security and cryptography for networks


Document information

Lecture Notes in Computer Science 5229
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
  • David Hutchison, Lancaster University, UK
  • Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
  • Josef Kittler, University of Surrey, Guildford, UK
  • Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
  • Alfred Kobsa, University of California, Irvine, CA, USA
  • Friedemann Mattern, ETH Zurich, Switzerland
  • John C. Mitchell, Stanford University, CA, USA
  • Moni Naor, Weizmann Institute of Science, Rehovot, Israel
  • Oscar Nierstrasz, University of Bern, Switzerland
  • C. Pandu Rangan, Indian Institute of Technology, Madras, India
  • Bernhard Steffen, University of Dortmund, Germany
  • Madhu Sudan, Massachusetts Institute of Technology, MA, USA
  • Demetri Terzopoulos, University of California, Los Angeles, CA, USA
  • Doug Tygar, University of California, Berkeley, CA, USA
  • Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Rafail Ostrovsky, Roberto De Prisco, Ivan Visconti (Eds.)
Security and Cryptography for Networks
6th International Conference, SCN 2008, Amalfi, Italy, September 10-12, 2008. Proceedings

Volume Editors
  • Rafail Ostrovsky, University of California, Los Angeles, Department of Computer Science, Box 951596, 3732D BH, Los Angeles, CA 90095-1596, USA. E-mail: rafail@cs.ucla.edu
  • Roberto De Prisco, Università di Salerno, Dipartimento di Informatica ed Applicazioni, via Ponte don Melillo, 84084 Fisciano (SA), Italy. E-mail: robdep@dia.unisa.it
  • Ivan Visconti, Università di Salerno, Dipartimento di Informatica ed Applicazioni, via Ponte don Melillo, 84084 Fisciano (SA), Italy. E-mail: visconti@dia.unisa.it

Library of Congress Control Number: 2008933864
CR Subject Classification (1998): E.3, C.2, D.4.6, K.4.1, K.4.4, K.6.5, F.2
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-540-85854-7 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-85854-6 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. Springer is a part of Springer Science+Business Media (springer.com). © Springer-Verlag Berlin Heidelberg 2008. Printed in Germany. Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India. Printed on acid-free paper. SPIN: 12512393 06/3180 543210

Preface

The 6th Conference on Security and Cryptography for Networks (SCN 2008) was held in Amalfi, Italy, on September 10–12, 2008. The first four editions of the conference were held in Amalfi, while, two years ago, the fifth edition was held in the nearby Maiori. This year we moved back to the traditional location.

Security and privacy are increasing concerns in computer networks such as the Internet. The availability of fast, reliable, and cheap electronic communication offers the opportunity to perform, electronically and in a distributed way, a wide range of transactions of a most diverse nature. The conference brought together researchers in the fields of cryptography and security in communication networks with the goal of fostering cooperation and exchange of ideas. The main topics of the conference this year included anonymity, implementations, authentication, symmetric-key cryptography, complexity-based cryptography, privacy, cryptanalysis, cryptographic protocols, digital signatures, public-key cryptography, hash functions, and identification.

The international Program Committee consisted of 24 members who are top experts in the conference fields. The PC received 71 submissions and selected 26 papers for presentation at the conference. These proceedings include the 26 accepted papers and the abstract of the invited talk by Shai Halevi. The PC selected papers on the basis of originality, quality and relevance to the conference scope. Due to the high number of submissions, paper selection was a difficult task and many good papers had to be rejected. Each paper was refereed by three or four reviewers. We thank the members of the PC for the effort invested in the selection process. We also gratefully acknowledge the help of the external reviewers who evaluated submissions in their area of expertise. The names of these reviewers are listed on page VIII, and we apologize for any inadvertent omissions or mistakes. Finally, we would like to thank the authors of all submitted papers and the conference participants, who ultimately made this conference possible.

September 2008
R. Ostrovsky, R. De Prisco, I. Visconti

Organization

SCN 2008, September 10–12, 2008, Amalfi, Italy

Program Chair: Rafail Ostrovsky, University of California, Los Angeles, USA
General Chairs: Roberto De Prisco, Università di Salerno, Italy; Ivan Visconti, Università di Salerno, Italy

Program Committee
  • Carlo Blundo, Università di Salerno, Italy
  • Xavier Boyen, Voltage Inc, USA
  • Ran Canetti, IBM, USA
  • Dario Catalano, Università di Catania, Italy
  • Ronald Cramer, CWI & Leiden University, The Netherlands
  • Serge Fehr, CWI, The Netherlands
  • Juan Garay, Bell Labs - Alcatel-Lucent, USA
  • Rosario Gennaro, IBM, USA
  • Jens Groth, University College London, UK
  • Yuval Ishai, Technion and UCLA, Israel and USA
  • Jonathan Katz, University of Maryland, USA
  • Eyal Kushilevitz, Technion, Israel
  • Ueli Maurer, ETH Zurich, Switzerland
  • Daniele Micciancio, UCSD, USA
  • Phong Nguyen, ENS, France
  • Tatsuaki Okamoto, NTT Laboratories, Japan
  • Rafail Ostrovsky (chair), UCLA, USA
  • Giuseppe Persiano, Università di Salerno, Italy
  • Benny Pinkas, University of Haifa, Israel
  • Tal Rabin, IBM, USA
  • Leonid Reyzin, Boston University, USA
  • Adi Rosen, CNRS and University of Paris 11, France
  • Adam Smith, Pennsylvania State University, USA
  • Ivan Visconti, Università di Salerno, Italy

Referees: Divesh Aggarwal, Zuzana Beerliova, Charles Bouillaguet, Suresh Chari, Debbie Cook, Cécile Delerablée, Mario Di Raimondo, Orr Dunkelman, Dario Fiore, Sebastian Gajek, David Galindo, Peter Gaži, Craig Gentry, Sharon Goldberg, Amir Herzberg, Alejandro Hevia, Dennis Hofheinz, Susan Hohenberger, Emeline Hufschmitt, Charanjit Jutla, Bhavana Kanukurthi, Aggelos Kiayias, Eike Kiltz, Vladimir Kolesnikov, Gaëtan Leurent, Anna Lysyanskaya, Vadim Lyubashevsky, Alexander May, Lorenz Minder, David Molnar, Christopher Portmann, Emmanuel Prouff, Dominik Raub, Mike Rosulek, Amit Sahai, Christian Schaffner, Nigel Smart, Stefano Tessaro, Carmine Ventre, Enav Weinreb, Daniel Wichs, Vassilis Zikas, Cliff Changchun Zou

Table of Contents

Invited Talk
  • Storage Encryption: A Cryptographer's View (Abstract), p. 1. Shai Halevi

Session 1: Implementations
  • Implementing Two-Party Computation Efficiently with Security against Malicious Adversaries, p. 2. Yehuda Lindell, Benny Pinkas, and Nigel P. Smart
  • CLL: A Cryptographic Link Layer for Local Area Networks, p. 21. Yves Igor Jerschow, Christian Lochert, Björn Scheuermann, and Martin Mauve
  • Faster Multi-exponentiation through Caching: Accelerating (EC)DSA Signature Verification, p. 39. Bodo Möller and Andy Rupp

Session 2: Protocols I
  • Privacy Preserving Data Mining within Anonymous Credential Systems, p. 57. Aggelos Kiayias, Shouhuai Xu, and Moti Yung
  • Improved Privacy of the Tree-Based Hash Protocols Using Physically Unclonable Function, p. 77. Julien Bringer, Hervé Chabanne, and Thomas Icart

Session 3: Encryption I
  • Two Generic Constructions of Probabilistic Cryptosystems and Their Applications, p. 92. Guilhem Castagnos
  • Cramer-Shoup Satisfies a Stronger Plaintext Awareness under a Weaker Assumption, p. 109. Isamu Teranishi and Wakaha Ogata

Session 4: Encryption II
  • General Certificateless Encryption and Timed-Release Encryption, p. 126. Sherman S.M. Chow, Volker Roth, and Eleanor G. Rieffel
  • Efficient Certificate-Based Encryption in the Standard Model, p. 144. Joseph K. Liu and Jianying Zhou

Session 5: Primitives
  • An Improved Robust Fuzzy Extractor, p. 156. Bhavana Kanukurthi and Leonid Reyzin
  • On Linear Secret Sharing for Connectivity in Directed Graphs, p. 172. Amos Beimel and Anat Paskin

Session 6: Signatures
  • Expressive Subgroup Signatures, p. 185. Xavier Boyen and Cécile Delerablée
  • Anonymous Proxy Signatures, p. 201. Georg Fuchsbauer and David Pointcheval
  • Multisignatures Using Proofs of Secret Key Possession, as Secure as the Diffie-Hellman Problem, p. 218. Ali Bagherzandi and Stanislaw Jarecki

Session 7: Hardware and Cryptanalysis
  • Using Normal Bases for Compact Hardware Implementations of the AES S-Box, p. 236. Svetla Nikova, Vincent Rijmen, and Martin Schläffer
  • A New Analysis of the McEliece Cryptosystem Based on QC-LDPC Codes, p. 246. Marco Baldi, Marco Bodrato, and Franco Chiaraluce
  • Full Cryptanalysis of LPS and Morgenstern Hash Functions, p. 263. Christophe Petit, Kristin Lauter, and Jean-Jacques Quisquater
  • A New DPA Countermeasure Based on Permutation Tables, p. 278. Jean-Sébastien Coron

Session 8: Protocols II
  • Simplified Submission of Inputs to Protocols, p. 293. Douglas Wikström
  • Unconditionally Reliable and Secure Message Transmission in Directed Networks Revisited, p. 309. Arpita Patra, Ashish Choudhary, and C. Pandu Rangan

Session 9: Encryption III
  • Linear Bandwidth Naccache-Stern Encryption, p. 327. Benoît Chevallier-Mames, David Naccache, and Jacques Stern
  • Immunising CBC Mode against Padding Oracle Attacks: A Formal Security Treatment, p. 340. Kenneth G. Paterson and Gaven J. Watson
  • Constructing Strong KEM from Weak KEM (or How to Revive the KEM/DEM Framework), p. 358. Joonsang Baek, David Galindo, Willy Susilo, and Jianying Zhou

Session 10: Key Exchange
  • New Anonymity Notions for Identity-Based Encryption, p. 375. Malika Izabachène and David Pointcheval
  • A Universally Composable Group Key Exchange Protocol with Minimum Communication Effort, p. 392. Jun Furukawa, Frederik Armknecht, and Kaoru Kurosawa
  • An Identity-Based Key Agreement Protocol for the Network Layer, p. 409. Christian Schridde, Matthew Smith, and Bernd Freisleben

Author Index, p. 423

Storage Encryption: A Cryptographer's View
Shai Halevi, IBM Research, Hawthorne, NY, USA. shaih@alum.mit.edu

Abstract. Encryption is the bread-and-butter of cryptography, with well-established notions of security and a large variety of schemes to meet these notions. So what is left for researchers in cryptography to look at when it comes to encrypting storage? In this talk I will cover cryptography issues that arise when introducing encryption to real-world storage systems, with some examples drawn from the work of the IEEE 1619 standard committee that deals with standardizing aspects of storage encryption. The issues that I plan to touch upon include:

  • Encryption Schemes and Modes-of-Operation: The use of "authenticated" vs. "transparent" encryption, "wide block" vs. "narrow block" transparent encryption modes, and other considerations.
  • Issues with Key-Management and IV-Management: How to avoid nonce collision when your nonces are only 96-bit long, why you may want to use deterministic encryption for key-wrapping, what is the difference between key-wrapping and KEM/DEM, and related questions.
  • Self-Encryption of Keys: Can an encryption scheme remain secure when used to encrypt its own secret key? It turns out that this requirement sometimes comes up when encrypting storage. I will talk about several aspects of this problem, including the not-so-bad, the bad, and the ugly.

R. Ostrovsky, R. De Prisco, and I.
Visconti (Eds.): SCN 2008, LNCS 5229, p. 1, 2008. © Springer-Verlag Berlin Heidelberg 2008

Preview excerpts from the full text (the site shows only truncated fragments; cuts are marked "[...]"):

[...] parameters s1 and s2, and using both the ROM and standard model versions of the protocol. The run times, in seconds, are presented in Table 1, and are reported for each step of the protocol. Timings are performed using the standard Linux system timing facilities, and are as such only indicative. The wall time is measured using the standard time function and the system and user times are measured using the getrusage [...]

[...] P1 chooses random garbled values for all wires and uses them for constructing tables for all gates. It sends these tables (i.e., the garbled circuit) to P2, and in addition provides P2 with the garbled values and the c values of P1's inputs, and with the permutations π used to encode the output wires of the circuit. P2 uses invocations of oblivious transfer to learn the garbled values and c values [...]

[...] vol. 576, pp. 129–140. Springer, Heidelberg (1992)
19. Standards for Efficient Cryptography, SEC 1: Elliptic Curve Cryptography, http://www.secg.org/download/aid-385/sec1 final.pdf
20. SECG Standards for Efficient Cryptography, SEC 2: Recommended elliptic curve domain parameters, http://www.secg.org
21. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, [...]

[...] Zq, A ← [r]P, B ← [r]Q and sends A and B to Ver; (Ver) sends s, t to Pro; (Pro) checks whether C = [s]P + [t]V and sends z ← bs + r and w to Ver; (Ver) accepts if [z]P = [s]U + A, [z]Q = [s]V + B and W = [w]P. Fig. 4. ROM and non-ROM zero-knowledge proof of knowledge of DDH tuple [...]

CLL: A Cryptographic Link Layer for Local Area Networks. Yves Igor Jerschow, Christian Lochert, Björn Scheuermann, and Martin Mauve. Institute [...]

[...] therefore grows by about 4ns2 gates, which in our case translates to 2560 gates for s2 = 40, and 3840 gates for s2 = 60. We managed to optimize this construction by using a variant of structured Gaussian elimination in order to reuse gates. As a result, for the case of s2 = 40, the augmented circuit produced in Stage 0 has over one thousand gates and over one thousand [...]

[...] holds. Therefore it is preferable to prove security in the standard model, namely without using any random oracle. This is surprising since for more traditional cryptographic constructions, such as encryption schemes or signature schemes, the random oracle constructions are almost always twice as efficient in practice compared to the most efficient standard model schemes known. Part of the reason for the extreme [...]

[...] requires P1 to perform 10 multiplications, and P2 to perform 8 multiplications. (This is without considering the zero-knowledge proofs, which are performed once in the protocol.) The security of the above scheme is fully proven in [10], with the only exception that here a KDF is used to derive a random string in order to mask (i.e., encrypt) the x0 and x1 values (in [10] it is assumed that x0 and x1 can be [...]

[...] [20]. We performed a set of experiments which examined the system using a circuit which evaluates the function x > y for inputs x and y of n = 16 bits in length. The standard circuit (using simple 2-to-1 gates) for this problem consists of 61 2-to-1 gates and 93 internal wires. We optimized this circuit by replacing it with a circuit consisting of 48 internal wires and fifteen 3-to-1 gates and one 2-to-1 [...]

{jerschow,lochert,scheuermann,mauve}@cs.uni-duesseldorf.de

Abstract. Ethernet and IP form the basis of the vast majority of LAN installations. But these protocols do not provide comprehensive security mechanisms, and thus give way for a plethora of attack scenarios. In this paper, we introduce a layer 2/3 security extension for LANs, the Cryptographic Link Layer (CLL). CLL provides authentication and confidentiality to the hosts in the LAN [...] including ARP and DHCP handshakes. It is transparent to existing protocol implementations, especially to the ARP module and to DHCP clients and servers. Beyond fending off external attackers, CLL also protects from malicious behavior of authenticated clients. We discuss the CLL protocol, motivate the underlying design decisions, and finally present implementations of CLL for both Windows and Linux. Their performance [...]

[...] and efficient protocols for providing security for Yao's protocol against malicious adversaries, namely the protocol of Lindell and Pinkas [13] which is proved to be secure according to a standard [...]

Posted on: 06/07/2014, 15:28


Contents (PDF outline)

  • front-matter
  • fulltext
    • Storage Encryption: A Cryptographer's View
  • fulltext_2
    • Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries
      • Introduction
        • Related Work
        • Paper Structure
      • Yao's Garbled Circuit
      • The Lindell-Pinkas Protocol
        • The Protocol in Detail
        • The Statistical Security Parameters
      • Optimizing the Protocol Components
      • Subprotocols
        • Encryption Scheme for Garbled Circuits
        • Commitment Schemes
        • Oblivious Transfer
      • Timings
      • Future Work
      • References
  • fulltext_3
    • CLL: A Cryptographic Link Layer for Local Area Networks
      • Introduction
      • Related Work
      • Protocol Overview
      • Cryptographic Design Decisions
      • Operation of CLL in Detail
        • Basic Packet Format
        • ARP Handshake and SA Setup
