Our Contributions. The main contributions of this paper are our novel design method for ciphers with efficient fault-detecting implementations and the concrete authenticated encryption scheme Friet implemented with a new permutation Friet-P designed with our method. Moreover, we provide a design rationale for the permutation, performance evaluations in software and hardware including comparison with other relevant permutations, results of fault detection experiments and an evaluation of the impact of our method on leakage.
Our Contributions. We answer the remaining part of the open question for large inputs and present the first MVBA protocols with expected O(An + λn²) communicated bits. More precisely,
Our Contributions. We provide definitions and constant-round protocols for key agreement from noisy pass-strings that:
– Resist off-line dictionary attacks and thus can handle low-entropy pass-strings,
– Can handle a variety of noise types and have high error-tolerance, and
– Have well specified composition properties via the UC framework [17].
Instead of imposing entropy requirements or other requirements on the distribution of pass-strings, our protocols are secure as long as the adversary cannot guess a pass-string value that is sufficiently close. There is no requirement, for example, that the amount of pass-string entropy is greater than the number of errors; in fact, one of our protocols is suitable for iris scans. Moreover, our protocols prevent off-line attacks, so each adversarial attempt to get close to the correct pass-string requires an on-line interaction by the adversary. Thus, for example, our protocols can be meaningfully run with pass-strings whose entropy is only 30 bits, something not possible with any prior protocols for the noisy case.
Our Contributions. In this work, we present a provably secure and minimal cost SAS-AKA scheme which re-uses public key pairs across protocol sessions and thus presents a lower-cost but non-PFS alternative to the perfect-forward secret SAS-AKA protocols of [9, 11]. Our SAS-AKA relies on non-malleable commitments just like the SAS-AKA schemes of [19, 8, 11], but unlike the previous schemes it is built directly on CCA-secure encryption, and it relies on encryption not just for key-establishment but also for authentication security. As a consequence, the new SAS-AKA is somewhat simpler than the previous SAS-AKA’s which were built on top of the three-round SAS-MCA’s of [8, 11], and in particular it does not need to use universal hash functions.³ However, the most important contribution of the new SAS-AKA scheme is that it remains secure if each player uses a permanent public key, and hence shares a state across all protocol sessions it executes. This leads to two minimal-cost 3-round non-PFS SAS-AKA protocols where the same public/private key pair or the same Xxxxxx-Xxxxxxx random contribution is re-used across protocol instances. Specifically, when instantiated with the hash-based commitment and the CCA-secure OAEP-RSA, this implies a 3-round SAS-AKA protocol secure under the RSA assumption in ROM, with the cost of a single RSA encryption for the responder and a single RSA decryption for the initiator.
³ On the other hand, it might help to clarify that even though our SAS-AKA protocol implies also a new SAS-MCA scheme, we do not claim that our scheme is interesting as SAS-MCA, because it relies on a public-key encryption and is therefore much more expensive than the SAS-MCA’s of [8, 11] which can be implemented using only symmetric-key cryptography, at least in ROM.
When instantiated with the randomness-reusing CCA-secure version of ElGamal [3] this implies a 3-round SAS-AKA protocol secure under the DH assumption in ROM, with the cost of one exponentiation per player. In other words, the costs of the SAS-AKA protocols implied by our result are (for the first time) essentially the same as the costs of the corresponding basic unauthenticated key agreement protocols. By contrast, previously known PFS SAS-AKA protocols require two exponentiations per player if they are based on DH [11, 9] or a generation of a fresh public/private RSA key pair for each protocol instance if the general result of [11] is instantiated with an RSA-based key agreement. We note that the SAS-MCA/AK...
Our Contributions. We focus on the abstract problem of secret-key agreement between two parties holding instances w, w′ of correlated random variables W, W′ that are guaranteed to be close but not necessarily identical. Specifically, we assume that w and w′ are within distance t in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics. We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding w, computes (R, P) ← Gen(w) and sends P to the second party; this second party computes R′ ← Rep(w′, P). (If the parties share a long-term key SKExt then Gen, Rep take this key as additional input.) The basic requirements, informally, are Correctness: R = R′ whenever w′ is within distance t of w.
Our Contributions. You acknowledge that any copyright or other intellectual property rights arising from our activities in preparing the Work for publication (including, without limitation, the development of supporting textual or illustrative material) shall be owned by us.
Our Contributions. This work addresses two problems: (1) The performance and accuracy tradeoffs between exact matching PSI and fuzzy matching PSI protocols. (2) The correctness and privacy problems introduced to PSI by the possibility of poorly defined rows. We address both of these problems in one shot by defining a functionality that computes shared primary keys for two parties’ databases, such that the keys can be used multiple times as inputs to successive efficient PSI protocols, without revealing the keys to the parties. We refer to our stated problem as the private identity agreement functionality, and define it formally. We additionally discuss the security implications of composing our identity agreement functionality and subsequent PSI functionalities. We note that identity agreement is substantially more complex than private set intersection and private record linkage because of the concerns introduced by producing an intermediate output of a larger functionality. After defining the identity agreement problem, we present a novel two-party protocol that solves the problem. We additionally describe a modification to our generic protocol that allows the outputs to naturally compose with DDH-style PSI protocols. Finally, we present the performance of our prototype implementation.
2 Problem Definition
Our setting assumes two parties, each holding some database, that wish to engage in inner-join style queries on their two databases, which we refer to as the private joint-database query functionality F_Query. The join will be over some subset of columns, and will be a disjunction, i.e. two rows are matched if any of the columns in the join match. In Figure 1 we present the ideal private joint-database query functionality. We consider a scenario in which it is advantageous for the parties to first establish a new database column containing keys for each record, so that this key can be used for many exact-match PSI protocols.
We refer to this as the private identity agreement functionality, denoted F_ID and described in Figure 2. As we have explained, establishing these keys is a setup phase in a general protocol that realizes F_Query. Importantly, the newly established identities should not be revealed to either party, as this could also reveal information about the other party’s input. This makes it impossible to separate the protocol for F_ID from the subsequent PSI-style protocols that the parties will use for their joint queries. We must instead modify the PSI-style protoc...
Our Contributions. In this paper, we classify the functions of password authentication key exchange schemes based on smart cards into two types, essential functions and auxiliary functions. Then, we propose a strong off-line guessing attack called the stealing card and eavesdropping off-line guessing attack, SEG attack for short. After pointing out SEG attack flaws in recent schemes, we propose a strong multi-function scheme with privacy preservation that is more efficient and secure than the related work.
Our Contributions. We propose a three round authenticated GKA protocol with efficient procedures for group mergers and partitions. The protocol is shown secure against an active adversary (in the standard model) and has a tight security reduction. The protocol is simple (a very natural extension of the 2-party DH key agreement) and thus carries a simple proof of security. It benefits from the following features:
Our Contributions. We completely characterize the feasibility of AA in the best-of-both-worlds setting, by presenting a protocol and a matching impossibility result.
• Feasibility result: Let 0 ≤ 𝑡𝑎 < 𝑛/3 ≤ 𝑡𝑠 < 𝑛/2. We present an Approximate Agreement protocol that is secure against 𝑡𝑠 corruptions in a synchronous network and 𝑡𝑎 corruptions in an asynchronous network, as long as 2 · 𝑡𝑠 + 𝑡𝑎 < 𝑛, assuming a setup for digital signatures. By setting 𝑡𝑎 = 0, this is also the first AA protocol that achieves up to 𝑡𝑠 < 𝑛/2 corruptions in the purely synchronous model.
• Impossibility result: If 2 · 𝑡𝑠 + 𝑡𝑎 ≥ 𝑛, there is no Approximate Agreement protocol secure against 𝑡𝑠 corruptions in a synchronous network and 𝑡𝑎 corruptions in an asynchronous network, even with setup.