Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications
|
|
- Collin Burns
- 5 years ago
- Views:
Transcription
1 Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications Xi-Jun Lin and Lin Sun November 8, 03 Abstract: The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Key words: Anonymous credential system; Fully decentralized protocol; Threshold cryptography; Zero-knowledge proof of knowledge; Smart community Introduction The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. [] proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In Alcaide et al. s protocol, two roles are defined for participant nodes: Users and Data Collectors. Users are the nodes originating the data. They can anonymously and unlinkably authenticate themselves in front of data collectors proving possession of a valid Anonymous Access Credential (AAC) encoding a particular set of attributes. Data collectors are entities responsible for the collection of data from authorized users. Therefore, before collecting the data, the data collector must verify that the user holds a valid AAC encoding a particular set of attributes. The main characteristics of their protocol are: The protocol does not rely on any central organization. The users of the system jointly generate and distribute a private key that is used in a (t, n)-threshold fashion. This allows up to t nodes to be compromised without the key being compromised. X.J.Lin is with the Department of Computer Sciences and Technology, Ocean University of China. Qingdao 00, P.R.China. linxj77@3.com L. Sun is with the College of Liberal Arts, Qingdao University. Qingdao 07, P.R.China. sunlin9@.com
2 Users of the system can obtain an AAC encoding a set of certified attributes and use such an AAC to anonymously and unlinkably authenticate themselves to data collector entities. Data collectors can anonymously authenticate users by means of attribute-based boolean formulas, which can be defined and modified by the data collector itself at any time. Without loss of generality, their protocol is described assuming that users are authenticated based on only two attributes (x, x ), which can be derived from a standard certificate x signed by some trusted external entity (i.e., a certification authority). In the protocol, once verified, the attributes (x, x ) will be encoded into an AAC so that the user can prove possession of those attributes without disclosing their actual value. Any linear boolean formula (or a conjunction of formulas) can be used to anonymously authenticate users as legitimate participants. Such a formula can be represented as the function Φ R (x, x ). As mentioned before, users can prove that the attributes x and x, encoded in a AAC, satisfy Φ R (x, x ) = without revealing the actual attribute values. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Alcaide et al. s Protocol Their protocol consists of three phases: Set-Up (where all parameters are generated), User Registration (users obtain AAC) and Credential Proving (users prove possession of a valid AAC to a data collector).. Set-Up In this phase, a community of n users, {U i : i =,, n}, known as founders, comes together to generate all protocol parameters. As a result of this phase, each founder U i holds two tuples: a public tuple: P ub i = (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ) equal for all founders. a private tuple: P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) different for each founder U i. (N, ε, V, V, V 3, d, v, v, v 3 ) are generated by the founders in a joint and decentralized manner, where d = ε, v = V, v = V, v 3 = V3 (mod ϕ(n)) and N = 4p p + p + p + such that (p, p ) are Sophie Germain primes. q is a prime picked by a
3 super node such that N (q ). (e, g, c, h,, h ) are picked by the super node randomly and broadcasted to the founders. s = g d, g = g v, g = g v, g 3 = g3 v (mod N) are also broadcasted by the super node so that every founder holds them. P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) are shares that the founder U i holds of the secret values (p, p, ϕ(n), d, v, v, v 3 ) respectively. At the end of this phase, the founders have computed the necessary cryptographic material to create AACs for valid data holders later on. The detail of this phase which has nothing to do with our attack is omitted here.. User Registration In this phase, a new user U new, holding a valid certificate x, obtains the necessary material from (t + ) founders to construct its own Anonymous Access Credential AAC new, a token that encodes U new s attributes (x, x ) Z e and allows U new to anonymously and unlinkably prove to the data collector to be a legitimate participant. Before U new can participate in the system, it needs to obtain the protocol public parameters. In order to do that, U new simply requests the tuple P ub i from some founder U i and makes P ub new = P ub i. The process that U new must follow to construct AAC new is described as follows. U new picks x 3 R Z e such that gcd(x 3, ε) = and x R Z N, and then computes a = g x 3 3 xe (mod N). Then, it picks b c (mod N) randomly, and then sends ( x, a, b) to the founders. After receiving ( x, a, b), each founder U i verifies x and extracts the attributes (x, x ) from x. Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N). Furthermore, it signs m with its private tuple P riv i and sends σ i (m) to U new. After receiving (t + ) partial signatures σ i (m) from the founders, U new generates the signature v = σ(m). Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N), and then checks whether the equation v ε = m (mod N) holds. If the equation holds, U new obtains its own Anonymous Access Credential AAC new = (x, x, x 3, x, v). AAC new must be kept secretly at all times, only randomized versions of it will be used in the Credential Proving phase. It should be noted that U new must show its certificate to the founders..3 Credential Proving When a user U interacts with a data collector R, U must anonymously and unlinkably prove to R that it holds the appropriate attributes to satisfy the boolean formula Φ R that R uses to authenticate legitimate participants. As the process that U must follow to accomplish such a proof is the key part of the anonymous credential system. Each of the sub-processes is given as follows.. Session values and commitments: every time that U wants to authenticate to the data collector R, U must generate and commit a set of session values, which are secret random values used during a particular authentication operation. This process is given as follows. 3
4 (a) U picks y R Z e, and then computes ˆv = s y v (mod N) ˆm = g y m (mod N) â = g y a (mod N) ˆb = g y b (mod N) Then, it picks w, w, w 3 Z N and computes m = h ˆm hw (mod q) ā = hâ3 hw 4 (mod q) b = hˆb5 h w 3 (mod q) c = mā b (mod q) (In the original paper, ā = hâ hw 3 (mod q). According to the Appendix A.- Theorem [], we correct this typo by replacing it with ā = hâ3 hw 4 (mod q).) (b) U sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge (ZKPoKs): once U has committed some set of values, U and R engage in a series of four ZKPoKs: In order to authenticate U, every operation that R performs at the end of each ZKPoK must succeed. Whatever data R collects from U must follow these authentication subprocess. ZKPoK: The objective of this ZKPoK is to prove that the private attributes (x, x ) that U holds in its AAC satisfy the boolean formula Φ R (x, x ). Note that Φ R can be any linear boolean formula; however, for simplicity reasons, as an example, the authors use: Φ R (x, x ) = αx + β = x : (α, β) Z α, β being chosen by data collector R. Consequently, U must prove, in a zero-knowledge manner, possession of AAC encoding attributes (x, x ) such that αx + β = x. This ZKPoK is given as follows. U picks r y, r, r 3 R Z e and r R Z N, then computes and sends t = g r y(g g α )r g r 3 3 re (mod N) to R. R picks and responds γ R Z t to U. U computes s y = γy + r y (mod e) s = γx + r (mod e) s 3 = γx 3 + r 3 (mod e) s = g (γy+r y)dive (g g α)(γx +r )dive g (γx 3+r 3 )dive 3 x γ r (mod N) It sends (s y, s, s 3, s ) to R. R checks whether the equation (âg β )γ t = g s y(g g α s )s g 3 3 se (mod N) holds. 4
5 ZKPoK: The goal of this ZKPoK is to prove that all session value commitments generated by U are valid. For that matter, U must prove, in a zero-knowledge manner, knowledge of the secret tuple (y, â, ˆb, ˆm). This ZKPoK is given as follows. U picks r ˆb, r, r, r 3 R Z q. Then, it computes and sends t = (h h 5 ) rˆbh r hr 4 hr 3 (mod q) to R. R picks and responds γ R Z q to U. U computes s ˆb = γˆb + r ˆb s = γw + r s = γw + r s 3 = γw 3 + r 3 It sends (s ˆb, s, s, s 3 ) to R. (In the original paper, (s y, s, s 3, s ) is sent to R, we correct this typo by replacing it with (s ˆb, s, s, s 3 ).) R checks whether the equation ( c(h h 3 ) â ) γ t = (h h 5 ) sˆbh s holds. hs 4 hs 3 (mod q) ZKPoK3: The objective of this ZKPoK is to prove that the signature v encoded in U s AAC is valid. In order to do that, U proves, in a zero-knowledge manner, knowledge of the ε-th root of the h -part, which is equivalent to proving that ˆv is the ε-th root of ˆm. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h r ε hr R. (mod q) to R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s (mod N). = r ˆv (mod N) and s = r w (r ˆv ) ε U sends (s, s ) to R. R performs as follows. If γ = 0, it checks whether the equation t = h s ε hs (mod q) holds. If γ =, it checks whether the equation t = m s ε hs (mod q) holds. ZKPoK4: The goal of this ZKPoK is to prove that U knows the session value y involved in ZKPoK - 3. For that matter, U must prove, in a zero-knowledge manner, knowledge of the discrete logarithm with base g of the h 5 -part. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h gr (mod q) to R. (In the original paper, g is used to compute t, we correct this typo by replacing it with g.) R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s = r y and s = r w 3c g s. U sends (s, s ) to R. 5
6 R performs as follows. If γ = 0, it checks whether the equation t = h gs 5 h s (mod q) holds. (In the original paper, g is used in the equation, we correct this typo by replacing it with g.) If γ =, it checks whether the equation t = ( b c ) gs h s (mod q) holds. Note that, if and only if the authentication of user U succeeds (i.e., all ZKPoK - 4 are successful), the data collector R collects data from U. 3 Cryptanalysis In this section, we present an attack to point out that an adversary A can cheat the data collector by impersonating a legitimate user. In our attack, A needs not compromise user nodes. It should be noted that if and only if A processes all ZKPoK-4 with a data collector R successfully, A can cheat R into collecting data from it. Suppose that the public parameters are (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ), and R s data collection policy is the equation Φ R (x, x ) = αx + β = x : (α, β) Z. In the Credential Proving phase, the adversary A interacts with R anonymously and unlinkably as follows.. Session values and commitments: A picks y R Z e, ˆv, a R Z N and w, w, w 3 R Z N. Then, it computes â = g β ae (mod N) m = h ˆm hw (mod q), where ˆm = ˆv ε (mod N) b = hˆb 5 h w 3 (mod q), where ˆb = g y c (mod N) c = (h h 3 )â(h h 5 ) w (mod q) A sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge(ZKPoKs): once A has committed its session values, A and R engage in ZKPoK-4 as follows. ZKPoK: A picks s y, s, s 3 R Z e, and computes t = g s y(g g α )s g s 3 3 (mod N). Then, it sends t to R. After receiving γ from R, A computes s = a γ (mod N), and then sends (s y, s, s 3, s ) to R. Correctness: Since â = g β ae (mod N), t = g s y(g g α s )s g 3 3 (mod N) and s = a γ (mod N), we have that (âg β )γ t = ((g β = a eγ t Hence, ZKPoK is preformed successfully. ae )g β )γ t = a eγ g s y(g g α )s g s 3 3 = g s y(g g α )s g s 3 3 s e (mod N)
7 ZKPoK: A picks s, s, s 3 R Z, and computes t = h s hs 4 hs 3 (mod q). Then, it sends t to R. After receiving γ from R, A computes s ˆb = wγ, and then sends (s ˆb, s, s, s 3 ) to R. Correctness: Since c = (h h 3 )â(h h 5 ) w (mod q), t = h s s ˆb = wγ, we have that hs 4 hs 3 ( c(h h 3 ) â ) γ t = ((h h 3 )â(h h 5 ) w (h h 3 ) â ) γ t = (h h 5 ) wγ t Hence, ZKPoK is preformed successfully. = (h h 5 ) wγ h s hs 4 hs 3 = (h h 5 ) sˆbh s hs 4 hs 3 (mod q) (mod q) and ZKPoK3: A picks r, r R Z N and computes t = h r ε hr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r ˆv (mod N) and s = r w (r ˆv ) ε (mod N) A sends (s, s ) to R. Correctness: Since t = h r ε (mod N), we have that (a) if γ = 0, t = h r ε hr (b) if γ =, we have that hr (mod q) and m = h ˆm hw (mod q), where ˆm = ˆv ε = ε hs hs (mod q) m s ε s h = (h ˆm hw ε s )s h = (h ˆm hw )(r ˆv ) ε h r w (r ˆv ) ε = (h ˆm )(r ˆv ) ε h r = (hˆvε )(r ˆv ) ε h r = h r ε hr = t (mod q) Hence, ZKPoK3 is preformed successfully. ZKPoK4: A picks r, r R Z N and computes t = h gr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r y and s = r w 3c g s A sends (s, s ) to R. Correctness: Since t = h gr (mod N), we have that (a) if γ = 0, t = h gr (b) if γ =, we have that (mod q) and b = hˆb 5 h w 3 (mod q), where ˆb = g y c = hgs 5 h s (mod q) 7
8 ( b c ) gs h s = ((hˆb 5 h w 3 = ((hˆb 5 h w 3 )c ) gs = hˆbc g s h s )c ) gs h r w 3c g s = h (gy c)c g s = h gy g s = h gy+(r y) = h gr = t (mod q) Hence, ZKPoK4 is preformed successfully. Since all ZKPoK-4 are successful, R authenticates the adversary A as a legitimate user, and then collects data from it. Hence, the protocol is broken. Another main flaw of Alcaide et al. s protocol is given below. In User Registration phase, since the new user U new sends its certificate x in plaintext to the founders, x can be captured by A. Then, A sends ( x, a, b) to the founders by impersonating U new, where a and b are computed by A itself. Since the founders are user nodes, it is reasonable to assume that they are stateless. Hence, they do not know whether x belongs to a user who has already received its AAC. So A can obtain (t + ) partial signatures from the founders, then it can construct a valid AAC. That is, once a user s certificate is sent in plaintext in User Registration phase, the adversary A can obtain this certificate and forge a valid AAC by impersonating this user. With this AAC, A can cheat the data collectors in Credentail Proving phase. 4 Conclusion Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. References [] A.Alcaide, E.Palomar, J.Montero-Castillo and A.Ribagorda. Anonymous authentication for privacy-preserving IoT target-driven applications. Computers & Security. 37 (03). pp:-3. 8
CPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures
Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures Kallepu Raju, Appala Naidu Tentu, V. Ch. Venkaiah Abstract: Group key distribution protocol is
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationAn Anonymous Authentication Scheme for Trusted Computing Platform
An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection
More informationOn Security of Two Nonrepudiable Threshold Multi-proxy Multi-signature Schemes with Shared Verification
International Journal of Network Security, Vol.4, No.3, PP.248 253, May 2007 248 On Security of Two Nonrepudiable Threshold Multi-proxy Multi-signature Schemes with Shared Verification Rongxing Lu, Zhenfu
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More informationRing Group Signatures
Ring Group Signatures Liqun Chen Hewlett-Packard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationA FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington
A FEW E-COMMERCE APPLICATIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 9 of Trappe and Washington E-COMMERCE: SET SET = Secure Electronic Transaction Consider a credit
More informationLecture Notes, Week 10
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 10 (rev. 2) Professor M. J. Fischer March 29 & 31, 2005 Lecture Notes, Week 10 1 Zero Knowledge Interactive
More informationA Fully-Functional group signature scheme over only known-order group
A Fully-Functional group signature scheme over only known-order group Atsuko Miyaji and Kozue Umeda 1-1, Asahidai, Tatsunokuchi, Nomi, Ishikawa, 923-1292, Japan {kozueu, miyaji}@jaist.ac.jp Abstract. The
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Dept. of Computer Science & Information Engineering and Dept. of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationA NOVEL APPROACH FOR SECURE MULTI-PARTY SECRET SHARING SCHEME VIA QUANTUM CRYPTOGRAPHY
A NOVEL APPROACH FOR SECURE MULI-PARY SECRE SHARING SCHEME VIA QUANUM CRYPOGRAPHY Noor Ul Ain Dept. of Computing, SEECS National University of Sciences and echnology H-1 Islamabad, Pakistan 13msccsnaain@seecs.edu.pk
More informationSecret Sharing CPT, Version 3
Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationA DAA Scheme Requiring Less TPM Resources
A DAA Scheme Requiring Less TPM Resources Liqun Chen Hewlett-Packard Laboratories liqun.chen@hp.com Abstract. Direct anonymous attestation (DAA) is a special digital signature primitive, which provides
More informationNo#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability
No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability Paris, 19/03/2014 CIDRE Cristina Onete Meet the girl Need authentication Marie-Claire Cris%na Onete 19/03/2014 2 Secure Authentication
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationConvertible Group Undeniable Signatures
Convertible Group Undeniable Signatures Yuh-Dauh Lyuu 1 and Ming-Luen Wu 2 1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan lyuu@csie.ntu.edu.tw
More informationMulti-key Hierarchical Identity-Based Signatures
Multi-key Hierarchical Identity-Based Signatures Hoon Wei Lim Nanyang Technological University 9 June 2010 Outline 1 Introduction 2 Preliminaries 3 Multi-key HIBS 4 Security Analysis 5 Discussion 6 Open
More informationA PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS
A PUBLIC-KEY THRESHOLD CRYPTOSYSTEM BASED ON RESIDUE RINGS STEPHANIE DEACON, EDUARDO DUEÑEZ, AND JOSÉ IOVINO Abstract. We present a generalization of Pedersen s public-key threshold cryptosystem. Pedersen
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationAccumulators and U-Prove Revocation
Accumulators and U-Prove Revocation Tolga Acar 1, Sherman S.M. Chow 2, and Lan Nguyen 3 1 Intel Corporation tolga.acar@intel.com 2 Microsoft Research lan.duy.nguyen@microsoft.com 3 Department of Information
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationAnonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationQuantum Cryptography
Quantum Cryptography (Notes for Course on Quantum Computation and Information Theory. Sec. 13) Robert B. Griffiths Version of 26 March 2003 References: Gisin = N. Gisin et al., Rev. Mod. Phys. 74, 145
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationGroup Undeniable Signatures
Group Undeniable Signatures YUH-DAUH LYUU Department of Computer Science & Information Engineering and Department of Finance National Taiwan University No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan lyuu@csie.ntu.edu.tw
More informationSession-Key Generation using Human Passwords Only
Session-Key Generation using Human Passwords Only Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Yehuda Lindell Department of Computer
More informationRemote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant
Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant Roberto Araújo, Amira Barki, Solenn Brunet and Jacques Traoré 1st Workshop on Advances in Secure Electronic Voting Schemes VOTING
More informationA New Proxy Signature Scheme for a Specified Group of Verifiers
A New Proxy Signature Scheme for a Specified Group of Verifiers Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Computer Science and Information Engineering Asia University No. 500, Lioufeng
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationUniversal Accumulators with Efficient Nonmembership Proofs
Universal Accumulators with Efficient Nonmembership Proofs Jiangtao Li 1, Ninghui Li 2, and Rui Xue 3 1 Intel Corporation jiangtao.li@intel.com 2 Purdue University ninghui@cs.purdue.edu 3 University of
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationDynamic Universal Accumulators for DDH Groups and Their Application to Attribute-Based Anonymous Credential Systems
Dynamic Universal Accumulators for DDH Groups and Their Application to Attribute-Based Anonymous Credential Systems Man Ho Au Patrick P. Tsang Willy Susilo Yi Mu Dartmouth Computer Science Technical Report
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationA Security Model for Anonymous Credential Systems
A Security Model for Anonymous Credential Systems Andreas Pashalidis and Chris J. Mitchell Information Security Group Royal Holloway, University of London E-mail: {A.Pashalidis,C.Mitchell}@rhul.ac.uk corrected
More information