Our Contributions Sample Clauses

Our Contributions. The main contributions of this paper are our novel design method for ciphers with efficient fault-detecting implementations and the concrete authenticated encryption scheme Friet implemented with a new permutation Friet-P designed with our method. Moreover, we provide a design rationale for the permutation, performance evaluations in software and hardware including comparison with other relevant permutations, results of fault detection experiments and an evaluation of the impact of our method on leakage.
Our Contributions. We focus on the abstract problem of secret-key agreement between two parties holding instances w, w′ of correlated random variables W, W′ that are guaranteed to be close but not necessarily identical. Specifically, we assume that w and w′ are within distance t in some underlying metric space. Our definitions as well as some of our results hold for arbitrary metric spaces, while other results assume specific metrics. We restrict our attention to noninteractive protocols defined by procedures (Gen, Rep) that operate as follows. The first party, holding w, computes (R, P) ← Gen(w) and sends P to the second party; this second party computes R′ ← Rep(w′, P). (If the parties share a long-term key SKExt then Gen, Rep take this key as additional input.) The basic requirements, informally, are Correctness: R = R′ whenever w′ is within distance t of w.
Our Contributions. We answer the remaining part of the open question for large inputs and present the first MVBA protocols with expected O(An + λn²) communicated bits. More precisely,
Our Contributions. We provide definitions and constant-round protocols for key agreement from noisy pass-strings that: – Resist off-line dictionary attacks and thus can handle low-entropy pass-strings, – Can handle a variety of noise types and have high error-tolerance, and – Have well specified composition properties via the UC framework [17]. Instead of imposing entropy requirements or other requirements on the distribution of pass-strings, our protocols are secure as long as the adversary cannot guess a pass-string value that is sufficiently close. There is no requirement, for example, that the amount of pass-string entropy is greater than the number of errors; in fact, one of our protocols is suitable for iris scans. Moreover, our protocols prevent off-line attacks, so each adversarial attempt to get close to the correct pass-string requires an on-line interaction by the adversary. Thus, for example, our protocols can be meaningfully run with pass-strings whose entropy is only 30 bits—something not possible with any prior protocols for the noisy case.
Our Contributions. In this work, we present a provably secure and minimal cost SAS-AKA scheme which re-uses public key pairs across protocol sessions and thus presents a lower-cost but non-PFS alternative to the perfect-forward secret SAS-AKA protocols of [10,12]. Our SAS-AKA relies on non-malleable commitments just like the SAS-AKA schemes of [20,9,12], but unlike the previous schemes it is built directly on CCA-secure encryption, and it relies on encryption not just for key-establishment but also for authentication security. As a consequence, the new SAS-AKA is somewhat simpler than the previous SAS-AKAs which were built on top of the three-round SAS-MCAs of [9,12], and in particular it does not need to use universal hash functions. However, the most important contribution of the new SAS-AKA scheme is that it remains secure if each player uses a permanent public key, and hence shares a state across all protocol sessions it executes. This leads to two minimal-cost 3-round non-PFS SAS-AKA protocols where the same public/private key pair or the same Xxxxxx-Xxxxxxx random contribution is re-used across protocol instances. Specifically, when instantiated with the hash-based commitment and the CCA-secure OAEP-RSA, this implies a 3-round SAS-AKA protocol secure under the RSA assumption in ROM, with the cost of a single RSA encryption for the responder and a single RSA decryption for the initiator. When instantiated with the randomness-reusing CCA-secure version of ElGamal [3] this implies a 3-round SAS-AKA protocol secure under the DH assumption in ROM, with the cost of one exponentiation per player. In other words, the costs of the SAS-AKA protocols implied by our result are (for the first time) essentially the same as the costs of the corresponding basic unauthenticated key agreement protocols.
By contrast, previously known PFS SAS-AKA protocols require two exponentiations per player if they are based on DH [12,10] or the generation of a fresh public/private RSA key pair for each protocol instance if the general result of [12] is instantiated with an RSA-based key agreement. We note that the SAS-MCA/AKA protocol we show secure is very similar to the SAS-AKA protocols of [20,9,12], and it is indeed only a new variant of the same three-round commitment-based SAS-MA protocol analyzed in [20], which also forms a starting point for protocols of [9,12]. However, prior to our work there was no argument that such an SAS-AKA scheme remains secure when players re-use their pu...
Our Contributions. In this paper, we classify the functions of password authentication key exchange schemes based on smart cards into two types, essential functions and auxiliary functions. Then, we propose a strong off-line guessing attack called the stealing card and eavesdropping off-line guessing attack, SEG attack for short. After pointing out SEG attack flaws in recent schemes, we present a strong multi-function, privacy-preserving scheme that is more efficient and secure than the related research.
Our Contributions. In this paper, we make several contributions towards realizing practical, massively-scalable BA:
• Graded gossip with xxxxx. Our first contribution is identifying a gossip primitive that is powerful enough to allow significant communication-complexity gains compared to plain multicast over a fully connected network, but at the same time can be implemented with essentially the same cost as multicast over typical gossip communication graphs. We call the new primitive a d-graded gossip with abort.
• Working directly in a graded PKI model. Our construction of graded gossip with abort can be realized directly in the graded PKI model. In this model, honest parties may not know the number or the identities of other parties in advance, and may have only partial consensus on who is allowed to participate in the protocol. This type of PKI is much easier to construct in a setting where trusted setup is not available. In fact, our requirements from graded PKI are general enough that we can model partial consensus at a message level using the same definition (e.g., when parties need to self-select using a VRF, but do not fully agree on the number of participants). Since all of our protocols in this paper use d-graded gossip as a substrate, they also work directly in the graded PKI model. Looking ahead, since our BA protocol supports agreement on sets, it can be used to bootstrap a graded PKI into a full PKI with a single BA invocation (by using the BA to agree on the set of valid public keys).
• Constructing gradecast and graded crusader agreement. We show how to realize two classic primitives: gradecast and graded crusader agreement, over gossip with abort. This allows “transparent” compilation of any BA protocol based entirely on these primitives to the gossip-with-abort model, thereby improving communication complexity by an almost linear factor. Examples include the phase-king protocol of Xxxxxx, Xxxxx and Xxxxx [7], which can be formulated using crusader agreement, and the simple gradecast protocols of Ben-Or, Dolev, and Xxxx [5, 6].
• Concretely efficient BA. We construct a new, player-replaceable BA protocol in the graded PKI model. The concrete communication complexity of our protocol, for typical parameter values, is more than 25 times better than the current state-of-the-art XX xxxxxcols in the honest-majority setting (e.g., for 800 participants, it requires less than 2MiB of communication per gossip peer, as opposed to more than 50MiB for previous protoc...
Our Contributions. We propose a three round authenticated GKA protocol with efficient procedures for group mergers and partitions. The protocol is shown secure against an active adversary (in the standard model) and has a tight security reduction. The protocol is simple (a very natural extension of the 2-party DH key agreement) and thus carries a simple proof of security. It benefits from the following features:
Our Contributions. In this work, we introduce the notion of ALAs and show how to integrate them into the design of two-party cryptographic protocols, including secure two-party computation and proof of storage (PoS) protocols. We show that ALA-enhanced protocols are not only more efficient than standard protocols but that they exhibit a “cost-free” tradeoff. More precisely, we make the following contributions.
Cryptographic inspection games. The introduction of contracts and punishment into cryptographic protocols results in new strategic interactions between the parties. We formalize these interactions as cryptographic inspection games (CIG), which are strategic games played between an inspector and an inspectee that correspond to the verifier/evaluator and prover/garbler, respectively. CIGs are a variant of inspection games, which were introduced in the 1960s in the context of nuclear disarmament (we refer the reader to [9] for an overview). In an inspection game the inspector’s goal is to detect deviation from some prescribed “good” behavior, whereas the inspectee’s goal is to deviate without being detected. One difference between CIGs and traditional inspection games is that, in our setting, we are also interested in cases where the inspector is dishonest and can itself deviate from the protocol. This can occur in the setting of ALA-enhanced protocols because the use of ALAs introduces an incentive for the inspector to “frame” the inspectee so that it can recover the damages. To address this, we use a dual ALA, which is a second contract, this time between the inspector and a judge that, if required, can “inspect the inspector” to ensure that the former is honest. In this manner, we find a desirable equilibrium for our CIGs where the parties behave honestly.
Secure two-party computation. We show how to integrate ALAs into 2PC protocols in order to get efficiency improvements against rational adversaries. More precisely, we augment PVC protocols [5], which guarantee accountability (i.e., deviations from the protocol can be publicly verified) and defamation-freeness (i.e., no party can generate evidence that an honest party deviated), by having the garbler and evaluator first agree to an ALA that stipulates damages if the garbler deviates from the protocol. At a high level, the ALA induces a CIG where the evaluator plays the role of inspector and the garbler plays the role of inspectee. We analyze this game and, based on the accountability of the underlying protocol, find co...
Our Contributions. We completely characterize the feasibility of AA in the best-of-both-worlds setting, by presenting a protocol and a matching impossibility result.
• Feasibility result: Let 0 ≤ t_a < n/3 ≤ t_s < n/2. We present an Approximate Agreement protocol that is secure against t_s corruptions in a synchronous network and t_a corruptions in an asynchronous network, as long as 2 · t_s + t_a < n, assuming a setup for digital signatures. By setting t_a = 0, this is also the first AA protocol that achieves up to t_s < n/2 corruptions in the purely synchronous model.
• Impossibility result: If 2 · t_s + t_a ≥ n, there is no Approximate Agreement protocol secure against t_s corruptions in a synchronous network and t_a corruptions in an asynchronous network, even with setup.