Roberto Metere,Changyu Dong

DOI: https://doi.org/10.1007/978-3-319-65127-9_22

2017-05-17

Abstract:Aiming for strong security assurance, recently there has been an increasing interest in formal verification of cryptographic constructions. This paper presents a mechanised formal verification of the popular Pedersen commitment protocol, proving its security properties of correctness, perfect hiding, and computational binding. To formally verify the protocol, we extended the theory of EasyCrypt, a framework which allows for reasoning in the computational model, to support the discrete logarithm and an abstraction of commitment protocols. Commitments are building blocks of many cryptographic constructions, for example, verifiable secret sharing, zero-knowledge proofs, and e-voting. Our work paves the way for the verification of those more complex constructions.

Cryptography and Security

Shuai Han,Tibor Jager,Eike Kiltz,Shengli Liu,Jiaxin Pan,Doreen Riepel,Sven Schaege

DOI: https://doi.org/10.1007/978-3-030-84259-8_23

2021-01-01

Abstract:We construct the first authenticated key exchange protocols that achieve tight security in the standard model. Previous works either relied on techniques that seem to inherently require a random oracle, or achieved only "Multi-Bit-Guess" security, which is not known to compose tightly, for instance, to build a secure channel. Our constructions are generic, based on digital signatures and key encapsulation mechanisms (KEMs). The main technical challenges we resolve is to determine suitable KEM security notions which on the one hand are strong enough to yield tight security, but at the same time weak enough to be efficiently instantiable in the standard model, based on standard techniques such as universal hash proof systems. Digital signature schemes with tight multi-user security in presence of adaptive corruptions are a central building block, which is used in all known constructions of tightly-secure AKE with full forward security. We identify a subtle gap in the security proof of the only previously known efficient standard model scheme by Bader et al. (TCC 2015). We develop a new variant, which yields the currently most efficient signature scheme that achieves this strong security notion without random oracles and based on standard hardness assumptions.

Ang Gao

DOI: https://doi.org/10.4156/jdcta.vol4.issue8.17

2010-01-01

Abstract:In wireless ad hoc networks environment, Bellovin and Merritt first developed a password-based Encrypted Key Exchange (EKE) protocol against offline dictionary attacks using both symmetric and public-key cryptography independent of the public key infrastructure (PKI). In this paper, we first discover that there exist some weaknesses in EKE protocol that is subjected to imposter attacks based on the analysis result of BAN logic that we apply in EKE protocol. In order to remedy the flaws, we propose an improved scheme—Provable Password-Authenticated Key Exchange (PPAKE) protocol that generates the session key’s timestamp, and verifies the authenticity of public key against imposter attack without online trusted third parties. The proposed protocol is also proven to be secure and trustworthy by BAN logic analysis. In comparison with other schemes, our measurements show that our proposed PPAKE protocol is more safety and requires less computations cost suitable for wireless ad hoc networks.

David Basin,Cas Cremers

DOI: https://doi.org/10.1007/978-3-642-15205-4_1

2010-01-01

Abstract:We present a symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the analysis of cryptographic protocols. The framework’s rules can be combined in different ways to specify different adversary capabilities, capturing different practically-relevant notions of key and state compromise. We have extended an existing security-protocol analysis tool, Scyther, with our adversary models. This is the first tool that systematically supports notions such as weak perfect forward secrecy, key compromise impersonation, and adversaries capable of state-reveal queries. We also introduce the concept of a protocol-security hierarchy, which classifies the relative strength of protocols against different forms of compromise. In case studies, we use Scyther to automatically construct protocol-security hierarchies that refine and correct relationships between protocols previously reported in the cryptographic literature.

Shaoquan Jiang,Yeow Meng Chee,San Ling,Huaxiong Wang,Chaoping Xing

DOI: https://doi.org/10.1016/j.ic.2022.104866

IF: 1.24

2022-01-01

Information and Computation

Abstract:A deniable secure key exchange protocol allows two parties to agree on a common secret while achieving two seemingly contradictory functionalities: authentication and deniability. The former requires each party to confirm the identity of the other while the latter requires any attacker (e.g., participant or eavesdropper) be unable to prove to a third party an honest party's participation. Designing an efficient secure key exchange with deniability is a challenging problem. In this paper, we first formalize the deniability model by requiring information theoretic deniability with an eavesdropping attack. The information theoretic deniability has the advantage that it can hold forever without any computational assumption. An eavesdropping attack (Di Raimondo et al., CCS'06) allows an attacker to apply eavesdropped transcripts into an active attack session. This gives an attacker more power to make the victim undeniable as he does not know the randomness of the transcript. We then propose an efficient, provably deniable secure framework of key exchange. Our deniability holds non-adaptively in the eavesdropping model. However, if we consider a model without an eavesdropping attack (which is practical in many scenarios), then our framework is proven adaptively deniable. This is important since no previous key exchange protocols can satisfy our adaptive and information theoretical deniability. We give a concrete realization for our framework that is more efficient than SKEME (Krawczyk, NDSS'96).

Keita Emura,Akira Kanaoka,Satoshi Ohta,Takeshi Takahashi

DOI: https://doi.org/10.48550/arXiv.1403.7014

2014-05-08

Abstract:Various techniques need to be combined to realize anonymously authenticated communication. Cryptographic tools enable anonymous user authentication while anonymous communication protocols hide users' IP addresses from service providers. One simple approach for realizing anonymously authenticated communication is their simple combination, but this gives rise to another issue; how to build a secure channel. The current public key infrastructure cannot be used since the user's public key identifies the user. To cope with this issue, we propose a protocol that uses identity-based encryption for packet encryption without sacrificing anonymity, and group signature for anonymous user authentication. Communications in the protocol take place through proxy entities that conceal users' IP addresses from service providers. The underlying group signature is customized to meet our objective and improve its efficiency. We also introduce a proof-of-concept implementation to demonstrate the protocol's feasibility. We compare its performance to SSL communication and demonstrate its practicality, and conclude that the protocol realizes secure, anonymous, and authenticated communication between users and service providers with practical performance.

Networking and Internet Architecture,Cryptography and Security

Zhenfu Cao,Ivan Visconti,Zongyang Zhang

DOI: https://doi.org/10.1016/j.ipl.2011.06.004

IF: 0.851

2011-01-01

Information Processing Letters

Abstract:Security under man-in-the-middle attacks is extremely important when protocols are executed on asynchronous networks, as the Internet. Focusing on interactive proof systems, one would like also to achieve unconditional soundness, so that proving a false statement is not possible even for a computationally unbounded adversarial prover. Motivated by such requirements, in this paper we address the problem of designing constant-round protocols in the plain model that enjoy simultaneously non-malleability (i.e., security against man-in-the-middle attacks) and unconditional soundness (i.e., they are proof systems).

Hai Huang,Zhenfu Cao

DOI: https://doi.org/10.1002/sec.238

IF: 1.968

2010-01-01

Security and Communication Networks

Abstract:This paper investigates the security model for authenticated key exchange protocols. We further enhance the enhanced Canetti-Krawczyk (eCK) model by introducing a notion called strong key compromise impersonation (SKCI) resilience which is first identified in this paper. SKCI resilience guarantees that the adversary cannot masquerade as another party B to communicate with party A even if the static private key and the ephemeral private key of party A are compromised. We point out that the three-pass authenticated key exchange protocol generically transformed from the two-pass one secure in the eCK model cannot resist the SKCI attack. Finally, we introduce a new authenticated key exchange protocol SIG-DH+ and prove that it satisfies our new definition. Copyright (C) 2010 John Wiley & Sons, Ltd.

Jesus Diaz,David Arroyo,Francisco B. Rodriguez

DOI: https://doi.org/10.48550/arXiv.1201.1134

2012-09-06

Abstract:In this work we present and formally analyze CHAT-SRP (CHAos based Tickets-Secure Registration Protocol), a protocol to provide interactive and collaborative platforms with a cryptographically robust solution to classical security issues. Namely, we focus on the secrecy and authenticity properties while keeping a high usability. In this sense, users are forced to blindly trust the system administrators and developers. Moreover, as far as we know, the use of formal methodologies for the verification of security properties of communication protocols isn't yet a common practice. We propose here a methodology to fill this gap, i.e., to analyse both the security of the proposed protocol and the pertinence of the underlying premises. In this concern, we propose the definition and formal evaluation of a protocol for the distribution of digital identities. Once distributed, these identities can be used to verify integrity and source of information. We base our security analysis on tools for automatic verification of security protocols widely accepted by the scientific community, and on the principles they are based upon. In addition, it is assumed perfect cryptographic primitives in order to focus the analysis on the exchange of protocol messages. The main property of our protocol is the incorporation of tickets, created using digests of chaos based nonces (numbers used only once) and users' personal data. Combined with a multichannel authentication scheme with some previous knowledge, these tickets provide security during the whole protocol by univocally linking each registering user with a single request. [..]

Cryptography and Security

CL Lin,HA Wen,T Hwang,HM Sun

2004-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:We will propose a key-agreement-type three-party password-authenticated key exchange protocol. The proposed protocol is quite efficient and, among the same type of protocols, is the first to be formally proven to be secure. A three-party formal model for security proof is proposed based on [25] and [26]. We construct a simulator in this model to show that our proposed protocol is secure under reasonable and well-defined cryptographic primitives.

Tibor Jager,Florian Kohlar,Sven Schäge,Jörg Schwenk

DOI: https://doi.org/10.1007/s00145-016-9248-2

2017-01-18

Journal of Cryptology

Abstract:<h3 class="a-plus-plus">Abstract</h3> <p class="a-plus-plus">Transport Layer Security (TLS) is the most important cryptographic protocol in use today. However, finding a cryptographic security proof for the complete, unaltered protocol has proven to be a challenging task. We give the first such proof in the standard model for the core cryptographic protocol underlying TLS cipher suites based on ephemeral Diffie–Hellman key exchange (TLS-DHE). This includes the cipher suite <span class="a-plus-plus emphasis fontcategory-non-proportional">TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</span>, which is mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove the TLS Handshake secure in the classical security models of Bellare–Rogaway and Canetti–Krawczyk. The reason for this is that the final <span class="a-plus-plus emphasis fontcategory-non-proportional">Finished</span> messages of the TLS Handshake are encrypted with the session key, which provides an opportunity to distinguish real keys from random values. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS, and give the first proof of this variant in the standard model. Then we define the new notion of authenticated and confidential channel establishment (ACCE), which allows the monolithic analysis of protocols for which a modular security proof is not possible. We show that the combination of the TLS-DHE Handshake protocol and the TLS Record Layer encryption is secure in this model. Since the conference publication of this paper, the notion of ACCE has found many further applications, for example to the analysis of further TLS cipher suites (Krawczyk et al., Crypto 2013; Li et al., PKC 2014), advanced mechanisms like secure renegotiation of TLS session keys (Giesen et al., CCS 2013), and other practical protocols like EMV channel establishment (Brzuska et al., CCS 2013), SSH (Bergsma et al., CCS 2014), and QUIC (Lychev et al., S&amp;P 2015).</p>

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Remi A. Chou,Matthieu R. Bloch

2024-11-09

Abstract:We consider multi-user commitment models that capture the problem of enabling multiple bidders to simultaneously submit auctions to verifiers while ensuring that i) verifiers do not obtain information on the auctions until bidders reveal them at a later stage; and, ii) bidders cannot change their auction once committed. Specifically, we assume that bidders and verifiers have access to a noiseless channel as well as a noisy multiple-access channel or broadcast channel, where inputs are controlled by the bidders and outputs are observed by verifiers. In the case of multiple bidders and a single verifier connected by a non-redundant multiple-access channel, we characterize the commitment capacity region when bidders are not colluding. When the bidders are colluding, we derive an achievable region and a tight converse for the sum rate. In both cases our proposed achievable commitment schemes are constructive. In the case of a single bidder and multiple verifiers connected by a non-redundant broadcast channel, in which verifiers could drop out of the network after auctions are committed, we also characterize the commitment capacity. Our results demonstrate how commitment schemes can benefit from multi-user protocols, and develop resilience when some verifiers may become unavailable.

Information Theory,Cryptography and Security

WANG Sheng-Bao,Zhenfu Cao,DONG Xiao-Lei

2007-01-01

Chinese Journal of Computers

Abstract:This paper presents an identity-based key agreement protocols that are provably secure without random oracles(namely,in the standard model).It is inspired by a new identity-based encryption scheme first proposed by Gentry.This paper details how this key agreement can be used in either escrowed or escrowless mode.All the proposed protocols are compared performance(with respect to computational and communication efficiencies) to all known protocols that are only proven secure in the random oracle model.

Tomoyuki Morimae,Barak Nehoran,Takashi Yamakawa

DOI: https://doi.org/10.1007/978-3-031-68394-7_3

2024-09-06

Abstract:We show the following unconditional results on quantum commitments in two related yet different models: 1. We revisit the notion of quantum auxiliary-input commitments introduced by Chailloux, Kerenidis, and Rosgen (Comput. Complex. 2016) where both the committer and receiver take the same quantum state, which is determined by the security parameter, as quantum auxiliary inputs. We show that computationally-hiding and statistically-binding quantum auxiliary-input commitments exist unconditionally, i.e., without relying on any unproven assumption, while Chailloux et al. assumed a complexity-theoretic assumption, ${\bf QIP}\not\subseteq{\bf QMA}$. On the other hand, we observe that achieving both statistical hiding and statistical binding at the same time is impossible even in the quantum auxiliary-input setting. To the best of our knowledge, this is the first example of unconditionally proving computational security of any form of (classical or quantum) commitments for which statistical security is impossible. As intermediate steps toward our construction, we introduce and unconditionally construct post-quantum sparse pseudorandom distributions and quantum auxiliary-input EFI pairs which may be of independent interest. 2. We introduce a new model which we call the common reference quantum state (CRQS) model where both the committer and receiver take the same quantum state that is randomly sampled by an efficient setup algorithm. We unconditionally prove that there exist statistically hiding and statistically binding commitments in the CRQS model, circumventing the impossibility in the plain model. We also discuss their applications to zero-knowledge proofs, oblivious transfers, and multi-party computations.

Quantum Physics,Cryptography and Security

Rowdy Chotkan,Bart Cox,Vincent Rahli,Jérémie Decouchant

2024-08-15

Abstract:Reliable communication is a fundamental distributed communication abstraction that allows any two nodes of a network to communicate with each other. It is necessary for more powerful communication primitives, such as broadcast and consensus. Using different authentication models, two classical protocols implement reliable communication in unknown and sufficiently connected networks. In the first one, network links are authenticated, and processes rely on dissemination paths to authenticate messages. In the second one, processes generate digital signatures that are flooded in the network. This work considers the hybrid system model that combines authenticated links and authenticated processes. We additionally aim to leverage the possible presence of trusted nodes and trusted components in networks, which have been assumed in the scientific literature and in practice. We first extend the two classical reliable communication protocols to leverage trusted nodes. We then propose DualRC, a novel algorithm that enables reliable communication in the hybrid authentication model by manipulating both dissemination paths and digital signatures, and leverages the possible presence of trusted nodes (e.g., network gateways) and trusted components (e.g., Intel SGX enclaves). We provide correctness verification algorithms to assess whether our algorithms implement reliable communication for all nodes on a given network.

Distributed, Parallel, and Cluster Computing

D DOLEV,AC YAO

DOI: https://doi.org/10.1109/tit.1983.1056650

IF: 2.5

1983-01-01

IEEE Transactions on Information Theory

Abstract:Recently the use of public key encryption to provide secure network communication has received considerable attention. Such public key systems are usually effective against passive eavesdroppers, who merely tap the lines and try to decipher the message. It has been pointed out, however, that an improperly designed protocol could be vulnerable to an active saboteur, one who may impersonate another user or alter the message being transmitted. Several models are formulated in which the security of protocols can be discussed precisely. Algorithms and characterizations that can be used to determine protocol security in these models are given.

Lei Zhang

DOI: https://doi.org/10.1007/978-3-642-37682-5_16

2012-01-01

Abstract:Key agreement protocols are one of the fundamental primitives in cryptography. In this paper, we formalize the security model for certificateless one-way and two-party authenticated key agreement protocols and propose a concrete certificateless one-way and two-party authenticated key agreement protocol. The security of our protocol is proven under the computational Diffie-Hellman, square computational Diffie-Hellman and gap bilinear Diffie-Hellman assumptions. As for efficiency, the protocol requires only one pass and has low communication overhead.

Giacomo Mauro D'Ariano,Dennis Kretschmann,Dirk Schlingemann,Reinhard F. Werner

DOI: https://doi.org/10.1103/PhysRevA.76.032328

2007-10-15

Abstract:Bit commitment protocols whose security is based on the laws of quantum mechanics alone are generally held to be impossible. In this paper we give a strengthened and explicit proof of this result. We extend its scope to a much larger variety of protocols, which may have an arbitrary number of rounds, in which both classical and quantum information is exchanged, and which may include aborts and resets. Moreover, we do not consider the receiver to be bound to a fixed "honest" strategy, so that "anonymous state protocols", which were recently suggested as a possible way to beat the known no-go results are also covered. We show that any concealing protocol allows the sender to find a cheating strategy, which is universal in the sense that it works against any strategy of the receiver. Moreover, if the concealing property holds only approximately, the cheat goes undetected with a high probability, which we explicitly estimate. The proof uses an explicit formalization of general two party protocols, which is applicable to more general situations, and a new estimate about the continuity of the Stinespring dilation of a general quantum channel. The result also provides a natural characterization of protocols that fall outside the standard setting of unlimited available technology, and thus may allow secure bit commitment. We present a new such protocol whose security, perhaps surprisingly, relies on decoherence in the receiver's lab.

Quantum Physics

Linxi Zhang,Nan Zhao,Changxing Pei,Long Wang

DOI: https://doi.org/10.1109/iccnc.2017.7876114

2017-01-01

Abstract:Quantum cryptography is believed to be unbreakable in theory because of the laws of quantum mechanics. Numerous experiments have demonstrated the feasibility of quantum cryptography and a complete proof of the unconditional security of some main schemes. However, in practice all devices need trusting by each other firstly during the process of quantum key distribution(QKD). For identifying the reliability, we propose a quantum bit commitment protocol that can be regarded as the primitive of authentication protocol in QKD networks. In this protocol we complete bit commitment merely by one agent, and prove the security of the schemes. Compared with other protocols, our schemes have less requirement for additional hardware and lower complexity in implementation.

Junhan Yang,Tianjie Cao

DOI: https://doi.org/10.1166/sl.2013.2960

2013-01-01

Sensor Letters

Abstract:In this paper, a novel three-party authenticated key exchange protocol is proposed based onkey encapsulation sensor mechanism. It consists of two components: an efficient 2-party CL-KEM based authentication and key exchange protocol and a 3-party MAC based key exchange protocol. Fortunately, the present protocol is probably secure in the standard model. It achieves both forward security and mutual authentication. It is also secure against key compromise impersonation attacks.