TL;DR: The first universally verifiable voting scheme that can be based on a general assumption (existence of a non-interactive commitment scheme) is presented, and the first receipt-free scheme to give “everlasting privacy” for votes is presented.
Abstract: We present the first universally verifiable voting scheme that can be based on a general assumption (existence of a non-interactive commitment scheme). Our scheme is also the first receipt-free scheme to give “everlasting privacy” for votes: even a computationally unbounded party does not gain any information about individual votes (other than what can be inferred from the final tally).
Our voting protocols are designed to be used in a “traditional” setting, in which voters cast their ballots in a private polling booth (which we model as an untappable channel between the voter and the tallying authority). Following in the footsteps of Chaum and Neff [7,16], our protocol ensures that the integrity of an election cannot be compromised even if the computers running it are all corrupt (although ballot secrecy may be violated in this case).
We give a generic voting protocol which we prove to be secure in the Universal Composability model, given that the underlying commitment is universally composable. We also propose a concrete implementation, based on the hardness of discrete log, that is slightly more efficient (and can be used in practice).
TL;DR: The feasibility of universally composable two-party function evaluation in the plain model is studied and it is shown that in this setting, very few functions can be securely computed in the framework of universal composability.
Abstract: The recently proposed universally composable security framework for analyzing security of cryptographic protocols provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when run concurrently with arbitrary other protocols. It has been shown that if a majority of the parties are honest, then universally composable protocols exist for essentially any cryptographic task in the plain model (i.e., with no set-up assumptions beyond that of authenticated communication). When an honest majority is not guaranteed, general feasibility results are known only when given a trusted set-up, such as in the common reference string model. Little was known regarding the existence of universally composable protocols in the plain model without an honest majority, and in particular regarding the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that in this setting, very few functions can be securely computed in the framework of universal composability. We demonstrate this by providing broad impossibility results that apply to large classes of deterministic and probabilistic functions. For some of these classes, we also present full characterizations of what can and cannot be securely realized in the framework of universal composability. Specifically, our characterizations are for the classes of deterministic functions in which (a) both parties receive the same output, (b) only one party receives output, and (c) only one party has input.
TL;DR: Security in the universal composability framework is proved by defining a new functionality for PAKE with resilience to server compromise, specifying a protocol combining this technique with a (basic) PAKE functionality, and proving that this protocol securely realizes the new functionality.
Abstract: This paper considers the problem of password-authenticated key exchange (PAKE) in a client-server setting, where the server authenticates using a stored password file, and it is desirable to maintain some degree of security even if the server is compromised. A PAKE scheme is said to be resilient to server compromise if an adversary who compromises the server must at least perform an offline dictionary attack to gain any advantage in impersonating a client. (Of course, offline dictionary attacks should be infeasible in the absence of server compromise.) One can see that this is the best security possible, since by definition the password file has enough information to allow one to play the role of the server, and thus to verify passwords in an offline dictionary attack.
While some previous PAKE schemes have been proven resilient to server compromise, there was no known general technique to take an arbitrary PAKE scheme and make it provably resilient to server compromise. This paper presents a practical technique for doing so which requires essentially one extra round of communication and one signature computation/verification. We prove security in the universal composability framework by (1) defining a new functionality for PAKE with resilience to server compromise, (2) specifying a protocol combining this technique with a (basic) PAKE functionality, and (3) proving (in the random oracle model) that this protocol securely realizes the new functionality.
TL;DR: In this paper, the notion of resource-fair protocols is introduced, which states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources.
Abstract: We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort.
In this model we specify the ideally fair functionality as allowing parties to “invest resources” in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a “wrapper.”) Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with corrupted majority; in particular, our definition admits constructions that tolerate an arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed.
Turning to constructions, we define a “commit-prove-fair-open” functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as “time-lines.” With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.
TL;DR: This paper surveys existing protocols and proposes a new key agreement protocol based on the Diffie-Hellman protocol, which is provably secure in the random oracle model, and discusses applications such as secure peer-to-peer VoIP.
Abstract: Key agreement protocols are frequently based on the Diffie-Hellman protocol but require authenticating the protocol messages in two ways. This can be done by a cross-authentication protocol. Such protocols, based on the assumption that a channel which can authenticate short strings is available (SAS-based), have been proposed by Vaudenay. In this paper, we survey existing protocols and we propose a new one. Our proposed protocol requires three moves and a single SAS to be authenticated in two ways. It is provably secure in the random oracle model. We can further achieve security with a generic construction (e.g. in the standard model) at the price of an extra move. We discuss applications such as secure peer-to-peer VoIP.
TL;DR: In this paper, the authors present the currently simplest, most efficient, optimally resilient, adaptively secure, and proactive threshold RSA scheme, which was previously assumed to be only statically secure.
Abstract: We present the currently simplest, most efficient, optimally resilient, adaptively secure, and proactive threshold RSA scheme. A main technical contribution is a new rewinding strategy for analysing threshold signature schemes. This new rewinding strategy allows to prove adaptive security of a proactive threshold signature scheme which was previously assumed to be only statically secure. As a separate contribution we prove that our protocol is secure in the UC framework.
TL;DR: The proposed protocol achieves the necessary level of confidentiality and authenticity of rekeying messages by only using symmetric ciphers and one-way functions.
Abstract: In this paper, we present a scalable and secure protocol for key revocation in wireless sensor networks. The protocol guarantees an authenticated distribution of new keys that is efficient in terms of storage, communication and computing overhead. The proposed protocol reduces the number and the size of rekeying messages. It achieves the necessary level of confidentiality and authenticity of rekeying messages by only using symmetric ciphers and one-way functions. Hence, the protocol is scalable, and particularly attractive for large and/or highly dynamic groups.
TL;DR: In this paper, the authors present a secure constant-round password-based group key exchange protocol in the common reference string model based on the notion of smooth projective hash functions.
Abstract: This paper presents a secure constant-round password-based group key exchange protocol in the common reference string model. Our protocol is based on the group key exchange protocol by Burmester and Desmedt and on the 2-party password-based authenticated protocols by Gennaro and Lindell, and by Katz, Ostrovsky, and Yung. The proof of security is in the standard model and based on the notion of smooth projective hash functions. As a result, it can be instantiated under various computational assumptions, such as decisional Diffie-Hellman, quadratic residuosity, and N-residuosity.
TL;DR: In this article, the authors propose simple, realistic protocols for polling that allow the responder to plausibly repudiate his response, while at the same time allowing accurate statistical analysis of poll results.
Abstract: We propose simple, realistic protocols for polling that allow the responder to plausibly repudiate his response, while at the same time allow accurate statistical analysis of poll results. The protocols use simple physical objects (envelopes or scratch-off cards) and can be performed without the aid of computers. One of the main innovations of this work is the use of techniques from theoretical cryptography to rigorously prove the security of a realistic, physical protocol. We show that, given a few properties of physical envelopes, the protocols are unconditionally secure in the universal composability framework.
TL;DR: A novel protocol for quantum secure direct communication with cluster states is proposed, in which the two legitimate users, Alice and Bob, can directly transmit the secret messages by using the Bell-basis measurement and Z-basis measurement in classical communication.
Abstract: We propose a novel protocol for quantum secure direct communication with cluster states. In this protocol, the two legitimate users, Alice and Bob, can directly transmit the secret messages by using the Bell-basis measurement and Z-basis measurement, respectively, in classical communication. Since our quantum secure direct communication protocol is based on the cluster state, it is easily processed by a one-way quantum computer.
TL;DR: This paper presents the design of secure-SPIN, a secure extension for the SPIN protocol, and shows that this secure protocol may increase the data communication security in wireless sensor networks.
Abstract: Many routing protocols have been proposed for sensor networks, but most of them have not been designed with security as a goal. The Sensor Protocol for Information via Negotiation (SPIN) is a basic data-centric routing protocol for sensor networks. In this paper, we present the design of secure-SPIN, a secure extension for the SPIN protocol. We divide secure-SPIN into three phases and use some cryptographic functions that require small memory and processing power to create an efficient, practical protocol. Then we give security analyses of this protocol. They show that this secure protocol may increase the data communication security in wireless sensor networks.
TL;DR: These protocols match known (insecure) communication complexity lower bounds, and improve the communication complexity of both Yao's garbled circuits and that of specific previously published protocols.
Abstract: We present communication-efficient secure protocols for a variety of linear algebra problems. Our main building block is a protocol for computing Gaussian Elimination on encrypted data. As input for this protocol, Bob holds a k × k matrix M, encrypted with Alice's key. At the end of the protocol run, Bob holds an encryption of an upper-triangular matrix M′ such that the number of nonzero elements on the diagonal equals the rank of M. The communication complexity of our protocol is roughly O(k²). Building on Oblivious Gaussian elimination, we present secure protocols for several problems: deciding the intersection of linear and affine subspaces, picking a random vector from the intersection, and obliviously solving a set of linear equations. Our protocols match known (insecure) communication complexity lower bounds, and improve the communication complexity of both Yao's garbled circuits and that of specific previously published protocols.
TL;DR: In this article, a group key agreement protocol that resists attacks by malicious insiders in the authenticated broadcast model is shown to lose this security when it is transferred into an unauthenticated point-to-point network with the protocol compiler introduced by Katz and Yung.
Abstract: Considering a protocol of Tseng, we show that a group key agreement protocol that resists attacks by malicious insiders in the authenticated broadcast model loses this security when it is transferred into an unauthenticated point-to-point network with the protocol compiler introduced by Katz and Yung. We develop a protocol framework that allows one to transform passively secure protocols into protocols that provide security against malicious insiders and active adversaries in an unauthenticated point-to-point network and, in contrast to existing protocol compilers, does not increase the number of rounds. Our protocol particularly uses the session identifier to achieve the security. By applying the framework to the Burmester-Desmedt protocol we obtain a new two-round protocol that is provably secure against active adversaries and malicious participants.
TL;DR: It is shown that the partnership definition used in the three-party key distribution protocol of Bellare and Rogaway (1995) is flawed, which invalidates the proof for the 3PKD protocol and an improved protocol is presented with a new proof of security.
Abstract: We study the problem of secure key establishment. We critically examine the security models of Bellare and Rogaway (1993) and Canetti and Krawczyk (2001) in the computational complexity approach, as these models are central in the understanding of the provable security paradigm. We show that the partnership definition used in the three-party key distribution (3PKD) protocol of Bellare and Rogaway (1995) is flawed, which invalidates the proof for the 3PKD protocol. We present an improved protocol with a new proof of security. We identify several variants of the key sharing requirement (i.e., two entities who have completed matching sessions, partners, are required to accept the same session key). We then present a brief discussion about the key sharing requirement. We identify several variants of the Bellare and Rogaway (1993) model. We present a comparative study of the relative strengths of security notions between the several variants of the Bellare-Rogaway model and the Canetti-Krawczyk model. In our comparative study, we reveal a drawback in the Bellare, Pointcheval, and Rogaway (2000) model with the protocol of Abdalla and Pointcheval (2005) as a case study.
We prove a revised protocol of Boyd (1996) secure in the Bellare-Rogaway model. We then extend the model in order to allow more realistic adversary capabilities by incorporating the notion of resetting the long-term compromised key of some entity. This allows us to detect a known weakness of the protocol that cannot be captured in the original model. We also present an alternative protocol that is efficient in both messages and rounds. We prove the protocol secure in the extended model. We point out previously unknown flaws in several published protocols and a message authenticator of Bellare, Canetti, and Krawczyk (1998) by refuting claimed proofs of security. We also point out corresponding flaws in their existing proofs. We propose fixes to these protocols and their proofs. In some cases, we present new protocols with full proofs of security. We examine the role of session key construction in key establishment protocols, and demonstrate that a small change to the way that session keys are constructed can have significant benefits. Protocols that were proven secure in a restricted Bellare-Rogaway model can then be proven secure in the full model. We present a brief discussion on ways to construct session keys in key establishment protocols and also prove the protocol of Chen and Kudla (2003) secure in a less restrictive Bellare-Rogaway model. To complement the computational complexity approach, we provide a formal specification and machine analysis of the Bellare-Pointcheval-Rogaway model using an automated model checker, Simple Homomorphism Verification Tool (SHVT). We demonstrate that structural flaws in protocols can be revealed using our framework. We reveal previously unknown flaws in the unpublished preproceedings version of the protocol due to Jakobsson and Pointcheval (2001) and several published protocols with only heuristic security arguments. We conclude this thesis with a listing of some open problems that were encountered in the study.
TL;DR: MuSeqoR as mentioned in this paper is a multi-path routing protocol that tackles the twin issues of reliability (protection against failures of multiple paths) and security, while ensuring a minimum data redundancy.
TL;DR: The purpose is to emphasize the design criteria of an authentication protocol through the use of some nice and subtle attacks that existed in the literature in the field of the design of security protocols.
Abstract: The vulnerability and importance of computers, robots, the Internet, etc., demand the employment of exceedingly reliable methods in the design of secure systems. Security protocols are one of the most important design parameters. History has proven security protocols to be vulnerable even after they enjoyed circumspect design and meticulous review by experts. We posit that understanding the subtle issues in security protocols is important when designing a protocol. In particular, understanding a penetrator and the knowledge of different attack strategies that a penetrator can apply are among the most important issues that affect the design of security protocols. We describe the notion of a penetrator and specify his characteristics. Our purpose is to emphasize the design criteria of an authentication protocol through the use of some nice and subtle attacks that exist in the literature in the field of the design of security protocols.
TL;DR: A formal model and corresponding security definitions are introduced and a new cross-realm C2C-PAKE protocol is presented with security proof.
Abstract: Client-to-client password authenticated key exchange (C2C-PAKE) protocol deals with the authenticated key exchange process between two clients, who only share their passwords with their own servers. Jin Wook Byun et al. first divided this scenario into two kinds called single-server C2C-PAKE protocol and cross-realm C2C-PAKE protocol respectively. Recently, Abdalla et al. proposed a generic construction for single-server C2C-PAKE protocol and presented a concrete example with security proof. But, no similar results about cross-realm C2C-PAKE protocol exist. In fact, all existing cross-realm C2C-PAKE protocols are found insecure. To counter flaws and provide a secure cross-realm C2C-PAKE protocol, in this paper, we introduce a formal model and corresponding security definitions. Then, a new cross-realm C2C-PAKE protocol is presented with security proof.
TL;DR: In this paper, the authors describe a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.
Abstract: For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol. For example, a described implementation involves using a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.
TL;DR: A broadcast process calculus suitable to describe the behaviour of protocols which require a local memory component for every node is presented, and annotations for the origin of messages are added to formalise a vital security property in this context, called store authorisation.
TL;DR: This work constructs the first mix-net that is secure against adaptive adversaries corrupting any minority of the mix-servers and any set of senders and the discrete logarithm assumption.
Abstract: We construct the first mix-net that is secure against adaptive adversaries corrupting any minority of the mix-servers and any set of senders. The mix-net is based on the Paillier cryptosystem and analyzed in the universal composability model without erasures under the decisional composite residuosity assumption, the strong RSA assumption, and the discrete logarithm assumption. We assume the existence of ideal functionalities for a bulletin board, key generation, and coin-flipping.
TL;DR: This is the first paper to study protocols which are simultaneously long-term secure and universally composable, and it shows that the usual set-up assumptions used for UC protocols are not sufficient to achieve long-term secure and composable protocols for commitments or zero-knowledge protocols.
Abstract: Algorithmic progress and future technological advances threaten today’s cryptographic protocols. This may allow adversaries to break a protocol retrospectively by breaking the underlying complexity assumptions long after the execution of the protocol. Long-term secure protocols, protocols that after the end of the execution do not reveal any information to a then possibly unlimited adversary, could meet this threat. On the other hand, in many applications, it is necessary that a protocol is secure not only when executed alone, but within arbitrary contexts. The established notion of universal composability (UC) captures this requirement. This is the first paper to study protocols which are simultaneously long-term secure and universally composable. We show that the usual set-up assumptions used for UC protocols (e.g., a common reference string) are not sufficient to achieve long-term secure and composable protocols for commitments or zero-knowledge protocols. We give practical alternatives (e.g., signature cards) to these usual set-up assumptions and show that these enable the implementation of the important primitives commitment and zero-knowledge protocols.
TL;DR: It is shown that computational standard simulatability does not allow for secure concurrent composition of polynomially many protocols, but it is also shown that statistical standard simulatability does.
Abstract: Simulatable security is a security notion for multi-party protocols that implies strong composability features. The main definitional flavours of simulatable security are standard simulatability, universal simulatability, and black-box simulatability. All three come in "computational," "statistical" and "perfect" subflavours indicating the considered adversarial power. Universal and black-box simulatability, in all of their subflavours, are already known to guarantee that the concurrent composition even of a polynomial number of secure protocols stays secure. We show that computational standard simulatability does not allow for secure concurrent composition of polynomially many protocols, but we also show that statistical standard simulatability does. The first result assumes the existence of an interesting cryptographic tool (namely time-lock puzzles), and its proof employs a cryptographic multi-party computation in an interesting and unconventional way.
TL;DR: A new secure deterministic bidirectional communication protocol without using entanglement is proposed, in which two legitimate users can simultaneously exchange their different secret messages in a direct way with a set of communication devices.
Abstract: In light of Lucamarini–Mancini's secure deterministic communication without entanglement [Phys. Rev. Lett. 94, 140501 (2005)], by introducing an additional operation for encoding and additional classical information for decoding, we propose a new secure deterministic bidirectional communication protocol without using entanglement. In our protocol, two legitimate users can simultaneously exchange their different secret messages in a direct way with a set of communication devices. The proposed protocol is asymptotically secure in the limit of transmitting long messages.
TL;DR: The prior definition of AH-AGKA is strengthened so that the security and privacy properties are maintained under any composition of protocol instances, and two novel AH-AGKA protocols are constructed that are secure in this new and stronger model under the RSA and Gap Diffie-Hellman assumptions.
Abstract: Privacy concerns in many aspects of electronic communication trigger the need to re-examine - with privacy in mind - familiar security services, such as authentication and key agreement. An Affiliation-Hiding Group Key Agreement (AH-AGKA) protocol (also known as Group Secret Handshake) allows a set of participants, each with a certificate issued by the same authority, to establish a common authenticated secret key. In contrast to standard AGKA protocols, an AH-AGKA protocol has the following privacy feature: If Alice, who is a member of a group G, participates in an AH-AGKA protocol, none of the other protocol participants learn whether Alice is a member of G, unless these participants are themselves members of group G. Such protocols are useful in suspicious settings where a set of members of a (perhaps secret) group need to authenticate each other and agree on a common secret key, without revealing their affiliations to outsiders. In this paper we strengthen the prior definition of AH-AGKA so that the security and privacy properties are maintained under any composition of protocol instances. We also construct two novel AH-AGKA protocols secure in this new and stronger model under the RSA and Gap Diffie-Hellman assumptions, respectively. Each protocol involves only two communication rounds and few exponentiations per player (e.g., no bilinear map operations). Interestingly, these costs are essentially the same as those of the underlying (unauthenticated) group key agreement protocol. Finally, our protocols, unlike prior results, retain their security and privacy properties without the use of one-time certificates.
TL;DR: A secure image protocol that can be used as a substitute or additional security layer during the login process or during high-risk transactions is proposed in this paper, covering the case where the user requests a high-risk transaction.
Abstract: A secure image protocol is disclosed that can be used as a substitute or additional security layer during the login process or during high-risk transactions. In a first embodiment, the secure image protocol of the present invention is used to provide a secure login. In a second embodiment, the secure image protocol of the present invention is instead used during a login session, and, more particularly, during times when the user requests a high-risk transaction, wherein the secure image protocol provides an extra layer of security during the high-risk transaction.
TL;DR: A group membership protocol specially designed for next generation communication systems for real-time safety-critical applications such as FlexRay and FTT-CAN is presented, which is as tolerant as the most robust protocol with a traffic overhead slightly higher than the most efficient protocol.
Abstract: We present a group membership protocol specially designed for next generation communication systems for real-time safety-critical applications such as FlexRay and FTT-CAN. The proposed protocol imposes an overhead of two bits per processor per communication cycle, when the system is in a quiescent state, and is able to tolerate benign failures of up to half of the group members between consecutive executions. Additionally, it removes a faulty processor within two communication cycles in the worst case and reintegrates a processor at the latest two communication cycles after it recovers. Compared with protocols developed for similar systems, it is as tolerant as the most robust protocol with a traffic overhead slightly higher than the most efficient protocol, which is much less robust.