Results 1-20 of 22.
Bookmark and Share    
Full Text
Peer Reviewed
See detailNon-interactive Zero Knowledge Proofs in the Random Oracle Model
Iovino, Vincenzo UL; Visconti, Ivan

in Codes, Cryptology and Information Security (2019)

The Fiat-Shamir (FS) transform is a well known and widely used technique to convert any constant-round public-coin honest-verifier zero-knowledge (HVZK) proof or argument system CIPC=(Prov,Ver) in a non ... [more ▼]

The Fiat-Shamir (FS) transform is a well known and widely used technique to convert any constant-round public-coin honest-verifier zero-knowledge (HVZK) proof or argument system CIPC=(Prov,Ver) in a non-interactive zero-knowledge (NIZK) argument system NIZK=(NIZK.Prove, NIZK.Verify). The FS transform is secure in the random oracle (RO) model and is extremely efficient: it adds an evaluation of the RO for every message played by Ver. While a major effort has been done to attack the soundness of the transform when the RO is instantiated with a ``secure'' hash function, here we focus on a different limitation of the FS transform that exists even when there is a secure instantiation of the random oracle: the soundness of NIZK holds against polynomial-time adversarial provers only. Therefore even when CIPC is a proof system, NIZK is only an argument system. In this paper we propose a new transform from 3-round public-coin HVZK proof systems for several practical relations to NIZK proof systems in the RO model. Our transform outperforms the FS transform protecting the honest verifier from unbounded adversarial provers with no restriction on the number of RO queries. The protocols our transform can be applied to are the ones for proving membership to the range of a one-way group homomorphism as defined by [Maurer - Design, Codes and Cryptography 2015] except that we additionally require the function to be endowed with a trapdoor and other natural properties. For instance, we obtain new efficient instantiations of NIZK proofs for relations related to quadratic residuosity and the RSA function. As a byproduct, with our transform we obtain essentially for free the first efficient non-interactive zap (i.e., 1-round non-interactive witness indistinguishable proof system for several practical languages in the non-programmable RO model and in an ideal-PUF model. Our approach to NIZK proofs can be seen as an abstraction of the celebrated work of [Feige, Lapidot and Shamir - FOCS 1990]. [less ▲]

Detailed reference viewed: 20 (3 UL)
Full Text
Peer Reviewed
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in E-Business and Telecommunications - 2019 (2019)

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have witnessed the debut of a number of prominent security models for PAKE protocols, whose aim is to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. These models are usually classified into (i) indistinguishability-based (IND-based) or (ii) simulation-based (SIM-based). However, the relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. The results obtained also hold when forward secrecy is incorporated into the security models in question. [less ▲]

Detailed reference viewed: 47 (3 UL)
Full Text
Peer Reviewed
See detailTightly-Secure PAK(E)
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Cryptology and Network Security (2017, December 02)

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete ... [more ▼]

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today’s world. [less ▲]

Detailed reference viewed: 151 (35 UL)
Full Text
Peer Reviewed
See detailUsing Selene to Verify your Vote in JCJ
Iovino, Vincenzo UL; Rial Duran, Alfredo UL; Roenne, Peter UL et al

in Workshop on Advances in Secure Electronic Voting (VOTING'17) (2017, April 07)

Detailed reference viewed: 149 (28 UL)
Full Text
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Skrobot, Marjan UL

Presentation (2017, March 09)

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i ... [more ▼]

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that the SIM-based model of Boyko, Mackenzie and Patel [EUROCRYPT00] and the IND-based model of Abdalla, Fouque and Pointcheval are equivalent, in the sense that a protocol proven secure in one model is also secure in the other model. [less ▲]

Detailed reference viewed: 36 (3 UL)
Full Text
Peer Reviewed
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Proceedings of the International Conference on Security and Cryptography (2017)

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary. Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al.~(EUROCRYPT 2000) implies IND-RoR security from Abdalla et al.~(PKC 2005) and that IND-RoR security implies a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. [less ▲]

Detailed reference viewed: 95 (13 UL)
Full Text
Peer Reviewed
See detailPrivacy-Preserving Verifiability: A Case for an Electronic Exam Protocol
Giustolisi, Rosario; Iovino, Vincenzo UL; Lenzini, Gabriele UL

in Giustolisi, Rosario; Iovino, Vincenzo; Lenzini, Gabriele (Eds.) Privacy-Preserving Verifiability: A Case for an Electronic Exam Protocol (2017)

We introduce the notion of privacy-preserving verifiability for security protocols. It holds when a protocol admits a verifiability test that does not reveal, to the verifier that runs it, more pieces of ... [more ▼]

We introduce the notion of privacy-preserving verifiability for security protocols. It holds when a protocol admits a verifiability test that does not reveal, to the verifier that runs it, more pieces of information about the protocol’s execution than those required to run the test. Our definition of privacy-preserving verifiability is general and applies to cryptographic protocols as well as to human security protocols. In this paper we exemplify it in the domain of e-exams. We prove that the notion is meaningful by studying an existing exam protocol that is verifiable but whose verifiability tests are not privacy-preserving. We prove that the notion is applicable: we review the protocol using functional encryption so that it admits a verifiability test that preserves privacy to our definition. We analyse, in ProVerif, that the verifiability holds despite malicious parties and that the new protocol maintains all the security properties of the original protocol, so proving that our privacy-preserving verifiability can be achieved starting from existing security. [less ▲]

Detailed reference viewed: 118 (11 UL)
Full Text
Peer Reviewed
See detailOn the power of Public-key Function-Private Functional Encryption
Iovino, Vincenzo UL; Tang, Qiang; Zebrowski, Karol

in IET Information Security (2017)

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015 ... [more ▼]

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015]. Moreover, its power has not been well investigated. In this paper, we construct FPFE for general functions and explore its powerful applications, both for general and specific functionalities. One key observation entailed by our results is that Attribute-based Encryption with function privacy implies FE, a notable fact that sheds light on the importance of the function privacy property for FE. [less ▲]

Detailed reference viewed: 61 (5 UL)
Full Text
Peer Reviewed
See detailControlled Homomorphic Encryption: Definition and Construction
Desmedt, Yvo; Iovino, Vincenzo UL; Persiano, Giuseppe et al

in FC 2017 International Workshops - WAHC'17 - 5th Workshop on Encrypted Computing and Applied Homomorphic Cryptography (2017)

In this work we put forth the notion of a Controllable Homomorphic Encryption scheme (CHES), a new primitive that includes features of both FHEs and FunctEs. In a CHES it is possible (similarly to a FHE ... [more ▼]

In this work we put forth the notion of a Controllable Homomorphic Encryption scheme (CHES), a new primitive that includes features of both FHEs and FunctEs. In a CHES it is possible (similarly to a FHE) to homomorphically evaluate a ciphertext Ct = Enc(m) and a circuit C therefore obtaining Enc(C(m)) but only if (similarly to a FunctE) a token for C has been received from the owner of the secret key. We discuss difficulties in constructing a CHES and then show a construction based on any FunctE. As a byproduct our CHES also represents a FunctE supporting the re-encryption functionality and in that respect improves existing solutions. [less ▲]

Detailed reference viewed: 137 (7 UL)
Full Text
Peer Reviewed
See detailReceiver and Sender Deniable Functional Encryption
De Caro, Angelo; Iovino, Vincenzo UL; O'Neill, Adam

in IET Information Security (2017)

Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows equivocation of encrypted communication. In this work we generalize its study to functional encryption (FE). Our results are ... [more ▼]

Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows equivocation of encrypted communication. In this work we generalize its study to functional encryption (FE). Our results are summarized as follows: We first put forward and motivate the concept of receiver deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are ``normal'' and ``deniable'' secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. In the first model, we show a compiler from any FE scheme for the general circuit functionality to a FE scheme having receiver deniability. In addition we show an efficient receiver deniable FE scheme for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we present a specific FE scheme for the general circuit functionality having receiver deniability. To our knowledge, a scheme in the multi-distributional model was not previously known even for the special case of identity-based encryption. Finally, we construct the first sender (non-multi-distributional) deniable FE scheme. [less ▲]

Detailed reference viewed: 168 (5 UL)
Full Text
Peer Reviewed
See detailUpdatable Functional Encryption
Arriaga, Afonso; Iovino, Vincenzo UL; Tang, Qiang

in Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology (2016, December)

Functional encryption (FE) allows an authority to issue tokens associated with various functions, allowing the holder of some token for function f to learn only f(𝖣)f(D) from a ciphertext that encrypts ... [more ▼]

Functional encryption (FE) allows an authority to issue tokens associated with various functions, allowing the holder of some token for function f to learn only f(𝖣)f(D) from a ciphertext that encrypts 𝖣D . The standard approach is to model f as a circuit, which yields inefficient evaluations over large inputs. Here, we propose a new primitive that we call updatable functional encryption (UFE), where instead of circuits we deal with RAM programs, which are closer to how programs are expressed in von Neumann architecture. We impose strict efficiency constrains in that the run-time of a token 𝖯⎯⎯⎯P¯ on ciphertext 𝖢𝖳CT is proportional to the run-time of its clear-form counterpart (program 𝖯P on memory 𝖣D ) up to a polylogarithmic factor in the size of 𝖣D , and we envision tokens that are capable to update the ciphertext, over which other tokens can be subsequently executed. We define a security notion for our primitive and propose a candidate construction from obfuscation, which serves as a starting point towards the realization of other schemes and contributes to the study on how to compute RAM programs over public-key encrypted data. [less ▲]

Detailed reference viewed: 37 (3 UL)
Full Text
Peer Reviewed
See detailOn the Power of Rewinding Simulators in Functional Encryption
De Caro, Angelo; Iovino, Vincenzo UL

in Designs, Codes and Cryptography (2016)

In a seminal work, Boneh, Sahai and Waters (BSW, for short) [TCC'11] showed that for functional encryption the indistinguishability notion of security (IND-Security) is weaker than simulation-based ... [more ▼]

In a seminal work, Boneh, Sahai and Waters (BSW, for short) [TCC'11] showed that for functional encryption the indistinguishability notion of security (IND-Security) is weaker than simulation-based security (SIM-Security), and that SIM-Security is in general impossible to achieve. This has opened up the door to a plethora of papers showing feasibility and new impossibility results. Nevertheless, the quest for better definitions that (1) overcome the limitations of IND-Security and (2) the known impossibility results, is still open. In this work, we explore the benefits and the limits of using {\em efficient rewinding black-box simulators} to argue security. To do so, we introduce a new simulation-based security definition, that we call {\em rewinding simulation-based security} (RSIM-Security), that is weaker than the previous ones but it is still sufficiently strong to not meet pathological schemes as it is the case for IND-Security (that is implied by the RSIM). This is achieved by retaining a strong simulation-based flavour but adding more rewinding power to the simulator having care to guarantee that it can not learn more than what the adversary would learn in any run of the experiment. What we found is that for RSIM the BSW impossibility result does not hold and that IND-Security is {\em equivalent} to RSIM-Security for {\em Attribute-Based Encryption} in the {\em standard model}. Nevertheless, we prove that there is a setting where rewinding simulators are of no help. The adversary can put in place a strategy that forces the simulator to rewind continuously. [less ▲]

Detailed reference viewed: 106 (15 UL)
Full Text
Peer Reviewed
See detailOn the power of Public-key Function-Private Functional Encryption
Iovino, Vincenzo UL; Tang, Qiang UL; Zebrowski, Karol

in 15th International Conference on Cryptology and Network Security (2016)

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015 ... [more ▼]

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015]. Moreover, its power has not been well investigated. In this paper, we construct FPFE for general functions and explore its powerful applications, both for general and specific functionalities. As warmup, we construct from FPFE a natural generalization of a signature scheme endowed with functional properties, that we call functional anonymous signature (FAS) scheme. In a FAS, Alice can sign a circuit C chosen from some distribution D to get a signature s and can publish a verification key that allows anybody holding a message m to verify that (1) s is a valid signature of Alice for some (possibly unknown to him) circuit C and (2) C(m)=1. Beyond unforgeability the security of FAS guarantees that the signature s hide as much information as possible about C except what can be inferred from knowledge of D. Then, we show that FPFE can be used to construct in a black-box way functional encryption schemes for randomized functionalities (RFE). %Previous constructions of (public-key) RFE relied on iO [Goyal et al. - TCC 2015]. As further application, we show that specific instantiations of FPFE can be used to achieve adaptively-secure CNF/DNF encryption for bounded degree formulae (BoolEnc). Though it was known how to implement BoolEnc from inner-product encryption (IPE) [Katz et al. - EUROCRYPT 2008], as already observed by Katz et al. this reduction only works for selective security and completely breaks down for adaptive security; however, we show that the reduction works if the IPE scheme is function-private. Finally, we present a general picture of the relations among all these related primitives. One key observation is that Attribute-based Encryption with function privacy implies FE, a notable fact that sheds light on the importance of the function privacy property for FE. [less ▲]

Detailed reference viewed: 113 (12 UL)
Full Text
Peer Reviewed
See detailUpdatable Functional Encryption
Delerue Arriaga, Afonso UL; Iovino, Vincenzo UL; Tang, Qiang

in Paradigms in Cryptology - Mycrypt 2016. Malicious and Exploratory Cryptology, Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers (2016)

Functional encryption (FE) allows an authority to issue tokens associated with various functions, allowing the holder of some token for function f to learn only f(D) from a ciphertext that encrypts D. The ... [more ▼]

Functional encryption (FE) allows an authority to issue tokens associated with various functions, allowing the holder of some token for function f to learn only f(D) from a ciphertext that encrypts D. The standard approach is to model f as a circuit, which yields inefficient evaluations over large inputs. Here, we propose a new primitive that we call updatable functional encryption (UFE), where instead of circuits we deal with RAM programs, which are closer to how programs are expressed in von Neumann architecture. We impose strict efficiency constrains in that the run-time of a token P' on ciphertext CT is proportional to the run-time of its clear-form counterpart (program P on memory D) up to a polylogarithmic factor in the size of D, and we envision tokens that are capable to update the ciphertext, over which other tokens can be subsequently executed. We define a security notion for our primitive and propose a candidate construction from obfuscation, which serves as a starting point towards the realization of other schemes and contributes to the study on how to compute RAM programs over public-key encrypted data. [less ▲]

Detailed reference viewed: 97 (6 UL)
Full Text
Peer Reviewed
See detailOn the Possibility of Non-Interactive E-Voting in the Public-key Setting
Giustolisi, Rosario; Iovino, Vincenzo UL; Rønne, Peter

in Financial Cryptography and Data Security, FC 2016 International Workshops, BITCOIN, VOTING, and WAHC, Christ Church, Barbados, February 26, 2016, Revised Selected Papers (2016)

In 2010 Hao, Ryan and Zielinski proposed a simple decentralized e-voting protocol that only requires 2 rounds of communication. Thus, for k elections their protocol needs 2k rounds of communication ... [more ▼]

In 2010 Hao, Ryan and Zielinski proposed a simple decentralized e-voting protocol that only requires 2 rounds of communication. Thus, for k elections their protocol needs 2k rounds of communication. Observing that the first round of their protocol is aimed to establish the public-keys of the voters, we propose an extension of the protocol as a non-interactive e-voting scheme in the public-key setting (NIVS) in which the voters, after having published their public-keys, can use the corresponding secret-keys to participate in an arbitrary number of one-round elections. We first construct a NIVS with a standard tally function where the number of votes for each candidate is counted. Further, we present constructions for two alternative types of elections. Specifically in the first type (dead or alive elections) the tally shows if at least one voter cast a vote for the candidate. In the second one (elections by unanimity), the tally shows if all voters cast a vote for the candidate. Our constructions are based on bilinear groups of prime order. As definitional contribution we provide formal computational definitions for privacy and verifiability of NIVSs. We conclude by showing intriguing relations between our results, secure computation, electronic exams and conference management systems [less ▲]

Detailed reference viewed: 109 (17 UL)
Full Text
Peer Reviewed
See detailDeniable Functional Encryption
De caro, Angelo; Iovino, Vincenzo UL; O'Neill, Adam

in Public-key Cryptography - PKC 2016, 19th IACR International Conference on Practice and Theory in Public-Key Cryptography, Taipei, Taiwan, March 6-9, 2016, Proceedings, Part I (2016)

Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that “open” ... [more ▼]

Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that “open” the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. (TCC 2011), wherein a receiver in possession of a key k can compute from any encryption of a message x the value F (k, x) according to the scheme’s functionality F . Our results are summarized as follows: We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O’Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are “normal” and “deniable” secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the “multi-distributional” model of deniability previously considered for public-key encryption. In the first model, we show that any FE scheme for the general circuit functionality (as several recent candidate construction achieve) can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition we show an efficient receiver deniable FE for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption. Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results. [less ▲]

Detailed reference viewed: 195 (21 UL)
See detail(Universal) Unconditional Verifiability in E-Voting without Trusted Parties
Gallegos-Garcia, Gina; Iovino, Vincenzo UL; Roenne, Peter UL et al

E-print/Working paper (2016)

Detailed reference viewed: 67 (3 UL)
Peer Reviewed
See detailMergeable Functional Encryption
Iovino, Vincenzo UL; Żebrowski, Karol

Scientific Conference (2015, September 11)

Detailed reference viewed: 69 (12 UL)
Full Text
Peer Reviewed
See detailSelene: Voting with Transparent Verifiability and Coercion-Mitigation
Ryan, Peter UL; Roenne, Peter UL; Iovino, Vincenzo UL

in Abstract book of 1st Workshop on Advances in Secure Electronic Voting (2016), 2015

Detailed reference viewed: 293 (33 UL)
Full Text
See detailOn the Possibility of Non-Interactive E-Voting in the Public-key Setting
Giustolisi, Rosario; Iovino, Vincenzo UL; Roenne, Peter UL

in IACR Cryptology ePrint Archive (2015), 2015

Detailed reference viewed: 90 (8 UL)