We revisit the design of Lesamnta-LW, which is one of the three lightweight hash functions specified in ISO/IEC 29192-5:2016. Firstly, we present some updates on the bounds of the number of active S-boxes for the underlying 64-round block cipher. While the designers showed that the Viterbi algorithm ensured 24 active S-boxes after 24 rounds, our tool based on Mixed Integer Linear Programming (MILP) in the framework of Mouha et al. ensures the same number of active S-boxes only after 18 rounds. The tool completely evaluates the tight bound of the number of active S-boxes, and it shows that the bound is 103 for full (64) rounds. We also analyze security of the Shuffle operation in the round function and resistance against linear cryptanalysis. Secondly, we present a new mode for a pseudorandom function (PRF) based on Lesamnta-LW. It is twice as efficient as the previous PRF modes based on Lesamnta-LW. We prove its security both in the standard model and the ideal cipher model.

While standard signatures provide an efficient mechanism for information certification, the lack of privacy protecting measures makes them unsuitable if sensitive or confidential information is being certified. In this paper, we revisit nominative signatures, first introduced by Kim, Park and Won, which provides the functionality and security guarantees required to implement a certification system allowing the user (and not the authority) to control the verifiability of an obtained certificate. Unlike systems based on related primitives, the use of nominative signatures protects the user against authority information leaks and impersonation attacks based on these. We refine the security model of nominative signatures, and propose a new efficient scheme which is provably secure based on the computational Diffie-Hellman problem and the decisional linear problem. To the best of our knowledge, our scheme is the the only nominative signature scheme which is provably secure in the standard model based on standard assumptions. Furthermore, unlike most previous schemes, the proposed scheme provides signatures which hide both the signer and user identity. Hence, through our nominative signature scheme, we achieve an efficient non-transferable user certification scheme with strong security guarantees.

Presently, many identity-based proxy signature (IBPS) schemes have been proposed, but most of them require high computational costs and the proposed security model for IBPS is not enough complete. To overcome this weakness, Gu et al. recently proposed a framework and a detailed security model for IBPS. They also proposed an efficient IBPS scheme and proved the unforgeability of their scheme in the standard model. However, in this letter, we demonstrate that Gu et al.'s scheme fails to satisfy the property of unforgeability because it can not resist the following attacks: after getting a private key, an adversary behaving as a malicious signer can forge a private key on any identity without the help of the private key generator (PKG); after getting a delegation, an adversary behaving as a malicious proxy signer can forge a proxy signing key on any delegation without the agreement of the original signer; after getting a signature, an adversary behaving as a malicious user can forge a signature on any identity without the private key or forge a proxy signature on any warrant without the proxy signing key.

This paper studies Tripartite Key Exchange (3KE) which is a special case of Group Key Exchange. Though general one-round GKE satisfying advanced security properties such as forward secrecy and maximal-exposure-resilience (MEX-resilience) is not known, it can be efficiently constructed with the help of pairings in the 3KE case. In this paper, we introduce the first one-round 3KE which is MEX-resilient in the standard model, though existing one-round 3KE schemes are proved in the random oracle model (ROM), or not MEX-resilient. Each party broadcasts 4 group elements, and executes 14 pairing operations. Complexity is only three or four times larger in computation and communication than the existing most efficient MEX-resilient 3KE scheme in the ROM; thus, our protocol is adequately practical.

Verifiable random functions (VRF), proposed in 1999, and selectively convertible undeniable signature (SCUS) schemes, proposed in 1990, are apparently thought as independent primitives in the literature. In this paper, we show that they are tightly related in the following sense: VRF is exactly SCUS; and the reverse also holds true under a condition. This directly yields several deterministic SCUS schemes based on existing VRF constructions. In addition, we create a new probabilistic SCUS scheme, which is very compact. We build efficient confirmation and disavowal protocols for the proposed SCUS schemes, based on what we call zero-knowledge protocols for generalized DDH and non-DDH. These zero-knowledge protocols are built either sequential, concurrent, or universally composable.

Observing the security of existing identity-based proxy signature schemes was proven in the random oracle model, Cao et al. proposed the first direct construction of identity-based proxy signature secure in the standard model by making use of the identity-based signature due to Paterson and Schuldt. They also provided a security proof to show their construction is secure against forgery attacks without resorting to the random oracles. Unfortunately, in this letter, we demonstrate that their scheme is vulnerable to insider attacks. Specifically, after a private-key extraction query, an adversary, behaving as a malicious original signer or a malicious proxy signer, is able to violate the unforgeability of the scheme.

Recently, Jin, Wen, and Du proposed an identity-based signcryption scheme in the standard model. In this letter, we show that their scheme does not have the indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen messages attacks.

In this paper, we design and analyze some new and practical (selectively) convertible undeniable signature (SCUS) schemes in both random oracle and standard model, which enjoy several merits over existing schemes in the literature. In particular, we design the first practical RSA-based SCUS schemes secure in the standard model. On the path, we also introduce two moduli RSA assumptions, including the strong twin RSA assumption, which is the RSA symmetry of the strong twin Diffie-Hellman assumption (Eurocrypt'08).

We explicitly describe and analyse blind hierachical identity-based encryption (blind HIBE) schemes, which are natural generalizations of blind IBE schemes [20]. We then uses the blind HIBE schemes to construct: (1) An identity-based blind signature scheme secure in the standard model, under the computational Diffie-Hellman (CDH) assumption, and with much shorter signature size and lesser communication cost, compared to existing proposals. (2) A new mechanism supporting a user to buy digital information over the Internet without revealing what he/she has bought, while protecting the providers from cheating users.

The purpose of this paper is to study sender authenticated key agreements by a third party, which uses the received parameters to verify the fact that a sender of a message knows his long-term private key. In particular, we propose a standard model for the protocol among three entities for the first time. The security of this protocol depends on the difficulty of solving two new problems related to one-way isomorphisms and the decision co-bilinear Diffie-Hellman problem on multiplicative cyclic groups. It is the first time that the security of a key agreement has been formally proven by using negligible probability. We believe that our contribution gives many applications in the cryptographic community.

This work focuses on a vulnerability of hash functions due to sloppy usages or implementations in the real world. If our cryptographic research community succeeded in the development of a perfectly secure random function as the random oracle, it might be broken in some sense by invalid uses. In this paper, we propose a new variant of the random oracle model in order to analyze the security of cryptographic protocols under the situation of an invalid use of hash functions. Our model allows adversaries to obtain contents of the hash list of input and output pairs arbitrarily. Also, we analyze the security of several prevailing protocols (FDH, OAEP, Cramer-Shoup cryptosystem, Kurosawa-Desmedt cryptosystem, NAXOS) in our model. As the result of analyses, we clarify that FDH and Cramer-Shoup cryptosystem are still secure but others are insecure in our model. This result shows the separation between our model and the standard model.

Unforgeability of digital signatures is closely related to the security of hash functions since hashing messages, such as hash-and-sign paradigm, is necessary in order to sign (arbitrarily) long messages. Recent successful collision finding attacks against practical hash functions would indicate that constructing practical collision resistant hash functions is difficult to achieve. Thus, it is worth considering to relax the requirement of collision resistance for hash functions that is used to hash messages in signature schemes. Currently, the most efficient strongly unforgeable signature scheme in the standard model which is based on the CDH assumption (in bilinear groups) is the Boneh-Shen-Waters (BSW) signature proposed in 2006. In their scheme, however, a collision resistant hash function is necessary to prove its security. In this paper, we construct a signature scheme which has the same properties as the BSW scheme but does not rely on collision resistant hash functions. Instead, we use a target collision resistant hash function, which is a strictly weaker primitive than a collision resistant hash function. Our scheme is, in terms of the signature size and the computational cost, as efficient as the BSW scheme.

Recently, Bellare and Palacio defined the plaintext awareness (PA-ness) in the standard model. In this paper, we study the relationship between the standard model PA-ness and the property about message hiding, that is, IND-CPA. Although these two notions seem to be independent at first glance, we show that PA-ness in the standard model implies the IND-CPA security if the encryption function is oneway. By using this result, we also showed that "PA + Oneway ⇒ IND-CCA2." We also show that the computational PA-ness notion is strictly stronger than the statistical one.

We say that a signature scheme is strongly existentially unforgeable (SEU) if no adversary, given message/signature pairs adaptively, can generate a signature on a new message or a new signature on a previously signed message. We propose a general and efficient conversion in the standard model that transforms a secure signature scheme to SEU signature scheme. In order to construct that conversion, we use a chameleon commitment scheme. Here a chameleon commitment scheme is a variant of commitment scheme such that one can change the committed value after publishing the commitment if one knows the secret key. We define the chosen message security notion for the chameleon commitment scheme, and show that the signature scheme transformed by our proposed conversion satisfies the SEU property if the chameleon commitment scheme is chosen message secure. By modifying the proposed conversion, we also give a general and efficient conversion in the random oracle model, that transforms a secure signature scheme into a SEU signature scheme. This second conversion also uses a chameleon commitment scheme but only requires the key only attack security for it.

Kurosawa-Desmedt public-key encryption scheme is a variation of Cramer-Shoup public-key encryption schemes, which are the first practical schemes secure against adaptive chosen ciphertext attack (IND-CCA) in standard model. We introduce some variants of Kurosawa-Desmedt public-key encryption scheme which are also IND-CCA secure. Furthermore, the variants are either more efficient or less cryptographic assumptions than the original version.

We present and analyze an adaptive chosen ciphertext secure (IND-CCA) identity-based encryption scheme (IBE) based on the well studied Decisional Diffie-Hellman (DDH) assumption. The scheme is provably secure in the standard model assuming the adversary can corrupt up to a maximum of k users adaptively. This is contrary to the Boneh-Franklin scheme which holds in the random-oracle model.

Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search; (3) TRM (Tamper-Resistant Modules) used to store secrets are not perfectly free from bugs and mis-configurations; (4) A client remembers only one password, even if he/she communicates with several different servers. Then, we propose a simple leakage-resilient AKE protocol (cf.[41]) which is described as follows: the client keeps one password in mind and stores one secret value on devices, both of which are used to establish an authenticated session key with the server. The advantages of leakage-resilient AKEs to the previous AKEs are that the former is secure against active adversaries under the above-mentioned assumptions and has immunity to the leakage of stored secrets from a client and a server (or servers), respectively. In addition, the advantage of the proposed protocol to is the reduction of memory size of the client's secrets. And we extend our protocol to be possible for updating secret values registered in server(s) or password remembered by a client. Some applications and the formal security proof in the standard model of our protocol are also provided.

In this paper, we propose a pretty-simple password-authenticated key-exchange protocol, which is proven to be secure in the standard model under the following three assumptions. (1) DDH (Decision Diffie-Hellman) problem is hard. (2) The entropy of the password is large enough to avoid on-line exhaustive search (but not necessarily off-line exhaustive search). (3) MAC is selectively unforgeable against partially chosen message attacks, (which is weaker than being existentially unforgeable against chosen message attacks).