TL;DR: A security analysis of the proposed ECC-based user authentication protocol shows it is suitable for WSN applications with higher security requirements.
Abstract: User authentication is a crucial service in wireless sensor networks (WSNs) that is becoming increasingly common in WSNs because wireless sensor nodes are typically deployed in an unattended environment, leaving them open to possible hostile network attack. Because wireless sensor nodes are limited in computing power, data storage and communication capabilities, any user authentication protocol must be designed to operate efficiently in a resource-constrained environment. In this paper, we review several proposed WSN user authentication protocols, with a detailed review of the M. L. Das protocol and a cryptanalysis of Das’ protocol that shows several security weaknesses. Furthermore, this paper proposes an ECC-based user authentication protocol that resolves these weaknesses. According to our analysis of the security of the ECC-based protocol, it is suitable for applications with higher security requirements. Finally, we present a comparison of security, computation, and communication costs and performances for the proposed protocols. The ECC-based protocol is shown to be suitable for higher security WSNs.
TL;DR: In this paper, the authors present a protocol for secure two-party computation that follows the methodology of using cut-and-choose to boost Yao's protocol to be secure in the presence of malicious adversaries.
Abstract: Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party computation secure in the presence of malicious adversaries (where security is proven under the standard simulation-based ideal/real model paradigm for defining security). In this paper, we present a protocol for this task that follows the methodology of using cut-and-choose to boost Yao's protocol to be secure in the presence of malicious adversaries. Relying on specific assumptions (DDH), we construct a protocol that is significantly more efficient and far simpler than the protocol of Lindell and Pinkas (Eurocrypt 2007) that follows the same methodology. We provide an exact, concrete analysis of the efficiency of our scheme and demonstrate that (at least for not very small circuits) our protocol is more efficient than any other known today.
TL;DR: A general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string.
Abstract: We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round.
TL;DR: The main feature of Veritas is that it has no prior knowledge of protocol specifications; the technique is based on statistical analysis of protocol formats, which makes it suitable for both text-based and binary-based protocols.
Abstract: Application-level protocol specifications (i.e., how a protocol should behave) are helpful for network security management, including intrusion detection and intrusion prevention. The knowledge of protocol specifications is also an effective way of detecting malicious code. However, current methods for obtaining unknown protocol specifications rely heavily on manual operations, such as reverse engineering, which is a major instrument for extracting application-level specifications but is time-consuming and laborious. Several works have focused their attention on automatically extracting protocol messages from real-world traces, leaving the protocol state machine unsolved.
In this paper, we propose Veritas, a system that can automatically infer protocol state machines from real-world network traces. The main feature of Veritas is that it has no prior knowledge of protocol specifications, and our technique is based on statistical analysis of the protocol formats. We also formally define a new model - probabilistic protocol state machine (P-PSM), which is a probabilistic generalization of protocol state machine. In our experiments, we evaluate a text-based protocol and two binary-based protocols to test the performance of Veritas. Our results show that the protocol state machines that Veritas infers can accurately represent 92% of the protocol flows on average. Our system is general and suitable for both text-based and binary-based protocols. Veritas can also be employed as an auxiliary tool for analyzing unknown behaviors in real-world applications.
TL;DR: This paper constructs highly efficient UC-secure commitments from the standard DDH assumption in the common reference string model; the commit stage is non-interactive, and the variant secure against adaptive adversaries with erasures costs only 5 1/3 additional exponentiations over the statically secure one.
Abstract: Universal composability (a.k.a. UC security) provides very strong security guarantees for protocols that run in complex real-world environments. In particular, security is guaranteed to hold when the protocol is run concurrently many times with other secure and possibly insecure protocols. Commitment schemes are a basic building block in many cryptographic constructions, and as such universally composable commitments are of great importance in constructing UC-secure protocols. In this paper, we construct highly efficient UC-secure commitments from the standard DDH assumption, in the common reference string model. Our commitment stage is non-interactive, has a common reference string with O(1) group elements, and has complexity of O(1) exponentiations for committing to a group element (to be more exact, the effective cost is that of 23 1/3 exponentiations overall, for both the commit and decommit stages). We present a construction that is secure in the presence of static adversaries, and a construction that is secure in the presence of adaptive adversaries with erasures, where the latter construction has an effective additional cost of just 5 1/3 exponentiations.
TL;DR: In this paper, the authors presented a simplified version of the voting protocol based on a hardness assumption similar to Decision Diffie-Hellman (DDH), which is a claim that a random subgroup of a non-cyclic group is indistinguishable from the whole group.
Abstract: The Norwegian government will run a trial of internet remote voting during the 2011 local government elections. A new cryptographic voting protocol will be used, where so-called return codes allow voters to verify that their ballots will be counted as cast.
This paper discusses a slightly simplified version of the cryptographic protocol. The description and analysis of the simplified protocol contains most of the ideas and concepts used to build and analyse the full protocol. In particular, the simplified protocol uses the full protocol's novel method for generating the return codes.
The security of the protocol relies on a novel hardness assumption similar to Decision Diffie-Hellman. While DDH is a claim that a random subgroup of a non-cyclic group is indistinguishable from the whole group, our assumption is related to the indistinguishability of certain special subgroups. We discuss this question in some detail.
TL;DR: This work presents the first protocol realizing universally composable two-party computations with information-theoretic security using only one single tamper-proof device issued by one of the mutually distrusting parties.
Abstract: Cryptographic assumptions regarding tamper-proof hardware tokens have gained increasing attention. Even if the tamper-proof hardware is issued by one of the parties, and hence not necessarily trusted by the other, many tasks become possible: tamper-proof hardware is sufficient for universally composable protocols, for information-theoretically secure protocols, and even allows the creation of software which can only be used once (One-Time-Programs). However, all known protocols employing tamper-proof hardware are either indirect, i.e., additional computational assumptions must be used to obtain general two-party computations, or a large number of devices must be used. In this work we present the first protocol realizing universally composable two-party computations (and even trusted One-Time-Programs) with information-theoretic security using only one single tamper-proof device issued by one of the mutually distrusting parties.
TL;DR: This paper revisits the idea and model of hardware-based secure set intersection, and in particular considers a setting where tokens are not necessarily trusted by both participants to additionally cover threats like side channel attacks, firmware trapdoors and malicious hardware.
Abstract: Secure set intersection protocols are the core building block for a manifold of privacy-preserving applications.
In a recent work, Hazay and Lindell (ACM CCS 2008) introduced the idea of using trusted hardware tokens for the set intersection problem, devising protocols which improve over previous (in the standard model of two-party computation) protocols in terms of efficiency and secure composition. Their protocol uses only a linear number of symmetric-key computations, and the amount of data stored in the token does not depend on the sizes of the sets. The security proof of the protocol is in the universal composability model and is based on the strong assumption that the token is trusted by both parties.
In this paper we revisit the idea and model of hardware-based secure set intersection, and in particular consider a setting where tokens are not necessarily trusted by both participants to additionally cover threats like side channel attacks, firmware trapdoors and malicious hardware. Our protocols are very efficient and achieve the same level of security as those by Hazay and Lindell for trusted tokens. For untrusted tokens, our protocols ensure privacy against malicious adversaries, and correctness facing covert adversaries.
TL;DR: A new secure communication protocol that combines steganography and cryptography techniques organically is proposed, based on the LSB matching method and the well-developed Boolean functions in stream ciphers, which is the first secure protocol of this kind.
TL;DR: The S-AKA protocol reduces bandwidth consumption and the number of messages required to authenticate mobile subscribers, and a formal proof is given to guarantee its robustness.
Abstract: The authentication and key agreement (AKA) protocol of Universal Mobile Telecommunication System (UMTS), which is proposed to solve the vulnerabilities found in Global System for Mobile Communications (GSM) systems, is still vulnerable to redirection and man-in-the-middle attacks. An adversary can mount these attacks to eavesdrop or mischarge the subscribers in the system. In this paper, we propose a secure AKA (S-AKA) protocol to cope with these problems. The S-AKA protocol can reduce bandwidth consumption and the number of messages required in authenticating mobile subscribers. We also give the formal proof of the S-AKA protocol to guarantee its robustness.
TL;DR: An ECG (electrocardiogram)-signal-based key establishment protocol to secure the communication between every sensor and the control unit before the physiological data are transferred to external networks for remote analysis or diagnosis.
Abstract: Current advances in semiconductor technology have made it possible to implant a network of biosensors inside the human body for health monitoring. In the context of a body area network (BAN), the confidentiality and integrity of the sensitive health information is particularly important. In this paper, we present an ECG (electrocardiogram)-signal-based key establishment protocol to secure the communication between every sensor and the control unit before the physiological data are transferred to external networks for remote analysis or diagnosis. The uniqueness of the ECG signal guarantees that our protocol can provide long, random, distinctive and temporally variant keys. A Biometric Encryption technique is applied to achieve mutual authentication and derive a non-linkable session key between every sensor and the control unit. The correctness of the proposed key establishment protocol is formally verified based on SVO logic. Security analysis shows that our protocol can guarantee data confidentiality, authenticity and integrity. Performance analysis shows that it is a lightweight protocol.
TL;DR: In this paper, a new method using CP-Nets for the analysis of security protocols is presented that provides an open-ended base for the integration of multiple attack tactics and is a viable approach to overcome the state space explosion problem.
Abstract: Security protocols are the basis of security in networks. Therefore, it is essential to ensure that these protocols function correctly. However, it is difficult to design security protocols that are immune to malicious attack, since good analysis techniques are lacking. In this paper, the current main analysis techniques using Colored Petri Nets (CP-Nets) for analysis of security protocols are introduced. Based on these techniques, a new method using CP-Nets for the analysis of security protocols is presented. Specifically, in the new method, an intruder CP-Net model is presented that provides an open-ended base for the integration of multiple attack tactics. This is a viable approach to overcome the state space explosion problem. Furthermore, the automated analysis tool CPN Tools is used. The Andrew secure RPC protocol is chosen to illustrate how a security protocol is analyzed using the new method. After model checking, an attack is found which is the same as the one found by Gavin Lowe. These are stunning confirmations of the validity of the new method for analyzing security protocols.
TL;DR: It is demonstrated that Yang and Chang's authentication protocol still is insecure for authentication without password protection and performs inefficiently, and an anonymous authentication protocol (AAP) is offered to solve the performance issue and insecure risks.
TL;DR: This paper studies whether cryptographic protocols can be run by completely stateless parties that compute each outgoing message by applying a single fixed function to the incoming message, and resolves the question by constructing fully resettable secure computation protocols for any efficiently computable multi-party functionality in the plain model.
Abstract: Secure computation protocols inherently involve multiple rounds of interaction among the parties where, typically, a party has to keep a state about what has happened in the protocol so far and then wait for the other party to respond. We study if this is inherent. In particular, we study the possibility of designing cryptographic protocols where the parties can be completely stateless and compute the outgoing message by applying a single fixed function to the incoming message (independent of any state). The problem of designing stateless secure computation protocols can be reduced to the problem of designing protocols satisfying the notion of resettable computation introduced by Canetti, Goldreich, Goldwasser and Micali (FOCS'01) and widely studied thereafter. The current state of the art in resettable computation allows for construction of protocols which provide security only when a single predetermined party is resettable [GoyalSa09]. An exception is the case of the zero-knowledge functionality, for which a protocol in which both parties are resettable was recently obtained by Deng, Goyal and Sahai (FOCS'09). The fundamental question left open in this sequence of works is whether fully-resettable computation is possible when: (1) an adversary can corrupt any number of parties, and (2) the adversary can reset any party to its original state during the execution of the protocol and can restart the protocol. In this paper, we resolve the above problem by constructing secure protocols realizing any efficiently computable multi-party functionality in the plain model under standard cryptographic assumptions. First, we construct a Fully-Resettable Simulation-Sound Zero-Knowledge (ss-rs-rZK) protocol. Next, based on these ss-rs-rZK protocols, we show how to compile any semi-honest secure protocol into a protocol secure against fully resetting adversaries.
Next, we study a seemingly unrelated open question: "Does there exist a functionality which, in the concurrent setting, is impossible to securely realize using BB simulation but can be realized using NBB simulation?" We resolve the above question in the affirmative by giving an example of such a (reactive) functionality. Somewhat surprisingly, this is done by making a connection to the existence of a fully resettable simulation-sound zero-knowledge protocol.
TL;DR: This work uses the model checker Uppaal to analyse the Business Agreement with Coordination Completion protocol type and proves that the enhanced protocol satisfies this property for asynchronous, unreliable, order-preserving communication whereas the original protocol does not.
Abstract: WS-Business Activity specification defines two coordination protocols in order to ensure a consistent agreement on the outcome of long-running distributed applications. We use the model checker Uppaal to analyse the Business Agreement with Coordination Completion protocol type. Our analyses show that the protocol, as described in the standard specification, violates correct operation by reaching invalid states for all underlying communication media except for the perfect FIFO. Based on this result, we propose changes to the protocol. A further investigation of the modified protocol suggests that messages should be received in the same order as they are sent so that a correct protocol behaviour is preserved. Another important property of communication protocols is that all parties always reach their final states. Based on the verification with different communication models, we prove that our enhanced protocol satisfies this property for asynchronous, unreliable, order-preserving communication whereas the original protocol does not.
TL;DR: In this article, the authors present a tool that converts the definition of a protocol to executable form, such as computer source code, and also applies reverse-engineering countermeasures to the protocol definition as expressed in source code.
Abstract: In the field of computer science, communications protocols (such as computer network protocols) are hardened (secured) against reverse engineering attacks by hackers using a software tool which is applied to a high level definition of the protocol. The tool converts the definition to executable form, such as computer source code, and also applies reverse-engineering countermeasures to the protocol definition as now expressed in source code, to prevent hackers from recovering useful details of the protocol. This conversion process also allows preservation of backwards version compatibility of the protocol definition.
TL;DR: This work proves a composability result in the symbolic model that allows arbitrary vertical composition (including self-composition); it holds for protocols from any suite of channel and application protocols that fulfils a number of sufficient preconditions, which TLS satisfies.
Abstract: The security of key exchange and secure channel protocols, such as TLS, has been studied intensively. However, only a few works have considered what happens when the established keys are actually used -- to run some protocol securely over the established "channel". We call this a vertical protocol composition, and it is truly commonplace in today's communication with the diversity of VPNs and secure browser sessions. In fact, it is normal that we have several layers of secure channels: for instance, on top of a VPN connection, a browser may establish another secure channel (possibly with a different end point). Even using the same protocol several times in such a stack of channels is not unusual: an application may very well establish another TLS channel over an established one. We call this self-composition. In fact, there is nothing that tells us that all these compositions are sound, i.e., that the combination cannot introduce attacks that the individual protocols in isolation do not have. In this work, we prove a composability result in the symbolic model that allows for arbitrary vertical composition (including self-composition). It holds for protocols from any suite of channel and application protocols that fulfills a number of sufficient preconditions. These preconditions are satisfied for many practically relevant protocols such as TLS.
TL;DR: The analysis of security protocols under the Multi-Attacker threat model brings forward yet more insights, such as retaliation attacks and anticipation attacks, which formalise currently realistic scenarios of principals competing with each other for personal profit.
Abstract: Security protocols have been analysed focusing on a variety of properties to withstand the Dolev-Yao attacker. The Multi-Attacker threat model allows each protocol participant to behave maliciously, intercepting and forging messages. Each principal may then behave as a Dolev-Yao attacker while neither colluding nor sharing knowledge with anyone else. This feature rules out the applicability of existing equivalence results in the Dolev-Yao model. The analysis of security protocols under the Multi-Attacker threat model brings forward yet more insights, such as retaliation attacks and anticipation attacks, which formalise currently realistic scenarios of principals competing with each other for personal profit. They are variously demonstrated on a classical protocol, Needham-Schroeder's, and on a modern deployed protocol, Google's SAML-based single sign-on protocol. The general threat model for security protocols based on set-rewriting that was adopted in AVISPA (Armando et al. 2005) is extended to formalise the Multi-Attacker. The state-of-the-art model checker SATMC (Armando and Compagna, Int J Inf Secur 6(1):3-32, 2007) is then used to automatically validate the protocols under the new threats, so that retaliation and anticipation attacks can automatically be found. The tool support scales up to the Multi-Attacker threat model at a reasonable price both in terms of human interaction effort and of computational time.
TL;DR: A secure and efficient identification and key agreement protocol with user anonymity, based on the difficulty of the elliptic curve Diffie-Hellman assumption, is proposed, and its security is formally proved in the random oracle model.
TL;DR: In this article, the authors extend the known impossibility results for universal composability without an honest majority, showing for which public-key models the impossibility results hold and for which they do not; they also consider a setting where the inputs to the protocols running in the network are fixed before any execution begins.
Abstract: Universal composability and concurrent general composition consider a setting where secure protocols are run concurrently with each other and with arbitrary other possibly insecure protocols. Protocols that meet the definition of universal composability are guaranteed to remain secure even when run in this strongly adversarial setting. In the case of an honest majority, or where there is a trusted setup phase of some kind (like a common reference string or the key-registration public-key infrastructure of Barak et al. in FOCS 2004), it has been shown that any functionality can be securely computed in a universally composable way. On the negative side, it has also been shown that in the plain model where there is no trusted setup at all, there are large classes of functionalities which cannot be securely computed in a universally composable way without an honest majority.
In this paper, we extend these impossibility results for universal composability. We study a number of public-key models and show for which models the impossibility results of universal composability hold and for which they do not. We also consider a setting where the inputs to the protocols running in the network are fixed before any execution begins. The majority of our results are negative and we show that the known impossibility results for universal composability in the case of no honest majority extend to many other settings.
TL;DR: In this article, the notion of resource-fair protocols is introduced, which is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort.
Abstract: We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to previously proposed definitions related to fairness, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort.
In this model we specify the ideally fair functionality as allowing parties to “invest resources” in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a “wrapper.”) Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with a corrupted majority; in particular, our definition admits constructions that tolerate an arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed.
Turning to constructions, we define a “commit-prove-fair-open” functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as “time-lines.” With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.
TL;DR: This paper proposes a scalable privacy-friendly RFID protocol that substitutes the hash functions used for identification with anonymous tickets, thus avoiding the aforementioned traceability problem, and proves the security requirements of the protocol.
Abstract: A majority of the existing privacy-friendly RFID protocols use the output of a cryptographic hash function in place of the real identity of an RFID tag to ensure anonymity and untraceability. In order to provide unique identification for the tags, these protocols assume that the hash functions are collision resistant. We show that, under this assumption on the hash functions, a substantial number of the existing protocols suffer from a traceability problem that makes it possible to differentiate one tag from another. We propose a scalable privacy-friendly RFID protocol and describe its design and implementation issues. Our protocol substitutes the hash functions used for identification with anonymous tickets, thus avoiding the aforementioned traceability problem. The anonymous tickets are reusable. They nevertheless identify the tags uniquely, at any given point in time. The query and search algorithm of our proposed protocol is of O(1) time complexity, and it imposes small storage overhead on the back-end database. We show that the protocol is scalable, and compare its storage and computational requirements to some existing protocols. We formally prove the security requirements of our protocol, and mechanically analyze some of its requirements using the model checker OFMC.
TL;DR: A new way to measure communication performance is proposed to stress the necessity that a real-time communication protocol needs to be both efficient and fair.
Abstract: The recent trend in distributed automation and control systems has been towards event-triggered system architectures such as UML and IEC 61499. Although existing communication protocols (e.g., Ethernet) can support high-level communication within these systems, there is contention as to which low-level protocol to use, or if any exist that meet the requirements of being event-triggered and hard real-time. This paper proposes a new way to measure communication performance. The goal of the new measurement method is to stress the necessity that a real-time communication protocol needs to be both efficient and fair. This is illustrated by comparing three communication strategies: Controller Area Network (CAN), Time-Triggered CAN (TTCAN) and Escalating Priority CAN (EPCAN). The first two represent the extremes between event-triggered and time-triggered communication strategies; the third is introduced to illustrate the benefits of a new event-based communication protocol proposed by the authors.
TL;DR: It will be explained why the P2P UPIR protocol may have a flaw in the protection of the privacy of the client in front of the server, and why the projective planes are still the optimal configurations for P2P UPIR for the modified protocol.
Abstract: User-private information retrieval (UPIR) is the art of retrieving information without telling the information holder who you are. UPIR is sometimes called anonymous keyword search. This article discusses a UPIR protocol in which the users form a peer-to-peer network over which they collaborate in protecting the privacy of each other. The protocol is known as P2P UPIR. It will be explained why the P2P UPIR protocol may have a flaw in the protection of the privacy of the client in front of the server. Two alternative variations of the protocols are discussed. One of these will prove to resolve the privacy flaw discovered in the original protocol. Hence the aim of this article is to propose a modification of the P2P UPIR protocol. It is justified why the projective planes are still the optimal configurations for P2P UPIR for the modified protocol.
TL;DR: A framework for the modular design and analysis of multi-party protocols called “GNUC”, which offers a universal composition theorem, as well as a theorem for composing protocols with joint state, and deviates from UC in several important aspects.
Abstract: We put forward a framework for the modular design and analysis of multi-party protocols. Our framework is called “GNUC” (with the recursive meaning “GNUC’s Not UC”), already alluding to the similarity to Canetti’s Universal Composability (UC) framework. In particular, like UC, we offer a universal composition theorem, as well as a theorem for composing protocols with joint state. We deviate from UC in several important aspects. Specifically, we have a rather different view than UC on the structuring of protocols, on the notion of polynomial-time protocols and attacks, and on corruptions. We will motivate our definitional choices by explaining why the definitions in the UC framework are problematic, and how we overcome these problems. Our goal is to offer a framework that is largely compatible with UC, such that previous results formulated in UC carry over to GNUC with minimal changes. We exemplify this by giving explicit formulations for several important protocol tasks, including authenticated and secure communication, as well as commitment and secure function evaluation.
TL;DR: The well-known AES-GCM cryptographic and authentication algorithm is used to secure this low-speed serial communication protocol, I2CSec, which allows the use of this standard in applications where security is an issue and computation resources are constrained.
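The abstract above only names AES-GCM as the primitive behind I2CSec; the details that decide whether such a link is actually secure are the nonce construction, what goes into the associated data, and replay handling. The following Go program is an added example written for this page and is not the I2CSec authors' code or frame format. It assumes a frame layout of a 1-byte device address and a 4-byte frame counter in clear (bound to the ciphertext as GCM associated data), followed by the ciphertext and the 16-byte tag; the GCM nonce is an 8-byte per-link salt followed by that counter, and the receiver keeps a high-water mark so a replayed or reordered frame is rejected. The key, salt and payloads are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout (an assumption for this example, not the I2CSec format):
//   [ addr (1) | counter (4, big-endian) | ciphertext | GCM tag (16) ]
// addr || counter is the 5-byte header; it travels in clear and is bound to the
// ciphertext as GCM associated data, so altering the target address or the
// counter invalidates the tag.
const hdrLen = 5

// SecureLink is one direction of an AES-GCM protected serial link. The nonce is
// an 8-byte per-link salt followed by the 4-byte frame counter, so a nonce is
// never reused under one key as long as the counter is never allowed to wrap.
// A bidirectional link needs a second SecureLink with its own key or salt.
type SecureLink struct {
	aead cipher.AEAD
	salt [8]byte
	ctr  uint32 // sender: last counter used; receiver: highest counter accepted
}

// NewSecureLink builds the AEAD for a 16-, 24- or 32-byte AES key.
func NewSecureLink(key []byte, salt [8]byte) (*SecureLink, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &SecureLink{aead: aead, salt: salt}, nil
}

func (l *SecureLink) nonce(ctr uint32) []byte {
	n := make([]byte, l.aead.NonceSize())
	copy(n, l.salt[:])
	binary.BigEndian.PutUint32(n[8:], ctr)
	return n
}

// Seal encrypts payload for the device at addr and returns the wire frame.
// It refuses to wrap the counter: a repeated (salt, counter) nonce under the
// same key would destroy GCM's confidentiality and authenticity guarantees.
func (l *SecureLink) Seal(addr byte, payload []byte) ([]byte, error) {
	if l.ctr == ^uint32(0) {
		return nil, errors.New("frame counter exhausted; rekey before sending more")
	}
	l.ctr++
	hdr := make([]byte, hdrLen)
	hdr[0] = addr
	binary.BigEndian.PutUint32(hdr[1:], l.ctr)
	frame := make([]byte, hdrLen, hdrLen+len(payload)+l.aead.Overhead())
	copy(frame, hdr)
	return l.aead.Seal(frame, l.nonce(l.ctr), payload, hdr), nil
}

// Open verifies and decrypts a frame. The counter check runs before the tag
// check so a replayed frame is dropped cheaply, and the accepted-counter
// watermark moves only after the tag verifies, so a forged frame with a large
// counter cannot push it forward.
func (l *SecureLink) Open(frame []byte) (addr byte, payload []byte, err error) {
	if len(frame) < hdrLen+l.aead.Overhead() {
		return 0, nil, errors.New("frame too short")
	}
	hdr := frame[:hdrLen]
	ctr := binary.BigEndian.Uint32(hdr[1:])
	if ctr <= l.ctr {
		return 0, nil, errors.New("replayed or stale frame counter")
	}
	payload, err = l.aead.Open(nil, l.nonce(ctr), frame[hdrLen:], hdr)
	if err != nil {
		return 0, nil, err // tag mismatch: payload or header was modified
	}
	l.ctr = ctr
	return hdr[0], payload, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	var salt [8]byte
	copy(salt[:], "i2c-link") // constructed per-link salt
	tx, _ := NewSecureLink(key, salt) // master side
	rx, _ := NewSecureLink(key, salt) // slave side, same key and salt

	frame, _ := tx.Seal(0x48, []byte("temp=23.5"))
	fmt.Printf("frame: %x\n", frame)
	addr, pt, err := rx.Open(frame)
	fmt.Printf("addr=0x%02x payload=%q err=%v\n", addr, pt, err)

	_, _, err = rx.Open(frame) // the same frame delivered again
	fmt.Println("replay:", err)

	frame, _ = tx.Seal(0x48, []byte("cfg=1"))
	frame[0] = 0x49 // redirect the command to another device address
	_, _, err = rx.Open(frame)
	fmt.Println("header tamper:", err)
}
```

The address is deliberately kept outside the ciphertext: an I2C slave has to see its address before it can decrypt anything, so integrity of the header comes from the associated data rather than from encryption. The counter doubles as nonce and replay guard, which is why the code treats counter exhaustion as a hard stop rather than wrapping.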
TL;DR: In this protocol, no classical message has to be exchanged during the decoding of the secret messages, so the present scheme not only overcomes the drawback of "information leakage" but also possesses the characteristics of security and maximum efficiency.
Abstract: An efficient, practical, feasible protocol for quantum secure dialogue using single photons is proposed. Compared with previous protocols, in the proposed protocol no classical message has to be exchanged during the decoding of the secret messages, so the present scheme not only overcomes the drawback of "information leakage" but also possesses the characteristics of security and maximum efficiency. The other highlight of our protocol is that, in this method, one party is able to first read the message received from the other party before sending another message back in reply.
TL;DR: The Adopted-Pet protocol is introduced, an automatic (i.e. requiring no human interaction) secure pairing protocol, adequate for the pairing between a passive RFID tag and a reader, and shows that the protocol is highly secure against occasional malicious entities.
Abstract: This paper introduces the Adopted-Pet (AP) protocol, an automatic (i.e. requiring no human interaction) secure pairing protocol, adequate for the pairing between a passive RFID tag and a reader. Most pairing protocols rely for their security on a certain advantage that the legitimate devices have over any malicious users. Such advantages include proximity (employing near-field communication) or secret keys that are either produced with the assistance of, or verified by, the legitimate user. The advantage exploited by our novel AP protocol is the amount of uninterrupted time spent by the two devices in the proximity (although not requiring near-field communication) of each other. We discuss several implementation configurations, all based on pseudo-random bit generators, employing short-length LFSRs, and requiring no more than 2000 transistors. This makes the protocol ideally suited for low-cost passive RFID tags. For each configuration we show that the AP protocol is highly secure against occasional malicious entities.
TL;DR: The proposed identity-based multiple key exchange protocol is proven secure in a formal security model, in the random oracle model, under the CDH and BDH assumptions.
TL;DR: This paper presents a novel cryptographic authentication protocol that is fully secure and fills the security holes imposed by RFID technology, and that has a significantly lower cost in terms of computation, memory and communication compared to most existing RFID protocols.
Abstract: Authentication of products and humans is one of the main applications of RFID technology. In this paper, we present a novel cryptographic authentication protocol that is fully secure and fills the security holes imposed by RFID technology. Our proposed authentication protocol has a significantly lower cost in terms of computation, memory and communication compared to most of the existing RFID protocols. We compare our protocol with the existing protocols by implementing all these authentication protocols for the first time on a passive, computation-capable RFID tag developed by Intel known as WISP.