Our Contributions. The main contributions of this paper are our novel design method for ciphers with efficient fault-detecting implementations and the concrete authenticated encryption scheme Friet, implemented with a new permutation Friet-P designed with our method. Moreover, we provide a design rationale for the permutation, performance evaluations in software and hardware including comparison with other relevant permutations, results of fault detection experiments, and an evaluation of the impact of our method on leakage.
Our Contributions. We provide definitions and constant-round protocols for key agreement from noisy pass-strings that have well-specified composition properties via the UC framework [Can01]. Instead of imposing entropy requirements or other requirements on the distribution of pass-strings, our protocols are secure as long as the adversary cannot guess a pass-string value that is sufficiently close. There is no requirement, for example, that the amount of pass-string entropy is greater than the number of errors; in fact, one of our protocols is suitable for iris scans. Moreover, our protocols prevent off-line attacks, so each adversarial attempt to get close to the correct pass-string requires an on-line interaction by the adversary. Thus, for example, our protocols can be meaningfully run with pass-strings whose entropy is only 30 bits—something not possible with any prior protocols for the noisy case.
Our Contributions. Our main contribution is a compiler that enjoys all of the above properties. Our compiler transforms any two given protocols BAAuth, XXXxx in the authenticated and sabotaged settings, respectively, into a protocol Juggernaut with crypto-agnostic security and optimal resilience t_s + 2t_i < n, t_i ≤ t_s < n. Furthermore, Juggernaut uses BAAuth, XXXxx in a black-box manner, and Juggernaut incurs only an additive O(λn^2) bits of communication over BAAuth, XXXxx. Our protocol optimizes for the practical authenticated case: if BAAuth is early stopping, then so is Juggernaut in the authenticated setting. Moreover, if BAAuth is a randomized protocol with expected round complexity R, then Juggernaut has expected round complexity O(R) in the authenticated setting. Therefore, our protocol effectively provides crypto-agnostic security to an authenticated protocol for free. Along the way, we propose two new graded consensus gadgets with O(λn^2) bit complexity and constant (worst-case) round complexity that provide partial security guarantees in one world (authenticated resp. sabotaged) and full security in the other (sabotaged resp. authenticated); these may be of independent interest. Using our compiler, we propose two concrete protocols, one deterministic and one randomized. Our deterministic protocol has O(λn^2) bit complexity in all cases, O(f) round complexity for f actual failures in the authenticated case, and O(n) rounds in the sabotaged case. Our randomized protocol has O(λn^2) expected bit complexity and constant expected round complexity in the authenticated case, and uses O(λ^2 n^2) bits and O(λ + f) rounds in the sabotaged case.
Our Contributions. In this work, we present a provably secure and minimal-cost SAS-AKA scheme which re-uses public key pairs across protocol sessions and thus presents a lower-cost but non-PFS alternative to the perfect-forward-secret SAS-AKA protocols of [10,12]. Our SAS-AKA relies on non-malleable commitments just like the SAS-AKA schemes of [20,9,12], but unlike the previous schemes it is built directly on CCA-secure encryption, and it relies on encryption not just for key establishment but also for authentication security. As a consequence, the new SAS-AKA is somewhat simpler than the previous SAS-AKAs, which were built on top of the three-round SAS-MCAs of [9,12]; in particular it does not need to use universal hash functions. However, the most important contribution of the new SAS-AKA scheme is that it remains secure if each player uses a permanent public key, and hence shares state across all protocol sessions it executes. This leads to two minimal-cost 3-round non-PFS SAS-AKA protocols where the same public/private key pair or the same Xxxxxx-Xxxxxxx random contribution is re-used across protocol instances. Specifically, when instantiated with the hash-based commitment and the CCA-secure OAEP-RSA, this implies a 3-round SAS-AKA protocol secure under the RSA assumption in the ROM, with the cost of a single RSA encryption for the responder and a single RSA decryption for the initiator. When instantiated with the randomness-reusing CCA-secure version of ElGamal [3], this implies a 3-round SAS-AKA protocol secure under the DH assumption in the ROM, with the cost of one exponentiation per player. In other words, the costs of the SAS-AKA protocols implied by our result are (for the first time) essentially the same as the costs of the corresponding basic unauthenticated key agreement protocols.
By contrast, previously known PFS SAS-AKA protocols require two exponentiations per player if they are based on DH [12,10], or generation of a fresh public/private RSA key pair for each protocol instance if the general result of [12] is instantiated with an RSA-based key agreement. We note that the SAS-MCA/AKA protocol we show secure is very similar to the SAS-AKA protocols of [20,9,12], and it is indeed only a new variant of the same three-round commitment-based SAS-MA protocol analyzed in [20], which also forms a starting point for the protocols of [9,12]. However, prior to our work there was no argument that such an SAS-AKA scheme remains secure when players re-use their pu...
Our Contributions. We focus on the abstract problem of secret-key agreement between two parties holding instances w, w' of correlated random variables W, W' that are guaranteed to be close but not necessarily identical. Specifically, we assume that w and w' are within distance t in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics. We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding w, computes (R, P) ← Gen(w) and sends P to the second party; this second party computes R' ← Rep(w', P). (If the parties share a long-term key SKExt then Gen, Rep take this key as additional input.) The basic requirements, informally, are Correctness: R = R' whenever w' is within distance t of w.
Our Contributions. First, this paper performs a systematic analysis of the causes of the information sharing problem among government agencies, and it identifies the unique trust management requirements for effective information sharing among government agencies. Second, this paper proposes an innovative interest-based trust model and a novel information sharing protocol, in which a family of information sharing policies is integrated, and information exchange and trust negotiation are interleaved with and interdependent upon each other. Third, an implementation of this protocol is presented using the emerging technology of XML Web Services. The implementation is fully compatible with the FEA reference models and can be directly integrated into existing E-Government systems. We believe the proposed trust model and information sharing protocol may dramatically improve the effectiveness of information sharing among government agencies and reduce the deficiencies in countering terrorist attacks.
Our Contributions. In our PAKA, the patient U_i can remotely log in to the physical server PS_jk, which is under the jurisdiction of the medical server MS_j. U_i and MS_j need to register at the registration center MRS in advance. In the AKA process, MS_j authenticates U_i and forwards U_i's login request to PS_jk. After verifying the validity of MS_j's message, PS_jk sends its message directly to U_i. Thereafter, U_i and PS_jk not only achieve mutual authentication but also establish a session key. Compared with [16], the PAKA protocol not only requires lower computational and communication cost, but also provides the following security features.
• First, the PAKA protocol provides user anonymity, protecting the patient's privacy through randomized pseudonyms. The medical server and physical server only verify that the authenticated patient is a legitimate patient, but do not learn his true identity. Hence, our PAKA protocol is practical in privacy-enhanced scenarios.
• Second, the PAKA protocol realizes authentication and key agreement among mobile-terminal patients, different remote medical servers and physical servers using only hash and XOR operations, which require little computation, energy and storage overhead on the patients' mobile terminals. A patient can log in to several different medical servers to obtain different medical services using a single username and password, without repeated registration. The whole protocol still adopts the classic three-way 'request-challenge-response' handshake and does not increase the number of interactions or the communication overhead. Compared with other existing protocols in TMIS (shown in Table 2), the PAKA protocol is more lightweight and efficient. Hence, it is very suitable for computation-limited mobile devices.
• Third, the PAKA protocol provides three-factor authentication including the smart card (something the user has), password (something the user knows) and biometric key (something the user is). Because a biometric key is difficult to lose, forget, copy, share, guess or break, it is believed to be a reliable authentication factor [17], [18]. In our PAKA protocol, the smart card is used to authenticate the cardholder. Only when the entered identity, password and biometric key are all correct can the smart card be activated and interact with the remote medical servers to assist the patient with authentication. The biometric key is obtained by a fuzzy extractor which can output the same random ...
Our Contributions. In this paper we present the Contributory Broadcast Encryption (CBE) primitive, which is a hybrid of GKA and BE. The new cryptographic primitive is motivated by the emerging communication and computation platforms. In CBE, a group of members contribute to the public group encryption key, and a sender can securely broadcast to any subset of the group members chosen in an ad hoc way. Specifically, our main contributions can be summarized as follows. First, we present a model of CBE and formalize its security definitions. CBE incorporates the underlying ideas of GKA and BE. In the set-up stage of a CBE scheme, a group of members interact via open networks to negotiate a common encryption key while each member holds a different secret decryption key. Using the common encryption key, anyone can encrypt any message to any subset of the group members and only the intended receivers can decrypt. Unlike GKA, CBE allows the sender to exclude some members from reading the ciphertexts.
Our Contributions. In this paper we propose a new CGKA protocol called CoCoA (for COncurrent COntinuous group key Agreement) which is designed specifically to allow for efficient concurrent group operations. In contrast to past CGKA protocols, update operations may require more than 2 rounds (in the worst case log(n) rounds). However, even when all n users update their keys concurrently in log(n) rounds, the total communication complexity of any user is only roughly (log(n))^2 constant-size ciphertexts. This circumvents the lower bound of [9], which only holds for updates that complete in at most 2 rounds. So, for the price of more interaction, CoCoA can greatly decrease the actual bandwidth consumed. To emphasize this even more, consider the cost of transitioning from a fully blanked tree to a fully unblanked one. We believe this to be a particularly interesting case as it captures the transition from any freshly created group into a bandwidth-optimal one. The faster and cheaper this transition can be completed, the sooner an execution can begin its optimal-complexity behaviour. TreeKEM [7], the CGKA scheme used in the MLS messaging protocol, needs n/2 rounds with receiver complexity, i.e. number of ciphertexts downloaded per user, of Ω(n log(n)). The protocol in [9], in turn, would be able to unblank the whole tree in 2 rounds with linear sender and recipient communication per user. In contrast, in CoCoA the tree can be unblanked in 1 round with linear sender cost but only logarithmic recipient cost. For big groups this difference is very significant.