In a proof-of-retrievability system, a data storage center convinces a verifier that he is actually storing all of a client's data. The central challenge is to build systems that are both efficient and provably secure--that is, it should be possible to extract the client's data from any prover that passes a verification check. In this paper, we give the first proof-of-retrievability schemes with full proofs of security against arbitrary adversaries in the strongest model, that of Juels and Kaliski. Our first scheme, built from BLS signatures and secure in the random oracle model, has the shortest query and response of any proof-of-retrievability with public verifiability. Our second scheme, which builds elegantly on pseudorandom functions (PRFs) and is secure in the standard model, has the shortest response of any proof-of-retrievability scheme with private verifiability (but a longer query). Both schemes rely on homomorphic properties to aggregate a proof into one small authenticator value.

/pdf/compact-proofs-of-retrievability-2cuaz82nov.pdf

Compact Proofs of Retrievability

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them (when coupled with IND-CPA) to the standard notions of privacy (IND-CCA,NM-CPA) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making blackbox use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

/pdf/authenticated-encryption-relations-among-notions-and-2asso16w07.pdf

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm.

At some point in the future, how far out we do not exactly know, wireless access to the Internet will outstrip all other forms of access bringing the freedom of mobility to the way we access the we...

ACM SIGCOMM computer communication review

Recent work by Krawczyk [12] and Menezes [16] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols In this paper we focus on security models for authenticated key exchange (AKE) protocols We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model Some of these additional attacks have already been considered by Krawczyk [12] In an attempt to bring these attacks within the scope of the security model we extend the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary Our contribution is a more compact, integrated, and comprehensive formulation of the security model We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries

/pdf/stronger-security-of-authenticated-key-exchange-1t0j7ztp7s.pdf

Stronger security of authenticated key exchange

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

/pdf/authenticated-encryption-relations-among-notions-and-4s8vvjvgpy.pdf

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

This paper points out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice. We then show, however, that the equivalence does hold for strong unforgeability. Based on this we recover security of popular classes of message authentication schemes such as MACs (including HMAC and PRF-based MACs) and CWschemes. Furthermore, in many cases we do so with a tight security reduction, so that in the end the news we bring is surprisingly positive given the initial negative result. Finally, we show analogous results for authenticated encryption.

/pdf/the-power-of-verification-queries-in-message-authentication-12gqjg4ir3.pdf

The Power of Verification Queries in Message Authentication and Authenticated Encryption.

In this paper we analyse the security of a new key exchange protocol proposed in [3], which is based on mutually learning neural networks. This is a new potential source for public key cryptographic schemes which are not based on number theoretic functions, and have small time and memory complexities. In the first part of the paper we analyse the scheme, explain why the two parties converge to a common key, and why an attacker using a similar neural network is unlikely to converge to the same key. However, in the second part of the paper we show that this key exchange protocol can be broken in three different ways, and thus it is completely insecure.

/pdf/analysis-of-neural-cryptography-4q1cxrqksp.pdf

Analysis of Neural Cryptography

KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.

/pdf/security-analysis-of-kea-authenticated-key-exchange-protocol-594an0gnzx.pdf

Security analysis of KEA authenticated key exchange protocol

We present a new primitive – Append-only Signatures (AOS) – with the property that any party given an AOS signature Sig[M1] on message M1 can compute Sig[M1 || M2] for any message M2, where M1 || M2 is the concatenation of M1 and M2. We define the security of AOS, present concrete AOS schemes, and prove their security under standard assumptions. In addition, we find that despite its simple definition, AOS is equivalent to Hierarchical Identity-based Signatures (HIBS) through efficient and security-preserving reductions. Finally, we show direct applications of AOS to problems in network security. Our investigations indicate that AOS is both useful in practical applications and worthy of further study as a cryptographic primitive.

/pdf/append-only-signatures-nyc55d1iie.pdf

Anton Mityagin

Papers

Stronger security of authenticated key exchange

The Power of Verification Queries in Message Authentication and Authenticated Encryption.

Analysis of Neural Cryptography

Security analysis of KEA authenticated key exchange protocol

Append-only signatures