Volume 6, Issue 3-4

Abstract. Since their introduction, the notions of indistinguishability and non-malleability have been changed and extended by different authors to support different goals. In this paper, we propose new flavors of these notions, investigate their relative strengths with respect to previous notions, and provide the full picture of relationships (i.e., implications and separations) among the security notions for public-key encryption schemes. We take into account the two general security goals of indistinguishability and non-malleability, each in the message space, key space, and hybrid message-key space to find six specific goals, a couple of them, namely complete indistinguishability and key non-malleability , are new. Then for each pair of goals, coming from the indistinguishability or non-malleability classes, we prove either an implication or a separation, completing the full picture of relationships among all these security notions. The implications and separations are respectively supported by formal proofs (i.e., reductions) in the concrete-security framework and by counterexamples.

Abstract. At Eurocrypt 2004, Bellare and Kohno presented the concept of a regular hash function. For a hash function to be regular, every hash value must have the same number of preimages in the domain. The findings of their paper remained unchallenged for over six years, and made their way into several research papers and textbooks. In their paper, Bellare and Kohno claim that regular hash functions are more resistant against the birthday attack than random hash functions. We counter their arguments, by showing that the success probability of the birthday attack against a regular hash function can be made arbitrarily close to that of a random hash function (for the same number of trials). Our analysis uses the fact that the choices of the attacker can be limited to any subset of the domain. Furthermore, we prove that it is not possible to construct a hash function that is regular for only a small fraction of subsets of the domain. In order to avoid these problems, we propose to model hash functions as random functions. Compared to regular functions, we argue that the statistics of random functions are more similar to hash functions used in practice, regardless of how the attacker chooses the domain points.

Abstract. The parameter ρ of a complete family of pairing-friendly elliptic curves represents how suitable some given elliptic curves are in pairing-based cryptographic schemes. The superiority of the curves depends on how close ρ is to 1. Especially, the situation is ideal. We study whether a complete family of pairing-friendly elliptic curves has a ρ-value 1 or not. In this paper, we consider the original idea of Brezing and Weng that we put a parameter for constructing families of elliptic curves as cyclotomic polynomials. We show that the ρ-values cannot be 1 in many cases.