Our Contributions Sample Clauses

Our Contributions. The main contributions of this paper are our novel design method for ciphers with efficient fault-detecting implementations and the concrete authenticated encryption scheme Friet implemented with a new permutation Friet-P designed with our method. Moreover, we provide a design rationale for the permutation, performance evaluations in software and hardware including comparison with other relevant permutations, results of fault detection experiments and an evaluation of the impact of our method on leakage.
Our Contributions. We provide definitions and constant-round protocols for key agreement from noisy pass-strings that have well-specified composition properties via the UC framework [Can01]. Instead of imposing entropy requirements or other requirements on the distribution of pass-strings, our protocols are secure as long as the adversary cannot guess a pass-string value that is sufficiently close. There is no requirement, for example, that the amount of pass-string entropy is greater than the number of errors; in fact, one of our protocols is suitable for iris scans. Moreover, our protocols prevent off-line attacks, so each adversarial attempt to get close to the correct pass-string requires an on-line interaction by the adversary. Thus, for example, our protocols can be meaningfully run with pass-strings whose entropy is only 30 bits—something not possible with any prior protocols for the noisy case.
Our Contributions. Our main contribution is a compiler that enjoys all of the above properties. Our compiler transforms any two given protocols BAAuth, XXXxx in the authenticated and sabotaged settings, respectively, into a protocol Juggernaut with crypto-agnostic security with optimal resilience ts + 2ti < n, ti ≤ ts < n. Furthermore, Juggernaut uses BAAuth, XXXxx in a black-box manner, and Juggernaut has an additive factor of just O(λn²) bits of communication over BAAuth, XXXxx. Our protocol optimizes for the practical authenticated case: if BAAuth is early stopping, then so is Juggernaut in the authenticated setting. Moreover, if BAAuth is a randomized protocol with expected round complexity R, then Juggernaut has expected round complexity O(R) in the authenticated setting. Therefore, our protocol effectively provides crypto-agnostic security to an authenticated protocol for free. Along the way, we propose two new graded consensus gadgets with O(λn²) bit complexity and constant (worst-case) round complexity that provide partial security guarantees in one world (authenticated resp. sabotaged) and full security in the other (sabotaged resp. authenticated); these may be of independent interest. Using our compiler, we propose two concrete protocols, one deterministic and one randomized. Our deterministic protocol has O(λn²) bit complexity in all cases, has O(f) round complexity for f actual failures in the authenticated case and uses O(n) rounds in the sabotaged case. Our randomized protocol has O(λn²) expected bit complexity and constant expected round complexity in the authenticated case, and uses O(λ²n²) bits and O(λ + f) rounds in the sabotaged case.
Our Contributions. We focus on the abstract problem of secret-key agreement between two parties holding instances w, w′ of correlated random variables W, W′ that are guaranteed to be close but not necessarily identical. Specifically, we assume that w and w′ are within distance t in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics. We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding w, computes (R, P) ← Gen(w) and sends P to the second party; this second party computes R′ ← Rep(w′, P). (If the parties share a long-term key SKExt then Gen, Rep take this key as additional input.) The basic requirements, informally, are Correctness: R = R′ whenever w′ is within distance t of w.
Our Contributions. In this work, we present a provably secure and minimal cost SAS-AKA scheme which re-uses public key pairs across protocol sessions and thus presents a lower-cost but non-PFS alternative to the perfect-forward secret SAS-AKA protocols of [9, 11]. Our SAS-AKA relies on a non-malleable commitment just like the SAS-AKA schemes of [19, 8, 11], but unlike the previous schemes it is built directly on CCA-secure encryption, and it relies on encryption not just for key-establishment but also for authentication security. As a consequence, the new SAS-AKA is somewhat simpler than the previous SAS-AKA's which were built on top of the three-round SAS-MCA's of [8, 11], and in particular it does not need to use universal hash functions.³ However, the most important contribution of the new SAS-AKA scheme is that it remains secure if each player uses a permanent public key, and hence shares a state across all protocol sessions it executes. This leads to two minimal-cost 3-round non-PFS SAS-AKA protocols where the same public/private key pair or the same Xxxxxx-Xxxxxxx random contribution is re-used across protocol instances. Specifically, when instantiated with the hash-based commitment and the CCA-secure OAEP-RSA, this implies a 3-round SAS-AKA protocol secure under the RSA assumption in ROM, with the cost of a single RSA encryption for the responder and a single RSA decryption for the initiator. When instantiated with the randomness-reusing CCA-secure version of ElGamal [3] this implies a 3-round SAS-AKA protocol secure under the DH assumption in ROM, with the cost of one exponentiation per player. In other words, the costs of the SAS-AKA protocols implied by our result are (for the first time) essentially the same as the costs of the corresponding basic unauthenticated key agreement protocols. By contrast, previously known PFS SAS-AKA protocols require two exponentiations per player if they are based on DH [11, 9] or a generation of a fresh public/private RSA key pair for each protocol instance if the general result of [11] is instantiated with an RSA-based key agreement. We note that the SAS-MCA/AK...

³ On the other hand, it might help to clarify that even though our SAS-AKA protocol implies also a new SAS-MCA scheme, we do not claim that our scheme is interesting as SAS-MCA, because it relies on public-key encryption and is therefore much more expensive than the SAS-MCA's of [8, 11] which can be implemented using only symmetric-key cryptography, at least in ROM.
Our Contributions. We propose a three round authenticated GKA protocol with efficient procedures for group mergers and partitions. The protocol is shown secure against an active adversary (in the standard model) and has a tight security reduction. The protocol is simple (a very natural extension of the 2-party DH key agreement) and thus carries a simple proof of security. It benefits from the following features: 1) Relevance to ad hoc networks: This protocol is well suited to ad hoc networks¹ as it requires no special ordering of the participants. For each execution of the protocol, a random participant can be chosen as the group leader. It is robust, as loss of messages from some participants towards the leader does not prevent other participants from calculating the group key. It has efficient Merge and Partition procedures to handle dynamism in ad hoc networks and also provides a mechanism to change the group leader in each session. Also the bulk of the computation can be assigned to more powerful devices, as most ad hoc networks are expected to be composed of devices of unequal computing power. 2) Simple and Efficient: The protocol along with the merge and partition procedures is simple and efficient. It has a simple yet tightest proof of security in the standard model under the Decisional Xxxxxx-Xxxxxxx Assumption.

¹ A preliminary version of our protocol was published at TSPUC 2005 [3] which used Yung's compiler for authentication.
Our Contributions. We present dtsPBC with iteration extended with immediate multiactions, called discrete time stochastic and immediate Petri Box Calculus (dtsiPBC), which is a discrete time analog of sPBC. The latter calculus has iteration and immediate multiactions within the context of a continuous time domain. The step operational semantics is constructed with the use of labeled probabilistic transition systems. The denotational semantics is defined in terms of a subclass of labeled discrete time stochastic and immediate PNs (LDTSPNs with immediate transitions, LDTSIPNs), based on the extension of DTSPNs with transition labeling and immediate transitions, called dtsi-boxes. The consistency of both semantics is demonstrated. The corresponding stochastic process, the underlying SMC, is constructed and investigated, with the purpose of performance evaluation, which is the same for both semantics. In addition, alternative solution methods are developed, based on the underlying DTMC. Further, we propose step stochastic bisimulation equivalence allowing one to identify algebraic processes with similar behaviour that are however differentiated by the semantics of the calculus. We examine the interrelations of the proposed relation with other equivalences of the algebra. We describe how step stochastic bisimulation equivalence can be used to reduce transition systems of expressions and their underlying SMCs while preserving the qualitative and the quantitative characteristics. We prove that the mentioned equivalence guarantees identity of the stationary behaviour and the residence time properties in the equivalence classes. This implies coincidence of performance indices, based on steady-state probabilities of the modeled stochastic systems. The equivalences possessing the property can be used to reduce the state space of a system and thus simplify its performance evaluation, which is usually a complex problem due to the state space explosion.
We present a case study of a system with two processors and a common shared memory explaining how to model concurrent systems within the calculus and analyze their performance, as well as how to reduce the systems' behaviour while preserving their performance indices and making the performance evaluation easier. Finally, we consider differences and similarities between dtsiPBC and other SPAs to determine the advantages of our calculus. The salient point of dtsiPBC is a combination of immediate multiactions, discrete stochastic tim...
Our Contributions. In this paper (full version in [2]) we propose a new CGKA protocol called CoCoA (for COncurrent COntinuous group key Agreement) which is designed specifically to allow for efficient concurrent group operations. In contrast to past CGKA protocols, update operations may require more than 2 rounds (in the worst case log(n) rounds). However, even when all n users update their keys concurrently in log(n) rounds, the total communication complexity of any user is only roughly (log(n))² (constant size) ciphertexts. This circumvents [9] as their lower-bound only holds for updates that complete in at most 2 rounds. So, for the price of more interaction CoCoA can greatly decrease the actual bandwidth consumed. To emphasize this even more, consider the cost of transitioning from a fully blanked tree to a fully unblanked one. We believe this to be a particularly interesting case as it captures the transition from any freshly created group into a bandwidth-optimal one. The faster/cheaper this transition can be completed, the faster an execution can begin optimal complexity behaviour. TreeKEM [7], the CGKA scheme used in the MLS messaging protocol, needs n/2 rounds with receiver complexity, i.e. number of ciphertexts downloaded per user, Ω(n log(n)). The protocol in [9], in turn, would be able to unblank the whole tree in 2 rounds with linear sender and recipient communication per user. In contrast, in CoCoA the tree could be unblanked in 1 round with linear sender cost, but only logarithmic recipient cost. For big groups this difference is very significant.
Our Contributions. Our contribution in [109] is to present a generalised implementation of the MaxShift algorithm as proposed by [27] — MaxShiftM — employing the Hamming distance model [55] to perform Fixed Length Approximate String Matching (FLASM). Our implementation overcomes the limitation of ℓ ≤ w of a naïve implementation, meaning the length of a factor can be longer than the computer word size. And in [4] we make use of Xxxxx’ algorithm [95] for approximate pattern matching, employing the edit distance model [28], and tailor it to solving the FLASM problem. We have released both algorithms bundled in an open-source C++ software library — libFLASM — which we provide with example applications and documentation. In this thesis we demonstrate practical applications of the algorithms in biological as well as general purpose contexts.