On the Need for Provably Secure Distance Bounding
|
|
- Hester Harrington
- 5 years ago
- Views:
Transcription
1 On the Need for Provably Secure Distance Bounding Ioane Boureanu Ecole Polytechnique Fédérale de Lausanne (EPFL) ESC2013
2 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
3 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
4 Message Generic Many formal and informal security results on distance-bounding (DB) are flawed. Specific The PRF assumption does NOT protect against distance fraud or MiM! PK-techniques are NOT enough against terrorist fraud! Certain instances of symmetric encryption schemes used inside DB lead to MiM attacks!
5 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
6 Distance-Bounding Distance-Bounding (DB) Protocols DB Essentials introduced by Brands and Chaum in [2] cryptographically enhanced verification of an upper-bound distance between a prover tag P and a verifier reader V (i.e., attempting to detect delays and other frauds in the prover s responses) implemented versions of DB protocols have only proven to be efficient in preventing relay attacks [3].
7 Distance-Bounding Distance-Bounding (DB) Protocols Why do we care then? see secure remote unlocking (e.g., [5]) distance-bounding protocols should be designed to resist against more generic attacks and formal models and proofs have some shortfalls!
8 Distance-Bounding Distance-Bounding (DB) Protocols Why do we care then? see secure remote unlocking (e.g., [5]) distance-bounding protocols should be designed to resist against more generic attacks and formal models and proofs have some shortfalls!
9 Distance-Bounding Distance-Bounding (DB) Protocols An Idea of Most DB (generalising, e.g., [7, 6]) Verifier V shared secret x Prover P shared secret x Initialisation phase messages V messages P a := f x (messages P, messages V ) Distance-bounding phase for i = 1 to n Start Clock c i r i := F(c i, a i, x i ) Stop Clock r i
10 Distance-Bounding Distance-Bounding (DB) Protocols DB relies on a cryptographic exchange, part of which is timed; the round-trip-time is then used to estimate the distance between P and V DB is not a service for secure location (i.e., the verifier/reader is not assisted by base stations in his decisions) DB should be a secure proximity-identification service, using time-of-flight (ToF) measurements
11 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
12 Attacks Distance Fraud: P V }{{} far away Distance-Bounding Protocols (Extended Abstract). [Brands and Chaum, EUROCRYPT93] the prover is dishonest and far-away, but tries to convince the verifier that he s close [2]
13 Attacks Mafia Fraud: P A V }{{} far away Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] an intruder exploits an honest prover and an honest verifier to show that the latter is close to the former, when this is not the case;
14 Attacks MiM Attack: P A V }{{} far away MiM intruder, in presence of possibly several provers and several verifiers, tries to mount an attack in which he gains the privileges of one of the provers
15 Attacks Terrorist Fraud P A V }{{} far away Major Security Problems with the Unforgeable (Feige)-Fiat-Shamir Proofs of Identity and How to Overcome Them [Desmedt SECURICOM 1988] a corrupted/coerced prover collaborates with an attacker to prove that the former is close to a far-away verifier the terrorist would not disclose his secret key
16 Other Attacks Distance Highjacking Fraud Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012] a mixture of distance fraud and terrorist fraud a far-away dishonest prover is abusing several provers who are close to a verifier V in order to prove that he is close to V
17 Other Attacks Distance Highjacking Fraud Distance Hijacking Attacks on Distance Bounding Protocols [Cremers-Rasmussen-Čapkun IEEE S&P 2012] a mixture of distance fraud and terrorist fraud a far-away dishonest prover is abusing several provers who are close to a verifier V in order to prove that he is close to V Impersonation Fraud A Formal Approach to Distance Bounding RFID Protocols [Dürholz-Fischlin-Kasper-Onete ISC 2011] one corrupted prover tries to pass as another prover
18 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
19 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )
20 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )
21 DB Instability most of the (in)security results = attack strategies, NOT security proofs in security models some security models [4] contain incorrect proofs/arguments:! replacing a PRF by a random function at a place where the adversary has access to the PRF key or at a place where the PRF key is simultaneously used at other places in the protocol other problems (e.g., PK not enough to deter TF & symm. encryptions used inside may lead to MiM attacks )
22 PRF (unfortunate) choices Trapdoor PRFs in DB Idea out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F
23 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F
24 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F Result distance-frauds exhibited on several DB protocols mafia-frauds exhibited on several DB protocols
25 PRF (unfortunate) choices Trapdoor PRFs in DB Idea to prove the PRF assumption is not enough for DB On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] out of a PRF G, construct another PRF F with f (trapdoor)=special_value for f F Formal Intuition Result f k (x) = { σ(k, x), if x correctpad(k) g k (x), otherwise. distance-frauds exhibited on several DB protocols mafia-frauds exhibited on several DB protocols
26 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks Example: The TDB [1] Protocol Verifier V MiM attack Prover P shared key s G m shared key s G m Initialisation phase N V {0, 1} m N P NP {0, 1} m N V DF attack For j = 1,..., m For j = 1,..., m For i = 1,..., n For j = 1,..., m compute r i,j based on f s(n P, N V ) compute r i,j based on f s(n P, N V ) Distance-bounding phase for i = 1 to m Pick c i [1, n] Start Clock c i r ci,i Stop Clock verify the responses and that t i 2 t max Out V (...)
27 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks Frequent Instance of TDB n = k = 3, G = F 2 the 3 m response-matrix of the form: r 1,1 r 1,m R 1 = r 2,1... r2,m s 1 r 1,1 r 2,1 s m r 1,m r 2,m
28 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks DF Attack on TDB Let g be a PRF from {0, 1} 2m to itself. Take the PRF f as follows: { s s, f s (N P, N V ) = g s (N P, N V ), if N P = s otherwise Let P choose N P =s the R 1 matrix has all its rows equal to s for all c i the response will be the i-th bit of the secret key s P can win a DF!!! the PRF assumption is not enough for the security of the TDB protocols against DF! TDB
29 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB Let a g s (N P, N V ) = (α, β, γ) be PRF instance. I Let f be as follows: (α, β, γ, β g s(α)), f s(n P, N V ) = s s, if N V is not of the form α (g s(α) lsb m (s)) 2 and (α, β, γ) = g s(n P, N V ) if N V = α (g s(α) lsb m (s)), 2 for some α (cnf. to previous notations, r 1 = (α, β) and r 2 = (γ, β g s (α))) TDB
30 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB STEP 1: the attacker A impersonates first V to P A sends an arbitrary N V, so P calculates some subsecret vectors (α, β, γ, ψ ) for (α, β, γ, β g s (α)) A sends many challenges equal to 1, c i = 1, e.g., for i {1,..., m 2 } A gets the first half of the first subsecret-vector r 1 =(α, β), i.e., A obtains α A sends P many challenges equal to 3, some c i = 3 responses to the latest challenges are equal to r 1 +r 2 +s = (α, β) (γ, β g s (α)) s = (α γ, g s (α)) s A knows g s (α) lsb m (s) 2 A can form N V = α (g s(α) lsb m (s)) 2 TDB II
31 PRF (unfortunate) choices Trapdoor PRFs DF and MiM Attacks MiM Attack on TDB STEP 2: the attacker A impersonates again V to P A makes this new session N V equal to N V above injecting any challenges to the prover, A knows (due to the built-in PRF) that P s responses are the bits of s A will eventually learn the whole of the secret key and he will be subsequently able to impersonate this prover in any circumstance.!! the PRF assumption is not enough for the security of the TDB protocols against MiM! III TDB
32 PRF (unfortunate) choices Other Results based on Programmed PRFs On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols [Boureanu-Mitrokotsa-Vaudenay Latincrypt 2012] protocol distance fraud man-in-the-middle attack TDB Avoine-Lauradoux-Martin [ACM WiSec 2011] Dürholz-Fischlin-Kasper-Onete [ISC 2011] Hancke-Kuhn [Securecomm 2005] Avoine-Tchamkerten [ISC 2009] Reid-Nieto-Tang-Senadji [ASIACCS 2007] Swiss-Knife Kim-Avoine-Koeune- Standaert-Pereira [ICISC 2008]
33 Unnecessary PK & Unfortunate Encryption Choices The Bussard-Bagga (BB) Protocols [Bussard-Bagga IFIP SEC 2005] Verifier public key: y Prover secret key: x z k,ze initialization phase pick k, v, v, e = Enc k (x), e = (ux k) mod p 1 z k,i = commit(k i, v i ) z e,i = commit(e i, v i ) where commit(b, v) = g b h v mod p with g, h of Z p and z = comm((k + e) mod (p 1), v); z = i (z k,i z e,i ) 2i 1, v = i (v i + v i )2i 1 pick c i start clock stop clock check openable commitments check timers c i r i ri = distance bounding phase for i = 1 to n { ki if c i = 0 e i if c i = 1 termination { phase γ vi if c γ i = i = 0 v i if c i = 1 PoK(x)... Out V
34 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above
35 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above
36 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above
37 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above
38 Unnecessary PK & Unfortunate Encryption Choices On the Instances & Follow-ups of Bussard-Bagga BB instances to protect against terrorist fraud addition modulo p 1 DBPK-Log: Enc k (x) = x k mod p 1 modular addition with random factor DBPK-Log: Enc k (x; u) = (u, ux k mod p 1) BB s children e.g., Reid et al. protocol with Enc k (x) as per the above
39 Unnecessary PK & Unfortunate Encryption Choices A Terrorist-Fraud Attack on BB [BBMSV, Inscrypt 2012] Verifier V Adversary A Prover P Initialization phase A guesses the future value c 1 and compute the commitments: set z k,i := commit(k i, v i ), z e,i := commit(e i, v i ) for all i > 1 set z k,1 := commit(k 1, v i ) if c 1 = 0 (z e,1 is a free variable) set z e,1 := commit(e 1, v i ) if c 1 = 1 (z k,1 is a free variable) solve z = i (z k,i z e,i ) 2i 1 in the remaining free variable for i = 1 to m z := i (z k,i z e,i ) 2i 1 z k,i,z e,i Distance-bounding phase for i = 1 to m c if i i = 1 and c1 incorrect, abort { r i k ri := i if c i = 0 e i if c i = 1 Commitment opening phase for { i = 1 to m γ i γi := v i if c i = 0 v i if c i = 1 z z = g ux h v mod p Proof of knowledge phase PoK verify z prove x, v for z
40 Unnecessary PK & Unfortunate Encryption Choices TF on BB (Cont d) it succeeds with prob. 1 2 (or even 1 if the verifier allows an error in the first round) the proof-of-knowledge is zero-knowledge and x is not used anywhere else the adversary learns no information about x it is a valid terrorist fraud it can be transformed in a DF P can take k i = e i, i = 2,..., m if x is even, P can select k = e = x 2 and u = 1 and we have r i = k i = e i for every i. if x is odd, P can select k = x 1 2, e = x+1 2, and u = 1 so that r i = k i = e i for i 2.
41 Unnecessary PK & Unfortunate Encryption Choices MiM Attacks on Bussard-Bagga s Children The Bussard-Bagga and Other Distance-Bounding Protocols under Man-in-the-Middle Attacks [Bay-Boureanu-Mitrokotsa-Spulber-Vaudenay Inscrypt 2012] MiM attacks, exploiting the different instantiations of the symmetric encryption inside Bussard-Bagga s followers, e.g., in Reid et al. later
42 Outline 1 Topic and Aim 2 Intro to Distance-Bounding Distance-Bounding 3 DB Security Threats 4 Security Flaws PRF (unfortunate) choices Unnecessary PK & Unfortunate Encryption Choices 5 Secure DB?
43 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
44 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
45 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
46 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
47 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
48 Problem 1: Integrate Time in the Communication Model all communication are subject to a transmission speed limit! information is broadcast, local on a growing sphere adversary is also local (maybe several adversaries) adversary can impersonate and change the message destination honest people only see messages for which they are destinator all communication is subject to random noise with caveat: adversary sees message with no noise (better equipment) if time allows, honest participants see message with no noise (error correction)
49 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
50 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
51 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
52 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
53 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
54 Problem 2: Find a General Threat Model distance fraud: P(x) far from all V (x) s want to make one V (x) accept (interaction with other P(x ) and V (x ) possible anywhere) also captures distance hijacking man-in-the-middle: learning phase: A interacts with many P s and V s attack phase: P(x) s far away from V (x) s, A interacts with them and possible P(x ) s and V (x ) s A wants to make one V (x) accept also captures impersonation collusion fraud: P(x) far from all V (x) s interacts with A and makes one V (x) accept, but View(A) does not give any advantage to mount a man-in-the-middle attack
55 Problem 3: Crypto Assumptions to Make Proofs Correct PRF masking: a bitstring a is chosen by the verifier and sent encrypted using the PRF [M = a PRF x ( )] circular keying: if A makes a query (y i, a i, b i ), the oracle answers (a i x ) + (b i f x (y i )) A cannot distinguish if x = x or x and x are independent caveat: for all c 1,..., c q s.t. c 1 b c q b q = 0, we must have c 1 a c q a q = 0
56 Problem 3: Crypto Assumptions to Make Proofs Correct PRF masking: a bitstring a is chosen by the verifier and sent encrypted using the PRF [M = a PRF x ( )] circular keying: if A makes a query (y i, a i, b i ), the oracle answers (a i x ) + (b i f x (y i )) A cannot distinguish if x = x or x and x are independent caveat: for all c 1,..., c q s.t. c 1 b c q b q = 0, we must have c 1 a c q a q = 0
57 The SKI Protocol Verifier secret: x Prover secret: x initialization phase N P pick NP M,N pick M, N V V a 1 a 2 = M f x (N P, N V ) a 1 a 2 = M f x (N P, N V ) pick c i {1, 2, 3} start clock stop clock check τ responses check timers f is a circular-keying secure PRF distance bounding phase for i = 1 to n c i r i ri = Out V a 1,i if c i = 1 a 2,i if c i = 2 x i a 1,i a 2,i if c i = 3
58 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2
59 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2
60 SKI Security Theorem If f is a circular-keying secure PRF and V requires at least τ correct rounds, there is no DF with Pr[success] B(n, τ, 3 4 ) there is no MiM with Pr[success] B(n, τ, 2 3 ) for all CF such that Pr[CF succeeds] p there is an assosiated MiM such that p Pr[MiM(View A ) succeeds CF succeeds] B(n, τ, ρ) = n ( n i i=τ ) ρ i (1 ρ) n i ( 1+ 1 p ) 2
61 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security
62 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security
63 Conclusion several proposed protocols from the literature are insecure several security proofs from the literature are incorrect SKI offers provable security
64 Thank you!
65 A Generic MiM Attack [7, 6] Non-Narrow DB Attacker Verifier V Adversary A Prover P shared key x Initialisation phase shared key x flaws V and P establish the session key a a := f x(c, N V, N P ) a := f x(c, N V, N P ) Distance bounding phase for i = 1 to m I Pick c i U {0, 1} Start Clock Stop Clock verify responses, check t i 2 t max i i,..., m c i r i to c i Out V (...) c i =c i δ i r i to c i Out V (...)
66 A Generic MiM Attack [7, 6] Non-Narrow DB Attacker this non-narrow attacker A can find the jth bit of the key x, i.e., : x j = r j r j Out V II depending on the protocol, this A can be more or less succesful
67 A Generic MiM Attack [7, 6] Reid et al. Encryption Failure DBPK enc Reid s. consider E k (x) = x k mod n in Reid et al., with x Z n, k U Z n, n fixed with m bits (i.e., e = x k mod n) e = x k + cn, (1) where c = 1 k>x For e 0 = lsb(e), we have { x 0 k 0, if x k, e 0 = x 0 k 0 n 0, if x < k. or, e 0 = x 0 k 0 c n 0.
68 A Generic MiM Attack [7, 6] Ex.: n odd, lsb(x) I n 0 = 1 (2) e 0 = x 0 k 0 c where c = 1 k>x MiM attack (x + 1) p = Pr[c = 1] = Pr[k > x] = 1 n x > n/2 most of c s are 0 x 0 is the majority of the obtained e 0 k 0 A tries N sessions, i.e.,: Bit i = e 0 k 0 = x 0 c i, i {1,..., N}, A uses a majority function to find x 0 such as { x 0, if x > n Majority(Bit 1,..., Bit N ) 2, n
69 A Generic MiM Attack [7, 6] Ex.: n odd, lsb(x) II MiM attack so, Pr[Bit i = x 0 1 x<n/2 ] = 1/2 + p 1/2. so, by the Chernoff bound bound, Pr [ Maj(Bit 1,..., Bit N ) = x 0 1 x<n/2 ] 1 e 2N(p 1/2) 2. take N (1/2 (x + 1)/n) 2 to deduce x 0 by the guess 1 x<n/2.
70 A Generic MiM Attack [7, 6] MiM Attacks on DB Cont d the other cases for the attack for other encryption functions are similar! other protocols can be attacked in this fashion MiM attack!! secure encryption functions may not be enough for the security of the DB protocols against MiM!
71 The Reid et al. Protocol MiM attack Verifier secret: x pick N V k = f x (P V N V N P ) e = Enc k (x) Prover secret: x initialization phase V,N V pick NP P,N P k = fx (P V N V N P ) e = Enc k (x) pick c i start clock stop clock check responses check timers distance bounding phase for i = 1 to n c i r i ri = Out V { ki if c i = 0 e i if c i = 1
72 PRFs D O : Black-Box Oracle Queries to Distinguish Let F be a family of functions from D R, b be a bit. 1: Parameters: sec. param. s; poly; a ppt. alg. D; l := l(s), L := L(s), l, L > 1; D = {0, 1} l, R = {0, 1} L ; 2: view D := 3: while (no special end-query) 4: x D(view D ; r D ); x D 5: y O(x); y R 6: view D := view D {y} 7: end while trapdoor PRFs
73 PRFs The PRF Game PRF b F,D 1: Parameters: sec. param. s; l := l(s), L := L(s), l, L > 1; D = {0, 1} l, R = {0, 1} L ; a family F := F(s) of fct. in D R ; a ppt. alg. D, a bit b. 2: f 0 U [D R] // pick a random function from D to R 3: f 1 U F //sample a function from the family 4: b D O f b 5: return b trapdoor PRFs
74 PRFs The PRF assumption Consider the parameters before. We say that the family F is a PRF or that the family F respects the PRF assumption if for any ppt. algorithm D, Pr[Out(PRF F,D 0 ) = 1] Pr[Out(PRF F,D) 1 = 1] < negl(s), where negl is a function over natural numbers eventually lower than the inverse of any polynomial and the probability is taken over the random coins of D. trapdoor PRFs
75 G. Avoine, C. Lauradoux, and B. Martin. How Secret-sharing can Defeat Terrorist Fraud. In Proceedings of the 4th ACM Conference on Wireless Network Security WiSec 11, Hamburg, Germany, June ACM, ACM Press. S. Brands and D. Chaum. Distance-Bounding Protocols (Extended Abstract). In Proceedings of EUROCRYPT 93, pages , Lofthus, Norway, May S. Drimer and S. J. Murdoch. Keep your enemies close: distance bounding against smartcard relay attacks. In Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, pages 7:1 7:16, Berkeley, CA, USA, USENIX Association. U. Dürholz, M. Fischlin, M. Kasper, and C. Onete.
76 A Formal Approach to Distance Bounding RFID Protocols. In Proceedings of the 14 th Information Security Conference ISC 2011, LNCS, pages SPRINGER, Ford. Safe and Secure SecuriCode TM Keyless Entry J. Reid, J. M. Gonzalez Nieto, T. Tang, and B. Senadji. Detecting Relay Attacks with Timing-based Protocols. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ASIACCS 07, pages ACM, Y.-J. Tu and S. Piramuthu. RFID Distance Bounding Protocols. In Proceedings of the First International EURASIP Workshop on RFID Technology, 2007.
On the Need for Provably Secure Distance Bounding
On the Need for Provably Secure Distance Bounding Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 1 Introduction to Distance-Bounding
More informationTowards Secure Distance Bounding
Towards Secure Distance Bounding Ioana Boureanu, Katerina Mitrokotsa, Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2013 distance bounding FSE 2013 1 / 48 1 Why Distance-Bounding?
More informationA Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol
A Prover-Anonymous and Terrorist-Fraud Resistant Distance-Bounding Protocol Xavier Bultel 1 Sébastien Gambs 2 David Gerault 1 Pascal Lafourcade 1 Cristina Onete 3 Jean-Marc Robert 4 1 University Clermont
More informationOptimal Proximity Proofs
Optimal Proximity Proofs Ioana Boureanu 1 and Serge Vaudenay 2 1 Akamai Technologies Limited EMEA HQ, UK http://people.itcarlson.com/ioana 2 EPFL Lausanne, Switzerland http://lasec.epfl.ch Abstract. Provably
More informationarxiv: v1 [cs.cr] 22 May 2014
Distance-bounding facing both mafia and distance frauds: Technical report Rolando Trujillo-Rasua 1, Benjamin Martin 2, and Gildas Avoine 2,3 arxiv:1405.5704v1 [cs.cr] 22 May 2014 1 Interdisciplinary Centre
More informationEfficient Public-Key Distance Bounding
Efficient Public-Key Distance Bounding HNDN KILINÇ ND SERGE VUDENY 1 1. Introduction of Distance Bounding 2. Formal Definitions for Security and Privacy 3. Weak uthenticated Key greement 4. Our Protocols:
More informationOn selecting the nonce length in distance-bounding protocols
On selecting the nonce length in distance-bounding protocols Aikaterini Mitrokotsa, Pedro Peris-Lopez 2, Christos Dimitrakakis and Serge Vaudenay EPFL 2 Carlos III University of Madrid Email: {katerina.mitrokotsa,christos.dimitrakakis,serge.vaudenay}@epfl.ch,
More informationThe Poulidor Distance-Bounding Protocol
The Poulidor Distance-Bounding Protocol Rolando Trujillo-Rasua 1, Benjamin Martin, and Gildas Avoine 1 Universitat Rovira i Virgili Department of Computer Engineering and Mathematics Catalonia, Spain rolando.trujillo@urv.cat
More informationBreaking and Fixing the HB+DB protocol
Breaking and Fixing the HB+DB protocol Ioana Boureanu 1, David Gerault 2, Pascal Lafourcade 2, and Cristina Onete 3 1 University of Surrey SCCS i.boureanu@surrey.ac.uk 2 University Clermont Auvergne LIMOS
More informationMAFIA fraud is a man-in-the-middle attack against an
5690 IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, VOL. 13, NO. 10, OCTOBER 2014 Distance Bounding Facing Both Mafia and Distance Frauds Rolando Trujillo-Rasua, Benjamin Martin, and Gildas Avoine Abstract
More informationDRAFT. Distance-Bounding Protocols: Verification without Time and Location. Sjouke Mauw CSC/SnT University of Luxembourg
Distance-Bounding Protocols: Verification without Time and Location Sjouke Mauw CSC/SnT University of Luxembourg sjouke.mauw@uni.lu Zach Smith CSC University of Luxembourg zach.smith@uni.lu Jorge Toro-Pozo
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 14: Secure Multiparty Computation
600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research
More informationNo#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability
No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability Paris, 19/03/2014 CIDRE Cristina Onete Meet the girl Need authentication Marie-Claire Cris%na Onete 19/03/2014 2 Secure Authentication
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationSemantic Security of RSA. Semantic Security
Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More information(Convertible) Undeniable Signatures without Random Oracles
Convertible) Undeniable Signatures without Random Oracles Tsz Hon Yuen 1, Man Ho Au 1, Joseph K. Liu 2, and Willy Susilo 1 1 Centre for Computer and Information Security Research School of Computer Science
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationRandom Oracles in a Quantum World
Random Oracles in a Quantum World AsiaISG Research Seminars 2011/2012 Özgür Dagdelen, Marc Fischlin (TU Darmstadt) Dan Boneh, Mark Zhandry (Stanford University) Anja Lehmann (IBM Zurich) Christian Schaffner
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationPruning and Extending the HB + Family Tree
Pruning and Extending the HB + Family Tree Henri Gilbert, Matt Robshaw, and Yannick Seurin Orange Labs unrestricted Outline HB + [Juels and Weis 05]: strengths and weaknesses Cryptanalysis of HB + variants
More informationClassical Verification of Quantum Computations
Classical Verification of Quantum Computations Urmila Mahadev UC Berkeley September 12, 2018 Classical versus Quantum Computers Can a classical computer verify a quantum computation? Classical output (decision
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationDistance-Bounding Protocols: Verification without Time and Location
Distance-Bounding Protocols: Verification without Time and Location Sjouke Mauw 1,2 Zach Smith 1 Jorge Toro-Pozo 1 Rolando Trujillo-Rasua 2 1 CSC / 2 SnT, University of Luxembourg 6, ave. de la Fonte,
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationVI. The Fiat-Shamir Heuristic
VI. The Fiat-Shamir Heuristic - as already seen signatures can be used and are used in practice to design identification protocols - next we show how we can obtain signatures schemes from - protocols using
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationHomework 7 Solutions
Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationFraud within Asymmetric Multi-Hop Cellular Networks
Financial Cryptography 2005 EPFL, Lausanne, Switzerland ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE Wireless networks Single-hop cellular network Multi-hop network Multi-hop cellular network Asymmetric multi-hop
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationCS151 Complexity Theory. Lecture 13 May 15, 2017
CS151 Complexity Theory Lecture 13 May 15, 2017 Relationship to other classes To compare to classes of decision problems, usually consider P #P which is a decision class easy: NP, conp P #P easy: P #P
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationThe Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes
Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages
More information