In a proof-of-retrievability system, a data storage center convinces a verifier that he is actually storing all of a client's data. The central challenge is to build systems that are both efficient and provably secure--that is, it should be possible to extract the client's data from any prover that passes a verification check. In this paper, we give the first proof-of-retrievability schemes with full proofs of security against arbitrary adversaries in the strongest model, that of Juels and Kaliski. Our first scheme, built from BLS signatures and secure in the random oracle model, has the shortest query and response of any proof-of-retrievability with public verifiability. Our second scheme, which builds elegantly on pseudorandom functions (PRFs) and is secure in the standard model, has the shortest response of any proof-of-retrievability scheme with private verifiability (but a longer query). Both schemes rely on homomorphic properties to aggregate a proof into one small authenticator value.

/pdf/compact-proofs-of-retrievability-2cuaz82nov.pdf

Compact Proofs of Retrievability

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them (when coupled with IND-CPA) to the standard notions of privacy (IND-CCA,NM-CPA) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making blackbox use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

/pdf/authenticated-encryption-relations-among-notions-and-2asso16w07.pdf

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm.

At some point in the future, how far out we do not exactly know, wireless access to the Internet will outstrip all other forms of access bringing the freedom of mobility to the way we access the we...

ACM SIGCOMM computer communication review

Recent work by Krawczyk [12] and Menezes [16] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols In this paper we focus on security models for authenticated key exchange (AKE) protocols We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model Some of these additional attacks have already been considered by Krawczyk [12] In an attempt to bring these attacks within the scope of the security model we extend the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary Our contribution is a more compact, integrated, and comprehensive formulation of the security model We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries

/pdf/stronger-security-of-authenticated-key-exchange-1t0j7ztp7s.pdf

Stronger security of authenticated key exchange

An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

/pdf/authenticated-encryption-relations-among-notions-and-4s8vvjvgpy.pdf

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm

The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent x belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study sets with succinct representation for which the constrained DLP is hard. We draw on earlier results due to Erdos et al. and Schnorr, develop geometric tools such as generalized Menelaus’ theorem for proving lower bounds on the complexity of the constrained DLP, and construct sets with succinct representation with provable non-trivial lower bounds.

/pdf/hard-instances-of-the-constrained-discrete-logarithm-problem-sscjqwict0.pdf

Hard Instances of the Constrained Discrete Logarithm Problem.

The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent $x$ belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study sets with succinct representation for which the constrained DLP is hard. We draw on earlier results due to Erd\"os et al. and Schnorr, develop geometric tools such as generalized Menelaus' theorem for proving lower bounds on the complexity of the constrained DLP, and construct sets with succinct representation with provable non-trivial lower bounds.

Hard Instances of the Constrained Discrete Logarithm Problem

Most research in data mining and knowledge discovery relies heavily on the availability of datasets. With the rapid growth of user generated content on the internet, there is now an abundance of sources from which data can be drawn. Compared to the amount of work in the field on techniques for pattern discovery and knowledge extraction, there has been relatively little effort directed at the study of effective methods for collecting and evaluating the quality of data.

Human computation is a new research area that studies the process of channeling the vast internet population to perform tasks or provide data towards solving difficult problems that no known efficient computer algorithms can yet solve. There are various genres of human computation applications available today. Games with a purpose (e.g., the ESP Game) specifically target online gamers who, in the process of playing an enjoyable game, generate useful data (e.g., image tags). Crowdsourcing marketplaces (e.g. Amazon Mechanical Turk) are human computation applications that coordinate workers to perform tasks in exchange for monetary rewards. In identity verification tasks, users need to perform some computation in order to access some online content; a recent example of such a human computation application is reCAPTCHA, which leverages millions of users who solve CAPTCHAs every day to correct words in books that optical character recognition (OCR) programs fail to recognize with certainty.

While there has been active work in this area, there is no dedicated forum to discuss these research ideas. The Human Computation Workshop (HCOMP 2009), held in conjunction with the 15th ACM SIGKDD Conference on Knowledge Discovery and Data Mining (KDD), is the first workshop bringing together academic and industry researchers to discuss existing human computation applications and future directions of this new subject area. An integral part of this workshop is a demo session where participants can showcase their human computation applications.

Our call for papers resulted in 33 high-quality submissions from a wide variety of perspectives. All papers were thoroughly reviewed by the program committee and external reviewers. Given the short, half-day duration of the workshop, only one-third of the submissions could be accommodated and appear in the proceedings. The accepted papers have been divided into four sessions: "Games", "Human Computation In Practice", "Game Theory" and "Labeling Cost and Efficiency".

Proceedings of the ACM SIGKDD Workshop on Human Computation

This paper studies quality of human labels used to train search engines’ rankers. Our specific focus is performance improvements obtained by using overlapping relevance labels, which collecting multiple human judgments for each training sample. The paper explores whether, when, and for which should obtain overlapping training labels, as well as labels per sample are needed. The proposed scheme collects additional labels only for a subset of training samples, specifically for those that are labeled relevant by a Our experiments show that this labeling schem NDCG of two Web search rankers on several real with a low labeling overhead of around 1.4 labels per sample This labeling scheme also outperforms several overlapping labels, such as simple k-overlap, majority vote, the highest labels, etc. Finally, the paper presents a study of how many overlapping labels are needed to get the best in retrieval accuracy.

/pdf/collecting-high-quality-overlapping-labels-at-6rbocpjnch.pdf

Collecting High Quality Overlapping Labels at

KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.

/pdf/security-analysis-of-kea-authenticated-key-exchange-protocol-4b2husjxdx.pdf

Anton Mityagin

Papers

Hard Instances of the Constrained Discrete Logarithm Problem.

Hard Instances of the Constrained Discrete Logarithm Problem

Proceedings of the ACM SIGKDD Workshop on Human Computation

Collecting High Quality Overlapping Labels at

Security Analysis of KEA Authenticated Key Exchange Protocol.