hirose. Preimage and second preimage attacks are designed to break Hirose's two examples which were left as an open problem. Some refined conditions are proposed for ensuring this general class of the rate-1 hash functions to be optimally secure against the collision attack. In particular, two typical examples, which designed under the proposed conditions, are proven to be indifferentiable from the random oracle in the ideal cipher model. The security results are extended to a new class of double block length hash functions with rate 1, where one block cipher used in the compression function has the key length is equal to the block length, while the other is doubled.
2007
EPRINT
Kurosawa and Matsuo\cite{Kurosawa20042} showed that MAC can be removed from DHIES while the underlying symmetric-key encryption(SKE) scheme is secure against adaptive chosen ciphertext attacks(IND-CCA). We construct a variant of DHIES which eliminate the MAC while the SKE scheme is secure against passive attacks(IND-PA). Since IND-PA is the basic requirement of SKE schemes, the new scheme is more flexible than \cite{Kurosawa20042}. Our new scheme can be seen as a combination of a tag-KEM \cite{Abe2005} and a DEM. Our construction offers the first tag-KEM with single element. When the hash function $H$ in the ODH assumption is a non-malleable hash function we can prove that the new scheme is IND-CCA secure under the ODH assumption.
2007
EPRINT
For all current adaptive chosen ciphertext(CCA) secure public key encryption schemes in standard model there are two operations in the decryption algorithm, validity check" and decryption. The decryption algorithm returns the corresponding plaintext if the ciphertext is valid otherwise it returns a rejection symbol $\perp$. We call this paradigm invalid ciphertext rejection". However the validity check" is not necessary for an encryption scheme. Also in this case the adversary will get the information that the ciphertext is "invalid" which he may not know before the decryption query. We propose a new paradigm for constructing CCA secure public key encryption schemes which combines validity check" and decryption together. The decryption algorithm will execute the same operation regardless of the ciphertext's validity. We call this new paradigm uniform decryption". Compared with the "invalid ciphertext rejection" paradigm, the decryption oracle of schemes in the new paradigm will reveal less information. The attacker even can not get whether the queried ciphertext is valid" or not. Moreover the combination of validity check" and the decryption will yield more efficient schemes. Using the new paradigm we construct an efficient public key encryption scheme. Our scheme is more efficient than CS98 in both computation and bandwidth. Compered with KD04 and HK07 the new scheme is more efficient in bandwidth and the same efficient in computation. The new scheme is as efficient as Kiltz07 both in computation and bandwidth. However the new scheme is CCA secure based on DDH assumption which is more flexible than GHDH assumption that Kiltz07 based on. Kurosawa and Desmedt proposed an efficient hybrid scheme named as KD04\cite{Kurosawa2004}. Although the key encapsulation part of KD04(KD04-KEM) is not CCA secure \cite{Hofheinz2006}, the whole scheme can be proved to be CCA secure. We show that if the key derivation function(KDF) of KD04-KEM is a non-malleable hash function it will be a CCA secure KEM in the new paradigm.
2007
EPRINT
M. Abdalla, M. Bellare and P. Rogaway proposed a variation of Diffie-Hellman assumption named as oracle Diffie-Hellman(ODH) assumption. They recommend to use a one-way cryptographic hash function for the ODH assumption. We notice that if the hash function is just one-way then there will be an attack. We show that if the the hash function is non-malleable then the computational version of ODH assumption can be reduced to the computational Diffie-Hellman(CDH) assumption. But we can not reduce the ODH assumption to the decisional Diffie-Hellman(DDH) even if the hash function is non-malleable. It seems that we need a random oracle hash function to reduce the ODH assumption to the DDH assumption.
2007
EPRINT
We propose a security notion named as weak adaptive chosen ciphertext security(IND-WCCA) for hybrid encryption schemes. Although it is weaker than adaptive chosen ciphertext security(IND-CCA), a IND-WCCA secure hybrid encryption scheme can be used in any situations that a IND-CCA secure hybrid encryption scheme used in. We show that IND-WCCA secure hybrid encryption scheme can be constructed from IND-CCA secure KEM and IND-PA secure DEM. Since IND-PA is the basic requirement of symmetric key encryption schemes, IND-WCCA hybrid encryption scheme is very flexible and can use most of the stream ciphers and block ciphers as the DEM part of the scheme. Use the new secure notion we can refine current IND-CCA secure hybrid encryption schemes and get more efficient IND-WCCA secure hybrid encryption schemes.
2007
EPRINT
Nowadays, investigating what construction is better to be a cryptographic hash function is red hot. In TCC'04, Maurer et al. first introduced the notion of indifferentiability as a generalization of the concept of the indistinguishability of two cryptosystems. In AsiaCrypt 06, Chang et al. analyzed the indifferentiability security of some popular block-cipher-based hash functions, such as PGV constructions and MDC-2. In this paper, we investigate Chang et al.'s analysis of PGV constructions and the PBGV double block length constructions. In particular, we point out a more precise adversarial advantage of indifferentiability, by considering the two situations that whether the hash function is either keyed or not. Furthermore, Chang et al. designed attacks on 4 PGV hash functions and PBGV hash function to prove they are differentiable from random oracle with prefix-free padding. We find a limitation in their differentiable attacks and construct our simulations to obtain the controversy results that those schemes are indifferentiable from random oracle with prefix-free padding and some other popular constructions.
2006
EPRINT
KD04 proposed by K. Kurosawa and Y. Desmedt is the most efficient public key encryption scheme provably secure against adaptive chosen ciphertext attack in standard model based on decision diffie-hellman problem. We proposed a simplify version of KD04 which is more efficient than KD04 while still can be proved to be secure against adaptive chosen ciphertext attack in standard model based on decision diffie-hellman problem.
2006
EPRINT
Cramer and Shoup proposed the first provably secure practical public-key encryption scheme in the standard model (CS98). We find new way to construct the secure reduction in which the decryption oracle is not needed yet. Thus we get a simplified version of CS98 which is more efficient than the original scheme, and also provably secure against chosen ciphertext attack in standard model.
2006
ASIACRYPT
2005
EUROCRYPT
2005
EPRINT
In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in EUROCRYPT 2005[6]. We found that the derived conditions for the desired differential path in [6] were not sufficient to guarantee the differential path to hold and that some conditions could be relaxed to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique [5,6], the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pen-tium4 1.70GHZ CPU.
2005
FSE
2004
EPRINT
1998
JOFC
1996
FSE
1994
EUROCRYPT
1994
FSE
1993
CRYPTO
1993
FSE
1992
AUSCRYPT
1992
EUROCRYPT
1991
EUROCRYPT
1990
EUROCRYPT

#### Program Committees

Crypto 2018
Asiacrypt 2016
Asiacrypt 2015
Asiacrypt 2014
Eurocrypt 2013
Asiacrypt 2010
Asiacrypt 2009
Asiacrypt 2007
FSE 2006
Asiacrypt 2006 (Program chair)
Asiacrypt 2005
FSE 2005
Crypto 1999
Asiacrypt 1998
Eurocrypt 1998