Public key cryptography


LNCS 8383

Hugo Krawczyk (Ed.)

Public-Key Cryptography – PKC 2014
17th International Conference on Practice and Theory in Public-Key Cryptography
Buenos Aires, Argentina, March 26–28, 2014
Proceedings

Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany
Volume Editor
Hugo Krawczyk
IBM T.J. Watson Research Center
1101 Kitchawan Road, Yorktown Heights, NY 10598, USA
E-mail: hugokraw@us.ibm.com

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-54630-3, e-ISBN 978-3-642-54631-0
DOI 10.1007/978-3-642-54631-0
Springer Heidelberg New York Dordrecht London
Library of Congress Control Number: 2014932835
CR Subject Classification (1998):
LNCS Sublibrary: SL – Security and Cryptology

© International Association for Cryptologic Research 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations
and therefore free for general use. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

PKC 2014, the 17th Annual IACR International Conference on Practice and Theory of Public-Key Cryptography, was held in Buenos Aires, Argentina, during March 26–28, 2014. The conference, sponsored by the International Association for Cryptologic Research (IACR), focuses on all technical aspects of public-key cryptography, including theory, design, analysis, cryptanalysis, implementation and applications. This was the first PKC to be held in South America.

These proceedings contain 38 papers selected by the Program Committee from a total of 145 submissions, the second highest number in the conference's history. The many high-quality submissions made it easy to build a good program but also required rejecting good papers. Each submission was judged by at least three reviewers, or four in the case of submissions by Program Committee members. The selection process included five weeks of focused independent review followed by five weeks of lengthy discussions. At the end of the 10-week review period the reports and discussions produced over 38,000 lines of text, a testament to the dedication and thoroughness of the Program Committee members. This wonderful work would have been impossible without the collaboration of 150 members of our community that served as external reviewers. To them and all the members of the Program Committee I am truly grateful. My sincere
gratitude goes also to the hundreds of authors that submitted their excellent work; without them there wouldn't be a conference.

The program also featured two excellent invited lectures: "Post-Snowden Cryptography" by Adi Shamir and "Multilinear Maps and Obfuscation" by Shai Halevi. On behalf of the Program Committee, I would like to thank Adi and Shai for kindly accepting our invitation.

The work of a program chair and a successful conference depend on many people that deserve special thanks. Ariel Waissbein and Juan Garay, the conference general chairs, did a wonderful job organizing the event and managing its many complexities. Shai Halevi's excellent submission and review software was pivotal for the smooth management of the review process, and he was kind enough to patiently answer my many questions. A special mention goes to the PKC steering committee for their organization of the PKC conferences for so many years and for giving us the opportunity to bring cryptography to this part of the planet. Finally, I want to thank our sponsors: Argentina's Ministry of Science, Technology and Productive Innovation, Fundación Sadosky, IBM Research, and Microsoft Research.

February 2014
Hugo Krawczyk

PKC 2014
The 17th IACR International Conference on Practice and Theory of Public-Key Cryptography
Buenos Aires, Argentina, March 26–28, 2014
Sponsored by the International Association of Cryptologic Research

General Chair: Ariel Waissbein
General Co-chair: Juan A. Garay, Yahoo Labs, USA
Program Chair: Hugo Krawczyk, IBM T.J. Watson Research Center, USA

Program Committee
Michel Abdalla, École Normale Supérieure and CNRS, France
Masayuki Abe, NTT, Japan
Paulo Barreto, University of São Paulo, Brazil
Alexandra Boldyreva, Georgia Institute of Technology, USA
Colin Boyd, NTNU, Norway and QUT, Australia
David Cash, Rutgers University, USA
Jung Hee Cheon, Seoul National University, Korea
Nelly Fazio, City College of CUNY, USA
Sanjam Garg, IBM Research, USA
Dov Gordon, Applied Communication Sciences, USA
Jens Groth, University College London, UK
Nadia Heninger, University of Pennsylvania, USA
Amir Herzberg, Bar Ilan University, Israel
Alejandro Hevia, University of Chile, Chile
Susan Hohenberger, Johns Hopkins University, USA
Stanislaw Jarecki, UC Irvine, USA
Aggelos Kiayias, University of Athens, Greece
Vladimir Kolesnikov, Bell Labs, USA
Kaoru Kurosawa, Ibaraki University, Japan
Tanja Lange, Technische University of Eindhoven, The Netherlands
Allison Lewko, Microsoft Research New England, USA
Vadim Lyubashevsky, Inria and École Normale Supérieure, France
Mark Manulis, University of Surrey, UK
Ilya Mironov, Microsoft Research Silicon Valley, USA
Antonio Nicolosi, Stevens Institute of Technology, USA
Jesper Buus Nielsen, Aarhus University, Denmark
Kenny Paterson, Royal Holloway, University of London, UK
Benny Pinkas, Bar Ilan University, Israel
Elizabeth Quaglia, École Normale Supérieure, France
Mariana Raykova, IBM Research and SRI, USA
Dominique Unruh, University of Tartu, Estonia
Yevgeniy Vahlis, AT&T Labs, USA
Hoeteck Wee, George Washington University, USA
Daniel Wichs, Northeastern University, USA

External Reviewers
Gora Adj, Martin Albrecht, Prabhanjan Ananth, Diego F. Aranha, Chung Hun Baek, Manuel Barbosa, Mihir Bellare, Fabrice Benhamouda, Daniel J. Bernstein, Joppe Bos, Charles Bouillaguet, Elette Boyle, Angelo De Caro, Andrea Cerulli, Pyrros Chaidos, Nishanth Chandran, Melissa Chase, Jie Chen, Dong-Pyo Chi, Chongwon Cho, Tung Chou, Dana Dachman-Soled, Daniel Dadush, Ivan Damgaard, Bernardo Machado David, Leo Ducas, Frédéric Dupuis, Konrad Durnoga, Stefan Dziembowski, Robert Enderlein, Michele Feltz, Marc Fischlin, Eduarda Freire, Jun Furukawa, Steven Galbraith, Nethanel Gelernter, Rosario Gennaro, Yossi Gilad, Niv Gilboa, Danilo Gligoroski, Sasha Golovnev, Alonso Gonzalez, Louis Goubin, Vipul Goyal, Divya Gupta, Tim Guneysu, Shai Halevi, Fabrice Ben Hamouda, Kristiyan Haralambiev, Carmit Hazay, Francisco Rodríguez Henríquez, Ryo Hiromasa, Dennis Hofheinz, Hyunsook Hong, Yuval
Ishai, Ioana Elisabeta Ivan, Abhishek Jain, Min Young Jun, Charanjit Jutla, Franziskus Kiefer, Eike Kiltz, Jinsu Kim, Min Kyu Kim, Miran Kim, Sungwook Kim, Taechan Kim, Susumu Kiyoshima, Takeshi Koshiba, Veronika Kuchta, Abishek Kumarasubramanian, Rasmus Winther Lauritsen, Chang Min Lee, Moon Sung Lee, Nikos Leonardos, Tancrede Lepoint, Benoît Libert, Huijia (Rachel) Lin, Helger Lipmaa, Feng-Hao Liu, Alex Malozemoff, Takahiro Matsuda, Alexander May, Sarah Meiklejohn, Daniele Micciancio, Pratyay Mukherjee, Ryo Nishimaki, Gregory Neven, Attrapadung Nuttapong, Adam O'Neill, Miyako Ohkubo, Yossi Oren, Jung Youl Park, Anat Paskin-Cherniavsky, Chris Peikert, Milinda Perera, Ludovic Perret, Christopher Petit, Le Trieu Phong, Bertram Poettering, Joop van de Pol, Carla Ràfols, Ananth Raghunathan, Tom Ristenpart, Ben Riva, Arnab Roy, Katerina Samari, Alessandra Scafuro, Christian Schaffner, Dominique Schroeder, Jacob Schuldt, Sven Schäge, Gil Segev, Minjae Seo, Haya Shulman, Dale Sibborn, Ben Smith, Yongsoo Song, Douglas Stebila, Damien Stehle, Ron Steinfeld, Falko Strenzke, Michael Sudkevitch, Katsuyuki Takashima, Qiang Tang, Sidharth Telang, Aris Tentes, Stefano Tessaro, Enrico Thomae, Mehdi Tibouchi, Roberto Trifiletti, Boaz Tsaban, Yiannis Tselekounis, Manolis Tzortzakis, Damien Vergnaud, Ivan Visconti, Alfredo Rial, Shota Yamada, Bo-Yin Yang, Arkady Yerukhimovich, Kazuki Yoneyama, Aaram Yun, Thomas Zacharias, Mark Zhandry, Bingsheng Zhang, Miaomiao Zhang, Hong-Sheng Zhou

PKC Steering Committee
Ronald Cramer, CWI, Amsterdam & Mathematical Institute and Leiden University, The Netherlands
Yvo Desmedt, University of Texas at Dallas, USA
Hideki Imai, Chuo University and Research Center for Information Security (RCIS), AIST, Japan
David Naccache, École Normale Supérieure, France
Tatsuaki Okamoto, NTT Labs, Japan
David Pointcheval, École Normale Supérieure, France
Moti Yung (Secretary), Google Inc., and Columbia University, USA
Yuliang Zheng (Chair), University of North Carolina at Charlotte, USA

Sponsoring Institutions
Fundación Sadosky, Argentina
IBM Research, USA
Microsoft Research, USA
Ministry of Science, Technology and Productive Innovation, Argentina

Table of Contents

Chosen Ciphertext Security
Simple Chosen-Ciphertext Security from Low-Noise LPN. Eike Kiltz, Daniel Masny, and Krzysztof Pietrzak
Leakage-Flexible CCA-secure Public-Key Encryption: Simple Construction and Free of Pairing. Baodong Qin and Shengli Liu, 19
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme. Dana Dachman-Soled, 37
Chosen Ciphertext Security via UCE. Takahiro Matsuda and Goichiro Hanaoka, 56

Re-encryption
Proxy Re-encryption from Lattices. Elena Kirshanova, 77
Re-encryption, Functional Re-encryption, and Multi-hop Re-encryption: A Framework for Achieving Obfuscation-Based Security and Instantiations from Lattices. Nishanth Chandran, Melissa Chase, Feng-Hao Liu, Ryo Nishimaki, and Keita Xagawa, 95

Verifiable Outsourcing
Verifiable Set Operations over Outsourced Databases. Ran Canetti, Omer Paneth, Dimitrios Papadopoulos, and Nikos Triandopoulos, 113
Verifiable Oblivious Storage. Daniel Apon, Jonathan Katz, Elaine Shi, and Aishwarya Thiruvengadam, 131
Achieving Privacy in Verifiable Computation with Multiple Servers – Without FHE and without Pre-processing. Prabhanjan Ananth, Nishanth Chandran, Vipul Goyal, Bhavana Kanukurthi, and Rafail Ostrovsky, 149

672   Y. Li et al.

asymmetric perfect forward secrecy and TLS_DHE_PSK is secure with (classical) perfect forward secrecy. Informally, our results say that TLS-PSK guarantees confidentiality and integrity of all messages exchanged between client and server, unless the adversary has learned the pre-shared key or corrupted one of the parties to learn the application/session key. In TLS_DHE_PSK the communication remains confidential even if the adversary corrupts the pre-shared secret later on. In contrast, in TLS_RSA_PSK the communication remains confidential even if the adversary manages to corrupt the pre-shared
key or the server's long-term key later on, but not both of them.

Double PRFs and Forward Secrecy
To prove TLS_RSA_PSK and TLS_DHE_PSK, we introduce a variant of pseudo-random functions (PRFs), called double pseudo-random function (DPRF). Roughly, a DPRF takes as input two keys, only one of which is generated randomly and kept secret from the attacker (as in classical PRFs). However, when the adversary makes its queries, not only the message but also the other key can entirely be specified by the adversary. Our notion of DPRF nicely abstracts the crucial mechanism in TLS-PSK that is required to guarantee (asymmetric) perfect forward secrecy. In our security proofs, we assume that TLS's key derivation function provides a suitable DPRF in the standard model. Existing results on the security of HMAC support this assumption for TLS 1.1 when the pre-shared key has a specific bit length. Our new DPRF notion may be of independent interest beyond the scope of this work. Note also that for the TLS_PSK and TLS_DHE_PSK ciphersuites we neither have to rely on non-standard assumptions like the PRF-ODH assumption of JKSS to give a proof, nor on idealized setup assumptions like the random oracle model. We can show that TLS_RSA_PSK is secure under our basic notion of ACCE security without any assumption on the public key encryption system used in TLS. This is because under the basic ACCE definition security can be derived solely from secrecy of the pre-shared keys. However, if we want to prove the ACCE security of TLS_RSA_PSK with asymmetric perfect forward secrecy in the standard model we need to assume that the public key encryption scheme is IND-CCA secure, similar to [22,19]. Thus, we do not consider TLS-RSA with RSA-PKCS encryption as it is currently used in practice. We remark that [22] were also able to prove security of the classical TLS ciphersuites based on RSA key transport with RSA-PKCS encryption in the random oracle model. It would be interesting to show that the results of KPW on TLS-RSA can be transferred to show that TLS-PSK with RSA-PKCS based key transport provides asymmetric perfect forward secrecy in the random oracle model.

Limitations
In our work, we give a dedicated security analysis for TLS-PSK. We believe that it is possible to give a more modularized analysis, similar to KPW [22] who analyzed the classical ciphersuites of TLS by abstracting the handshake phase into a Constrained-CCA-secure (CCCA) KEM (KPW call this TLS-CCA) that is combined with a secure authenticated encryption scheme. The benefit of the KPW analysis is re-usability: once the security proof is established for a generic CCCA-secure KEM, all that remains is to show that each of the ciphersuites indeed provides such a KEM.

On the Security of the Pre-shared Key Ciphersuites of TLS   673

Security Assumptions
To state our results, we will rely on standard security definitions for the Decisional Diffie-Hellman assumption (DDH), collision-resistant cryptographic hash functions, IND-CCA secure public key encryption schemes, (plain) pseudo-random functions (PRF), and stateful length-hiding authenticated encryption (sLHAE) schemes as recently defined in [30]. However, we will sometimes also rely on a new class of PRFs called double pseudo-random functions.

Double Pseudo-Random Functions
Double pseudo-random functions can be thought of as a class of pseudo-random functions with two keys. Let DPRF : K_DPRF1 × K_DPRF2 × M_DPRF → R_DPRF denote a family of deterministic functions, where K_DPRF1, K_DPRF2 is the key space, M_DPRF is the domain and R_DPRF is the range of PRF. Intuitively, security requires that the output of the DPRF is indistinguishable from random as long as one key remains hidden from the adversary, even if the adversary is able to adaptively specify the second key and the input message. To formalize security we consider the following security game played between a challenger C and an adversary A. Let RF_DPRF(·, ·) denote an oracle implemented by C, which takes as input a key k_j ∈ K_DPRFj (where j is specified by the adversary via an Init query) and message m ∈ M_DPRF and outputs a random value z ∈ R_DPRF. The adversary first runs Init(j) with j ∈ {1, 2} to specify the key k_j ∈ K_DPRFj that he wants to manipulate. The challenger C samples b̂ ←$ {0, 1}, and sets u = (j mod 2) + . If b̂ = 0, the challenger samples k_u ∈_R K_DPRFu and assigns RF_DPRF(·, ·) to either DPRF(·, k_2, ·) or DPRF(k_1, ·, ·) depending on the value of u. For instance, if u = then the random function RF_DPRF is assigned to DPRF(·, k_2, ·), and A is allowed to specify k_1 arbitrarily in each query. If b̂ = 1, the challenger assigns RF_DPRF to RF(·, ·), which is a truly random function that takes as input key k_j and message m and outputs a value in the same range R_DPRF as DPRF(·, ·, ·). The adversary may adaptively make queries k_{j,i}, m_i for ≤ i ≤ q to oracle RF_DPRF and receives the result of RF_DPRF(k_{j,i}, m_i), where k_{j,i} denotes the i-th key k_j chosen by A. Finally, A outputs its guess b̂' ∈ {0, 1} of b̂. If b̂' = b̂, A wins.

Definition. We say that DPRF is a (t, )-secure double pseudo-random function, if any adversary running in time t has at most an advantage of to distinguish the DPRF from a truly random function, i.e., Pr[b̂' = b̂] ≤ 1/2 + . The number of allowed queries q is upper bounded by t.

A Brief Introduction to TLS-PSK
This section describes the three sets of ciphersuites specified in TLS-PSK: TLS_PSK, TLS_RSA_PSK and TLS_DHE_PSK. In each of these ciphersuites, the master secret is computed using pre-shared keys, which are symmetric keys shared in advance among the communicating parties. The main differences are in the way the master secret is computed. The following description is valid for all TLS_PSK versions. We only describe the cryptographically relevant messages and only those that deviate from the classical TLS ciphersuites. A detailed description can be found in the full version.

Fig. Handshake in TLS-PSK
  Client                                Server
    m1: ClientHello          ---------->
    m2: ServerHello          <----------
    m3: ServerCertificate    <----------
    m4: ServerKeyExchange    <----------
    m5: ServerHelloDone      <----------
    m6: ClientKeyExchange    ---------->
    m7: ChangeCipherSpec     ---------->
    m8: ClientFinished       ---------->
    m9: ChangeCipherSpec     <----------
    m10: ServerFinished      <----------
  (messages m1–m10: pre-accept phase; post-accept phase: Stateful Symmetric Encryption)

ServerCertificate. For TLS_PSK and TLS_DHE_PSK, the message is not included. In TLS_RSA_PSK cert_S contains a public key that is bound to the server's identity.

ServerKeyExchange. Since clients and servers may have pre-shared keys with many different parties, in the ServerKeyExchange message m4, the server provides a PSK identity hint pointing to the PSK used for authentication. However, for ephemeral Diffie-Hellman key exchange, the Diffie-Hellman (DH) key exchange parameters are also contained in the ServerKeyExchange messages, including information on the DH group (e.g., a large prime number p ∈ {0, 1}^poly(κ), where κ is the security parameter, and a generator g for a prime-order q subgroup of Z_p^*), and the DH share T_S (T_S = g^{t_S}, where t_S is a random value in Z_q). (We implicitly assume that the client checks whether the received parameters are valid, in particular if T_S is indeed in the group generated by g.)
ClientKeyExchange. Message m6 is called ClientKeyExchange. We describe the contents of this message for the ciphersuites TLS_DHE_PSK, TLS_PSK and TLS_RSA_PSK separately:
– For TLS_PSK, the message is not included.
– For ephemeral Diffie-Hellman key exchange TLS_DHE_PSK, it contains the Diffie-Hellman share T_C of the client, i.e., T_C = g^{t_C}.
– For the RSA-based key exchange TLS_RSA_PSK the client selects a 46-byte random value R and sends a 2-byte version number V and the 46-byte random value R encrypted under the server's RSA public key to the server. Also, the client sends an identifier for the pre-shared key it is going to use when communicating with the server. This information is called PSK identity.

Computing the Master Secret. According to the original specification, released as RFC 4279 [14], the key derivation function of TLS, denoted here as PRF_TLS, is used when constructing the master secret. PRF_TLS takes as input a secret, a seed, and an identifying label and produces an output of arbitrary length. We first describe the generic computation of the master secret ms for all ciphersuites using pre-shared keys. Then, a detailed description of all cases (TLS_PSK, TLS_DHE_PSK, and TLS_RSA_PSK) is provided. The master secret ms is computed as follows:

    ms := PRF_TLS(pms, label1 || r_C || r_S)    (1)

– TLS_PSK case: For TLS_PSK, the client/server is able to compute the master secret ms using the pre-master secret pms, from which all further secret values are derived. If the PSK is N bytes long, the pms consists of the 2-byte representation (uint16) of the integer value N, N zero bytes, the 2-byte representation of N once again, and the PSK itself, i.e., pms := N || 0...0 || N || PSK. Since the first half of pms is constant for any PSK, we get for TLS_PSK that the entire security of PRF_TLS only relies on the second half of pms.
– TLS_DHE_PSK case: Let Z be the value produced for DH-based ciphersuites, i.e., Z = g^{t_S t_C} = T_C^{t_S} = T_S^{t_C}. The pms consists of a concatenation of four values: the uint16 len_Z indicating the length of Z, Z itself, the uint16 len_PSK showing the length of the PSK, and the PSK itself: pms := len_Z || Z || len_PSK || PSK.
– TLS_RSA_PSK case: First, the pre-master secret concatenates the uint16 constant C = 48, the 2-byte version number V, a 46-byte random value R, the uint16 len_PSK containing the length of the PSK, and the PSK itself, i.e., pms := C || V || R || len_PSK || PSK.

3.1 On the Security of PRF_TLS
In our security proof of TLS_PSK, we assume that the pseudo-random function of TLS (PRF_TLS) that is used for the computation of the master secret constitutes a secure PRF in the standard model when applied with pms as the key. However, to prove (asymmetric) perfect forward secrecy in TLS_DHE_PSK and TLS_RSA_PSK, we assume that PRF_TLS constitutes a secure DPRF (in the standard model) where the key space of the DPRF consists of the key space of the pre-shared key and the key space of the freshly generated RSA or Diffie-Hellman secret. Unfortunately, existing results do not directly prove that PRF_TLS as used in TLS-PSK is a secure DPRF. Nevertheless, they might in some cases serve as a strong indicator of the security of PRF_TLS. We provide a more detailed analysis of the plausibility of this assumption in the full version.

ACCE Protocols
In this section, we present an extension of the formal security model for two-party authenticated and confidential channel establishment (ACCE) protocols introduced by JKSS [17] to also cover scenarios with pre-shared, symmetric keys. Additionally, we extend the model to also address PKI-related attacks that exploit that the adversary does not have to prove knowledge of the secret key when registering a new public key [5]. (In [25] such attacks are generally called strong-key substitution attacks.)
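The three pre-master-secret layouts and equation (1) from the TLS-PSK section above, worked through as an added example; this is not code from the paper or from any TLS implementation. It assumes the TLS 1.2 PRF (P_SHA256 of RFC 5246) in place of PRF_TLS and the ASCII label "master secret" for label1, neither of which the page states, and every key and random value is a constructed sample. It also exposes the PSK-independent first half of the TLS_PSK pms that the paper's remark on PRF_TLS relies on.

```python
"""Pre-master-secret layouts of TLS_PSK, TLS_DHE_PSK and TLS_RSA_PSK (RFC 4279)
and the master-secret derivation ms := PRF_TLS(pms, label || r_C || r_S).

Added illustration, not the paper's code. Assumptions (not on the page): the
TLS 1.2 PRF of RFC 5246 (P_SHA256) stands in for PRF_TLS, and label1 is the
ASCII string "master secret". All sample keys and randoms are constructed.
"""
import hashlib
import hmac
import struct


def uint16(n: int) -> bytes:
    """2-byte big-endian length field (the uint16 of RFC 4279)."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("uint16 out of range")
    return struct.pack("!H", n)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion of RFC 5246: A(i) = HMAC(secret, A(i-1)) with
    A(0) = seed; output blocks HMAC(secret, A(i) || seed) until `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf_tls(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF_TLS(secret, label || seed) as in equation (1) (assumed TLS 1.2 form)."""
    return p_sha256(secret, label + seed, length)


def pms_psk(psk: bytes) -> bytes:
    """TLS_PSK: pms := N || 0...0 (N zero bytes) || N || PSK."""
    n = len(psk)
    return uint16(n) + b"\x00" * n + uint16(n) + psk


def pms_dhe_psk(z: bytes, psk: bytes) -> bytes:
    """TLS_DHE_PSK: pms := len_Z || Z || len_PSK || PSK, Z = g^(t_S t_C)."""
    return uint16(len(z)) + z + uint16(len(psk)) + psk


def pms_rsa_psk(version: bytes, r: bytes, psk: bytes) -> bytes:
    """TLS_RSA_PSK: pms := C || V || R || len_PSK || PSK, where C = 48 is the
    uint16 length of V || R (2 + 46 bytes), the part sent RSA-encrypted."""
    if len(version) != 2 or len(r) != 46:
        raise ValueError("V must be 2 bytes and R 46 bytes")
    return uint16(48) + version + r + uint16(len(psk)) + psk


def master_secret(pms: bytes, r_c: bytes, r_s: bytes) -> bytes:
    """ms := PRF_TLS(pms, "master secret" || r_C || r_S), 48 bytes (RFC 5246)."""
    return prf_tls(pms, b"master secret", r_c + r_s, 48)


def psk_pms_constant_prefix(pms: bytes) -> bytes:
    """The PSK-independent first half of a TLS_PSK pms: N || 0...0 || N.
    This is why the paper says PRF_TLS's security rests on the second half."""
    n = struct.unpack("!H", pms[:2])[0]
    return pms[: 2 + n + 2]


if __name__ == "__main__":
    # Constructed sample values: a 16-byte PSK, a 32-byte DH secret Z, a
    # 46-byte client value R, and the two 32-byte hello randoms r_C, r_S.
    psk = bytes(range(16))
    z = b"\x5a" * 32
    r = b"\x11" * 46
    r_c, r_s = b"\xc0" * 32, b"\x50" * 32
    for name, pms in [("TLS_PSK", pms_psk(psk)),
                      ("TLS_DHE_PSK", pms_dhe_psk(z, psk)),
                      ("TLS_RSA_PSK", pms_rsa_psk(b"\x03\x03", r, psk))]:
        print(f"{name:12s} pms = {pms.hex()}")
        print(f"{'':12s} ms  = {master_secret(pms, r_c, r_s).hex()}")
```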
For better comparison with JKSS we will subsequently use boxes to highlight state variables that are essentially new in our model. In this model, while emulating the real-world capabilities of an active adversary, we provide an 'execution environment' for adversaries following the tradition of the seminal work of Bellare and Rogaway [3] and its extensions [4,8,21,23,17]. Let K_0 = {0, 1}^κ be the key space of the session key and K_1 = {0, 1}^κ be the key space of the pre-shared keys.

Execution Environment. In the following let , d ∈ N be positive integers. In the execution environment, we fix a set of honest parties {P_1, ..., P_ }. Each party is either identified by index i in the security experiment or a unique, fixed-length string id_i (which might appear in the protocol flows). To cover authentication with symmetric keys, we extend the state of each party to also include pre-shared keys. Each party holds (symmetric) pre-shared keys with all other parties. We denote with PSK_{i,j} = PSK_{j,i} the symmetric key shared between parties P_i and P_j. Each party P_i with i ∈ {1, ..., } also has access to a long-term public/private key pair (pk_i, sk_i). Formally, each party maintains the state variables given in Table .

Table. Internal States of Parties
  Variable | Description
  sk_i     | stores the secret key of a public key pair (pk_i, sk_i)
  PSK_i    | a vector which contains an entry PSK_{i,j} per party P_j
  τ_i      | denotes that sk_i was corrupted after the τ_i-th query of A
  f_i      | a vector denoting the freshness of all pre-shared keys, containing one entry f_{i,j} ∈ {exposed, fresh} for each entry in PSK_i

The first two variables, sk_i and PSK_i, are used to store keys that are used in the protocol execution, while the remaining variables are solely used to define security. (When defining security the latter are additionally managed and updated by the challenger.)
The variables of each party P_i will be initialized according to the following rules:
– The long-term key pair (pk_i, sk_i) and pre-shared key vector PSK_i are chosen randomly from the key space. For all parties P_i, P_j with i, j ∈ {1, ..., } and with i ≠ j, and pre-shared keys PSK_i it holds that PSK_{i,j} = PSK_{j,i} and PSK_{i,i} := ∅.
– All entries in f_i are set to fresh.
– τ_i is set to τ_i := ∞, which means that all parties are initially not corrupted. In the following, we will call party P_i uncorrupted iff τ_i = ∞. Thus, we do not consider a dedicated variable that holds the corruption state of the secret key sk_i.

Each honest party P_i can sequentially and concurrently execute the protocol multiple times. This is modeled by a collection of oracles {π_i^s : i ∈ [ ], s ∈ [d]}. Oracle π_i^s behaves as party P_i carrying out a process to execute the s-th protocol instance with some partner P_j (which is determined during the protocol execution). All oracles of P_i have access to the long-term keys sk_i and PSK_i with j ∈ {1, ..., }. Moreover, we assume each oracle π_i^s maintains a list of independent internal state variables with the semantics given in Table .

Table. Internal States of Oracles
  Variable                          | Description
  Φ_i^s                             | denotes π_i^s's execution-state in {negotiating, accept, reject}
  Pid_i^s                           | stores the identity of the intended communication partner
  ρ_i^s                             | denotes the role ρ_i^s ∈ {Client, Server}
  K_i^s = (k_enc, k_dec)            | stores the application keys K_i^s
  St_i^s = (u, v, st_e, st_d, C)    | stores the current states of the sLHAE scheme
  T_i^s                             | records the transcript of messages sent and received by π_i^s
  kst_i^s                           | denotes the freshness kst_i^s ∈ {exposed, fresh} of the session key
  b_i^s                             | stores a bit b ∈ {0, 1} used to define security

The variables Φ_i^s, Pid_i^s, ρ_i^s, K_i^s, st_e, st_d, and T_i^s are used by the oracles to execute the protocol. The remaining variables are only used to define security. The variables of each oracle π_i^s will be initialized by the following rules:
– The execution-state Φ_i^s is set to negotiating.
– The variable kst_i^s is set to fresh.
– The bit b_i^s is chosen at random.
– The counters u, v are initialized to .
– All other variables are set to only contain the empty string ∅.

At some point, each oracle π_i^s completes the execution with a decision state Φ_i^s ∈ {accept, reject}. Furthermore, we will always assume (for simplicity) that K_i^s = ∅ if an oracle has not reached accept-state (yet).

Matching Conversations. To formalize the notion that two oracles engage in an on-line communication, we define partnership via matching conversations as proposed by Bellare and Rogaway [3]. We use the variant by JKSS.

Definition. We say that an oracle π_i^s has a matching conversation to oracle π_j^t, if
– π_i^s has sent all protocol messages and T_j^t is a prefix of T_i^s, or
– π_j^t has sent all protocol messages and T_i^s = T_j^t.

To keep our definition of ACCE protocols general we do not consider protocol-specific definitions of partnership like for example [22] who define partnership of TLS sessions using only the first three messages exchanged in the handshake phase.

Adversarial Model. An adversary A in our model is a PPT taking as input the security parameter 1^κ and the public information (e.g., generic description of above environment), which may interact with these oracles by issuing the following queries.

Send_pre(π_i^s, m): This query sends message m to oracle π_i^s. The oracle will respond with the next message m* (if there is any) that should be sent according to the protocol specification and its internal states. After answering a Send_pre query, the variables (Φ_i^s, Pid_i^s, ρ_i^s, K_i^s, T_i^s) will be updated depending on the protocol specification. This query is essentially defined as in JKSS.

RegisterParty(μ, pk_μ, [psk]): This query allows A to register a new party with a new identity μ and a static public key (pk_μ) to be used for party P_μ. In response, if the same identity μ is already registered (either via a RegisterParty query or μ ∈ [ ]), a failure symbol ⊥ is returned. Otherwise, a new party P_μ is added with the static public key pk_μ. The secret key sk_μ is set to a constant. The parties registered by this query are considered corrupted and controlled by the adversary. If RegisterParty is the τ-th query of the adversary, P_μ is initialized with τ_μ = τ. If the adversary also provides a pre-shared key psk, then this key will be implemented for every party P_i with i ∈ [ ] as key PSK_{i,μ}. Otherwise, the simulator chooses a random key psk ←$ {0, 1}^κ and sets PSK_{i,μ} = PSK_{μ,i} := psk for all parties P_i before outputting psk. (This is just for simplicity. Modeling different pre-shared keys between the registered party and every other party is equivalent to registering multiple parties with a single shared key each.) The corresponding entries f_{i,μ} in the vectors of the other parties P_i with i ∈ [ ] are set to exposed. Via this query we extend the ACCE model of JKSS to also model key registration.

RevealKey(π_i^s): Oracle π_i^s responds to a RevealKey-query with the contents of variable K_i^s, the application keys. At the same time the challenger sets kst_i^s = exposed. If at the point when A issues this query there exists another oracle π_j^t having matching conversation to π_i^s, then we also set kst_j^t = exposed for π_j^t. This query slightly deviates from JKSS. (JKSS implicitly located the specification of when to set kst_j^t = exposed into the security definition.)

Corrupt(P_i, [P_j]): Depending on the second input parameter, oracle π_i^1 responds with certain long-term secrets of party P_i. This query extends the corruption capabilities of JKSS to symmetric keys.
– If A queries Corrupt(P_i) or Corrupt(P_i, ∅), oracle π_i^1 returns the long-term secret key sk_i of party P_i. (The party P_i is not adversarially controlled.) If this query is the τ-th query issued by A, then we say that P_i is τ-corrupted and π_i^1 sets τ_i := τ.
– If A queries Corrupt(P_i, P_j), oracle π_i^1 returns the symmetric pre-shared key PSK_{i,j} stored in PSK_i and sets f_{i,j} := exposed.
– If A queries Corrupt(P_i, ), oracle π_i^1 returns the vector PSK_i and sets f_{i,j} := exposed for all entries f_{i,*} ∈ f_i.

Encrypt(π_i^s, m_0, m_1, len, H): This query takes as input two messages m_0 and m_1, length parameter len, and header data H. If Φ_i^s ≠ accept then π_i^s returns ⊥. Otherwise, it proceeds as depicted in Figure 2, depending on the random bit b_i^s ←$ {0, 1} sampled by π_i^s at the beginning of the game and the internal state variables of π_i^s. This query is essentially defined as in JKSS.

Decrypt(π_i^s, C, H): This query takes as input a ciphertext C and header data H. If π_i^s has Φ_i^s ≠ 'accept' then π_i^s returns ⊥. Otherwise, it proceeds as depicted in Figure 2. This query is essentially defined as in JKSS.

Fig. 2. Encrypt and Decrypt oracles in the ACCE security experiment
  Encrypt(π_i^s, m_0, m_1, len, H):
    u := u + 1
    (C^(0), st_e^(0)) ←$ StE.Enc(k_enc^ρ, len, H, m_0, st_e)
    (C^(1), st_e^(1)) ←$ StE.Enc(k_enc^ρ, len, H, m_1, st_e)
    If C^(0) = ⊥ or C^(1) = ⊥ then return ⊥
    (C_u, H_u, st_e) := (C^(b), H, st_e^(b))
    Return C_u
  Decrypt(π_i^s, C, H):
    v := v + 1
    If b_i^s = 0, then return ⊥
    (m, st_d) = StE.Dec(k_dec^ρ, H, C, st_d)
    If v > u or C ≠ C_v or H ≠ H_v, then phase := 1
    If phase = 1 then return m
  Here u, v, b_i^s, ρ, k_enc^ρ, k_dec^ρ, C denote the values stored in the internal variables of π_i^s.

Definition (Correctness). We say that an ACCE protocol Π is correct, if for any two oracles π_i^s, π_j^t that have matching conversations with Pid_i^s = j and Pid_j^t = i and Φ_i^s = accept and Φ_j^t = accept it always holds that K_i^s = K_j^t.

Secure ACCE Protocols. We define security via an experiment played between a challenger C and an adversary A.

Security Game. Assume there is a global variable pinfo which stores the role information of each party for the considered protocol Π. (This information is simply used to determine which party also holds asymmetric key pairs besides the shared symmetric keys.) In the game, the following steps are performed:
– Given the security parameter κ, C implements the collection of oracles {π_i^s : i, j ∈ [ ], s ∈ [d]} with respect to Π and pinfo. In this process, C generates long-term keys PSK_i for all parties i ∈ [ ]. Next it additionally generates long-term key pairs (pk_i, sk_i) for all parties i ∈ [ ] that require them (e.g., if the corresponding party is a server in the TLS_RSA_PSK protocol). Finally, C gives all identifiers {id_i}, all public keys (if any), and pinfo to A.
– Next the adversary may start issuing Send_pre, RevealKey, Corrupt, Encrypt, Decrypt, and RegisterParty queries.
– At the end of the game, the adversary outputs a triple (i, s, b') and terminates.

In the following, we provide a general security definition for ACCE protocols. It will subsequently be referred to when formalizing specific definitions for ACCE protocols that provide no forward secrecy, perfect forward secrecy or asymmetric perfect forward secrecy. We have tried to keep the details of the execution environment and the definition of security close to that of JKSS. Intuitively, our security definition mainly differs from JKSS in that it considers adversaries that also have access to the new RegisterParty query and the extended Corrupt query.

Definition (ACCE Security). We say that an adversary (t, )-breaks an ACCE protocol, if A runs in time t, and at least one of the following two conditions holds:
– When A terminates, then with probability at least there exists an oracle π_i^s such that
  – π_i^s 'accepts' with Pid_i^s = j when A issues its τ_0-th query, and
  – both P_i and the intended partner P_j are not corrupted throughout the security game, and
  – π_i^s has internal state kst_i^s = fresh, and
  – there is no unique oracle π_j^t such that π_i^s has a matching conversation to π_j^t.
  If an oracle π_i^s accepts in the above sense, then we say that π_i^s accepts maliciously.
– When A terminates and outputs a triple (i, s, b') such that
  – π_i^s 'accepts'
  – with a unique oracle π_j^t such that π_i^s has a matching conversation to π_j^t
  –
when A issues its τ0 -th query, and – A did not issue a RevealKey-query to oracle πis nor to πjt , i.e kstsi = fresh, and – Pi is τi -corrupted and Pj is τj -corrupted, then the probability that b equals bsi is bounded by |Pr[bsi = b ] − 1/2| ≥ If adversary A outputs (i, s, b ) with b = bsi and the above conditions are met, we say that A answers the encryption-challenge correctly We say that the ACCE protocol is (t, )-secure, if there exists no adversary that (t, )-breaks it Let us now define security more concretely We consider three levels of forward secrecy We start with a basic security definition for protocols that not provide any form of forward secrecy Definition (ACCE Security without Forward Secrecy) We say that an ACCE protocol is (t, )-secure without forward secrecy (NoFS), if it is (t, )-secure with respect to Definition and τi = τj = ∞ The party Pj is not adversarially corrupted, i.e j ∈ [ ] This means that Pj has not been registered by a RegisterParty query Otherwise A may obtain all corresponding secure keys and trivially make oracle πis accept On the Security of the Pre-shared Key Ciphersuites of TLS 681 The next definition considers PFS in the classical sense for both, client and server, as in JKSS Definition (ACCE Security with Perfect Forward Secrecy) We say that an ACCE protocol is (t, )-secure with perfect forward secrecy (PFS), if it is (t, )secure with respect to Definition and τi , τj ≥ τ0 In the following, we provide our new definition of asymmetric perfect forward secrecy which is similar to that of classical perfect forward secrecy except that only the client is allowed to be corrupted after it has accepted Definition (ACCE Security with Asymmetric Perfect Forward Secrecy) We say that an ACCE protocol is (t, )-secure with asymmetric perfect forward secrecy (APFS), if it is (t, )-secure with respect to Definition and it holds that τi = ∞ and τj ≥ τ0 if πis has internal state ρ = Server or τi ≥ τ0 and τj = ∞ if πis has internal state ρ = 
Client Security Analysis of Pre-shared Key Ciphersuites for Transport Layer Security In this section, we present our results for each of the TLS-PSK ciphersuites Due to space restrictions, the proofs are given in the full version Theorem Let μ be the output length of PRFTLS and let λ be the length of the nonces Assume that PRFTLS is a (t, PRF )-secure PRF when keyed with the premaster secret pms := N ||0 0||N ||PSK or the master secret ms Suppose the hash function H is (t, H )-secure, and the sLHAE scheme is (t, StE )-secure Then for any adversary that (t , tls )-breaks the TLS_PSK protocol in the sense of Definition with t ≈ t it holds that tls ≤ (d )2 +3 2λ−1 DPRF +3 PRF +2 H + +6 2μ−1 StE Theorem Let μ be the output length of PRFTLS and let λ be the length of the nonces Assume that PRFTLS is a (t, DPRF )-secure DPRF when keyed with the premaster secret pms := lenZ ||Z||lenP SK ||PSK (that consists of the pre-shared secret PSK and the Diffie-Hellman value Z) Assume that PRFTLS is a (t, PRF )-secure PRF when keyed with the master secret ms Suppose the hash function H is (t, H )secure, the DDH-problem is (t, DDH)-hard in the group G used to compute Z, and the sLHAE scheme is (t, StE )-secure Then for any adversary that (t , tls )-breaks the TLS_DHE_PSK protocol in the sense of Definition with t ≈ t we get tls ≤ (d )2 +3 2λ−1 DPRF +3 PRF +2 H + + 2μ−1 DDH +6 StE Theorem Let μ be the output length of PRFTLS and let λ be the length of the nonces Assume that PRFTLS is a (t, DPRF )-secure DPRF when keyed with the premaster secret pms := C||V||R||lenP SK ||PSK (that consists of the pre-shared key 682 Y Li et al PSK and the random key R that is exchanged between client and server) Assume that PRFTLS is a (t, PRF )-secure PRF when keyed with the master secret ms Suppose the hash function H is (t, H )-secure, the public key encryption scheme PKE is (t, PKE )-secure (IND-CCA) Suppose that the sLHAE scheme is (t, StE )-secure Then for any adversary that (t , tls )-breaks the 
TLS_RSA_PSK protocol (where the key transport mechanism is implemented via PKE) in the sense of Definition with t ≈ t it holds that tls ≤ (d )2 2λ−1 + PKE +3 DPRF +3 PRF +2 H + 2μ−1 +6 StE Technical Overview of the Security Proofs At a high level, the security proofs are similar to that of JKSS From a technical standpoint, the security proof of TLS_PSK is simpler than that of the classical ciphersuites of TLS as security only relies on the secrecy of the pre-shared secrets Roughly, in the proofs of the classical TLS ciphersuites one additionally has to establish that the key exchange mechanism produces a shared secret in the first place To prove TLS_RSA_PSK and TLS_DHE_PSK we exploit the DPRF-security of PRFTLS The challenge is to show that the master secret is indistinguishable from random although the adversary may reveal the pre-shared secret or a freshly generated ephemeral secret Intuitively, if only one of these values remains unrevealed by the adversary, then at least one input key to the DPRF PRFTLS is (indistinguishable from) random Therefore, PRFTLS computes a random-looking master secret which in turn can be used to derive secure application keys Acknowledgements We would like to thank Kenny Paterson and the anonymous referees for their valuable comments and suggestions References Badra, M., Urien, P.: Toward SSL integration in SIM smartcards In: WCNC, pp 889–893 IEEE (2004) Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V (eds.) ACM Conference on Computer and Communications Security, pp 62–73 ACM (1993) Bellare, M., Rogaway, P.: Entity authentication and key distribution In: Stinson, D.R (ed.) CRYPTO 1993 LNCS, vol 773, pp 232–249 Springer, Heidelberg (1994) Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis In: Darnell, M (ed.) 
Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)
5. Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the Station-to-Station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999)
6. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)
7. BouncyCastle Software Developers: Bouncy Castle Crypto APIs (2013), http://www.bouncycastle.org/
8. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
9. Chen, C., Tang, S., Mitchell, C.J.: Building general-purpose security services on EMV payment cards. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 29–44. Springer, Heidelberg (2013)
10. Dacosta, I., Ahamad, M., Traynor, P.: Trust no one else: Detecting MITM attacks against SSL/TLS without third-parties. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 199–216. Springer, Heidelberg (2012)
11. Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard). Obsoleted by RFC 4346, updated by RFCs 3546, 5746 (January 1999)
12. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard). Obsoleted by RFC 5246, updated by RFCs 4366, 4680, 4681, 5746 (April 2006)
13. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878 (August 2008)
14. Eronen, P., Tschofenig, H.: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279 (Proposed Standard) (December 2005)
15. German Federal Office for Information Security (BSI): TR-03112, Das eCard-API-Framework (2005), https://www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html
16. Gajek, S., Manulis, M., Pereira, O., Sadeghi, A.-R., Schwenk, J.: Universally Composable Security Analysis of TLS. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 313–327. Springer, Heidelberg (2008)
17. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)
18. Jonsson, J., Kaliski Jr., B.S.: On the security of RSA encryption in TLS. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 127–142. Springer, Heidelberg (2002)
19. Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DH and TLS-RSA in the standard model. IACR Cryptology ePrint Archive, 2013:367 (2013)
20. Kohlar, F., Schwenk, J., Jensen, M., Gajek, S.: Secure bindings of SAML assertions to TLS sessions. In: ARES, pp. 62–69. IEEE Computer Society (2010)
21. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
22. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: A systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)
23. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
24. Mavrogiannopoulos, N., Josefsson, S.: The GnuTLS Transport Layer Security library, http://gnutls.org (last updated March 22, 2013)
25. Menezes, A., Smart, N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptography 33(3), 261–274 (2004)
26. Meyer, C., Schwenk, J.: Lessons learned from previous SSL/TLS attacks - a brief chronology of attacks and weaknesses. IACR Cryptology ePrint Archive, 2013:49 (2013)
27. Morrissey, P., Smart, N.P., Warinschi, B.: The TLS handshake protocol: A modular analysis. Journal of Cryptology 23(2), 187–223 (2010)
28. OpenSSL: The OpenSSL project (2013), http://www.openssl.org
29. Urien, L.C.P., Martin, P.: EMV support for TLS-PSK. draft-urien-tls-psk-emv-02 (February 2011)
30. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: Attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011)
31. Urien, P.: Introducing TLS-PSK authentication for EMV devices. In: Smari, W.W., McQuay, W.K. (eds.)
CTS, pp. 371–377. IEEE (2010)

Author Index

Albrecht, Martin R. 429, 446; Ananth, Prabhanjan 149; Apon, Daniel 131; Armknecht, Frederik 556; Attrapadung, Nuttapong 275; Barbulescu, Razvan 221; Bellare, Mihir 520; Bi, Jingguo 185; Böhl, Florian 483; Bos, Joppe W. 203; Bouvier, Cyril 221; Boyle, Elette 501; Canard, Sébastien 167; Canetti, Ran 113; Catalano, Dario 538; Chandran, Nishanth 95, 149; Chase, Melissa 95; Cho, Chongwon 650; Coron, Jean-Sébastien 185, 311; Costello, Craig 203; Dachman-Soled, Dana 37, 329, 574; Davies, Gareth T. 483; Detrey, Jérémie 221; Escala, Alex 239, 630; Faugère, Jean-Charles 185, 429, 446; Fiore, Dario 538; Fitzpatrick, Robert 429, 446; Fuchsbauer, Georg 329, 520; Gagliardoni, Tommaso 556; Garg, Sanjam 650; Gaudry, Pierrick 221; Gennaro, Rosario 538; Goldwasser, Shafi 501; Goyal, Vipul 149; Groth, Jens 630; Hanaoka, Goichiro 56, 275; Herranz, Javier 239; Hofheinz, Dennis 483; Hohenberger, Susan 293; Hu, Gengran 399; Ishiguro, Tsukasa 411; Ivan, Ioana 501; Jarecki, Stanislaw 611; Jeljeli, Hamza 221; Joye, Marc 592; Kanukurthi, Bhavana 149; Katz, Jonathan 131; Katzenbeisser, Stefan 556; Kiltz, Eike 1; Kirshanova, Elena 77; Kiyomoto, Shinsaku 411; Kohlar, Florian 669; Kunihiro, Noboru 275; Langlois, Adeline 345; Lepoint, Tancrède 311; Li, Yong 669; Libert, Benoît 239, 592; Ling, San 345; Liu, Feng-Hao 95; Liu, Shengli 19; Masny, Daniel 1; Matsuda, Takahiro 56; Miele, Andrea 203; Miyake, Yutaka 411; Mohassel, Payman 329; Nguyen, Khoa 345; Nguyen, Phong Q. 185; Nielsen, Jesper Buus 362; Nishimaki, Ryo 95; Nizzardo, Luca 538; O’Neill, Adam 329; Ostrovsky, Rafail 149, 650; Pan, Yanbin 399; Paneth, Omer 113; Papadopoulos, Dimitrios 113; Paterson, Kenneth G. 465; Perret, Ludovic 429, 446; Peter, Andreas 556; Peters, Thomas 592; Pietrzak, Krzysztof 1; Pointcheval, David 167; Qin, Baodong 19; Ràfols, Carla 239; Renault, Guénaël 185; Sanders, Olivier 167; Schäge, Sven 669; Schuldt, Jacob C.N. 465; Schwenk, Jörg 669; Seurin, Yannick 380; Shi, Elaine 131; Sibborn, Dale L. 465; Takagi, Tsuyoshi 411; Tessaro, Stefano 257; Thiruvengadam, Aishwarya 131; Thomé, Emmanuel 221; Tibouchi, Mehdi 311; Todo, Yosuke 446; Triandopoulos, Nikos 113; Venturi, Daniele 362; Videau, Marion 221; Wang, Huaxiong 345; Waters, Brent 293; Wilson, David A. 257; Xagawa, Keita 95, 446; Yamada, Shota 275; Yang, Zheng 669; Yung, Moti 592; Zeitoun, Rina 185; Zhang, Feng 399; Zimmermann, Paul 221; Zottarel, Angela 362
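The Encrypt and Decrypt oracles of the ACCE experiment (the figure in the paper text above), together with the "answers the encryption-challenge correctly" condition, as an added, runnable Python example that is not code from the paper, from JKSS, or from any TLS implementation. ChannelOracle follows the two oracle programs step by step (counters u and v, the stored (C_u, H_u) pairs, the phase flag, and the challenge bit b). The sLHAE scheme is stood in for by StE, a constructed toy length-hiding encrypt-then-MAC scheme built from HMAC-SHA256 with constructed keys K_ENC and K_MAC; the class and function names, the sample messages and the header are all this example's own. The point it demonstrates is why the phase flag is harmless only for a genuinely stateful scheme: replay_adversary redelivers one challenge record a second time, which makes v > u and flips phase to 1 so Decrypt hands back whatever StE.Dec produced. With stateful=False the tag does not bind the receiver's expected sequence number, the replayed record still decrypts to m_b and the adversary's advantage |Pr[b′ = b] − 1/2| is 1/2; with stateful=True the replay decrypts to ⊥ and the advantage is 0.

```python
import hashlib
import hmac

# Constructed demo keys (not from the paper); any fixed byte strings work.
K_ENC = b"demo-encryption-key-0123456789ab"
K_MAC = b"demo-mac-key-0123456789abcdef012"


def _keystream(key, seq, n):
    """n bytes of counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, seq.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class StE:
    """Toy length-hiding encrypt-then-MAC scheme standing in for sLHAE.
    stateful=True: the tag binds the receiver's own expected sequence number,
    so replayed or reordered records fail to decrypt.  stateful=False: the
    receiver trusts the sequence number inside the record (weak variant)."""

    def __init__(self, k_enc, k_mac, stateful=True):
        self.k_enc, self.k_mac, self.stateful = k_enc, k_mac, stateful

    def _tag(self, header, seq, c_body):
        ad = header + (seq.to_bytes(8, "big") if self.stateful else b"")
        return hmac.new(self.k_mac, ad + c_body, hashlib.sha256).digest()

    def enc(self, ln, header, m, st_e):
        """StE.Enc(k, len, H, m, ste) -> (record or None, new state)."""
        if len(m) > ln:
            return None, st_e                      # message does not fit: bottom
        # 2-byte length prefix plus zero padding: every record for a given ln
        # has the same size, which is what "length-hiding" buys.
        body = len(m).to_bytes(2, "big") + m + b"\x00" * (ln - len(m))
        c_body = bytes(x ^ y for x, y in zip(body, _keystream(self.k_enc, st_e, len(body))))
        return st_e.to_bytes(8, "big") + c_body + self._tag(header, st_e, c_body), st_e + 1

    def dec(self, header, record, st_d):
        """StE.Dec(k, H, C, std) -> (plaintext or None, new state)."""
        if len(record) < 8 + 2 + 32:
            return None, st_d
        c_body, tag = record[8:-32], record[-32:]
        seq = st_d if self.stateful else int.from_bytes(record[:8], "big")
        if not hmac.compare_digest(tag, self._tag(header, seq, c_body)):
            return None, st_d                      # tag mismatch: bottom
        body = bytes(x ^ y for x, y in zip(c_body, _keystream(self.k_enc, seq, len(c_body))))
        return body[2:2 + int.from_bytes(body[:2], "big")], st_d + 1


class ChannelOracle:
    """Encrypt/Decrypt oracles of the ACCE experiment for one accepted oracle
    pi_i^s holding challenge bit b, counters u, v and the phase flag."""

    def __init__(self, ste, b):
        self.ste, self.b = ste, b
        self.u = self.v = self.phase = 0
        self.st_e = self.st_d = 0
        self.sent = {}                             # u -> (C_u, H_u)

    def encrypt(self, m0, m1, ln, header):
        self.u += 1
        c0, st0 = self.ste.enc(ln, header, m0, self.st_e)
        c1, st1 = self.ste.enc(ln, header, m1, self.st_e)
        if c0 is None or c1 is None:
            return None
        cb, self.st_e = (c0, st0) if self.b == 0 else (c1, st1)
        self.sent[self.u] = (cb, header)
        return cb

    def decrypt(self, record, header):
        self.v += 1
        if self.b == 0:
            return None
        m, self.st_d = self.ste.dec(header, record, self.st_d)
        if self.v > self.u or self.sent.get(self.v) != (record, header):
            self.phase = 1                         # out-of-order delivery
        return m if self.phase == 1 else None


def replay_adversary(stateful, b):
    """Replays one challenge record and returns the adversary's guess b'."""
    oracle = ChannelOracle(StE(K_ENC, K_MAC, stateful), b)
    m0, m1, header = b"left", b"right", b"hdr"     # constructed challenge
    record = oracle.encrypt(m0, m1, 16, header)
    oracle.decrypt(record, header)                 # in-order: always bottom
    leaked = oracle.decrypt(record, header)        # v > u, so phase := 1
    return 1 if leaked == m1 else 0                # bottom or m0: guess 0


def advantage(stateful):
    """|Pr[b' = b] - 1/2| over both values of b (deterministic here)."""
    correct = sum(replay_adversary(stateful, b) == b for b in (0, 1))
    return abs(correct / 2 - 0.5)
```

The in-order delivery step returns ⊥ by construction even though StE.Dec succeeded, which is why the experiment can hand the adversary decryptions at all: it only does so once the adversary has left the honest in-order delivery of challenge records, and a scheme meeting the sLHAE notion makes every such out-of-order record decrypt to ⊥.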

Contents

    Simple Chosen-Ciphertext Security from Low-Noise LPN

    2.2 Learning Parity with Noise

    3.2 Description of the Scheme

    3.3 Correctness and Equivalence of the Trapdoors

    Leakage-Flexible CCA-secure Public-Key Encryption: Simple Construction and Free of Pairing

    3 Refined Subgroup Indistinguishability Assumption

    4 Leakage-Resilient CCA-secure PKE under the RSI Assumption

    4.1 Review of Qin and Liu’s Approach to LR-CCA Security

    4.2 Universal Hash Proof System from the RSI Assumption

    4.3 One-Time Lossy Filter from the RSI Assumption
