
Showing papers in "IACR Cryptology ePrint Archive in 2006"


Posted Content
TL;DR: This paper constructs public-key systems that support comparison, subset and arbitrary conjunctive queries on encrypted data without leaking information on the individual conjuncts, and gives a general framework for constructing and analyzing public-key systems supporting queries on encrypted data.
Abstract: We construct public-key systems that support comparison queries (x ≥ a) on encrypted data as well as more general queries such as subset queries (x ∈ S). These systems support arbitrary conjunctive queries (P₁ ∧ ⋯ ∧ Pℓ) without leaking information on individual conjuncts. In addition, we present a general framework for constructing and analyzing public-key systems supporting queries on encrypted data.

1,139 citations


Posted Content
TL;DR: This paper presents the first identity-based encryption scheme with provable anonymity in the standard model and the first fully anonymous hierarchical IBE, anonymous at all levels of the hierarchy; security rests on the Decision Linear assumption in bilinear groups.
Abstract: We present an identity-based cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with small ciphertexts of size linear in the depth of the hierarchy. Applications include search on encrypted data, fully private communication, etc. Our results resolve two open problems pertaining to anonymous identity-based encryption, our scheme being the first to offer provable anonymity in the standard model, in addition to being the first to realize fully anonymous HIBE at all levels in the hierarchy.

410 citations


Posted Content
TL;DR: This paper presents a method that builds a decisional function into identity-based key agreement protocols from pairings, and discusses the resulting efficiency of the schemes and the relevant security reductions, in the random oracle model, in the context of the different pairings one can use.
Abstract: In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocol has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security of this type of protocol is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocol. The function transfers a hard decisional problem in the proof to an easy decisional problem. We then discuss the resulting efficiency of the schemes and the relevant security reductions in the context of different pairings one can use. We pay particular attention, unlike most other papers in the area, to the issues which arise when using asymmetric pairings.

360 citations


Posted Content
TL;DR: A protocol based on a certain RSA-based secure hash function is described, which prevents ‘cheating’ in a data transfer transaction, while placing little burden on the trusted third party that oversees the protocol.

247 citations


Posted Content
TL;DR: The Simple Branch Prediction Analysis (SBPA) attack presented in this paper is a software side-channel attack against RSA implementations in which a carefully written spy process, running simultaneously with an RSA process, collects almost all of the secret key bits during one single RSA signing execution.
Abstract: Very recently, a new software side-channel attack, called Branch Prediction Analysis (BPA) attack, has been discovered and also demonstrated to be practically feasible on popular commodity PC platforms. While the above recent attack still had the flavor of a classical timing attack against RSA, where one uses many execution-time measurements under the same key in order to statistically amplify some small but key-dependent timing differences, we dramatically improve upon the former result. We prove that a carefully written spy-process running simultaneously with an RSA-process is able to collect during one single RSA signing execution almost all of the secret key bits. We call such an attack, analyzing the CPU’s Branch Predictor states through spying on a single quasi-parallel computation process, a Simple Branch Prediction Analysis (SBPA) attack — sharply differentiating it from those relying on statistical methods and requiring many computation measurements under the same key. The successful extraction of almost all secret key bits by our SBPA attack against an OpenSSL RSA implementation proves that the often recommended blinding or so called randomization techniques to protect RSA against side-channel attacks are, in the context of SBPA attacks, totally useless. In addition to that very crucial security implication, targeted at such implementations which are assumed to be at least statistically secure, our successful SBPA attack also bears another equally critical security implication. Namely, in the context of simple side-channel attacks, it is widely believed that equally balancing the operations after branches is a secure countermeasure against such simple attacks. Unfortunately, this is not true, as even such “balanced branch” implementations can be completely broken by our SBPA attacks.
Moreover, despite sophisticated hardware-assisted partitioning methods such as memory protection, sandboxing or even virtualization, SBPA attacks empower an unprivileged process to successfully attack other processes running in parallel on the same processor. Thus, we conclude that SBPA attacks are much more dangerous than previously anticipated, as they obviously do not belong to the same category as pure timing attacks.

222 citations
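Worked example added by the editor (this is not the paper's code and not OpenSSL's): a toy model of why the abstract's two findings hold. A simulated spy records only the direction of each conditional branch inside the exponentiation loop, which is the information the branch predictor state exposes. Both the naive square-and-multiply and the "balanced branch" variant hand the spy the exponent bit for bit; a Montgomery ladder with an arithmetic conditional swap takes no branch on a key bit at all. The operand sizes and the `branch_log` spy are assumptions for illustration.

```python
"""Added example (not the paper's code): why a key-dependent branch in modular
exponentiation leaks under SBPA. A simulated spy records only the direction
(taken = 1 / not taken = 0) of each conditional branch inside the loop, which is
what the branch predictor state exposes. Toy-sized operands; not OpenSSL."""


def square_multiply(base, exp, mod, branch_log):
    """Left-to-right square-and-multiply; the multiply is guarded by a branch
    on the current key bit, so the spy's log is the exponent in binary."""
    acc = 1
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        if bit == "1":                 # key-dependent conditional branch
            branch_log.append(1)
            acc = acc * base % mod
        else:
            branch_log.append(0)
    return acc


def balanced_square_multiply(base, exp, mod, branch_log):
    """'Balanced branches': both arms perform one multiplication so timing
    is equal, but the branch direction still follows the key bit."""
    acc, dummy = 1, 1
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        if bit == "1":
            branch_log.append(1)
            acc = acc * base % mod
        else:
            branch_log.append(0)
            dummy = dummy * base % mod  # same work, same branch leak
    return acc


def ladder_no_key_branch(base, exp, mod, nbits, branch_log):
    """Montgomery ladder with an arithmetic conditional swap: no branch is
    taken on a key bit, so nothing is appended to branch_log. (Python big-int
    arithmetic is not itself constant-time; this models the control flow.)"""
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        mask = -((exp >> i) & 1)       # all ones if the bit is 1, else 0
        t = (r0 ^ r1) & mask           # swap iff bit == 1, without branching
        r0, r1 = r0 ^ t, r1 ^ t
        r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        t = (r0 ^ r1) & mask           # swap back
        r0, r1 = r0 ^ t, r1 ^ t
    return r0


def recover_exponent(branch_log):
    """What the spy learns: the logged branch directions are the key bits."""
    return int("".join(str(b) for b in branch_log), 2) if branch_log else None


def demo(base=4, exp=89, mod=101):
    """Returns the exponent recovered from (naive, balanced, ladder) logs."""
    naive, balanced, ladder = [], [], []
    square_multiply(base, exp, mod, naive)
    balanced_square_multiply(base, exp, mod, balanced)
    ladder_no_key_branch(base, exp, mod, exp.bit_length(), ladder)
    return (recover_exponent(naive), recover_exponent(balanced),
            recover_exponent(ladder))
```

The balanced variant is the point of the abstract's second finding: equalising the work in both arms fixes the timing signal but not the branch-direction signal, so the spy's log is identical to the naive case. Removing the key-dependent branch altogether, as the ladder does, is what removes this particular channel.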


Posted Content
TL;DR: In this paper, a new general mathematical problem suitable for public-key cryptosystems is proposed: morphism computation in a category of Abelian groups. In connection with elliptic curves over finite fields, the problem becomes the following: compute an isogeny (an algebraic homomorphism) between the given elliptic curves.
Abstract: A new general mathematical problem, suitable for public-key cryptosystems, is proposed: morphism computation in a category of Abelian groups. In connection with elliptic curves over finite fields, the problem becomes the following: compute an isogeny (an algebraic homomorphism) between the elliptic curves given. The problem seems to be hard for solving with a quantum computer. ElGamal public-key encryption and Diffie-Hellman key agreement are proposed for an isogeny cryptosystem. The paper describes theoretical background and a public-key encryption technique, followed by security analysis and consideration of cryptosystem parameters selection. A demonstrative example of encryption is included as well.
Keywords: public-key cryptography, elliptic curve cryptosystem, cryptosystem on isogenies of elliptic curves, isogeny star, isogeny cycle, quantum computer

206 citations


Posted Content
TL;DR: This note introduces the notion of hard homogeneous space (HHS) and shows that it fits with class field theory to provide a unified theory for the discrete logarithm problems already in use and the HHS presented here.
Abstract: This note was written in 1997 after a talk I gave at the Séminaire de Complexité et Cryptographie at the École Normale Supérieure. After it was rejected at Crypto 97 I forgot it until a few colleagues of mine informed me that it could be of some interest to some researchers in the field of algorithmics and cryptography. Although I am not quite happy with the redaction of this note, I believe it is more fair not to improve nor correct it yet. So I leave it in its original state, including misprints. I just added this introductory paragraph. If need be, I will publish an updated version later. We introduce the notion of hard homogeneous space (HHS) and briefly develop the corresponding theory. We show that cryptographic protocols based on the discrete logarithm problem have a counterpart for any hard homogeneous space. Indeed, the notion of hard homogeneous space is a more general and more natural context for these protocols. We exhibit conjectural hard homogeneous spaces independent from any discrete logarithm problem. They are based on complex multiplication theory. This shows the existence of schemes for authentication and key exchange that do not rely on the difficulty of computing discrete logarithms in any finite group nor factoring integers. We show that the concept of HHS fits with class field theory to provide a unified theory for the already used discrete logarithm problems (on multiplicative groups of finite fields or rational points on elliptic curves) and the HHS we present here. We discuss a few algorithmic questions related to hard homogeneous spaces. The paper is looking for a wider point of view on the discrete logarithm problem both mathematically and cryptographically.

203 citations


Posted Content
TL;DR: This paper shows how strong mutual authentication can be achieved even with a unidirectional visual channel, without having to switch device roles, even on devices that have very limited displaying capabilities.
Abstract: Recently several researchers and practitioners have begun to address the problem of secure device pairing, or how to set up secure communication between two devices without the assistance of a trusted third party. McCune, et al. [12] proposed Seeing-is-Believing (SiB), a system which uses a visual channel. The SiB visual channel consists of one device displaying the hash of its public key in the form of a two-dimensional barcode, and the other device reading this information using a photo camera. Strong mutual authentication in SiB requires running two separate unilateral authentication steps. In this paper, we show how strong mutual authentication can be achieved even with a unidirectional visual channel, where SiB could provide only a weaker property termed presence. This could help reduce the SiB execution time and improve usability. By adopting recently proposed improved pairing protocols, we propose how visual channel authentication can be used even on devices that have very limited displaying capabilities, all the way down to a device whose display consists of a cheap single light-source, such as an LED. We also describe a new video codec that may be used to improve execution time of pairing in limited display devices, and can be used for other applications besides pairing.

192 citations


Posted Content
TL;DR: In this article, the authors propose new and stronger security definitions for searchable symmetric encryption (SSE) and present two constructions proven secure under them; in addition to satisfying stronger security guarantees, these constructions are more efficient than all previous ones.
Abstract: Searchable symmetric encryption (SSE) allows a party to outsource the storage of his data to another party in a private manner, while maintaining the ability to selectively search over it. This problem has been the focus of active research and several security definitions and constructions have been proposed. In this paper we begin by reviewing existing notions of security and propose new and stronger security definitions. We then present two constructions that we show secure under our new definitions. Interestingly, in addition to satisfying stronger security guarantees, our constructions are more efficient than all previous constructions. Further, prior work on SSE only considered the setting where only the owner of the data is capable of submitting search queries. We consider the natural extension where an arbitrary group of parties other than the owner can submit search queries. We formally define SSE in this multi-user setting, and present an efficient construction.

177 citations



Posted Content
TL;DR: In this paper, the authors describe the implementation of various pairings on a contemporary 32-bit smart card, the Philips HiPerSmart, an instantiation of the MIPS-32 based SmartMIPS architecture.
Abstract: Pairings on elliptic curves are fast coming of age as cryptographic primitives for deployment in new security applications, particularly in the context of implementations of Identity-Based Encryption (IBE). In this paper we describe the implementation of various pairings on a contemporary 32-bit smart-card, the Philips HiPerSmart, an instantiation of the MIPS-32 based SmartMIPS architecture. Three types of pairing are considered, first the standard Tate pairing on a non-supersingular curve E(F_p), second the Ate pairing, also on a non-supersingular curve E(F_p), and finally the ηT pairing on a supersingular curve E(F_2^m). We demonstrate that pairings can be calculated as efficiently as classic cryptographic primitives on this architecture, with a calculation time of as little as 0.15 seconds.

Posted Content
TL;DR: This paper proposes Self-Generated-Certificate Public Key Cryptography (SGC-PKC), a paradigm built on certificateless public key cryptography that captures the Denial-of-Decryption (DoD) attack, together with a generic construction and concrete certificateless signature and encryption schemes that are provably secure in the standard model.
Abstract: Certificateless Public Key Cryptography (CL-PKC) enjoys a number of features of Identity-Based Cryptography (IBC) without having the problem of key escrow. However, it does suffer from an attack where the adversary, Carol, replaces Alice’s public key by someone else’s public key so that Bob, who wants to send an encrypted message to Alice, uses Alice’s identity and the other’s public key as the inputs to the encryption function. As a result, Alice cannot decrypt the message while Bob is unaware of this. We call it the Denial-of-Decryption (DoD) Attack as its nature is similar to the well known Denial-of-Service (DoS) Attack. Based on CL-PKC, we propose a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captures the DoD Attack. We also provide a generic construction of a self-generated-certificate public key encryption scheme in the standard model. Our generic construction uses certificateless signature and certificateless encryption as the building blocks. In addition, we further propose a certificateless signature and a certificateless encryption scheme with concrete implementation that are all provably secure in the standard model, which are the first in the literature regardless of the generic constructions by Yum and Lee which may contain security weaknesses as pointed out by others. We believe these concrete implementations are of independent interest.

Posted Content
TL;DR: This paper surveys the literature on certificateless encryption, examines the security models that have been proposed to prove the security of certificateless encryption schemes, and proposes a new nomenclature for these models.
Abstract: This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver the ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.

Posted Content
TL;DR: In this paper, the authors generalize the classical Karatsuba Algorithm (KA) for polynomial multiplication to polynomials of arbitrary degree and recursive use, and provide detailed information on how to use the KA with least cost.
Abstract: In this work we generalize the classical Karatsuba Algorithm (KA) for polynomial multiplication to (i) polynomials of arbitrary degree and (ii) recursive use. We determine exact complexity expressions for the KA and focus on how to use it with the least number of operations. We develop a rule for the optimum order of steps if the KA is used recursively. We show how the usage of dummy coefficients may improve performance. Finally we provide detailed information on how to use the KA with least cost, and also provide tables that describe the best possible usage of the KA for polynomials up to a degree of 127. Our results are especially useful for efficient implementations of cryptographic and coding schemes over fixed-size fields like GF(p).
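Worked example added by the editor (not the paper's code; the paper's exact complexity expressions and optimal step orderings are not reproduced here): the Karatsuba algorithm applied recursively to polynomials of arbitrary length over GF(p), with the two ideas the abstract names, padding with dummy zero coefficients and recursive use, and a multiplication counter so the saving over schoolbook multiplication can be checked for any size. The split point, the `threshold` cut-over and the constructed operands in `mult_counts` are this example's own choices.

```python
"""Added example (not the paper's code): recursive Karatsuba multiplication of
polynomials of arbitrary length over GF(p), with a multiplication counter so
the saving over schoolbook multiplication can be checked for any size. Shorter
operands are padded with dummy zero coefficients to a common length."""
from itertools import zip_longest


def schoolbook_mul(a, b, p, counter):
    """Plain O(n*m) polynomial product; counter[0] counts coefficient mults."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            counter[0] += 1
            res[i + j] = (res[i + j] + ai * bj) % p
    return res


def karatsuba_mul(a, b, p, counter, threshold=1):
    """Product of a and b (coefficient lists, low degree first) modulo p.
    Each level replaces 4 half-size products by 3; lengths at or below
    threshold fall back to schoolbook."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))          # dummy coefficients
    b = b + [0] * (n - len(b))
    if n <= threshold:
        return schoolbook_mul(a, b, p, counter)
    m = (n + 1) // 2                    # split point, works for odd n too
    a0, a1, b0, b1 = a[:m], a[m:], b[:m], b[m:]
    d0 = karatsuba_mul(a0, b0, p, counter, threshold)
    d2 = karatsuba_mul(a1, b1, p, counter, threshold)
    sa = [(x + y) % p for x, y in zip_longest(a0, a1, fillvalue=0)]
    sb = [(x + y) % p for x, y in zip_longest(b0, b1, fillvalue=0)]
    d1 = karatsuba_mul(sa, sb, p, counter, threshold)
    # (a0 + x^m a1)(b0 + x^m b1) = d0 + x^m (d1 - d0 - d2) + x^(2m) d2
    res = [0] * (2 * n - 1)
    for i, c in enumerate(d0):
        res[i] += c
    for i, c in enumerate(d2):
        res[2 * m + i] += c
    for i, c in enumerate(d1):
        c -= (d0[i] if i < len(d0) else 0) + (d2[i] if i < len(d2) else 0)
        res[m + i] += c
    return [c % p for c in res]


def mult_counts(n, p=257, threshold=1):
    """(schoolbook, karatsuba) multiplication counts for two length-n polys."""
    a = [(i * 7 + 3) % p for i in range(n)]       # constructed operands; the
    b = [(i * 11 + 5) % p for i in range(n)]      # counts are data-independent
    cs, ck = [0], [0]
    schoolbook_mul(a, b, p, cs)
    karatsuba_mul(a, b, p, ck, threshold)
    return cs[0], ck[0]
```

For powers of two the count is the familiar 3^log2(n) against n^2 (9 vs 16 at n = 4, 27 vs 64 at n = 8); for odd lengths the dummy coefficient makes the recursion go through at the cost of a slightly uneven split (7 vs 9 at n = 3). Raising `threshold` trades Karatsuba levels for schoolbook blocks, which is the kind of choice the paper's tables optimise.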

Posted Content
TL;DR: In this paper, the authors investigate efficient mitigations to protect AES-software against side channel vulnerabilities and present several mitigation strategies to harden existing AES software against cache-based software side channel attacks.
Abstract: Hardware side channel vulnerabilities have been studied for many years in the embedded silicon-security arena, including SmartCards, Set-Top boxes, etc. However, because various recent security activities have goals of improving the software isolation properties of PC platforms, software side channels have become a subject of interest. Recent publications discussed cache-based software side channel vulnerabilities of AES and RSA. Thus, following the classical approach — a new side channel vulnerability opens a new mitigation research path — this paper starts to investigate efficient mitigations to protect AES software against side channel vulnerabilities. First, we will present several mitigation strategies to harden existing AES software against cache-based software side channel attacks and analyze their theoretical protection. Then, we will present a performance and security evaluation of our mitigation strategies. For ease of evaluation we measured the performance of our code against the performance of the OpenSSL AES implementation. In addition, we also analyzed our code under various existing attacks. Depending on the level of the required side channel protection, the measured performance loss of our mitigation strategies versus OpenSSL (respectively best assembler) varies between factors of 1.35 (2.66) and 2.85 (5.83).

Posted Content
TL;DR: WISSec 2006 : 1st Benelux Workshop on Information and System Security November 8-9, 2006, Antwerpen, Belgium

Posted Content
TL;DR: This paper examines two unlinkably anonymous, simple RFID identification protocols that require only the ability to evaluate hash functions and generate random values, and that are provably secure against Byzantine adversaries, and arrives at a universally composable security model tuned for RFID applications.
Abstract: This paper examines two unlinkably anonymous, simple RFID identification protocols that require only the ability to evaluate hash functions and generate random values, and that are provably secure against Byzantine adversaries. The main contribution is a universally composable security model tuned for RFID applications. By making specific setup, communication, and concurrency assumptions that are realistic in the RFID application setting, we arrive at a model that guarantees strong security and availability properties, while still permitting the design of practical RFID protocols. We show that the two previously proposed protocols are provably secure within the new security model. Our proofs do not employ random oracles—the protocols are shown to be secure in the standard model under the assumption of existence of pseudo-random func-

Posted Content
TL;DR: This paper presents an improved attack algorithm to find two-block collisions of the hash function MD5 using the differential path and set of sufficient conditions of Wang et al., together with a new technique that deterministically fulfills the restrictions needed to properly rotate the differentials in the first round.
Abstract: In this paper, we present an improved attack algorithm to find two-block collisions of the hash function MD5. The attack uses the same differential path of MD5 and the set of sufficient conditions that was presented by Wang et al. We present a new technique which allows us to deterministically fulfill restrictions to properly rotate the differentials in the first round. We will present a new algorithm to find the first block and we will use an algorithm of Klima to find the second block. To optimize the inner loop of these algorithms we will optimize the set of sufficient conditions. We also show that the initial value used for the attack has a large influence on the attack complexity. Therefore a recommendation is made for 2 conditions on the initial value of the attack to avoid very hard situations if one has some freedom in choosing this initial value. Our attack can be done in an average of about 1 minute (avg. complexity 2^32.3) on a 3 GHz Pentium 4 for these random recommended initial values. For arbitrary random initial values the average is about 5 minutes (avg. complexity 2^34.1). With a reasonable probability a collision is found within mere seconds, allowing for

Posted Content
TL;DR: This paper presents efficient trace-driven cache attacks on a widely used implementation of the AES cryptosystem and develops an accurate mathematical model that is used in the cost analysis of the attacks.
Abstract: Cache-based side-channel attacks have recently attracted significant attention due to the new developments in the field. In this paper, we present efficient trace-driven cache attacks on a widely used implementation of the AES cryptosystem. We also evaluate the cost of the proposed attacks in detail under the assumption of a noiseless environment. We develop an accurate mathematical model that we use in the cost analysis of our attacks. We use two different metrics, specifically, the expected number of necessary traces and the cost of the analysis phase, for the cost evaluation purposes. Each of these metrics represents the cost of a different phase of the attack.
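Worked example added by the editor, serving both the AES-mitigation entry above and this trace-driven attack entry (it is neither paper's code, and the mitigation shown is a generic one, not necessarily one of the strategies the first paper evaluates). It models a noiseless first-round trace-driven attack on a T-table AES: the attacker sees, per encryption, only whether each of the 16 first-round table lookups hit or missed in the cache. A miss says the looked-up cache line differs from every earlier line in the same table; a hit on the second lookup of a table says it equals the first. Since line = (p_i XOR k_i) >> 4, each observation constrains the high-nibble XOR of two key bytes. Simplifying assumptions, all this example's own: four T-tables of 256 four-byte entries, 64-byte lines (16 entries per line), a cold cache per encryption, and lookups performed in byte order 0..15 with byte i indexing table i mod 4. The `preload` switch models a mitigation that touches every line of the table on each lookup, which makes every later lookup a hit whatever the key.

```python
"""Added example (not the papers' code): noiseless model of a trace-driven
first-round cache attack on T-table AES, plus one generic mitigation.
Assumptions: 4 T-tables of 256 4-byte entries, 64-byte lines (16 entries per
line), cold cache per encryption, first-round lookups in byte order 0..15 with
byte i indexing table i mod 4."""
import random

LINE_SHIFT = 4                     # 16 four-byte entries per 64-byte line
LINES = 16
GROUPS = [[t, t + 4, t + 8, t + 12] for t in range(4)]   # bytes sharing a table


def first_round_trace(key, pt, preload=False):
    """16 entries of 'H'/'M' (cache hit/miss), one per first-round lookup.
    With preload=True each lookup first touches every line of its table, so
    every lookup after the first per table hits regardless of the key."""
    seen = [set() for _ in range(4)]
    trace = []
    for i in range(16):
        t = i % 4
        line = (pt[i] ^ key[i]) >> LINE_SHIFT
        trace.append("H" if line in seen[t] else "M")
        if preload:
            seen[t].update(range(LINES))
        seen[t].add(line)
    return trace


def attack(trace_of, max_traces=400, rng=None):
    """Recover (k_i ^ k_j) >> 4 for every byte pair (j, i) sharing a table.
    trace_of(pt) is the trace oracle. Returns (deltas, traces used), or
    (None, traces used) if the observations contradict the model or the
    budget runs out."""
    rng = rng or random.Random(1)      # fixed seed keeps the run reproducible
    cand = {}
    for g in GROUPS:
        for a in range(len(g)):
            for b in range(a + 1, len(g)):
                cand[(g[a], g[b])] = set(range(LINES))
    used = 0
    while used < max_traces and any(len(c) != 1 for c in cand.values()):
        pt = [rng.randrange(256) for _ in range(16)]
        trace = trace_of(pt)
        used += 1
        for g in GROUPS:
            for pos, i in enumerate(g[1:], start=1):
                earlier = g[:pos]
                if trace[i] == "M":            # differs from every earlier line
                    for j in earlier:
                        cand[(j, i)].discard((pt[i] ^ pt[j]) >> LINE_SHIFT)
                elif len(earlier) == 1:        # second lookup hit: same line as the first
                    j = earlier[0]
                    cand[(j, i)] &= {(pt[i] ^ pt[j]) >> LINE_SHIFT}
        if any(not c for c in cand.values()):
            return None, used                  # contradiction: model does not fit
    if any(len(c) != 1 for c in cand.values()):
        return None, used
    return {k: next(iter(v)) for k, v in cand.items()}, used
```

The number of traces `attack` consumes is the first of the abstract's two cost metrics, and the candidate-elimination loop is its analysis phase. Recovering all 24 pairwise high-nibble differences pins the upper nibbles of each four-byte group up to one unknown nibble, i.e. 48 of the 128 key bits. Against the preloading variant the second-lookup hits carry no key information, the attacker's candidate set for the first pair is emptied by the second trace, and `attack` reports that its model does not fit.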

Posted Content
TL;DR: In this paper, the authors confirm that the range predictions of Kfir and Wool are quite accurate and show how to build a portable, extended-range RFID skimmer using only electronics hobbyist supplies and tools.
Abstract: Radio-Frequency Identifier (RFID) technology, using the ISO-14443 standard, is becoming increasingly popular, with applications like credit-cards, national-ID cards, e-passports, and physical access control. The security of such applications is clearly critical. A key feature of RFID-based systems is their very short range: Typical systems are designed to operate at a range of 5-10cm. Despite this very short nominal range, Kfir and Wool predicted that a rogue device can communicate with an ISO-14443 RFID tag from a distance of 40-50cm, based on modeling and simulations. Moreover, they claimed that such a device can be made portable, with low power requirements, and can be built very cheaply. Such a device can be used as a stand-alone RFID skimmer, to surreptitiously read the contents of simple RFID tags. The same device can be used as the "leech" part of a relay-attack system, by which an attacker can make purchases using a victim's RFID-enhanced credit card, despite any cryptographic protocols that may be used. In this study we show that the modeling predictions are quite accurate. We show how to build a portable, extended-range RFID skimmer, using only electronics hobbyist supplies and tools. Our skimmer is able to read ISO-14443 tags from a distance of ≈ 25cm, uses a lightweight 40cm-diameter copper-tube antenna, is powered by a 12V battery, and requires a budget of ≈$100. We believe that, with some more effort, we can reach ranges of ≈35cm, using the same skills, tools, and budget. We conclude that (a) ISO-14443 RFID tags can be skimmed from a distance that does not require the attacker to touch the victim; (b) Simple RFID tags, that respond to any reader, are immediately vulnerable to skimming; and (c) We are about halfway toward a full-blown implementation of a relay-attack.

Posted Content
TL;DR: In this paper, the authors propose a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology based on commonly accepted hypotheses about side-channels that computations give rise to.
Abstract: The fair evaluation and comparison of side-channel attacks and countermeasures has been a long standing open question, limiting further developments in the field. Motivated by this challenge, this work makes a step in this direction and proposes a framework for the analysis of cryptographic implementations that includes a theoretical model and an application methodology. The model is based on commonly accepted hypotheses about side-channels that computations give rise to. It allows quantifying the effect of practically relevant leakage functions with a combination of information theoretic and security metrics, measuring the quality of an implementation and the strength of an adversary, respectively. From a theoretical point of view, we demonstrate formal connections between these metrics and discuss their intuitive meaning. From a practical point of view, the model implies a unified methodology for the analysis of side-channel key recovery attacks. The proposed solution allows getting rid of most of the subjective parameters that were limiting previous specialized and often ad hoc approaches in the evaluation of physically observable devices. It typically determines the extent to which basic (but practically essential) questions such as "How to compare two implementations? " or "How to compare two side-channel adversaries? " can be answered in a sound fashion.

Posted Content
TL;DR: This paper combines the Ω-method of Gentry, MacKenzie and Ramzan with the Bellovin-Merritt protocol to obtain pass-phrase-based PAKE resilient to server-file compromise, and shows that a dictionary can be used with the Damerau-Levenshtein string-edit distance metric to construct a case-insensitive pass-phrase system that tolerates zero, one, or two spelling errors per word with no loss in security.
Abstract: It is well understood that passwords must be very long and complex to have sufficient entropy for security purposes. Unfortunately, these passwords tend to be hard to memorize, and so alternatives are sought. Smart Cards, Biometrics, and Reverse Turing Tests (human-only solvable puzzles) are options, but another option is to use pass-phrases. This paper explores methods for making passphrases suitable for use with password-based authentication and key-exchange (PAKE) protocols, and in particular, with schemes resilient to server-file compromise. In particular, the Ω-method of Gentry, MacKenzie and Ramzan, is combined with the Bellovin-Merritt protocol to provide mutual authentication (in the random oracle model (Canetti, Goldreich & Halevi 2004, Bellare, Boldyreva & Palacio 2004, Maurer, Renner & Holenstein 2004)). Furthermore, since common password-related problems are typographical errors, and the CAPSLOCK key, we show how a dictionary can be used with the Damerau-Levenshtein string-edit distance metric to construct a case-insensitive pass-phrase system that can tolerate zero, one, or two spelling-errors per word, with no loss in security. Furthermore, we show that the system can be made to accept pass-phrases that have been arbitrarily reordered, with a security cost that can be calculated. While a pass-phrase space of 2 is not achieved by this scheme, sizes in the range of 2 to 2 result from various selections of parameter sizes. An attacker who has acquired the server-file must exhaust over this space, while an attacker without the server-file cannot succeed with non-negligible probability.
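Worked example added by the editor (not the paper's construction, and without the PAKE layer): the error-tolerance idea from the abstract in runnable form. Each typed word is mapped, case-insensitively, to the unique dictionary word within Damerau-Levenshtein distance 2; with `allow_reorder` the corrected words are sorted so any permutation is accepted; only the canonical form is hashed, so typo tolerance costs nothing in search space while re-ordering tolerance costs a calculable amount. The six-word `DICTIONARY`, the salt and the PBKDF2 verifier are this example's own assumptions; a real dictionary would have tens of thousands of entries.

```python
"""Added example (this editor's code, not the paper's): error-tolerant
pass-phrase canonicalisation. Each typed word maps to the unique dictionary
word within Damerau-Levenshtein distance <= 2, ignoring case; with
allow_reorder the words are sorted so any permutation is accepted; only the
canonical form is hashed. DICTIONARY is a constructed toy."""
import hashlib
import math

DICTIONARY = ["correct", "horse", "battery", "staple", "castle", "donkey"]


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def canonical_word(word, max_errors=2):
    """Closest dictionary word (case-insensitive) within max_errors, or None
    when nothing is close enough or two entries tie (ambiguous correction)."""
    w = word.lower()
    scored = sorted((damerau_levenshtein(w, entry), entry) for entry in DICTIONARY)
    (best_dist, best), (second_dist, _) = scored[0], scored[1]
    if best_dist > max_errors or best_dist == second_dist:
        return None
    return best


def canonical_phrase(phrase, allow_reorder=False):
    """Canonical form shared by every tolerated typing of the pass-phrase."""
    words = [canonical_word(w) for w in phrase.split()]
    if any(w is None for w in words):
        return None
    if allow_reorder:
        words.sort()
    return " ".join(words)


def verifier(phrase, salt, allow_reorder=False):
    """Server-side verifier: slow hash of the canonical phrase, not the typed one."""
    canon = canonical_phrase(phrase, allow_reorder)
    if canon is None:
        return None
    return hashlib.pbkdf2_hmac("sha256", canon.encode(), salt, 100_000).hex()


def search_space_bits(n_words, allow_reorder=False):
    """log2 of the canonical phrases an attacker holding the verifier file
    must try: |dict|^n in order, or the number of n-multisets of dictionary
    words when order is ignored (the cost of accepting re-orderings)."""
    if allow_reorder:
        return math.log2(math.comb(len(DICTIONARY) + n_words - 1, n_words))
    return n_words * math.log2(len(DICTIONARY))
```

The ambiguity check in `canonical_word` matters: if two dictionary words are equally close to a typo, silently picking one would let two different pass-phrases collide on the same verifier, so the login is rejected instead. With the toy dictionary a four-word phrase has about 10.3 bits of search space in order and about 7.0 bits when re-orderings are accepted; the gap is the "security cost" the abstract refers to.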


Posted Content
TL;DR: In this article, a process calculus is defined in order to take into account the probabilistic semantics of the computational model, which is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography as well as the basic computational assumptions.
Abstract: This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the Dolev-Yao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosen-message attacks (UF-CMA) of the Full-Domain Hash signature scheme under the (trapdoor)-one-wayness of some permutations.

Posted Content
TL;DR: This work exploits and strengthens the ideas of Bringer et al. by further perturbing the representation of a cipher towards a white-box implementation, and applies the technique to a variant of the block cipher AES.
Abstract: At CMS 2006 Bringer et al. show how to conceal the algebraic structure of a “traceable block cipher” by adding perturbations to its description. We here exploit and strengthen their ideas by further perturbing the representation of a cipher towards a white box implementation. Our technique is quite general, and we apply it, as a challenging example in the domain of white box cryptography, to a variant of the block cipher AES.

Posted Content
TL;DR: In this article, the authors describe a family of simple protocols for inexpensive untraceable identification and authentication of RFID tags, aimed primarily at RFID tags that are capable of performing a small number of inexpensive conventional (as opposed to public key) cryptographic operations.
Abstract: Security and privacy in RFID systems is an important and active research area. A number of challenges arise due to the extremely limited computational, storage and communication abilities of a typical RFID tag. This paper describes a step-by-step construction of a family of simple protocols for inexpensive untraceable identification and authentication of RFID tags. This work is aimed primarily at RFID tags that are capable of performing a small number of inexpensive conventional (as opposed to public key) cryptographic operations. It also represents the first result geared for so-called batch mode of RFID scanning whereby the identification (and/or authentication) of tags is delayed. Proposed protocols involve minimal interaction between a tag and a reader and place very low computational burden on the tag. Notably, they also impose low computational load on back-end servers.

Posted Content
TL;DR: In this article, the authors present a structured security analysis of the VoIP protocol stack, which consists of signaling (SIP), session description (SDP), key establishment (SDES, MIKEY, and ZRTP) and secure media transport (SRTP) protocols.
Abstract: The transmission of voice communications as datagram packets over IP networks, commonly known as Voice-over-IP (VoIP) telephony, is rapidly gaining wide acceptance. With private phone conversations being conducted on insecure public networks, security of VoIP communications is increasingly important. We present a structured security analysis of the VoIP protocol stack, which consists of signaling (SIP), session description (SDP), key establishment (SDES, MIKEY, and ZRTP) and secure media transport (SRTP) protocols. Using a combination of manual and tool-supported formal analysis, we uncover several design flaws and attacks, most of which are caused by subtle inconsistencies between the assumptions that protocols at different layers of the VoIP stack make about each other. The most serious attack is a replay attack on SDES, which causes SRTP to repeat the keystream used for media encryption, thus completely breaking transport-layer security. We also demonstrate a man-in-the-middle attack on ZRTP, which allows the attacker to convince the communicating parties that they have lost their shared secret. If they are using VoIP devices without displays and thus cannot execute the "human authentication" procedure, they are forced to communicate insecurely, or not communicate at all, i.e., this becomes a denial of service attack. Finally, we show that the key derivation process used in MIKEY cannot be used to prove security of the derived key in the standard cryptographic model for secure key exchange.
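The abstract above states that replaying SDES makes SRTP repeat its keystream, and that this "completely breaks" transport-layer security. The following is an added illustration of why keystream repetition is fatal for any counter-mode stream cipher; it is not code from the paper and does not model SDES or SRTP packet formats. The SHA-256-based counter keystream is a stand-in for AES-CTR (an assumption made to keep the block dependency-free), and the two media packets are constructed sample data.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i).
    Stand-in for AES-CTR; the leak shown below is identical for real AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

# Constructed sample media payloads (stand-ins for two SRTP packets).
PACKET_A = b"caller: the wire transfer code is 7731"
PACKET_B = b"callee: confirmed, sending 7731 today"

def two_time_pad_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Attacker view when the keystream repeats: C_A XOR C_B == P_A XOR P_B,
    so the XOR of the plaintexts leaks with no key knowledge at all."""
    n = min(len(ct_a), len(ct_b))
    return xor(ct_a[:n], ct_b[:n])

def recover_with_crib(ct_a: bytes, ct_b: bytes, known_plain_a: bytes) -> bytes:
    """If one packet's plaintext is known or guessed (a crib), the other
    packet's plaintext falls out of the leaked XOR directly."""
    n = min(len(ct_a), len(ct_b))
    return xor(two_time_pad_leak(ct_a, ct_b), known_plain_a[:n])

def demo_replayed_session() -> bytes:
    """Same key and nonce used for two packets, as a replayed key-establishment
    exchange would cause: the attacker recovers PACKET_B from PACKET_A."""
    key = b"session-key-from-sdes"  # constructed, not a real SDES key
    nonce = b"\x00" * 8
    ct_a = encrypt(key, nonce, PACKET_A)
    ct_b = encrypt(key, nonce, PACKET_B)   # keystream repeats here
    return recover_with_crib(ct_a, ct_b, PACKET_A)

def demo_fresh_session() -> bytes:
    """Distinct nonces give distinct keystreams; the same attack yields junk."""
    key = b"session-key-from-sdes"
    ct_a = encrypt(key, b"\x00" * 8, PACKET_A)
    ct_b = encrypt(key, b"\x01" * 8, PACKET_B)
    return recover_with_crib(ct_a, ct_b, PACKET_A)

if __name__ == "__main__":
    print("replayed session recovers:", demo_replayed_session())
    print("fresh session recovers:   ", demo_fresh_session())
```

The point of the two functions is the contrast: nothing about the cipher changed between them, only whether the (key, nonce) pair was fresh. A replay at the key-establishment layer that makes the media layer reuse that pair therefore defeats the encryption without touching the cipher itself, which is the cross-layer inconsistency the paper describes.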
Posted Content
TL;DR: In this paper, the authors propose a general computational model for interactive Turing machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received.
Abstract: Recently, there has been much interest in extending models for simulation-based security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a non-trivial task. In this work, we propose a simple, yet expressive general computational model for systems of interactive Turing machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received. One distinguishing feature of our model is that the systems of ITMs that we consider involve a generic mechanism for addressing dynamically generated copies of ITMs. We study properties of such systems and, in particular, show that systems satisfying a certain acyclicity condition run in polynomial time. Based on our general computational model, we state different notions of simulation-based security in a uniform and concise way, study their relationships, and prove a general composition theorem for composing a polynomial number of copies of protocols, where the polynomial is determined by the environment. The simplicity of our model is demonstrated by the fact that many of our results can be proved by mere equational reasoning based on a few equational principles on systems.

Posted Content
TL;DR: In this paper, the authors construct a concurrent and non-malleable zero-knowledge argument for every language in NP in the plain model, and show that there exists a functionality F (a combination of zero knowledge and oblivious transfer) for which no concurrent non-malleable protocol can exist in this model.
Abstract: We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of , and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can choose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions (Lindell, TCC 2004). We obtain an $\tilde{O}(n)$-round protocol under the assumption that one-to-one one-way functions exist. This can be improved to $\tilde{O}(k \log n)$ rounds under the assumption that there exist $k$-round statistically hiding commitment schemes. Our protocol is a black-box zero knowledge protocol.