Our Contribution Sample Clauses

Our Contribution. We propose a new lightweight authentication and key agreement (LAKA) scheme for SMI from the perspective of SENs. The main contributions are:
• LAKA supports mutual authentication, key establishment, anonymity and integrity, and is practical in the SMI. The scheme requires less computational cost as it is built upon ECC, symmetric encryption, a hash function and a message authentication code.
• We analyze the security strength of LAKA and use the AVISPA (i.e., automated verification of Internet security protocols and applications) tool to formally prove that, with the help of our scheme, the SMI is semantically secure.
Our Contribution. Our group key agreement protocol is provably secure against a powerful active adversary who controls all communication flows in the network and even executes an unbounded number of concurrent instances of the protocol. We provide a rigorous proof of security under the well-known Decisional Xxxxxx-Xxxxxxx (DDH) assumption in a formal security model which improves that of Bresson et al. [12]. Furthermore, in contrast with other asymmetric protocols [6, 11] with provable security, our group key agreement protocol provides perfect forward secrecy; i.e., disclosure of long-term secret keys does not compromise the security of previously established session keys. Despite meeting all these strong notions of security, our construction is surprisingly simple and provides a practical solution for group key agreement in a mobile environment similar to our setting. In a protocol execution involving mobile hosts, a bottleneck arises when the number of public-key cryptography operations that need to be performed by a mobile host increases as the group size grows. It is therefore of prime importance for a group key agreement protocol to offer a low, fixed amount of computation to its mobile participants. To this end our protocol shifts much of the computational burden to the server, which has sufficient computational power. By allowing this computational asymmetry among protocol participants (as can also be observed in the previous works [6, 11]), the computational cost of a mobile participant of our protocol is reduced to two modular exponentiations (plus one signature generation and verification), independent of the number of participants. In addition, our group key agreement protocol is very efficient in terms of the number of communication rounds; it requires only three rounds of communication among participants.
Keeping the number of communication rounds constant is critical for efficient and scalable group key agreement particularly over a wide area network, where the dominant source of delay is the communication time spent in the network rather than the computational time needed for cryptographic operations [1, 22]. As an additional contribution, we propose a refinement of the standard security model of Bresson et al. [12], which we believe to be an issue of independent interest. As shown in Section 5, our refinement greatly simplifies the security proof of the compiler presented by Xxxx and Yung [23] even in the presence of a stronger adversary.
Our Contribution. We consider collapseability of tree hashing. We will make full use of Xxxx’x framework [8] in order to argue what conditions a tree hashing mode must meet in order to be collapseable. First, in Sect. 4 we consider the basic problem of tree hashing for fixed length messages. For messages of a certain fixed length n, we recursively define a tree hash function TH_n. It is defined based on a split function split(n) ∈ {1, ..., n−1} that prescribes how the final digest is derived from two tree hashes TH_{split(n)} and TH_{n−split(n)} applied to the first split(n) and last n−split(n) message blocks. Then, in Sect. 5, we detail how the result can be extended to variable length hashing using domain separation. In this case, it is assumed that processing of message blocks and chaining values is properly domain-separated in the way the mode calls its compression function. One way of doing so is by appending a 0 to message blocks and a 1 to chaining values. Intuitively, this makes it impossible to replace the chaining value of a subtree with a message block with the same value. We prove that the resulting variable length tree hash function is collapsing. This is done by extending trees with ‘empty’ blocks in such a way that we can reduce collapseability of the variable length mode to that of the fixed length mode. Finally, in Sect. 6, we consider a second way to turn the fixed length construction into a variable length hashing mode: length encoding. Here, we allow any tree hashing mode, but the block length of the message is included by using a final compression function call. This approach makes the final compression functions disjoint for different message lengths, and using previous techniques and the composition results of Xxxx, we likewise manage to prove collapseability.
All three collapseability results come with a security bound that expresses the adversarial advantage relative to the collapseability of the underlying compression function, as well as with a complexity analysis of the resulting modes.
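The fixed-length mode TH_n with its split function, the 0/1 domain separation of Sect. 5 and the length encoding of Sect. 6 described above, as an added example that is not the paper's own code. It assumes SHA-256 as the compression function, a split(n) that picks the largest power of two below n, and a constructed three-block message; it goes slightly beyond the text by exhibiting the subtree-for-block substitution that the untagged mode admits and that both variable-length modes rule out.

```python
import hashlib

MSG, CV = b"\x00", b"\x01"   # domain-separation tags: 0 for message blocks, 1 for chaining values


def f(data: bytes) -> bytes:
    """Compression function; SHA-256 stands in for it here (an assumption, not the paper's choice)."""
    return hashlib.sha256(data).digest()


def split(n: int) -> int:
    """Split function in {1, ..., n-1}; we assume the largest power of two strictly below n."""
    assert n >= 2
    s = 1
    while 2 * s < n:
        s *= 2
    return s


def _tree(blocks, separated):
    """Recursive TH_n: returns (value, kind). A single block is returned untouched, because the
    parent compression call consumes message blocks and chaining values alike; the value of a
    multi-block subtree is f applied to its two children (each tagged when separated=True)."""
    n = len(blocks)
    if n == 1:
        return blocks[0], MSG
    s = split(n)
    left, lk = _tree(blocks[:s], separated)
    right, rk = _tree(blocks[s:], separated)
    if separated:
        return f(left + lk + right + rk), CV
    return f(left + right), CV


def TH(blocks, separated=False):
    """Fixed-length tree hash TH_n over n = len(blocks) blocks (n >= 1)."""
    value, kind = _tree(blocks, separated)
    if kind == MSG:                       # one-block message: a single compression call
        return f(value + kind) if separated else f(value)
    return value


def TH_len(blocks):
    """Variable-length mode via length encoding (Sect. 6): untagged tree, then a final
    compression call that commits to the block length n."""
    return f(TH(blocks) + len(blocks).to_bytes(8, "big"))


def substitution_collision(a, b, x):
    """Constructed pair: the 3-block message [a, b, x] and the 2-block message [TH_2(a, b), x],
    whose first block equals the chaining value of the (a, b) subtree. Returns, per mode,
    whether the two messages hash to the same digest."""
    cv_ab = f(a + b)                      # untagged chaining value of the subtree over (a, b)
    long_msg, short_msg = [a, b, x], [cv_ab, x]
    return {
        "plain": TH(long_msg) == TH(short_msg),                         # True: block swapped for a cv
        "domain_separated": TH(long_msg, True) == TH(short_msg, True),  # False: tags differ
        "length_encoded": TH_len(long_msg) == TH_len(short_msg),        # False: 3 != 2 blocks
    }
```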
Our Contribution. We give an affirmative answer to the above question. At the core of our solution, we present a new efficient private-setup free construction for a reasonably fair common coin that is pluggable into many existing ABA protocols [15,30,18]; more interestingly, we formalize and construct an efficient (reasonably fair) leader election with perfect agreement such that it can be directly plugged into all existing VBA protocols [12,3,28] to remove private setup. In greater detail, our technical contribution is three-fold:
– We give an AVSS construction satisfying the classic CR93 notion [15] with only bulletin PKI (and the discrete logarithm assumption), and it costs only O(n²) messages and O(λn²) bits when sharing a λ-bit secret. To our knowledge, this is the first private-setup free AVSS that attains O(λn²) communication complexity; prior art either relies on private setup [6,23] or incurs at least O(λn³) bits [11,7] (except a very recent work [4], which still has an extra log n factor compared to ours).
– We implement private-setup free ABAs with expected O(n³) message complexity and O(λn³) communication complexity with only bulletin PKI. As illustrated in Table 1, this closes the O(n) gap between the message and the communication complexities in earlier private-setup free ABA protocols such as CKLS02 [11], while preserving other benefits such as the maximal n/3 resilience and the optimal expected constant running time. Even compared with a very recent work due to Xxxxxxx et al. [2] that presents a more efficient VBA construction and improves ABA as a by-product, our approach still realizes a log n factor improvement. The crux of our design is a novel efficient construction for the reasonably fair common coin in the bulletin PKI setting (conditioned on the random oracle model), using the more efficient AVSS protocol and a verifiable random function. This private-setup free common coin costs only O(λn³) bits and constant asynchronous rounds.
– We further present how to efficiently instantiate private-setup free VBAs (i.e., multi-valued Byzantine agreement with external validity) in the asynchronous setting. For λn-bit input, the resulting VBA realizes the maximal n/3 resilience and optimal expected constant running time, costing expected O(n³) messages and O(λn³) bits. As shown in Table 1, this construction closes the O(log n) gap between the message and the communication complexities of VBA protocols. In addition, as a by-product, our VBA const...
Our Contribution. The contributions of this paper are manifold. First, in Sect. 3, we describe a security model for leakage resilient duplexing. To do so, we start from the “ideal equivalent” of the keyed duplex of Daemen et al. [15], called an ideal extendable input function (IXIF), and present an adjusted version AIXIF. AIXIF is semantically equivalent to the IXIF if there is no leakage, but it allows us to properly model leakage resilience of the keyed duplex. The model of leakage resilience of the duplex is now conceptually simple: as we argue in detail in Sect. 3.4, we consider a scheme leakage resilient if no attacker can distinguish a keyed duplex that leaks for every query from the random AIXIF. Here, we focus on non-adaptive leakage, where the leakage function is fixed in advance, akin to [17, 19, 35, 37, 41]. At this point our approach seems to be different from the typical models: the typical approach is to give a distinguisher access to a leaky version and a leak-free version of the cryptographic construction, and it has to distinguish the latter from a random function. The reason that we adopted a different model is that the duplex is just used as a building block for encryption, authenticated encryption, or other types of functionalities. To prove that the use of a leakage resilient duplex gives rise to a leakage resilient construction with one of the above-mentioned functionalities, the typical approach of giving a distinguisher access to a leaky version and a leak-free version of the cryptographic construction has to be used again, as we will show later. Second, in Sect. 5, we perform an in-depth and fine-grained analysis of the keyed duplex in the newly developed model. We take inspiration from Daemen et al. [15], who presented a detailed analysis of the keyed duplex in the black-box scenario, but the proof is not quite the same.
To the contrary, due to various obstacles, it is not possible to argue similarly to Daemen et al., nor to reduce the leakage resilience of a keyed duplex to its black-box security. Instead, we adopt ideas from the analysis of the NORX authenticated encryption scheme of Xxxxxxxxx et al. [26], and reason about the security of the keyed duplex in a sequential manner. One of the difficulties then is to determine the amount of min-entropy of a state in the duplex construction, given that the distinguisher may learn leakage from a duplex construction at different points in time. On the way, in Sect. 4 we give a detailed and accessible rationale of ho...
Our Contribution. The unsatisfactory situation described above has prompted this work aimed at designing an efficient and provably-secure key agreement scheme for a dynamic group where users communicate over a high-delay network environment. We provide a rigorous proof of security of the scheme in the model of Xxxxxxx et al. [15, 12, 13] in which an adversary controls all communication flows in the network. The concrete security reduction we exhibit in the ideal hash model is tight; breaking the semantic security of our scheme almost always leads to solving the well-established factoring problem, provided that the signature scheme used is existentially unforgeable. Our group key agreement scheme also provides perfect forward secrecy [18]; i.e., disclosure of long-term secret keys does not compromise the security of previously established session keys. In wide area network environments, the main source of delay is not the computational time needed for cryptographic operations, but the communication time spent in the network.¹ Moreover, the power of computers continues to increase at a rapid pace. We refer the reader to the literature [2, 24] for detailed discussions comparing the communication latency in wide area networks with the computation time for modular exponentiation. As the experimental results of [2] also indicate, it is widely accepted that the number of communication rounds and the number of exchanged messages are the two most important factors for efficient key agreement over a high-delay network. Table 1 compares the efficiency of our scheme given in Section 5 with other provably-secure schemes that provide forward secrecy [12, 25].
¹ For example, the computation of a modular exponentiation x^y mod z with |x| = |y| = |z| = 1024 takes about 9 ms using the big number library in OpenSSL on an Athlon XP 2100+ PC, whereas a 100-300 ms round-trip delay in wide area networks is common.
As for computational costs, the table lists the total amount of computation that needs to be done by group members. As shown in the table, the scheme of [12] requires n communication rounds for initial key agreement which occurs at the time of group genesis, and j communication rounds for the rekeying operation that follows the joining of j new users. The protocol of [25], as already mentioned, requires n broadcast messages to be sent in each of three rounds, both for initial key agreement and for every group rekeying operation. In contrast, our scheme takes at most 2 communicatio...
Our Contribution. This paper investigates a close variation of the above mentioned problem of one-round group key agreement protocols and focuses on “how to establish a confidential channel from scratch for multiple parties in one round”. We provide a short overview of some new ideas to solve this variation.
Asymmetric GKA. Observe that a major goal of GKAs for most applications is to establish a confidential broadcast channel among the group. We investigate the possibility of establishing this channel in an asymmetric manner, in the sense that the group members merely negotiate a common encryption key (accessible to attackers) but hold respective secret decryption keys. We introduce a new class of GKA protocols which we name asymmetric group key agreements (ASGKAs), in contrast to the conventional GKAs. A trivial solution is for each member to publish a public key and withhold the respective secret key, so that the final ciphertext is built as a concatenation of the underlying individual ones. However, this trivial solution is highly inefficient: the ciphertext grows linearly with the group size; furthermore, the sender has to keep all the public keys of the group members and separately encrypt for each member. We are interested in nontrivial solutions that do not suffer from these limitations.
Aggregatable signature-based broadcast (ASBB). Our proposals rely on a new notion named aggregatable signature-based broadcast. In an ASBB scheme, the public key can be simultaneously used to verify signatures and encrypt messages, and any valid signature can be used to decrypt ciphertexts under this public key; furthermore, an ASBB scheme satisfies the key-homomorphic property and the aggregatability property. The key-homomorphic property means that the combination of signatures on the same message produces a valid signature of this message under the combination of the corresponding public keys.
As a consequence, the combined signature can be used as a decryption key of the new ASBB instance. Aggregatability states that the combination of secure ASBB instances produces a new secure ASBB instance.
Non-trivial one-round ASGKA. We propose a non-trivial one-round ASGKA scheme. Our idea is to generate the public key of an ASBB scheme in a distributed manner, such that each member, and only that member, can obtain a signature under this public key. These signatures can be used as their respective decryption keys, and a confidential channel among the group is established. We build an efficien...
Our Contribution. In this paper, we present communication optimal, multi-valued A-cast and ABA protocols for long messages, using the existing A-cast and ABA protocols for short messages as black boxes. Our protocols maintain the resilience and running time of the underlying black box protocols. However, even though the underlying black box protocols involve error probability in at most one property, our multi-valued protocols introduce negligible error probability in both properties, namely Termination and Correctness. In the following table, we summarize the properties of our protocols and the corresponding black box protocols. We also specify the lower bound on the value of A for which our protocols are optimal and are strictly better than existing protocols. Though we have taken the best known protocols from the literature to use as black boxes, we could have used any existing protocol (accordingly, the term in the communication complexity independent of A will change).
Primitive | This Article: Type, Resilience, CC, ERT | Existing Best Known (used as black box): Ref., Type, Resilience, CC, ERT | Lower Bound on A
A-cast    | (δ, s), t < n/3, O(An + n⁴ + n³κ), O(1)  | [8], (0, 0), t < n/3, O(n²), O(1)   | ω(n²(n + κ))
ABA       | (δ, s), t < n/3, O(An + n⁹κ), O(1)       | [25], (δ, 0), t < n/3, O(n⁶κ), O(1) | ω(n⁸κ)
So, in this paper, our contributions are:
Our Contribution. Human Key Agreement. In this section we describe the Human Key Agreement protocol. Informally speaking, our protocol, while vulnerable to “man-in-the-middle” attacks, is secure against “machine-in-the-middle” attacks (i.e., attacks in which the adversary is not a human). Moreover, the protocol will be designed in such a way that mounting a human-in-the-middle attack will be very expensive, since it will require the adversary to use humans to constantly monitor the network, solving a large number of Captcha puzzles. Consider a decentralized protocol for remote communication between humans. For example, think of an internet instant messaging system, like XMPP, or in general, any system where pairs of humans need to establish a secure connection. How can the users of such a protocol establish session keys in a way that is secure against man-in-the-middle attacks, when a Public-Key Infrastructure is not available? None of the methods described in Sect. 1.1 seems to be applicable in this case. It is usually infeasible for the users to meet in person in order to establish a shared secret password. Sometimes they do not know each other well, so they cannot recognize each other’s voice, and hence they cannot use the “short string comparison” method used in the VoIP protocols [41, 42] (another reason may be that the voice link may simply not be available). Relying on a trusted server may also be a bad idea, as reported recently in the media [39]. Therefore, the adversary that controls the network can freely monitor, store and analyze all the messages that are transmitted by the users (as described in [39]). Our Human Key Agreement permits the users to significantly increase the security of their communication in this situation. The security of our protocol is based on the difficulty of solving Captcha puzzles by a machine.
More precisely, the key established between each pair of participants will remain secret assuming that the adversary did not solve the Captcha puzzles that the users generated during the execution of the protocol. In addition, our protocol will be forward-secure, which means that, in order to break the security, the adversary will have to solve the Captcha puzzles during the execution of the protocol (solving the Captchas after the protocol is completed does not help him). Therefore the adversary will have to employ a significant amount of human power in order to decrypt the users’ communication. Although, of course, this does no...
Our Contribution. Key agreement protocol with bilateral privacy. Motivated by the various applications of anonymous roaming and our observation that existing research (e.g., see [12]) appears to focus only on unilateral identity privacy (i.e., only one protocol participant enjoys anonymity), we propose a secure key exchange among anonymous users in different spontaneous groups. The spontaneity and bilateral privacy features of our proposed protocol are particularly applicable in ad-hoc group communication settings. Furthermore, as noted in the literature on ID-based ring signatures (e.g., [20]), an ID-based solution provides a higher level of spontaneity and efficiency than conventional public key cryptosystems, since one can conscript virtually anyone and no verification of public key certificates is required. With these benefits in mind, we introduce the notion of ID-based ad-hoc anonymous key agreement with bilateral privacy, which is realized by an extension of our basic protocol. Note that our approach is fundamentally different from that of Cheng et al. [12].