WEWoRC 2005 - COSIC

WEWoRC 2005

Western European Workshop on Research in Cryptology

Chairs: Christopher Wolf, Stefan Lucks, Po-Wah Yau

Leuven, Belgium, July 5-7, 2005

Conference Records

WEWoRC is jointly organized by Royal Holloway, University of London


Gold Sponsors

Horst Görtz Stiftung

Silver Sponsors

Bronze Sponsors


Programme

Monday, July 4

17.30–18.30 Registration

18.00–19.30 Welcome Reception

Tuesday, July 5

8.00– 8.45 Registration

8.45– 9.00 Introduction

9.00–10.00 Session on Pairing-Based Cryptography (Session Chair: Gregory Neven)

Emeline Hufschmitt, David Lefranc, Hervé Sibert: A Zero-Knowledge Identification Scheme in Gap Diffie-Hellman Groups, p 8

D. Nali, C. Adams, A. Miri: Hierarchical Identity-Based Signcryption with Public Ciphertext Authenticity and Forward Security, p 13

10.00–10.30 Coffee Break

10.30–11.00 Short Talks

Track A.1 (Session Chair: Elke De Mulder)

Takaaki Fujita, Kunihiro Okamoto, Maki Yoshida, and Toru Fujiwara: A Watermark Detection Scheme Ensuring the False Positive Error Probability, p 18

Santa Agreste, Guido Andaloro, Daniela Prestipino, Luigia Puccio: Combination of cryptographic and watermark schemes for copyright protection of digital images, p 20

Track B.1 (Session Chair: Joe Lano)

Paz Morillo, Carla Ràfols: A new Certificate-Based Encryption Chosen Ciphertext Secure, p 22

Jens-Matthias Bohli, Jörn Müller-Quade, Stefan Röhrich: On Group Key Agreement with Cheater Identification, p 23

11.00–11.10 Short Break


11.10–11.40 Short Talks

Track A.2 (Session Chair: Elke De Mulder)

Audrey Montreuil, Jacques Patarin: Computation of the “AND” with Cards, p 25

Heiko Stamer: Efficient electronic gambling: An extended implementation of Schindelhauer's Toolbox for Mental Card Games, p 27

Track B.2 (Session Chair: Joe Lano)

Takeshi Gomi, Kazukuni Kobara, Toshihisa Nakano, Masao Nonaka, Hideki Imai: Off-line Clone Discovery Using Portable Media, p 30

Masanori Yoshida, Rie Shigetomi, Hideki Imai: Revocation of anonymous credentials by short information, p 32

11.40–11.50 Short Break

11.50–12.20 Short Talks

Track A.3 (Session Chair: Charlotte Vikkelsoe)

Adrian Leung, Chris Mitchell: Towards Secure Zero Configuration, p 34

Qing Zhang: A User-centric solution to realise m-payment, p 36

Track B.3 (Session Chair: Ellen Jochemsz)

Rie Shigetomi, Haruhiro Yoshimoto, Hideki Imai: How visual demonstrations help showing cryptographic algorithms to general audience, p 38

Christopher Wolf: Multivariate Public Key Schemes, p 40

12.20–14.00 Lunch

14.00–15.30 Session on Theory (Session Chair: Svetla Nikova)

Frederik Armknecht: Algebraic Attacks and Annihilators, p 42

SeongHan Shin, Kazukuni Kobara, Hideki Imai: Password-based Information Retrieval with Privacy, p 45

Marie Virat: Around ElGamal encryption cryptosystem on a Weierstrass cubic on Fq[ε], p 50

15.30–16.00 Coffee Break

16.00–17.30 Session on Hardware-Oriented Cryptography (Session Chair: Lejla Batina)

Pim Tuyls: Key Extraction from Noisy Data: Physical Unclonable Functions, p 55

Laurent Larger, Vladimir Udaltsov, Stéphane Poinsot, Pierre-Ambroise Lacourt, Nicolas Gastaud: High speed chaotic carrier encrypting at the physical layer, p 58

Norbert Pramstaller, Christian Rechberger, Vincent Rijmen: An Efficient FPGA Implementation of Whirlpool, p 61

17.30–... Rump Session (Session Chair: Stefan Lucks): announcements, calls for papers, very recent results, ...


Wednesday, July 6

9.00–10.30 Session on Mobile Security and Key Storage (Session Chair: Po-Wah Yau)

Adil Alsaid, Chris J. Mitchell: A scanning tool for PC root public key stores, p 65

Anish Mohammed, Chris J. Mitchell: Privacy aspects of wireless protocols, p 70

Anand S. Gajparia: On Location-based services and the UCONABC Model, p 74

10.30–11.00 Coffee Break

11.00–11.30 Short Talks

Track A.4 (Session Chair: Frederik Armknecht)

Andrey Sidorenko, Berry Schoenmakers: State Compromise Attacks on Pseudorandom Generators, p 79

Jaechul Sung, Jongsung Kim, Changhoon Lee, Seokhie Hong: Related-Cipher Attacks on Block Ciphers with Flexible Number of Rounds, p 81

Track B.4 (Session Chair: Rie Shigetomi)

Satoshi Nakayama, Maki Yoshida, Shingo Okamura, Akira Fujiwara, Toru Fujiwara: An Efficient Private and Consistent Data Retrieval Protocol, p 83

Abdelilah Tabet, SeongHan Shin, Kazukuni Kobara, Hideki Imai: Formal Verification of Password-based Protocol by FDR Model Checking, p 85

11.30–11.40 Short Break

11.40–12.10 Short Talks

Track A.5 (Session Chair: Frederik Armknecht)

Marion Videau: Symmetric Boolean functions with high nonlinearity, p 87

An Braeken: Error-Set Codes, Secret Sharing Schemes and Matroids, p 89

Track B.5 (Session Chair: Simos Xenitellis)

Kalid Elmufti, Chris J. Mitchell: GSM for mobile SSO to protect user privacy, p 90

Zinaida Benenson, Felix C. Freiling, Dogan Kesdogan: Secure Multi-Party Computation with Security Modules, p 92

12.10–14.00 Lunch

14.00–... Social Programme


Thursday, July 7

9.00–10.00 Session on Cryptanalysis (Session Chair: Nicolas Sendrier)

Cédric Lauradoux: Collision attacks on processors with cache and countermeasures, p 94

Marine Minier: An integral cryptanalysis against a five rounds version of FOX, p 98

10.00–10.30 Coffee Break

10.30–11.00 Short Talks

Track A.6 (Session Chair: Simos Xenitellis)

Borislav Stoyanov: The 2-adic Summation-Shrinking Generator, p 103

Endre Bangerter, Andy Rupp, Ahmad-Reza Sadeghi: Simplified Hardness Proofs in the Generic Group Model, p 105

Track B.6 (Session Chair: Ellen Jochemsz)

Eabhnat Ní Fhloinn, Michael Purser: Applications of Partial Hiding in RSA, p 107

Julia C Bate, SeonHo Shin: Group Key Distribution Patterns, p 109

11.00–11.10 Short Break

11.10–11.40 Short Talks

Track A.7 (Session Chair: Krystian Matusiewicz)

Qiang Tang, Chris J. Mitchell: Security vulnerabilities of a password-based key establishment protocol, p 111

Till Stegers: Faugère's F5 Algorithm Revisited, p 113

Track B.7 (Session Chair: Anand Gajparia)

Simos Xenitellis: A list of open-source PKI implementations, p 115

Goran Pantelic, Slobodan Bojanic: Managing Security Levels in Smart Card Based Certification, p 117

11.40–11.50 Short Break

11.50–12.20 Short Talks

Track A.8 (Session Chair: Krystian Matusiewicz)

Su-Jeong Choi: Cryptanalysis of Homomorphic Public-Key Cryptosystem, p 119

Alexandre Ruiz, Jorge Villar: An Homomorphic Scheme for Publicly Verifiable Secret Sharing, p 120

Track B.8 (Session Chair: Anand Gajparia)

Shenglan Hu, Chris J. Mitchell: Using Trusted Computing for IP address autoconfiguration in MANETs, p 122

Jan Camenisch, Markus Rohe, Ahmad-Reza Sadeghi: Sokrates - A Compiler Framework for Zero-Knowledge Protocols, p 124

12.20–14.00 Lunch


14.00–15.00 Session on Modelling and Implementing (Session Chair: Gregor Leander)

S. Nachtigal, C.J. Mitchell: Modelling e-business security using business processes, p 126

Stefan Lucks, Nico Schmoigl, Emin Islam Tatlı: The Idea and the Architecture of a Cryptographic Compiler, p 131

15.00–15.30 Coffee Break

15.30–17.00 Session on Hash Functions (Session Chair: An Braeken)

Luis Carlos Coronado García: The Subset Sum Problem and (Universal) One-Way Functions based on it, p 136

Krystian Matusiewicz, Josef Pieprzyk: Collisions for simplified variants of SHA-256, p 140

Norbert Pramstaller, Christian Rechberger, Vincent Rijmen: Preliminary Analysis of the SHA-256 Message Expansion, p 145

17.00–17.15 Closing Remarks. Goodbye!

Further Submissions

The following submissions were also accepted for WEWoRC as talks. Unfortunately, their authors could not give the corresponding talks, due to time restrictions. Still, we decided to include these two submissions in the conference records.

Dave Singelée, Bart Preneel: An overview of the security weaknesses in Bluetooth, p 150

Kristian Gjøsteen: A pseudo-random function family with a group structure, and an application to multiparty computations, p 151

Author Index


A Zero-Knowledge Identification Scheme in Gap Diffie-Hellman Groups

Emeline Hufschmitt, David Lefranc and Hervé Sibert

France Telecom - 42 rue des Coutures - F-14066 Caen, France
{emeline.hufschmitt,david.lefranc,herve.sibert}@francetelecom.com

1 Introduction

The Weil and Tate pairings are bilinear maps defined on elliptic curves which can be computed very efficiently when used with specific classes (supersingular and MNT) of curves.

The existence of pairings gives rise to a new class of problems on these curves, such as the Bilinear Diffie-Hellman problem. Moreover, the decisional version of the Diffie-Hellman problem is easy when pairings exist, and the computational Diffie-Hellman problem reduces to the Gap Diffie-Hellman problem (G-DH), introduced by Okamoto and Pointcheval in [OP01].

The goal of this paper is to introduce a new identification scheme, which we prove is a zero-knowledge proof of knowledge based on the G-DH problem. This scheme is based on Schnorr's identification scheme [Sch91]. In addition to being zero-knowledge, this scheme is efficient compared with other pairing-based identification schemes, and its on-line execution time can be reduced using off-line precomputations.

2 Preliminary notions

2.1 The G-DH problem

Okamoto and Pointcheval formalized the gap between inverting and decisional problems in [OP01]. In particular, they applied it to the Diffie-Hellman problems:

- The Inverting Diffie-Hellman Problem (C-DH) (a.k.a. the Computational Diffie-Hellman Problem): given a triple of $G$ elements $(g, g^a, g^b)$, find the element $C = g^{ab}$.

- The Decision Diffie-Hellman Problem (D-DH): given a quadruple of $G$ elements $(g, g^a, g^b, g^c)$, decide whether $c = ab \bmod q$ or not.

- The Gap Diffie-Hellman Problem (G-DH): given a triple $(g, g^a, g^b)$, find the element $C = g^{ab}$ with the help of a Decision Diffie-Hellman Oracle (which answers whether a given quadruple is a Diffie-Hellman quadruple or not).

At last, Proposition 2 of [OP01] states that, when the D-DH problem is strongly tractable, the inverting problem of $f$ is reducible to the R-gap problem of $f$.

2.2 Bilinear maps and pairings

The bilinear maps used in cryptography are the Weil and Tate pairings on some elliptic curves. Both satisfy the following definition:

Definition 2.1 Let $G$ and $G_1$ be two groups of order some large prime $q$, denoted multiplicatively. An admissible bilinear map is a map $e : G \times G \to G_1$ that is:

- bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in G$ and all $a, b \in \mathbb{Z}$,

- non-degenerate: for $g$ and $h$ two generators of $G$, we have $e(g, h) \neq 1$,

- computable: there exists an efficient algorithm to compute $e(g, h)$ for any $g, h \in G$.

In the case of the Weil and Tate pairings, $G$ is a subgroup of the additive group of points of an elliptic curve $E/\mathbb{F}_p$, and $G_1$ is the multiplicative group of the extension field $\mathbb{F}_{p^2}$. However, in order to remain close to the Schnorr scheme, we keep the multiplicative notation both for $G$ and $G_1$.

3 Our pairing-based identification scheme

From now on, $G = \langle g \rangle$ is a group in which the Gap Diffie-Hellman problem is intractable. We assume the existence of an admissible bilinear map $e : G \times G \to G_1$, with $G$ and $G_1$ of order $q$.

The prover holds public parameters $(g, g^a, g^b, e(g, g), v = e(g, g)^{ab})$ ($v$ is given to withdraw its computation) and a private key $S = g^{ab}$. The public key is $I = (g^a, g^b)$. Our scheme is a zero-knowledge proof of knowledge of the value $g^{ab}$ obtained by iterating $\ell$ times the three-pass algorithm described in Figure 1.

Prover: choose $r \in [[0, q[[$, compute $W = e(g, g)^r$, and send $W$ to the verifier.

Verifier: choose $c \in [[0, 2^k[[$ and send $c$ to the prover.

Prover: check $c \in [[0, 2^k[[$, compute $Y = g^r \times S^c$, and send $Y$ to the verifier.

Verifier: verify $e(g, Y) = W \times v^c$.

Figure 1: One round of the identification scheme

4 Security of the scheme

We follow the outline of general zero-knowledge proofs introduced in [FFS88]. Namely, we prove that the scheme is complete, sound and zero-knowledge. The prover and the verifier are modeled by Probabilistic Polynomial Time Turing Machines (PPTM) and $|I|$ is the security parameter.

4.1 The completeness property

If the legitimate prover and the verifier both follow the scheme, then it always succeeds:

$e(g, Y) = e(g, g^r (g^{ab})^c) = e(g, g)^{r + abc} = e(g, g)^r \times (e(g, g)^{ab})^c = W \times v^c.$

4.2 The soundness property

With classical arguments, a cheater has a non-zero probability of success. Indeed, for each round, he guesses the value $c$ that will be sent to him, randomly picks an element $Y$ in $G$ and computes $W = e(g, Y) v^{-c}$. His overall probability of success over the $\ell$ rounds is at least equal to $1/2^{\ell k}$.


If the probability of success of a cheater is substantially greater than $1/2^{\ell k}$, then the private key can be computed. Indeed, one can construct a polynomial time algorithm which, by interacting with the cheater, obtains with non-negligible probability two couples $(c_1, Y_1)$ and $(c_2, Y_2)$, such that $e(g, Y_1) v^{c_2} = e(g, Y_2) v^{c_1}$. Then, denoting $\alpha = (c_1 - c_2)^{-1} \bmod q$, we obtain $(Y_1 Y_2^{-1})^{\alpha} = g^{ab}$, i.e. the private key, so that the G-DH problem is solved.

The algorithm used to obtain the two couples is the same as in the proof for the Schnorr scheme [Sch91]. Its time complexity is polynomial if $\ell$ is polynomial in $|I|$, and the probability of success of a cheater is negligible if $\log(|I|) = o(\ell k)$. This allows us to choose $\ell = 1$ in practice.

4.3 The zero-knowledge property

The present identification scheme satisfies the zero-knowledge property. To simulate in polynomial time (in $|I|$) the communications between a real prover and a (not necessarily honest) verifier, we use the following algorithm $M$.

For the simulation of one round, $M$ randomly picks $\tilde{c}$ in $[[0, 2^k[[$, randomly picks $Y$ in $G$ and computes $W = e(g, Y) \times v^{-\tilde{c}}$. $M$ then sends $W$ to the verifier, which answers $c$. If $c = \tilde{c}$ then the triple $(W, c, Y)$ is kept, otherwise $M$ computes a new triple. To simulate the $\ell$ rounds, $M$ constructs $\ell$ triples with the previous method.

The equality $c = \tilde{c}$ holds after $2^k$ tests on average, so $M$ constructs $\ell \times 2^k$ triples in order to obtain $\ell$ valid triples. If $\ell \times 2^k$ is polynomial in $|I|$, then we obtain a polynomial time algorithm. At last, the distribution of the simulation is perfectly equal to the distribution of real communication.
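The round of Figure 1, the cheater of Section 4.2, the extractor behind the soundness argument and the simulator M, run in a toy setting. This is an added example, not code from the paper: the group G is modelled as Z_q with g^x stored as x (so discrete logarithms are trivial and the toy has no security), the pairing is e(g^x, g^y) = H^{xy} in the order-q subgroup of Z_P^*, and the parameters P = 2039, Q = 1019, H = 4 and the challenge length K = 4 are constructed.

```python
"""Toy model of the Hufschmitt-Lefranc-Sibert G-DH identification scheme.
G = <g> of prime order q is modelled additively as Z_q (g^x is stored as x),
G1 as the order-q subgroup <H> of Z_P^*, and e(g^x, g^y) = H^(x*y) mod P.
The map is bilinear, so the protocol equations hold, but discrete logs in
this G are trivial: no security, only the three-pass flow, the verifier's
check, the cheater of Section 4.2, the extractor of the soundness proof and
the rewinding simulator of Section 4.3.  Added example, not the paper's code."""
import secrets

P, Q, H = 2039, 1019, 4   # constructed toy parameters: Q prime, Q | P-1, H of order Q
K = 4                      # challenge length k: c is drawn from [0, 2^k)

def e(x, y):
    """Toy pairing e(g^x, g^y) = e(g, g)^(xy) with e(g, g) = H."""
    return pow(H, (x * y) % Q, P)

def keygen():
    """Public key I = (g^a, g^b) plus v = e(g, g)^ab; private key S = g^ab (as ab mod q)."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return {"ga": a, "gb": b, "v": e(a, b)}, (a * b) % Q

def prover_commit():
    """Pass 1: r in [0, q), W = e(g, g)^r.  r is kept for pass 3."""
    r = secrets.randbelow(Q)
    return pow(H, r, P), r

def prover_respond(S, r, c):
    """Pass 3: Y = g^r * S^c, i.e. exponent r + c*ab mod q, after checking c's range."""
    if not 0 <= c < 2 ** K:
        raise ValueError("challenge outside [0, 2^k)")
    return (r + c * S) % Q

def verify(pub, W, c, Y):
    """Verifier: e(g, Y) == W * v^c in G1."""
    return e(1, Y) == W * pow(pub["v"], c, P) % P

def honest_round(pub, S):
    W, r = prover_commit()
    c = secrets.randbelow(2 ** K)
    return verify(pub, W, c, prover_respond(S, r, c))

def cheater_round(pub, guess, c):
    """Cheater without S: fix Y, set W = e(g, Y) v^-guess; accepted iff c == guess,
    so each round succeeds with probability 1/2^k."""
    Y = secrets.randbelow(Q)
    W = e(1, Y) * pow(pub["v"], -guess, P) % P
    return verify(pub, W, c, Y)

def simulate_round(pub, verifier):
    """Simulator M: guess c~, build an accepting (W, c~, Y) without S, send W, keep
    the triple iff the verifier answers c~, else rewind.  About 2^k attempts per round."""
    attempts = 0
    while True:
        attempts += 1
        c_guess, Y = secrets.randbelow(2 ** K), secrets.randbelow(Q)
        W = e(1, Y) * pow(pub["v"], -c_guess, P) % P
        if verifier(W) == c_guess:
            return (W, c_guess, Y), attempts

def extract_key(c1, Y1, c2, Y2):
    """Soundness extractor: two accepting transcripts with the same W and c1 != c2
    give S = (Y1 Y2^-1)^alpha with alpha = (c1 - c2)^-1 mod q."""
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges must differ")
    return (Y1 - Y2) * pow((c1 - c2) % Q, -1, Q) % Q
```

The verifier passed to simulate_round may be any function of W, honest or not; the simulated triples verify exactly as real ones do.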

5 Efficiency of the scheme

We compare our scheme with three other identification schemes based on bilinear maps. The first one, described in Figure 2, was proposed by Shao, Lu and Cao [SLC04]. Its security is based on the Strong Diffie-Hellman problem. The two remaining schemes were proposed by Kim and Kim [KK02] and Yao, Wang and Wang [YWW03].

Public parameters: $g, e(g, g)$; private key: $s \in [[0, q[[$; public key: $v = g^s$

Prover: choose $r \in_R [[0, q[[$, compute $W = g^r$, and send $W$ to the verifier.

Verifier: choose $\beta \in_R [[0, q[[$ and send $\beta$ to the prover.

Prover: compute $Y = g^{1/(r + s\beta)}$ and send $Y$ to the verifier.

Verifier: verify $e(Y, v^{\beta} W) = e(g, g)$.

Figure 2: The SLC identification scheme

To evaluate the efficiency of our new scheme, we first evaluate the number of computations of each scheme. We focus on the number of group exponentiations or bilinear map pairing evaluations, which are by far the costliest operations. These results are summed up in Figure 3.

Our scheme has about the same computation cost as the Shao-Lu-Cao scheme, being slightly more efficient on the verifier's side and about as efficient on the prover's side. Moreover, it is strictly more efficient than the Kim-Kim scheme and the Yao-Wang-Wang scheme.


| | Our scheme | Shao-Lu-Cao | Kim-Kim | Yao-Wang-Wang |
|---|---|---|---|---|
| Number of group exponentiations for the prover | 2 + ε* | 2 | 4 | 6 |
| Number of evaluations of e(., .) for the prover | 0 | 0 | 0 | 0 |
| Number of group exponentiations for the verifier | ε | 1 | 2 | 2 |
| Number of evaluations of e(., .) for the verifier | 1 | 1 | 2 | 1 |

* the exponent c is a k-bit number significantly less than q

Figure 3: Comparison of efficiency

Now, we analyze these schemes with respect to the possible use of coupons, i.e. the use of precomputations on the prover's side. In our scheme, with the precomputation of $W$ and $g^r$, only one on-line group exponentiation by a $k$-bit number is required on the prover's side. For the three other schemes, one on-line group exponentiation by a $\log q$-bit number is required, with $\log q$ significantly greater than $k$ (for instance, $\log q = 160$ and $k = 32$). Thus, both the prover's and the verifier's side become more efficient in our scheme than in the other schemes.

6 Applications

6.1 Using the identification scheme for anonymity

Consider Alice with key pair $(a, g^a)$, and Bob with key pair $(b, g^b)$. Then, the public parameters of the set {Alice, Bob} are essentially the same as the public key of the prover in our scheme. The remaining public parameters of our scheme can be computed using the bilinear map $e$. Thus, the scheme provides a zero-knowledge identification of a prover P belonging to the set {Alice, Bob}.

Moreover, only the prover can revoke the anonymity after the execution of the protocol, by giving the value $y = r + sc$, where $s$ is $a$ if the prover is Alice, and $b$ if he is Bob, and $c$ is the challenge sent by the verifier during the execution of the scheme. Then, the verifier checks $e(g, g)^y = W \times v'^{c}$, with $v' = e(g, g^s)$, as $g^s$ is public (it is either $g^a$ or $g^b$ depending on who the prover pretends to be).

6.2 An identity-based identification scheme

An authority A broadcasts its public key $g^s$, and keeps its private key $s$ secret. The authority provides an entity P, whose identity is $\mathrm{Id}_P$, with the private key $h(\mathrm{Id}_P)^s$.

Now, we are exactly in the framework of our identification scheme: let $a$ be such that $h(\mathrm{Id}_P) = g^a$. The element $a$ is unknown, because $h$ is a hash function. However, we can now say that $g^a = h(\mathrm{Id}_P)$ and $g^s$ are public, so the public key of P is $(g, g^a = h(\mathrm{Id}_P), g^s, e(g, g), v = e(g, g)^{as} = e(h(\mathrm{Id}_P), g^s))$. This public key can be computed by everyone knowing the authority's public key $g^s$ and the identity $\mathrm{Id}_P$.

At last, the Fiat-Shamir paradigm can also be applied to our identity-based identification scheme. This gives a very efficient identity-based signature scheme, which, we found, was proposed by Hess in [Hes02].


7 Conclusion

In this paper, we present a new identification scheme based on the Gap Diffie-Hellman problem, and prove that it is a zero-knowledge proof of knowledge. It appears that our scheme is among the most efficient identification schemes based on bilinear maps. Moreover, we show that the private key generation gives rise to several applications, including very efficient identity-based identification. We believe that pairing-based cryptography can not only enable new applications, but also bring efficiency to many well-known applications, and this seems an appealing direction for future work.

Acknowledgements

We thank Marc Girault and Fabien Laguillaumie for valuable and helpful discussions.

References

[FFS88] U. Feige, A. Fiat, and A. Shamir. Zero Knowledge Proofs of Identity. Journal of Cryptology, 1(2):77–94, 1988.

[Hes02] F. Hess. Efficient Identity Based Signature Schemes Based on Pairings. In K. Nyberg and H. M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 310–324. Springer-Verlag, 2002.

[KK02] M. Kim and K. Kim. A New Identification Scheme Based on the Bilinear Diffie-Hellman Problem. In The 7th Australian Conference on Information Security and Privacy, ACISP '02, pages 362–378. Springer-Verlag, 2002.

[OP01] T. Okamoto and D. Pointcheval. The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes. In K. Kim, editor, Public Key Cryptography, volume 1992 of Lecture Notes in Computer Science, pages 104–118. Springer-Verlag, 2001.

[Sch91] C. P. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991.

[SLC04] J. Shao, R. Lu, and Z. Cao. A New Efficient Identification Scheme Based on the Strong Diffie-Hellman Assumption. In International Symposium on Future Software Technology, 2004.

[YWW03] G. Yao, G. Wang, and Y. Wang. An Improved Identification Scheme. In Progress in Computer Science and Applied Logic. Birkhäuser-Verlag, November 2003.


Hierarchical Identity-Based Signcryption with Public Ciphertext Authenticity and Forward Security

D. Nali, C. Adams, A. Miri

University of Ottawa
{deholo,cadams,samiri}@site.uottawa.ca

Abstract. Signcryption schemes with public ciphertext authenticity (PCA) enable third parties (such as firewalls) to stop or route encrypted messages based on the public keys of the senders of these messages. Moreover, signcryption schemes with forward security (FS) prevent the theft of any user's private key from compromising the confidentiality of signcryptexts issued by this user. This paper describes an efficient and provably secure hierarchical identity-based signcryption scheme with both PCA and FS.

Keywords. Authenticated Message Authentication. Hierarchical Identity-based Cryptography.

1 Introduction

Signcryption [15] is the process whereby a given message is both encrypted and digitally signed in one logical step. Signcrypted messages are henceforth called signcryptexts. A desirable property of signcryption schemes is public ciphertext authenticity (PCA) [4, 6]. This feature enables third parties to ascertain, without the help of any intended recipient, both the identity of any given signcryptext sender and the validity of this signcryptext (i.e. the fact that the signcrypted message was validly signed and ciphered by the same party). Such a feature is useful for applications in which valid signcrypted messages must be routed from one point to another, stopped (e.g. by a firewall), or distinguished from fake signcryptexts. Another desirable property of signcryption schemes is forward security (FS). This feature prevents the theft of any user's private key from compromising the confidentiality of signcrypted messages issued by this user. This paper is concerned with signcryption providing both PCA and FS. More specifically, we focus on hierarchical identity-based signcryption with the two aforementioned features, because of the convenience of use which identity-based (ID-based) schemes provide, and because of the scalability that hierarchical (ID-based) schemes offer.

1.1 Related Work

ID-based Cryptography. ID-based cryptography was introduced by Shamir [14] in 1984. However, it was only in 2001 that Boneh et al. [2] presented the first efficient and secure ID-based encryption, using bilinear pairings on supersingular elliptic curves [2]. A few HIDE schemes have been proposed [1, 7, 12]. Among these schemes, the most efficient ones are Boneh et al.'s [1] and Nali et al.'s [12]. Both of these schemes issue constant-size ciphertexts and both have constant-time decryption procedures. Only Nali et al.'s scheme has a constant-time key generation procedure, and only Nali et al.'s scheme issues constant-size private keys.

Signcryption. The concept of public-key signcryption was introduced by Zheng [15], in 1997. Various efficient signcryption schemes were first proposed, none of which were ID-based ones. In the last few years, however, a number of ID-based signcryption schemes have been proposed, with the following limitations. Malone-Lee's scheme [10] is not semantically secure [8]. Nalla and Reddy's scheme [13] does not provide PCA [4]. Libert and Quisquater's schemes [8] do not simultaneously provide PCA and FS. The same limitations can be found in both Boyen's scheme [3], and McCullagh and Barreto's scheme [11]. Chow et al.'s scheme [4] simultaneously provides these two properties, but, like all the above schemes, it is not suitable for hierarchical settings or for very large user communities. Chow et al.'s scheme [5] is the only known hierarchical ID-based signcryption scheme. However, this scheme does not provide PCA. Moreover, the length of each signcrypted message issued by Chow et al.'s scheme [5] is the sum of the hierarchical depths of the corresponding signer and intended recipient. Libert and Quisquater [9] also suggested a signcryption scheme which combines ID-based and certificate-based cryptography in order to handle large communities of users forming multiple groups (domains). However, this hybrid scheme has the following limitations: first, it requires each signcryptext to include a digital certificate associated with its sender's Private Key Generator (PKG), thereby inducing higher space requirements and forcing signcryptext recipients to verify the validity of each sender PKG's digital certificate; second, it does not handle hierarchical key generation (i.e. the ability of PKGs to delegate, to other (hierarchically lower) PKGs, the task of user key generation). Consequently, the hybrid scheme is not suitable for hierarchically-structured or large user communities.

1.2 Contribution

The main contribution of this paper is to describe an efficient hierarchical ID-based signcryption (HIDSC) scheme featuring both public ciphertext authenticity and forward security. The HIDSC scheme (which efficiently combines Nali et al.'s HIDE scheme [12] with a related hierarchical ID-based signature (HIDS) scheme (footnote 1)) is provably secure, in the random oracle model, assuming the intractability of a standard number theoretic problem (namely, the bilinear Diffie-Hellman problem [2]). These security proofs are presented in the extended version of this paper. The sequel is organized as follows: §2 describes our proposed HIDSC scheme, and §3 discusses its efficiency and security. §4 concludes the paper.

2 Proposed Signcryption Scheme (NewHIDSC)

• Instance Generator ($k$). This procedure, denoted by $\mathcal{IG}$, is a randomized algorithm which takes a security parameter $k > 0$, runs in $O(k)$, and outputs $(\mathbb{G}_1, \mathbb{G}_2, e)$, where $\mathbb{G}_1$ and $\mathbb{G}_2$ are two Abelian groups of prime order $q \geq 2^k$, and $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is an admissible pairing with respect to which $\mathbb{G}_1$ and $\mathbb{G}_2$ are Gap Diffie-Hellman groups.

• Root Setup ($k$). Given a security parameter $k > 0$, a root PKG:

1. runs $\mathcal{IG}$ with input $k$ and obtains $(\mathbb{G}_1, \mathbb{G}_2, e)$;

2. picks, randomly and uniformly (footnote 2), $P_0^{(1)}, P_0^{(2)}, P_0^{(3)}, P_0^{(4)}, P_0^{(5)} \in \mathbb{G}_1$;

3. picks $s_0, I_0 \in_R \mathbb{Z}_q^*$;

4. computes $n = \mathrm{poly}_1(k)$, $\ell = \mathrm{poly}_2(k)$ and $\xi = \mathrm{poly}_3(k)$, where $\mathrm{poly}_1$, $\mathrm{poly}_2$ and $\mathrm{poly}_3$ are polynomials over the positive integers ($n$ is the message length, $\ell$ is the maximal depth of the user hierarchy, and $\xi$ is the bit size of a symmetric cipher's keys);

5. chooses cryptographic hash functions
$H_1 : \{0, 1\}^* \to (\mathbb{Z}_q^* - \{I_0\})^{\ell}$, $H_2 : \mathbb{G}_2 \to \{0, 1\}^n$, $H_3 : \{0, 1\}^n \times \mathbb{G}_2 \to \{0, 1\}^n$, $H_4 : \mathbb{Z}_q^* \to \mathbb{Z}_q^*$,
where the image through $H_1$ of a ($t$-long) ID-tuple $\mathrm{ID}_t = (\mathrm{ID}_1, \cdots, \mathrm{ID}_t)$ is $H_1(\mathrm{ID}_t) = (I_1, \cdots, I_t, I_0, \cdots, I_0) \in (\mathbb{Z}_q^* - \{I_0\})^{\ell}$, where $I_0 \in_R \mathbb{Z}_q^* - \{I_0\}$, $I_i = H_5(\mathrm{ID}_i)$ ($1 \leq i \leq t$) and $H_5$ is any cryptographic hash function from $\{0, 1\}^*$ to $\mathbb{Z}_q^* - \{I_0\}$;

6. computes $(s_i = H_4(s_{i-1}))_{i=1}^{\ell - 1}$, $L_1^{(j)} = s_0 P_0^{(j)}$ for $j = 3, 4$, and $(L_i^{(j)} = s_{i-1} L_{i-1}^{(j)})_{i=2}^{\ell}$ for $j = 3, 4$;

7. chooses a symmetric cipher $E : \{0, 1\}^n \to \{0, 1\}^n$ whose keys belong to the set $\{0, 1\}^{\xi}$ and whose inverse is denoted by $E^{-1}$. For instance, $E$ can be instantiated with AES.

The message space is $\mathcal{M} = \{0, 1\}^n$ and the ciphertext space is $\mathcal{C} = \mathbb{G}_1^4 \times \{0, 1\}^n \times \{0, 1\}^n$. The system's public parameters (which must be certified) are $\mathrm{pubParams} = (q, n, e, I_0, P_0^{(1)}, P_0^{(2)}, P_0^{(3)}, P_0^{(4)}, P_0^{(5)}, E, H_1, H_2, H_3, H_4, ((L_i^{(j)})_{i=1}^{\ell})_{j=3}^{4})$, and the root PKG keeps $s_0$ secret, so that $\mathrm{params} = (\mathrm{pubParams}, s_0)$.

• Extract:1Due to space limitations, this signature scheme is only presented in the extended version of this paper.2In the sequel, we shall use the notation x ∈R X to indicate that the element x is chosen uniformly at random

from the set X.

14

Page 15: WEWoRC 2005 - COSICWEWoRC 2005 Western European Workshop on Research in Cryptology Chairs: Christopher Wolf, Stefan Lucks, Po-Wah Yau Leuven, Belgium, July 5-7, 2005 Conference Records

– Root-level Extract : For each first-level user ID1, the root PKG picks αID1∈R Z∗

q , and computes(I1, I0, · · · , I0) = H1(ID1) ∈ (Z∗

q − {I0})`, s1 = H4(s0), and the following:

SID1= s0(I1P

(1)0 + I0P

(2)0 + αID1

P(3)0 ),

EID1= s0(P

(1)0 + I0P

(2)0 + αID1

P(3)0 ), and

SID1= s0αID1

P(4)0 .

Then, the root PKG gives dID1= (SID1

, EID1, SID1

, s1) to ID1.

– Lower-level Extract : For each child IDt+1 of a user IDt (t ≥ 1), IDt picks αIDt+1∈R Z∗

q ,

and computes (I1, · · · , It, It+1, I0, · · · , I0) = H1(IDt+1) ∈ (Z∗q − {I0})`, st+1 = H4(st), and the

following:

SIDt+1= st(It+1SIDt

+ I0EIDt) + αIDt+1

L(3)t+1,

EIDt+1= st(It+1 + I0)EIDt

+ αIDt+1L

(3)t+1, and

SIDt+1= st(It+1 + I0)SIDt

+ αIDt+1L

(4)t+1.

Then, IDt gives dIDt+1= (SIDt+1

, EIDt+1, SIDt+1

, st+1) to IDt+1.

• Signcryption: Given a message $m \in \mathcal{M}$, the ID-tuple $ID_{t_A}$ of a sender, the ID-tuple $ID_{t_B}$ of an intended recipient, the private key $d_{ID_{t_A}}$ of $ID_{t_A}$, and pubParams, this algorithm:

1. picks $x, y \in_R \mathbb{Z}_q^*$, and computes $U_1 = xP_0^{(4)}$, $U_2 = xP_0^{(3)}$ and $V = y\left(P_0^{(4)} - P_0^{(3)}\right)$;

2. computes $(I_1, \cdots, I_{t_B}, I_0, \cdots, I_0) = H_1(ID_{t_B}) \in (\mathbb{Z}_q^* - \{I_0\})^{\ell}$ and $\rho_{t_B} = M_{t_B} P_0^{(1)} + N_{t_B} P_0^{(2)}$, where $M_1 = I_1$, $M'_1 = 1$, $N_1 = I_0$, $N'_1 = I_0$, $M_{i+1} = I_{i+1} M_i + I_0 M'_i$ and $M'_{i+1} = (I_{i+1} + I_0) M'_i$ for $1 \le i < t_B$, and $N_{i+1} = I_{i+1} N_i + I_0 N'_i$ and $N'_{i+1} = (I_{i+1} + I_0) N'_i$ for $1 \le i < t_B$;

3. computes $\kappa_1 = e\left(P_0^{(4)} - P_0^{(3)}, P_0^{(5)}\right)^y$ and $\kappa_2 = H_2\left(e\left(L^{(4)}_{t_B}, \rho_{t_B}\right)^x\right)$;

4. computes $c = E_{\kappa_2}(m)$, $r = H_3(c, \kappa_1)$, $S_{t_A} = yP_0^{(5)} - r S_{ID_{t_A}}$, and $\tilde{S}_{t_A} = yP_0^{(5)} - r \tilde{S}_{ID_{t_A}}$;

5. outputs $\sigma = (U_1, U_2, V, S_{t_A}, \tilde{S}_{t_A}, c, r)$.

• Unsigncryption: Given a ciphertext $\sigma = (U_1, U_2, V, S_{t_A}, \tilde{S}_{t_A}, c, r) \in \mathcal{C}$, the ID-tuple $ID_{t_A}$ of a sender, the ID-tuple $ID_{t_B}$ of an intended recipient, the private key $d_{ID_{t_B}}$ of $ID_{t_B}$, and pubParams, this algorithm:

1. computes $(I_1, \cdots, I_{t_A}, I_0, \cdots, I_0) = H_1(ID_{t_A}) \in (\mathbb{Z}_q^* - \{I_0\})^{\ell}$ and $\rho_{t_A} = M_{t_A} P_0^{(1)} + N_{t_A} P_0^{(2)}$, where $M_1 = I_1$, $M'_1 = 1$, $N_1 = I_0$, $N'_1 = I_0$, $M_{i+1} = I_{i+1} M_i + I_0 M'_i$ and $M'_{i+1} = (I_{i+1} + I_0) M'_i$ for $1 \le i < t_A$, and $N_{i+1} = I_{i+1} N_i + I_0 N'_i$ and $N'_{i+1} = (I_{i+1} + I_0) N'_i$ for $1 \le i < t_A$;

2. computes $\kappa_1 = e\left(P_0^{(4)}, S_{t_A}\right) \cdot e\left(P_0^{(3)}, \tilde{S}_{t_A}\right) \cdot e\left(L^{(4)}_{t_A}, \rho_{t_A}\right)^r$;

3. computes $\tau = H_2\left(e(U_1, S_{ID_{t_B}})\, e(U_2, \tilde{S}_{ID_{t_B}})^{-1}\right)$, $\kappa_2 = H_2(\tau)$, and $m = E^{-1}_{\kappa_2}(c)$;

4. outputs $(m, \text{“Valid”})$ if $\kappa_1 = e(V, P_0^{(5)})$ and $r = H_3(c, \kappa_1)$, and outputs “Invalid” otherwise.

3 Efficiency and Security

Table 1 compares the computational requirements of Boyen’s ID-based signcryption (IDSC) scheme (Boy-IDSC [3]), Chow et al.’s efficient IDSC scheme (Chow-IDSC [4]), Chow et al.’s hierarchical IDSC scheme (Chow-HIDSC [5]), and our proposed HIDSC scheme (NewHIDSC). All the compared schemes are provably forward secure, semantically secure, and existentially unforgeable. The Hierarchical column indicates whether each given scheme handles hierarchically-structured communities, and the PCA column indicates whether the scheme features public ciphertext authenticity. $t_A$ and $t_B$ respectively denote the hierarchical depth of a signcryptext’s sender and intended recipient. $M_{G_1}$ denotes the computational cost of scalar multiplication in $G_1$, $M_{\mathbb{Z}_q^*}$ denotes the cost of multiplication in $\mathbb{Z}_q^*$, and $P$ denotes the computational cost of pairing. Note that $P$ is, by far, the most expensive of the aforementioned computational costs. Note also that, for some applications (e.g. email, phone, and IP-based routing), $t_A, t_B \ge 4$ can be assumed. In this case, NewHIDSC requires 7 pairings instead of the 11 pairings imposed (at least) by Chow-HIDSC. Hence, NewHIDSC offers a computational cost similar to that of Chow-IDSC, and is significantly more scalable than Chow-IDSC.

| Schemes | Un+Signcryption Cost | Hierarchical | PCA |
|---|---|---|---|
| Boy-IDSC [3] | $5P + 2M_{G_1} + 1M_{\mathbb{Z}_q^*}$ | N | N |
| Chow-IDSC [4] | $6P + 3M_{G_1}$ | N | Y |
| Chow-HIDSC [5] | $(t_A + t_B + 3)(P + M_{G_1})$ | Y | N |
| NewHIDSC | $7P + 11M_{G_1} + 6(t_A + t_B - 1)M_{\mathbb{Z}_q^*}$ | Y | Y |

Table 1: Comparison of NewHIDSC with related IDSC schemes. $P$ is, by far, the most expensive operation, and $t_A, t_B \ge 4$ can be assumed. Only Chow-HIDSC and NewHIDSC are scalable to large user communities.

Another analysis of interest consists of comparing a signcryption scheme with its underlying encryption and signature schemes. With respect to this metric, NewHIDSC requires 7 pairing computations for signature-encryption and decryption-verification, but avoids the necessity to compute some variables of the HIDE scheme’s Decryption algorithm. This saves $6(t_A - 1)$ multiplications in $\mathbb{Z}_q^*$, in comparison with the Sign-then-Encrypt approach.

Security. In the extended version of this paper, NewHIDSC is proved to have the following security features, if the bilinear Diffie-Hellman problem is hard: (1) semantic security with respect to adaptive chosen ciphertext attacks; (2) existential unforgeability with respect to adaptive chosen message attacks; (3) public ciphertext authenticity; (4) forward security.

4 Conclusion

The main goal of this paper was to describe an efficient hierarchical ID-based signcryption (HIDSC) scheme featuring both public ciphertext authenticity (PCA) and forward security (FS). PCA enables third parties (such as firewalls) to route or stop signcrypted messages depending on the origin and validity of the signcryptexts. FS prevents the theft of a user’s private key from compromising the confidentiality of signcryptexts issued by this user. The proposed HIDSC scheme provides both PCA and FS. An open question is whether one can design a HIDSC scheme featuring ciphertext anonymity (i.e. the property whereby no information concerning both the sender and the recipient of any given signcryptext is revealed to an active third party).

References

[1] D. Boneh, X. Boyen, and E.-J. Goh, Hierarchical Identity Based Encryption with Constant Size Ciphertext, Available at http://eprint.iacr.org/2005/015.pdf, 2005.

[2] D. Boneh and M.K. Franklin, Identity-Based Encryption from the Weil Pairing, Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, vol. 2139, Springer-Verlag, 2001, pp. 213–229.

[3] X. Boyen, Multipurpose Identity-Based Signcryption: A Swiss Army Knife for Identity-Based Cryptography, Proceedings of the 23rd International Conference on Advances in Cryptology (CRYPTO ’03), Lecture Notes in Computer Science, vol. 2729, Springer-Verlag, 2003, pp. 383–399.

[4] S.S.M. Chow, S.M. Yiu, L.C.K. Hui, and K.P. Chow, Efficient Forward and Provably Secure ID-based Signcryption Scheme with Public Verifiability and Public Ciphertext Authenticity, Proceedings of the Sixth Conference on Information Security and Cryptology (ICISC’03) (Seoul, Korea), Lecture Notes in Computer Science, vol. 2971, 2003, pp. 352–369.

[5] S.S.M. Chow, T.H. Yuen, L.C.K. Hui, and S.M. Yiu, Signcryption in Hierarchical Identity Based Cryptosystem, Available at http://eprint.iacr.org/2004/244.pdf, 2004.

[6] C. Gamage, J. Leiwo, and Y. Zheng, Encrypted message authentication by firewalls, Proceedings of the Second International Workshop on Practice and Theory in Public Key Cryptography (PKC’99), Springer-Verlag, 1999, pp. 69–81.

[7] C. Gentry and A. Silverberg, Hierarchical ID-Based Cryptography, Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security, vol. 2501, Springer-Verlag, 2002, pp. 548–566.

[8] B. Libert and J.-J. Quisquater, New Identity Based Signcryption Schemes from Pairings, Proceedings of the IEEE Information Theory Workshop, Full version available at http://eprint.iacr.org, 2003, pp. 155–158.

[9] B. Libert and J.-J. Quisquater, The Exact Security of an Identity Based Signature and its Applications, Cryptology ePrint Archive, Report 2004/102, 2004.

[10] J. Malone-Lee, Identity Based Signcryption, Cryptology ePrint Archive, Report 2002/098, 2002.

[11] N. McCullagh and P.S.L.M. Barreto, Efficient and forward-secure identity-based signcryption, 2004, http://eprint.iacr.org/.

[12] D. Nali, C. Adams, and A. Miri, Hierarchical Identity-Based Encryption with Constant Ciphertext and Key Length, (Submitted), 2005.

[13] D. Nalla and K.C. Reddy, Signcryption scheme for Identity-Based Cryptosystems, Cryptology ePrint Archive, Report 2003/066, 2003.

[14] A. Shamir, Identity-Based Cryptosystems and Signature Schemes, Proceedings of CRYPTO 84 on Advances in Cryptology, Springer-Verlag New York, Inc., 1984, pp. 47–53.

[15] Y. Zheng, Digital Signcryption or How to Achieve Cost(Signature & Encryption) ≪ Cost(Signature) + Cost(Encryption), Proceedings of CRYPTO 97 on Advances in Cryptology, Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, 1997, pp. 165–179.


A Watermark Detection Scheme Ensuring the False Positive Error Probability

Takaaki Fujita, Kunihiro Okamoto, Maki Yoshida, and Toru Fujiwara

Graduate School of Information Science and Technology, Osaka University, 1-5 Yamadaoka, Suita, Osaka, 565-0871, Japan.

{t-fujita@ist,[email protected],maki-yos@ist,fujiwara@ist}.osaka-u.ac.jp

Abstract. For a practical class of watermark embedding schemes, a detection scheme is presented where a false positive error probability can be close to a given one.

Keywords. watermark detection, the false positive error probability, Patchwork

1 Introduction

A digital watermarking scheme is used to enforce copyright laws. In general, digital contents can be altered by various signal processing operations such as compression. Then, detection errors may occur for altered contents, and the applied operations can be considered as attacks. When detecting a watermark, there are two kinds of detection errors: a false positive error (FPE) is to detect the watermark when actually it is not embedded; a false negative error (FNE) is not to detect the watermark when it is actually embedded. The detection errors undermine the credibility of the watermarking system. Both of the detection error probabilities need to be decreased. However, because of the trade-off between the FPE probability and the FNE probability, the FPE probability needs to be controlled strictly so that it is sufficiently close to a given one, since the FPE is more serious than the FNE [PB+98].

In this paper, we propose a watermark detection scheme which can be used for a practical class of watermark embedding schemes, called the statistical embedding scheme.

The statistical embedding scheme embeds a watermark $w$ into a digital content $s$ by modifying $s$ based on $w$ such that some statistical value of the modified content $x_{s,w}$ in which $w$ is embedded satisfies the following condition: for a watermark $w' \neq w$, $v(s, w) < v(x_{s,w}, w)$ and $v(x_{s,w'}, w) < v(x_{s,w}, w)$, where $v(X, W)$ denotes the statistical value computed for a content $X$ and a watermark $W$. The Patchwork for a still image [BG+96] is a typical example of the statistical embedding scheme. Its statistical value is the mean of the sum of the differences computed by subtracting one brightness from the other at two points chosen at random in a given still image.

2 Proposed Watermark Detection Scheme

A watermark detection scheme is to decide whether a given watermark $w$ is embedded in a given content $x$ or not. We derive a property satisfied commonly by practical statistical embedding schemes, and consider the watermark detection as a hypothesis test of the hypothesis $H_0$ that the property is satisfied for $w$ and $x$. We decide that $w$ is embedded in $x$ if and only if $H_0$ is rejected. If $H_0$ is rejected when it is true, the FPE happens. By setting the significance level to a given FPE probability, the FPE probability is ensured to be the given one.

Various statistical embedding schemes based on the Patchwork have been proposed, e.g., in [CT04], and are considered to be practical. Therefore, we target the Patchwork-based schemes and derive the following property: if $w$ is not embedded in $x$, then there is a pair of distinct watermarks, denoted by $(w_1, w_2)$, such that for the host content $s$

$$\frac{v(s, w_1) - v(s, w)}{v(s, w_2) - v(s, w)} = \frac{v(x, w_1) - v(x, w)}{v(x, w_2) - v(x, w)}, \quad \text{where } w_1 \neq w,\ w_2 \neq w,\ w_1 \neq w_2. \qquad (1)$$

Table 1: The means of the FPE probabilities with the given FPE probability being 0.01

| Picture name | Baboon | Girl (Lenna) | Peppers |
|---|---|---|---|
| Mean of the FPE probability | $9.94 \times 10^{-3}$ | $8.96 \times 10^{-3}$ | $9.67 \times 10^{-3}$ |

This property is derived from the experimental observation that the shape of the distribution followed by the statistical values for a watermark and a content in which the watermark is not embedded is almost the same even after attacks.

Many works address the problem of controlling the FPE probability [PB+98, CH03], and a detection scheme which takes account of attacks is proposed in [CH03], too. The major advantage of the proposed detection scheme is that it can be used for many embedding schemes, while the previous detection scheme in [CH03] targets a specific embedding scheme. For example, the Patchwork is not the target embedding scheme in [CH03].

3 Experimental Result

The actual FPE probability is obtained by simulation and compared with the given one. The proposed scheme is applied to the Patchwork for still images, which has two parameters $\delta$ and $N$. $\delta$ and $N$ denote the strength of the watermark and the number of point pairs in which the watermark is embedded, respectively. $\delta = 3$ and $N = 10{,}000$ are used because these values are considered to be enough for keeping the quality of the original image and satisfy the condition on the statistical value described in Section 2 with high probability [BG+96]. We embedded watermarks into three standard images named Baboon, Girl (Lenna) and Peppers (which are available from http://sipi.usc.edu/database/), and applied JPEG compression (Quality: 70%) as an attack. We detected watermarks from them with the given FPE probability being 0.01.

The obtained results are reported in Table 1. It is tested statistically whether the mean of the actual FPE probability is close to the given one. The t-test is used at a significance level of 0.01 with the null hypothesis that the mean of the actual FPE probability is equal to the given FPE probability, and the null hypothesis is not rejected. This result can be considered as experimental evidence that the actual FPE probability is sufficiently close to the given one. We also applied additive noise as an attack and obtained similar results. The results are omitted here.

4 Conclusion

In this paper, we propose a detection scheme to control the FPE probability strictly for statistical embedding schemes such as the Patchwork. It is confirmed experimentally that the FPE probability is close to the given one.
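The following is an added example, not the authors' code: it implements the Patchwork embedding and statistic $v(x, w)$ described above and a detector whose rejection threshold is set from the target FPE probability via the Gaussian approximation of $v$ under $H_0$ (the authors' own test, based on property (1) with two reference watermarks, is not reproduced). It then estimates the actual FPE the way the experiment in Section 3 does, by testing watermarks that were never embedded; the host image, the watermark-as-PRNG-seed pair selection and all parameter values are constructed assumptions.

```python
import math
import random
import statistics

def tail_probability(z):
    """Pr[Z > z] for a standard normal Z, written with erfc so it needs only the stdlib."""
    return 0.5 * math.erfc(z / math.sqrt(2))

def upper_tail_z(p):
    """Quantile z with Pr[Z > z] = p, found by bisection (no inverse erfc in the stdlib)."""
    lo, hi = 0.0, 10.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if tail_probability(mid) > p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def patchwork_pairs(w, width, height, n):
    """The watermark w seeds a PRNG that selects the N point pairs (a_i, b_i) of the Patchwork."""
    rng = random.Random(w)
    return [((rng.randrange(width), rng.randrange(height)),
             (rng.randrange(width), rng.randrange(height))) for _ in range(n)]

def embed(image, w, delta, n):
    """Patchwork embedding: brightness at a_i goes up by delta, at b_i down by delta."""
    out = [row[:] for row in image]
    height, width = len(image), len(image[0])
    for (ax, ay), (bx, by) in patchwork_pairs(w, width, height, n):
        out[ay][ax] = min(255, out[ay][ax] + delta)
        out[by][bx] = max(0, out[by][bx] - delta)
    return out

def pair_differences(image, w, n):
    """Per-pair brightness differences; their mean is the statistic v(image, w)."""
    height, width = len(image), len(image[0])
    return [image[ay][ax] - image[by][bx]
            for (ax, ay), (bx, by) in patchwork_pairs(w, width, height, n)]

def detect(image, w, n, fpe):
    """One-sided test of H0 'w is not embedded' (mean difference 0) at significance level fpe.
    Returns (decision, v, threshold); the threshold is z_{1-fpe} times the estimated std of v,
    so the probability of rejecting a true H0 is the given FPE probability."""
    d = pair_differences(image, w, n)
    v = statistics.fmean(d)
    sigma_v = math.sqrt(statistics.pvariance(d) / n)
    threshold = upper_tail_z(fpe) * sigma_v
    return v > threshold, v, threshold

def make_host(width, height, seed):
    """Constructed host image: random 8-bit pixels with headroom (stands in for Baboon etc.)."""
    rng = random.Random(seed)
    return [[rng.randrange(96, 160) for _ in range(width)] for _ in range(height)]

def experiment(fpe=0.05, delta=3, n=10000, trials=80, seed=2005):
    """Embed one watermark, check it is detected, then estimate the actual FPE by testing
    `trials` watermarks that were never embedded. Returns (detected, empirical_fpe)."""
    x = embed(make_host(256, 256, seed), 12345, delta, n)
    detected, _, _ = detect(x, 12345, n, fpe)
    false_hits = sum(detect(x, other, n, fpe)[0] for other in range(10**6, 10**6 + trials))
    return detected, false_hits / trials

if __name__ == "__main__":
    print(experiment())
```

The empirical FPE returned by `experiment()` fluctuates around the requested 0.05; the authors' t-test in Section 3 is the statistical way to decide whether such a mean is close enough to the target.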

References

[BG+96] W. Bender, D. Gruhl, N. Morimoto, and A. Lu. Techniques for data hiding. IBM Systems Journal, Vol. 35, Nos. 3&4, pp. 313–336, 1996.

[CH03] Q. Cheng and T.S. Huang. Robust Optimum Detection of Transform Domain Multiplicative Watermarks. IEEE Trans. Signal Processing, Vol. 51, No. 4, pp. 906–924, 2003.

[CT04] N. Cvejic and I. Tujkovic. Increasing Robustness of Patchwork Audio Watermarking Algorithm Using Attack Characterization. 2004 IEEE Int’l Symp. on Consumer Electronics, pp. 3–6, 2004.

[PB+98] A. Piva, M. Barni, F. Bartolini, and V. Cappellini. Threshold Selection for Correlation-Based Watermark Detection. COST254 Workshop, pp. 231–234, 1998.


Combination of cryptographic and watermark schemes for copyright protection of digital images

Santa Agreste∗, Guido Andaloro†, Daniela Prestipino† and Luigia Puccio†

∗Department of Information Science, University of [email protected]

†Department of Mathematics, University of Messina (guandalo,dpresti,gina)@dipmat.unime.it

Abstract. In this paper we analyze an approach that combines asymmetric cryptography, hash functions and wavelet-based watermark schemes for copyright protection of digital still images in JPEG format. Public key infrastructure schemes and hash functions are applied to build a one-way watermark, to prove the identity of the owner of the image and the uniqueness of the watermark. Image signal processing directives are involved to compute a watermark signal in an adaptive way, depending on image features. The algorithm described builds an invisible, private and strong watermark with a typical formulation of embedding and detection. The original image is required for the watermark detection.

Keywords. Copyright Protection, Watermark Techniques, Asymmetric Cryptography, Hash Function, Wavelet and Image processing

1 Introduction

Digital watermark techniques are emerging as a valid solution for copyright protection, intellectual and/or material rights protection of holders and buyers, for authenticity of multimedia content, solving legal disputes and proving rightful ownership. An algorithm for an invisible digital watermarking must be strong against attacks such as image transformation techniques, with a low rate of false alarm and a unique association to the copyright holder’s identity. To match these requirements, the algorithm described in this paper merges cryptographic and signal processing techniques: a message authentication code (MAC) based on the SHA-256 hash function is used to design, on the original image $I$, a selection scheme extracting a subimage $I_s$ to be watermarked. The watermark signal is calculated and detected on Discrete Wavelet Transform coefficients [MU01] of $I_s$ in correlation with the image features and statistical properties [RC05], [DGW04]. These combined elements are important to build a watermark that is invisible, robust, and dependent on both the image and the copyright holder [CC01], [HCH99].

2 Watermark Embedding

The watermark embedding scheme is the following:

1. The Value plane of the Hue Saturation Value (HSV) model is computed on the original image $I$;

2. A message authentication code based on the SHA-256 hash function is calculated on a trusted digital signature of the holder and on the original image $I$ to be watermarked;

3. The order of the subimage matrix $I_s$ is calculated as the power of two nearest to the longest dimension of the image;

4. A selection scheme for the coefficients of the subimage $I_s$ is designed depending on the MAC value and is applied to $I$; the output subimage is transformed into the Discrete Wavelet Transform (DWT) domain;

5. The watermark signal is embedded into the DWT coefficients of the high-frequency DWT components, by comparison with the probability value of false alarm;

6. The Inverse Discrete Wavelet Transform (IDWT) decomposition and the HSV composition of the image are calculated.


3 Watermark Detection

The watermark detection scheme is the following:

1. The original and watermarked image sizes are checked: if they are not equal, a synchronization is made by computing a central block of the original image and recognizing some blocks of the watermarked image;

2. On the watermarked image $\tilde{I}$ and the original image $I$ the same steps 1, 2, 3, 4 of the embedding scheme are computed;

3. The watermark is detected by computing the correlation between the watermarked coefficients and the watermark signal, in comparison to the threshold $T_\rho$:

$$\rho = \frac{1}{3N} \sum_{\theta} \sum_{i=1}^{rc} \sum_{j=1}^{rc} \left( I^{\theta}_k(i, j) - \tilde{I}^{\theta}_k(i, j) \right) \qquad (2)$$

$$P_f \le \tfrac{1}{2}\, \mathrm{erfc}\!\left( \frac{T_\rho}{\sqrt{2\sigma^2}} \right) \qquad (3)$$

$$\sigma^2 = \frac{1}{(3N)^2} \sum_{\theta} \sum_{i=1}^{rc} \sum_{j=1}^{rc} \left( I^{\theta}_k(i, j)^2 - \tilde{I}^{\theta}_k(i, j)^2 \right) \qquad (4)$$

If $\rho > T_\rho$ the watermark signal is detected; otherwise, the watermark signal is not detected.
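As an added example (not the authors' implementation), the pipeline above on a grayscale plane: an HMAC-SHA256 over the image keyed with the holder's signature seeds the coefficient selection and the ±1 watermark signal, the mark is added to one-level Haar DWT detail coefficients and inverted back to pixels, and detection correlates the coefficient differences (original required) with the signal and declares a watermark only when the Gaussian false-alarm bound of (3) is at or below a target $P_f$. The Haar transform, the PRNG-based selection, the additive mark, the variance estimate $\sigma^2 = \frac{1}{K^2}\sum_k D_k^2$ and the test image are my assumptions, not the paper's exact (2)–(4).

```python
import hashlib
import hmac
import math
import random

def nearest_power_of_two(n):
    """Step 3 of the embedding: the order of the subimage I_s is the power of two closest to n."""
    lo = 1 << (n.bit_length() - 1)
    hi = lo << 1
    return lo if n - lo <= hi - n else hi

def subimage(image, m):
    """Top-left m x m crop as I_s (assumption: the image is at least m x m)."""
    assert len(image) >= m and len(image[0]) >= m, "image smaller than the subimage order"
    return [row[:m] for row in image[:m]]

def haar2d(block):
    """One-level 2-D Haar DWT of an m x m block (m even): returns (LL, LH, HL, HH)."""
    half = len(block) // 2
    LL, LH, HL, HH = ([[0.0] * half for _ in range(half)] for _ in range(4))
    for i in range(half):
        for j in range(half):
            a, b = block[2 * i][2 * j], block[2 * i][2 * j + 1]
            c, d = block[2 * i + 1][2 * j], block[2 * i + 1][2 * j + 1]
            LL[i][j] = (a + b + c + d) / 4
            LH[i][j] = (a - b + c - d) / 4
            HL[i][j] = (a + b - c - d) / 4
            HH[i][j] = (a - b - c + d) / 4
    return LL, LH, HL, HH

def ihaar2d(LL, LH, HL, HH):
    """Exact inverse of haar2d (IDWT, step 6)."""
    half = len(LL)
    out = [[0.0] * (2 * half) for _ in range(2 * half)]
    for i in range(half):
        for j in range(half):
            ll, lh, hl, hh = LL[i][j], LH[i][j], HL[i][j], HH[i][j]
            out[2 * i][2 * j] = ll + lh + hl + hh
            out[2 * i][2 * j + 1] = ll - lh + hl - hh
            out[2 * i + 1][2 * j] = ll + lh - hl - hh
            out[2 * i + 1][2 * j + 1] = ll - lh - hl + hh
    return out

def image_mac(holder_signature, image):
    """Step 2: HMAC-SHA256 over the pixel bytes, keyed with the holder's signature (bytes, assumed)."""
    pixels = bytes(p for row in image for p in row)
    return hmac.new(holder_signature, pixels, hashlib.sha256).digest()

def selection_and_signal(mac, half, count):
    """Step 4: the MAC seeds the choice of `count` detail coefficients (subband, i, j) and the
    +/-1 watermark signal, so both depend on the image and on the holder."""
    rng = random.Random(mac)
    positions = [(s, i, j) for s in range(3) for i in range(half) for j in range(half)]
    return rng.sample(positions, count), [rng.choice((-1, 1)) for _ in range(count)]

def embed(image, holder_signature, alpha, count):
    """Steps 3-6 on a grayscale image (the HSV value plane is assumed already extracted)."""
    m = nearest_power_of_two(max(len(image), len(image[0])))
    chosen, signal = selection_and_signal(image_mac(holder_signature, image), m // 2, count)
    LL, *bands = haar2d(subimage(image, m))
    for (s, i, j), w in zip(chosen, signal):
        bands[s][i][j] += alpha * w          # additive mark on high-frequency coefficients
    pixels = ihaar2d(LL, *bands)
    out = [row[:] for row in image]
    for i in range(m):
        for j in range(m):
            out[i][j] = max(0, min(255, round(pixels[i][j])))
    return out

def detect(original, candidate, holder_signature, count, target_pf):
    """Correlation detector: rho correlates the coefficient differences with the signal,
    sigma^2 estimates its variance when no watermark is present, and the bound
    0.5*erfc(rho / sqrt(2 sigma^2)) from (3) must be <= target_pf to declare detection."""
    m = nearest_power_of_two(max(len(original), len(original[0])))
    chosen, signal = selection_and_signal(image_mac(holder_signature, original), m // 2, count)
    orig_bands = haar2d(subimage(original, m))[1:]
    cand_bands = haar2d(subimage(candidate, m))[1:]
    diffs = [cand_bands[s][i][j] - orig_bands[s][i][j] for s, i, j in chosen]
    rho = sum(w * d for w, d in zip(signal, diffs)) / count
    sigma2 = sum(d * d for d in diffs) / count ** 2
    if sigma2 == 0.0:                        # identical images: nothing to correlate
        return False, rho, 0.5
    pf_bound = 0.5 * math.erfc(rho / math.sqrt(2 * sigma2))
    return pf_bound <= target_pf, rho, pf_bound

def make_host(m, seed):
    """Constructed grayscale image with headroom so the mark never clips at 0 or 255."""
    rng = random.Random(seed)
    return [[rng.randrange(32, 224) for _ in range(m)] for _ in range(m)]

def add_noise(image, seed, amplitude=3):
    """Unrelated distortion (no watermark) used to exercise the false-alarm side."""
    rng = random.Random(seed)
    return [[max(0, min(255, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in image]
```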

4 Conclusion

Experimentation was carried out on a real multimedia gallery of images, in JPEG format with low and high levels of resolution. The embedded watermark has a high level of robustness against geometric and image processing attacks and a low rate of false alarm. The selection scheme of host image coefficients based on a MAC value that depends on the copyright holder, the use of the DWT on the HSV color model, and the image statistical features are the key steps of this approach.

Acknowledgements

Experimentation was supported by two applied research projects: ”Ecumene” (which is part of project ”Parnaso” of MIUR, the Italian Ministry of Education, University and Research) and ”Beni Ecclesiastici in Web” (a project of CEI, the Italian Episcopal Conference), according to CEI, owner of the images, and in relationship with the publisher of the images, I.D.S. Informatica, an ICT company located in Messina (Italy).

References

[RC05] A new wavelet based logo-watermarking scheme; Reddy Adhipathi A., Chatterji B.N.; ELSEVIER, Pattern Recognition Letters 26 (2005), pp. 1019–1027.

[DGW04] A chaos-based robust wavelet domain watermarking algorithm; Dawei Z., Guanrong C., Wenbo L.; ELSEVIER, Chaos, Solitons and Fractals 22 (2004), pp. 47–54.

[MU01] A survey of wavelet-domain watermarking algorithms; Meerwald P., Uhl A.; In Proc. of SPIE, Electronic Imaging, Security and Watermarking of Multimedia Contents III, CA, USA, 4314 (January 2001), pp. 505–516.

[CC01] A Secure and Robust Digital Watermarking Technique by the block cipher RC6 and Secure Hash Algorithm; Chen, Y., Chang L.; IEEE, Image Processing, 2001. Proceedings. 2001 International Conference on, Volume 2, 7-10 Oct. 2001, pp. 518–521 vol. 2.

[HCH99] A watermarking technique based on one-way hash functions; Hwang M., Chang C., Hwang K.; IEEE Transactions on Consumer Electronics, Volume 45, Issue 2, May 1999, pp. 286–294.

[K98] Watermarking Resisting to Translation, Rotation and Scaling; Kutter M.; Proc. of SPIE: Multimedia Systems and Applications, Nov. 1998, vol. 3528, pp. 423–431.

A new Certificate-Based Encryption Chosen Ciphertext Secure

Paz Morillo, Carla Rafols

Universitat Politecnica de Catalunya, Departament de Matematica Aplicada IV

http://www-ma4.upc.edu/mak/ {paz,crafols}@ma4.upc.es

Abstract. The aim of this work was to construct a new certificate-based encryption scheme achieving the highest level of security in the standard model. Our construction is based on the identity-based encryption scheme of Waters [W05] and some ideas proposed by Canetti et al. in [CHK04] to obtain chosen-ciphertext security.

Keywords. identity-based encryption, one-time signature, certificate based encryption, chosen-ciphertextsecurity, standard model

1 Main results

The notion of certificate-based encryption was proposed to avoid the problems related to third party certificate status queries. In order to construct a certificate-based encryption scheme satisfying the highest level of security we use the definitions and the ideas of Gentry [G03], an IBE secure in the standard model very recently proposed [W05] and a new technique, due to Canetti et al. [CHK04], for improving its security. Recently some papers have been devoted to constructing IND-CCA secure systems (for example [DK05]). Canetti et al. proposed in [CHK04] a new technique to do this from an ID-based scheme with weaker security. The idea is to encrypt the message under identity $vk$, where $vk$ is the verification key of a one-time signature scheme, and then sign the resulting ciphertext under this identity.

2 The scheme

NewCBE consists of five algorithms: $\mathrm{Gen}_{IBE}$, $\mathrm{Gen}_{PKE}$, $\mathrm{Upd}_1$, $\mathrm{Enc}$ and $\mathrm{Dec}$. (The definition of Gentry includes a sixth algorithm $\mathrm{Upd}_2$ which is trivial in our case.) In the following, we suppose that all periods and all verification keys are represented with an $n$-bit string. If $\lambda = \lambda_1 \ldots \lambda_n$ is such a string, then we denote by $\upsilon_\lambda$ the set of indices $i$ for which $\lambda_i = 1$.

$\mathrm{Gen}_{IBE}$: Let $G$ be a group of prime order $p$ with an efficiently computable bilinear map into $G_1$, $e : G \times G \longrightarrow G_1$. Choose $g \leftarrow G$, $g$ a generator, and $\alpha \leftarrow \mathbb{Z}_p$. Set $g_1 = g^{\alpha} \in G$. Choose $u', u_1, \ldots, u_n \leftarrow G$. Set $U = (u', u_1, \ldots, u_n)$. The space of messages is $G_1$ and the system parameters are $\mathrm{params} = (p, n, G, G_1, e, g, g_1)$. The certifier’s master secret key is $csk = \alpha$.


$\mathrm{Gen}_{PKE}$: The user chooses $\beta \leftarrow \mathbb{Z}_p$, $h_2 \leftarrow G$ and sets $h_1 = g^{\beta} \in G$ and $g_2 = \left(u' \prod_{j \in \upsilon_{userinfo}} u_j\right) \in G$. The user’s secret key is $usk = \beta$ and his public key is $upk = (g_2, h_1, h_2)$. The user precomputes $W = (w', w_1, \ldots, w_n) = (u'^{\beta}, u_1^{\beta}, \ldots, u_n^{\beta})$.

$\mathrm{Upd}_1$: At the beginning of period $i$ the user obtains his certification from the CA as follows: a) first he authenticates himself to the CA; b) then the CA sends $Cert_i = (Cert_{i1}, Cert_{i2}) = \left(g_2^{\alpha} \left(u' \prod_{j \in \upsilon_{period_i}} u_j\right)^{r_i},\ g^{r_i}\right)$, where $r_i \leftarrow \mathbb{Z}_p$.

$\mathrm{Enc}$: Input: the period $i$ and $M \in G_1$, the message to be encrypted. Generate a one-time signature pair $(sk, vk)$. Choose $t \leftarrow \mathbb{Z}_p$. Set

$$C = \left(M\, e(g_1, g_2)^t\, e(h_1, h_2)^t,\ g^t,\ \left(u' \prod_{j \in \upsilon_{vk}} u_j\right)^t,\ \left(u' \prod_{j \in \upsilon_{period_i}} u_j\right)^t\right).$$

Set $\sigma = \mathrm{Sign}_{sk}(C)$. Send $\langle C, vk, \sigma \rangle$.

$\mathrm{Dec}$: Input: $\langle C, vk, \sigma \rangle = \langle (C_1, C_2, C_3, C_4), vk, \sigma \rangle$. 1) Check if $\mathrm{Verify}_{vk}(C, \sigma) = 1$. 2) If successful, check if $e(h_1, C_3) = e\left(C_2,\ w' \prod_{l \in \upsilon_{vk}} w_l\right)$. If either 1 or 2 fails, output $\perp$; else decrypt in the following way:

$$\frac{C_1\, e(Cert_{i2}, C_4)}{e(Cert_{i1}, C_2)\, e(C_2, h_2^{\beta})} = \frac{M\, e(g_1, g_2)^t\, e(h_1, h_2)^t\, e\!\left(g^{r_i}, \left(u' \prod_{j \in \upsilon_{period_i}} u_j\right)^t\right)}{e\!\left(g_2^{\alpha} \left(u' \prod_{j \in \upsilon_{period_i}} u_j\right)^{r_i},\ g^t\right) e(g^t, h_2^{\beta})} = \ldots = M$$

3 Conclusions

A certificate-based encryption scheme has to “resist” both an attack from the certifier (who is allowed to make decryption queries) and an attack from an uncertified client (who is allowed to make both certification and decryption queries). Our scheme achieves the highest level of security only under an attack of the certifier, whereas in the uncertified client attack we achieve only the same security level as the underlying IBE scheme. This provides a very good example of how the idea of Canetti comes into play in a multiple encryption setting and it also makes clear the idea behind [DK05]. In this last paper, a method is proposed for achieving CCA security in multiple encryption when all of the encryption schemes are CCA secure. In the proofs of our scheme the need for such strong requirements becomes evident, as well as why and when the idea of Canetti et al. is useful to improve the security level.

References

[CHK04] R. Canetti, S. Halevi and J. Katz. Chosen Ciphertext Security from Identity-Based Encryption, Adv. in Cryptology - Eurocrypt 2004, LNCS vol. 3027, Springer-Verlag, pp. 207–222, 2004.

[DK05] Y. Dodis, J. Katz. Chosen Ciphertext Security of Multiple Encryption, Theory of Cryptography Conference, LNCS vol. 3378, Springer-Verlag, pp. 188–209, 2005.

[G03] C. Gentry. Certificate-Based Encryption and the Certificate-Revocation Problem, Adv. in Cryptology - Eurocrypt 2003, LNCS vol. 2656, Springer-Verlag, pp. 272–291, 2003.

[W05] B. Waters. Efficient Identity-Based Encryption Without Random Oracles, Adv. in Cryptology - Eurocrypt 2005, LNCS vol. 3494, Springer-Verlag, pp. 114–127, 2005.


On Group Key Agreement with Cheater Identification

Jens-Matthias Bohli, Jorn Muller-Quade, and Stefan Rohrich

IAKS / E.I.S.S., Universitat Karlsruhe, Germany {bohli,muellerq,sr}@ira.uka.de

Abstract. Group key establishment protocols are needed to provide more than two principals with a common session key for subsequent cryptographic protocols. We consider the problem of cheater identification that gives robustness guarantees to the protocol, since the cheater who caused the failure can be excluded and the protocol started anew in the smaller group. When all cheaters are excluded the protocol will finally succeed. We introduce a functionality describing the task of group key establishment with cheater identification in the UC framework. We adapt the protocol of [BN03] such that cheaters can be identified if a reliable broadcast is given, where all messages are received within a known time period. Thereby we achieve the goals of [YRI04] with fewer assumptions and a conceptually simpler protocol.

Keywords. Group Key Establishment, Cheater Identification

1 Security Model

Security Model. In order to model the security of our key establishment we use the simulation-based UC framework of Canetti [Can05]. Our ideal functionality of key establishment for security parameter $k$ is given in Figure 1. Additionally we require the key agreement property that the cheaters cannot predetermine the key. If this property were reflected in the ideal functionality it would become unrealizable in the UC framework. To model the reliable network we impose restrictions on the adversary; moreover we consider only static corruption.

Communication Network. We assume the existence of a reliable authenticated broadcast. The authentication can be realized by signatures and unique session identifiers such that no messages of a participant’s old sessions can be replayed to raise suspicion against him. We construct $sid = U_1 \| pid \| r$ where $U_1$ is the initiator, $pid$ the intended group and $r \in \{0,1\}^k$. The participants take care that they do not sign two messages with corresponding session identifiers.

In order to model a reliable communication network we require the adversary in the real model to send a distinguished timeout message if he refuses to send a message for a corrupted participant. In particular, if the message was supposed to be broadcast, so will the corresponding timeout message be (note that this models a high degree of synchronization in the network). The simulator is required to activate the ideal functionality sufficiently often to guarantee delivery to all participants.

1. Wait for (init, pid) from $P_i \in pid$. Choose $sid$ or, if $P_i$ is corrupted, ask the simulator.

2. Send (init, $P_i$, pid, sid) to the simulator $\mathcal{S}$.

3. If the simulator answers (abort, $P_j$) with a corrupted $P_j \in pid$, output to all (sid, abort, $\mathcal{P}$). If the simulator answers (set, key′) and all participants in $\mathcal{P} \subset pid$ are corrupted, output (sid, pid, $\mathcal{P}$, key′); otherwise output ($P_i$, sid, pid, key) with a uniformly chosen key $\in \{0,1\}^k$.

Figure 1: Ideal functionality $\mathcal{F}_{KECI}$


Round 1:

Computation: $U_1$ chooses $N_1 \in \{0,1\}^k$ and $sid = U_1 \| pid \| r$ with $r \in \{0,1\}^k$. $U_1$ computes $E_{e_j}$ using random $k_j$ for all $j$ and sets $M_1^1 = (pid, sid, E_{e_2}(N_1), \ldots, E_{e_n}(N_1))$.

Broadcast: $U_1$ broadcasts $M_1^1$.

Round 2:

Computation: $U_i$ ($i \neq 1$) decrypts $N_1$, chooses $N_i \in \{0,1\}^k$ and sets $M_i^1 = (sid, U_i, N_i)$.

Broadcast: Each $U_i$ broadcasts $M_i^1$.

Check: On timeout or inconsistent messages the sender is marked as cheater.

Round 3:

Computation: Each $U_i$ sets $M_i^2 = (sid, h(N_1 \| N_2 \| \ldots \| N_n \| 1))$.

Broadcast: Each $U_i$ broadcasts $M_i^2$.

Check: On timeout or inconsistent messages the sender is marked as cheater. If key confirmation fails, execute cheater identification.

Key computation: $U_i$ computes the session key $sk_i = h(N_1 \| N_2 \| \ldots \| N_n \| 0)$.

Cheater identification: $U_1$ broadcasts $N_1, k_1, \ldots, k_n$. If the first message was correct, all participants with wrong confirmation messages are marked as cheaters; otherwise $U_1$.

Figure 2: A modification of a group key establishment protocol from PKC 2003 [BN03].

2 Group Key Agreement and Cheater Identification

In [LP99] a key agreement based on secret sharing that can detect cheaters is proposed. Based on this protocol, in [YRI04] a phase is appended and only executed if the key confirmation fails. Under the assumption that a reliable broadcast is available, this phase allows the participants to identify the cheater. Besides not being proven secure in an established model, these protocols make use of a trusted registry R, which in the protocol of Yoo, Ryu and Im plays an important role for the cheater identification and is even in the position to compute the session key—weakening the secrecy of the session key and the advantages that are given by the agreement property.

An adaptation of the protocol [BN03] can achieve cheater identification under similar assumptions—without a trusted registry. The original protocol is proven secure in an indistinguishability-based model. A description of our protocol is given in Figure 2. We show that our protocol is a key establishment with cheater identification realizing $\mathcal{F}_{KECI}$ in the UC framework and additionally has the key agreement property.
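The three rounds and the cheater identification of Figure 2, simulated end to end as an added example (not the authors' code). The reliable broadcast is a dict per round, a missing message is a timeout, $h$ is SHA-256, and $E_{e_j}(N_1; k_j)$ is a hashed-ElGamal-style encryption over a toy 61-bit prime group, chosen only because opening $k_j$ lets every participant recompute the round-1 ciphertext; keys are derived deterministically per party and nothing here is secure for real use. Each scenario returns the cheater set the Check and Cheater identification steps would produce.

```python
import hashlib
import secrets

K = 32                    # security parameter k as a byte length (k = 256 bits)
P = (1 << 61) - 1         # toy modulus (a Mersenne prime): structure only, no security
G = 3

def h(*parts):
    """h: SHA-256 over the concatenation of its arguments (the '||' of Figure 2)."""
    return hashlib.sha256(b"".join(parts)).digest()

def keygen(u):
    """Constructed per-party key pair (d_u, e_u = g^d_u); deterministic so runs are repeatable."""
    d = int.from_bytes(h(b"sk", bytes([u])), "big") % (P - 2) + 1
    return d, pow(G, d, P)

def pke_encrypt(e_j, nonce, k_j):
    """E_{e_j}(nonce; k_j) = (g^k_j, nonce XOR H(e_j^k_j)); recomputable by anyone who learns k_j."""
    pad = h(b"enc", pow(e_j, k_j, P).to_bytes(8, "big"))
    return pow(G, k_j, P), bytes(a ^ b for a, b in zip(nonce, pad))

def pke_decrypt(d_j, ciphertext):
    c1, c2 = ciphertext
    pad = h(b"enc", pow(c1, d_j, P).to_bytes(8, "big"))
    return bytes(a ^ b for a, b in zip(c2, pad))

def run_protocol(n, cheat=None):
    """Run Figure 2 for U1..Un. `cheat` is None, ('timeout', i), ('bad_ciphertext', j)
    [U1 encrypts a wrong N1 to Uj] or ('bad_confirmation', i).
    Returns (keys, cheaters): keys maps party -> session key, or None on abort."""
    pid = tuple(range(1, n + 1))
    sk, pk = {}, {}
    for u in pid:
        sk[u], pk[u] = keygen(u)
    sid = b"U1|" + bytes(pid) + b"|" + secrets.token_bytes(K)   # sid = U1 || pid || r
    # Round 1: U1 chooses N1 and fresh randomness k_j, broadcasts M_1^1.
    nonces = {1: secrets.token_bytes(K)}
    k = {j: secrets.randbelow(P - 2) + 1 for j in pid[1:]}
    n1_for = dict.fromkeys(pid[1:], nonces[1])
    if cheat and cheat[0] == "bad_ciphertext":
        n1_for[cheat[1]] = secrets.token_bytes(K)           # U1 lies to one participant
    m1 = (pid, sid, {j: pke_encrypt(pk[j], n1_for[j], k[j]) for j in pid[1:]})
    # Round 2: each Ui decrypts its own copy of N1, chooses Ni and broadcasts (sid, Ui, Ni).
    view_n1 = {1: nonces[1]}
    for i in pid[1:]:
        view_n1[i] = pke_decrypt(sk[i], m1[2][i])
        nonces[i] = secrets.token_bytes(K)
    round2 = {i: None if cheat == ("timeout", i) else (sid, i, nonces[i]) for i in pid[1:]}
    timed_out = {i for i, msg in round2.items() if msg is None}
    if timed_out:                                            # Check: a timeout marks the sender
        return None, timed_out
    # Round 3: key confirmation h(N1||...||Nn||1), each party from its own view of N1.
    others = [nonces[j] for j in pid[1:]]
    def confirmation(n1):
        return h(n1, *others, b"\x01")
    round3 = {i: confirmation(view_n1[i]) for i in pid}
    if cheat and cheat[0] == "bad_confirmation":
        round3[cheat[1]] = secrets.token_bytes(K)
    if len(set(round3.values())) == 1:                       # confirmation succeeded
        return {i: h(view_n1[i], *others, b"\x00") for i in pid}, set()
    # Cheater identification: U1 opens N1 and k_2..k_n; everyone recomputes round 1.
    opened_n1 = nonces[1]
    if all(pke_encrypt(pk[j], opened_n1, k[j]) == m1[2][j] for j in pid[1:]):
        return None, {i for i in pid if round3[i] != confirmation(opened_n1)}
    return None, {1}
```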

References

[BN03] C. Boyd and J. M. Gonzalez Nieto. Round-optimal Contributory Conference Key Agreement. Proceedings of PKC 2003, LNCS 2567, pages 161–174. Springer, 2003.

[Can05] R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. FOCS 2001, Revised full version: http://eprint.iacr.org/2000/067, 2005.

[LP99] C.-H. Li and J. Pieprzyk. Conference Key Agreement from Secret Sharing. Information Security and Privacy, LNCS 1587, pages 64–76. Springer, 1999.

[YRI04] K.-Y. Yoo, E.-K. Ryu, and J.-Y. Im. Multiparty key agreement protocol with cheater identification based on Shamir secret sharing. Computational Science and Its Applications - ICCSA 2004, LNCS 3046, pages 655–664. Springer, 2004.


Computation of the “AND” with Cards

Audrey Montreuil, Jacques Patarin

Université de Versailles, 45 avenue des Etats-Unis

78035 Versailles Cedex - France

Abstract. In [1], a very simple and amazing way to compute the "AND" of two bits with five cards was described, in which no other information about these bits is given. However, some practical attacks can be made against this scheme, for example if one of the two players hides a camera in the room or if a secret mark is written on some cards. We will study how to modify the scheme with cards in order to avoid these and other practical attacks.

1 Introduction

Den Boer gives a protocol in [1] by which two parties, Alice and Bob, may compute the AND function of their secret bits X and Y without revealing any other information about X and Y. What we want is that a party whose bit is 0 can do no better than guess the other party's bit. X and Y can be answers to some questions, as in The Marriage Proposal's Problem [2] where Alice and Bob want to know if they will get married. Then if the answer is "yes", the secret bit will be 1 and 0 otherwise. We assume that the two parties do not answer "yes" just to obtain the other's answer.

2 The Five Card Trick [1] - Computation of the “AND”

Den Boer's protocol (cf. [1]) is achieved with five cards. We briefly recall this scheme here. The backs of all cards are the same. The face sides of two of the five cards are identical, say red, and the faces of the other three are identical, say black. Each party is given one card of each colour, and the remaining black card is put face down on the table. Bob then puts his cards face down on top of the initial black card. His secret choice of ordering for the two cards encodes his bit Y: red card on top means 1 and the other way round means 0. Alice places her cards at the bottom of the stack. The secret order she chooses encodes her bit X in a way that mirrors Bob: red card on the bottom means 1 and black card on the bottom means 0. Then Bob and Alice each cut the cards in turn. The result is a random cyclic permutation known to neither. After each is satisfied that the other does not know the cyclic permutation remaining in the cards, they display the cards on the table in a radial pattern like the spokes of a wheel. There are only two distinct results apart from cyclic rotations, and they correspond to AND(X, Y): the two red cards are on consecutive spokes exactly when both bits are 1.

3 The camera attack

Let's assume that Bob is a cheater and that he has hidden a camera in the room where they are running the protocol. Even if his answer is "no", Bob can obtain Alice's answer from the video, since he can directly see Alice's cards (that is, Alice's answer) if the camera is well placed, or since he can see where the pack has been cut and locate Alice's cards when they reveal the result. So we propose to improve Den Boer's protocol in order to avoid this attack:

Alice and Bob take a deck of cards with only two kinds of cards: n red cards and n black cards (n ≥ 2). The backs of all cards are the same, all red faces are identical and all black faces are identical, i.e. any two cards of the same colour are indistinguishable. Alice and Bob mix the cards. Bob puts his head under a sheet and lays his hands conspicuously on the table for Alice to see them. Alice draws the cards one by one under the sheet in front of Bob's eyes. Bob says "stop!" twice to select two cards (a red one and a black one to answer "yes", or a black one and a red one to answer "no", as in the previous protocol of section 2). Alice puts these two cards on the table and puts a black card on top. They do the same thing with the roles reversed. Alice says "yes" with black and red cards and "no" with red and black cards. Bob puts Alice's two cards on the three that have been put aside. Alice and Bob mix the five-card deck (cyclic permutation) by cutting one after the other several times under the sheet until they are satisfied with the cut. In that case, the one who does not cut can check that the pack is cut in the right way without knowing exactly where. Then they turn up the cards. The result of the AND is 1 if and only if the two red cards are on consecutive spokes. They avoid the camera attack because all the cards are shown under the sheet and the pack is cut under the sheet too. So, using a camera, no player can find the other's cards and consequently the other's answer.
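Den Boer's five-card trick of section 2 and the camera attack of section 3, as an added example that is not part of the original paper: the pack is modelled as a list (top of the pack at index 0, an orientation assumption only), a cut is a cyclic rotation, the reveal reads whether the two red cards are neighbours on the wheel, and an exhaustive run over all inputs and all cuts confirms both the result and that only one displayed pattern exists per output value. The camera attack is modelled as an observer who learned the cut position: he undoes the rotation and reads Alice's bottom card.

```python
"""Den Boer's five-card AND and the camera attack (added example)."""
import random
from itertools import product

RED, BLACK = "R", "B"

def build_stack(x, y):
    """Pack from top (index 0, an orientation assumption) to bottom: Bob's two cards,
    the spare black card, then Alice's two cards. Bob: red on top encodes Y = 1.
    Alice: red at the bottom encodes X = 1."""
    bob = [RED, BLACK] if y == 1 else [BLACK, RED]
    alice = [BLACK, RED] if x == 1 else [RED, BLACK]
    return bob + [BLACK] + alice

def cut(stack, k):
    """A cut by k positions is a cyclic rotation; successive cuts compose to one cut."""
    return stack[k:] + stack[:k]

def read_and(wheel):
    """Cards laid out like the spokes of a wheel: AND = 1 iff the two reds are
    neighbours, where spoke 4 is a neighbour of spoke 0."""
    n = len(wheel)
    reds = [i for i, card in enumerate(wheel) if card == RED]
    assert len(reds) == 2, "the pack must contain exactly two red cards"
    return 1 if (reds[1] - reds[0]) % n in (1, n - 1) else 0

def canonical(wheel):
    """Rotation-invariant form of what the wheel shows."""
    return min(tuple(cut(wheel, k)) for k in range(len(wheel)))

def run(x, y, seed=None):
    """One honest execution: a secret random cut, then the reveal."""
    k = random.Random(seed).randrange(5)
    return read_and(cut(build_stack(x, y), k))

def exhaustive_check():
    """Every input and every cut: the reveal equals AND(X, Y), and the number of
    distinguishable patterns per output value is returned (one each, so a player
    whose bit is 0 learns nothing beyond AND = 0)."""
    patterns = {}
    for x, y, k in product((0, 1), (0, 1), range(5)):
        wheel = cut(build_stack(x, y), k)
        result = read_and(wheel)
        assert result == (x & y)
        patterns.setdefault(result, set()).add(canonical(wheel))
    return {result: len(forms) for result, forms in patterns.items()}

def camera_attack(wheel, k):
    """Section 3: an observer who saw that the pack was cut by k positions undoes
    the rotation and reads Alice's bottom card, recovering X whatever Y was."""
    original = cut(wheel, (-k) % len(wheel))
    return 1 if original[-1] == RED else 0

if __name__ == "__main__":
    print("patterns per output value:", exhaustive_check())
    wheel = cut(build_stack(1, 0), 3)
    print("reveal:", read_and(wheel), "camera recovers X =", camera_attack(wheel, 3))
```

exhaustive_check() returning one pattern per output value is the privacy argument of the trick: all AND = 0 reveals are rotations of one another, so the 0-party cannot distinguish the other's bit. camera_attack() shows that the argument rests entirely on the cut being unknown, which is what the sheet in the modified protocol protects.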

4 The marked card attack

Another attack is by marking cards. Indeed, a player can use invisible ink and special glasses with which he can see this ink. He can put ink on his thumb and mark cards by touching them (on the face side, in order to recognize them at the end of the protocol). He can do so at the beginning of the protocol when the cards are mixed, or under the sheet, or when he makes the permutation of the five cards. So we can either try to prevent the cheater from marking cards, or we can modify the protocol in such a way that it does not matter if a cheater marks cards:

At the beginning of the protocol, Alice and Bob put the cards in transparent cases. So if a party wants to mark a card now, he or she will mark the case in which the card is put. Both Alice and Bob choose their red and black cards normally. Alice cuts the five-card deck (in their cases) under the sheet (if she is a cheater, she can only mark the cases). They remove the cases (without modifying the order of the five cards). Bob cuts under the sheet in turn (if he is a cheater, he can mark the cards directly, but does not know which cards to mark!).

References

[1] B. den Boer, More Efficient Match-Making and Satisfiability: The Five Card Trick, Eurocrypt '89, pp. 208–217, 1989.

[2] A. Montreuil and J. Patarin, The Marriage Proposal’s Problem, Indocrypt ’04, pp 33–47, 2004.

Efficient electronic gambling: An extended implementation of Schindelhauer's Toolbox for Mental Card Games

Heiko Stamer

University of Kassel, Department of Mathematics/Computer Science, Heinrich-Plett-Straße 40, D-34132 Kassel, Germany

http://www.theory.informatik.uni-kassel.de/ [email protected]

1 Secure electronic card games

Card games offer many interesting problems in different areas of mathematics and computer science, e.g. in combinatorics and artificial intelligence. With the availability of fast communication networks a cryptography-related question has arisen: is it possible to play fair card games over a network without the need for a trusted third party?


The first answer was due to Shamir, Rivest, and Adleman [SRA79]. They showed that a complete solution is impossible in an information-theoretic sense. Fortunately, they also developed a dealing protocol which works under computational assumptions. This protocol was found to be insecure by Lipton and Coppersmith, because it leaks partial information about the dealt cards. Goldwasser and Micali [GM81] then used probabilistic public key encryption to solve this issue. However, an important drawback still remained: to detect a cheating player it was necessary to disclose all hidden cards resp. secret keys at the end of each game.

In card games like poker it is essential to keep the players' strategy confidential. The first solution for this problem was the zero-knowledge protocol suite by Crépeau [Cre87]. It later turned out that an implementation [Edw94] of the original scheme was not practical at all.

A few years later Schindelhauer [Sch98] introduced a more general toolbox which expands the previous work of Crépeau. Roughly speaking, the type of a card is shared among the players through a bitwise representation by quadratic (non-)residues. Thus the security relies on the well-known Quadratic Residuosity Assumption (QRA). The correctness of card and stack operations is assured by interactive zero-knowledge proofs. Unfortunately, the size of a card grows linearly in the number of players and logarithmically in the number of different types. Recently a very efficient solution [BS03] was proposed, whose security can be based on the Decisional Diffie-Hellman Assumption (DDH). The correctness of most operations is shown by honest-verifier zero-knowledge proofs of knowledge. Moreover, the card encoding is independent of the number of players and almost independent of the number of different types.

2 LibTMCG: Open source project for secure card games

We have implemented the core of Schindelhauer's toolbox (TMCG), i.e. all important operations like mask, shuffle, pickup, and public open of cards resp. stacks. The cryptographic primitive Verifiable k-out-of-k Threshold Masking Function (VTMF) by Barnett and Smart has been added recently. Our implementation only provides the discrete logarithm variant of the latter, because the corresponding key generation is easy to realize even in a distributed game environment. The efficiency was further improved by three obvious optimizations:

1. We use the particular generator g = 2 for the cyclic subgroup G = QR_p (quadratic residues) of prime order q (p a safe prime with p ≡ 7 (mod 8), q = (p − 1)/2, and ℓ_q = 1023 bit).

2. The random exponents for the masking operation (ElGamal-style) are shortened to a size of ℓ_r = 160 bit. Koshiba and Kurosawa [KK04] have shown that under the additional Discrete Logarithm with Short Exponent Assumption (DLSE) the DDH assumption is not really weakened.

3. The commitments of the interactive zero-knowledge proof for the verifiable shuffling are shortened to ℓ_c = 160 bit by a cryptographic hash function h (e.g. RIPEMD-160). On the other hand, this hash function is used again to turn the proofs of knowledge into non-interactive zero-knowledge proofs (NIZK) using the well-known Fiat-Shamir heuristic.

Our implementation is available as an open source library [St05] and comprises approximately 6 700 lines of C++ code. The following tables give a first comparison of the computational (Table 1) and communication complexity (Table 2) of both implemented schemes.
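An added example, not libTMCG's code: the discrete-logarithm VTMF operations described above in Python, namely ElGamal-style masking of a card under the players' joint key, re-masking with a Chaum-Pedersen equal-discrete-logarithm proof made non-interactive by the Fiat-Shamir heuristic (the "masking proof" of the tables), and k-out-of-k opening from decryption shares carrying the same kind of proof. Assumptions: the toy group uses the safe prime p = 2879 with p ≡ 7 (mod 8) and g = 2 so that optimization 1 applies literally, instead of the 1024-bit p of libTMCG; a card type t is encoded as the group element g^(t+1); SHA-256 truncated to 160 bits stands in for RIPEMD-160; and exponents are drawn from all of Z_q rather than as 160-bit short exponents, since optimization 2 only has meaning at real parameter sizes.

```python
"""VTMF-style card masking, re-masking and threshold opening (added example)."""
import hashlib
import secrets

# Constructed toy parameters (assumption): p = 2879 is a safe prime, q = 1439,
# p ≡ 7 (mod 8), so g = 2 generates the order-q subgroup QR_p as in libTMCG.
# libTMCG uses a 1024-bit p; these numbers only keep the example readable.
P = 2879
Q = (P - 1) // 2
G = 2
assert P % 8 == 7 and pow(G, Q, P) == 1

def inv(v):
    return pow(v, -1, P)

def challenge(*transcript):
    """Fiat-Shamir challenge of 160 bits from the proof transcript.
    libTMCG uses RIPEMD-160; SHA-256 truncated to 20 bytes is substituted here."""
    data = b"|".join(str(x).encode() for x in transcript)
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big") % Q

def prove_equal_dlog(g1, g2, x):
    """Chaum-Pedersen NIZK: the prover knows x with y1 = g1^x and y2 = g2^x."""
    y1, y2 = pow(g1, x, P), pow(g2, x, P)
    w = secrets.randbelow(Q)
    a, b = pow(g1, w, P), pow(g2, w, P)
    c = challenge(g1, g2, y1, y2, a, b)
    return a, b, (w + c * x) % Q

def verify_equal_dlog(g1, g2, y1, y2, proof):
    a, b, z = proof
    c = challenge(g1, g2, y1, y2, a, b)
    return (pow(g1, z, P) == a * pow(y1, c, P) % P and
            pow(g2, z, P) == b * pow(y2, c, P) % P)

def encode_type(t):
    """Card type t in {0, ..., M-1} as the group element g^(t+1) (assumption)."""
    return pow(G, t + 1, P)

def mask(m, h, r=None):
    """ElGamal-style masking of an encoded card m under the joint key h = prod h_i."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), m * pow(h, r, P) % P

def remask(card, h):
    """Re-mask with a fresh exponent and prove that only the randomness changed."""
    c1, c2 = card
    r = secrets.randbelow(Q)
    new = (c1 * pow(G, r, P) % P, c2 * pow(h, r, P) % P)
    return new, prove_equal_dlog(G, h, r)

def verify_remask(old, new, h, proof):
    """Accept iff log_g(new1/old1) = log_h(new2/old2), i.e. the card type is unchanged."""
    y1 = new[0] * inv(old[0]) % P
    y2 = new[1] * inv(old[1]) % P
    return verify_equal_dlog(G, h, y1, y2, proof)

def decrypt_share(card, x_i):
    """Player i's share d_i = c1^x_i plus a proof that log_g(h_i) = log_c1(d_i)."""
    return pow(card[0], x_i, P), prove_equal_dlog(G, card[0], x_i)

def verify_share(card, h_i, d_i, proof):
    return verify_equal_dlog(G, card[0], h_i, d_i, proof)

def open_card(card, shares, M):
    """k-out-of-k opening: divide out every share, then map g^(t+1) back to t."""
    m = card[1]
    for d in shares:
        m = m * inv(d) % P
    for t in range(M):
        if encode_type(t) == m:
            return t
    raise ValueError("not a valid card encoding")

def demo(card_type=5, M=52):
    """Two players: joint key, mask, two verified re-masks, verified opening."""
    x = [1 + secrets.randbelow(Q - 1) for _ in range(2)]
    h_parts = [pow(G, xi, P) for xi in x]
    h = h_parts[0] * h_parts[1] % P
    card = mask(encode_type(card_type), h)
    for _ in range(2):
        new, proof = remask(card, h)
        if not verify_remask(card, new, h, proof):
            raise ValueError("re-masking proof rejected")
        card = new
    shares = []
    for xi, hi in zip(x, h_parts):
        d, proof = decrypt_share(card, xi)
        if not verify_share(card, hi, d, proof):
            raise ValueError("decryption share proof rejected")
        shares.append(d)
    return open_card(card, shares, M)

if __name__ == "__main__":
    print("opened card type:", demo())
```

The proof transcript (a, b, z) is one group element pair plus one exponent, which matches the ℓ_q + ℓ_c masking-proof size of Table 2 once the commitments are replaced by their hash in a real implementation. The two checks in verify_equal_dlog are exactly what stops a player from swapping the card's value during a shuffle: altering c2 changes y2, the challenge no longer matches, and the verifier rejects.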

3 Conclusion

We have created an efficient real-life implementation of Schindelhauer's toolbox for mental card games. Further, our contribution shows that proposals which do not require the disclosure of the players' strategy at the end of each game have by now become practical.


Table 1: Comparison of the computational complexity (libTMCG implementation)

Operation                TMCG, p_i, q_i ≡ 3 (mod 4) [Sch98]            VTMF, discrete logarithm variant [BS03]
Masking of a card        = 3k⌈log2 M⌉ mulm                              = 2 spowm⟨ℓ_r⟩ + 2 mulm
  Prover                 = t · 5k⌈log2 M⌉ mulm                          = 2 spowm⟨ℓ_q⟩ + 5 mulm
  Verifier               = t · 3k⌈log2 M⌉ mulm                          = 2 powm⟨ℓ_q⟩ + 2 powm⟨ℓ_r⟩ + 8 mulm
Decryption of a card     = 2⌈log2 M⌉ mulm                               = 1 spowm⟨ℓ_q⟩ + 2 mulm
  Prover                 ≤ ⌈log2 M⌉ ((4t + 5) mulm + 2 powm⟨ℓ_m/2⟩)     = 3 spowm⟨ℓ_q⟩ + 1 mulm
  Verifier               ≤ ⌈log2 M⌉ (2t + 2) mulm                       = 4 powm⟨ℓ_q⟩ + 4 mulm
Shuffle of a stack S     = |S| · 3k⌈log2 M⌉ mulm                        = |S| · (2 spowm⟨ℓ_r⟩ + 2 mulm)
  Prover                 ≈ t · |S| · 3k⌈log2 M⌉ mulm                    ≈ t · |S| · (2 spowm⟨ℓ_r⟩ + 2 mulm)
  Verifier               ≈ t · |S| · 3k⌈log2 M⌉ mulm                    ≈ t · |S| · (2 powm⟨ℓ_r⟩ + 2 mulm)

k: number of players, M: number of different types, t: security parameter (controls the soundness error probability of the interactive zero-knowledge proofs), mulm: modular multiplication or similar, powm⟨ℓ⟩: modular exponentiation with an exponent of size ℓ, spowm⟨ℓ⟩: "blinded" exponentiation (2 powm⟨ℓ⟩ + 3 mulm)

Table 2: Comparison of the communication complexity (libTMCG implementation)

Size of                  TMCG, p_i, q_i ≡ 3 (mod 4) [Sch98]                                VTMF, discrete logarithm variant [BS03]
Encoded card             = k⌈log2 M⌉ ℓ_m                                                   = 2ℓ_p
Masking proof            = t · k⌈log2 M⌉ · (2ℓ_m + 2)                                      = ℓ_q + ℓ_c
Decryption proof         ≤ t · k⌈log2 M⌉ · (5ℓ_m + 1)                                      = ℓ_p + ℓ_q + ℓ_c + o(1)
Shuffle proof            = t · (ℓ_c + 1 + |S| · (k⌈log2 M⌉ (ℓ_m + 1) + ⌈log2 |S|⌉))          = t · (ℓ_c + 1 + |S| · (ℓ_r + ⌈log2 |S|⌉))

Default cryptographic sizes in libTMCG: ℓ_m = ℓ_p = 1024 bit, ℓ_q = ℓ_p − 1, ℓ_r = ℓ_c = 160 bit

References

[SRA79] A. Shamir, R. L. Rivest, and L. M. Adleman. Mental Poker. Technical Report MIT-LCS-TM-125, Massachusetts Institute of Technology, February 1979.

[GM81] S. Goldwasser and S. Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In Proceedings of STOC '82, pp. 365–377, 1982.

[Cre87] C. Crépeau. A zero-knowledge poker protocol that achieves confidentiality of the players' strategy or how to achieve an electronic poker face. In Advances in Cryptology: CRYPTO '86 Proceedings, Lecture Notes in Computer Science 263, pp. 239–247, 1987.

[Edw94] J. Edwards. Implementing Electronic Poker: A Practical Exercise in Zero-Knowledge Interactive Proofs. Master's thesis, University of Kentucky, 1994.

[Sch98] C. Schindelhauer. Toolbox for Mental Card Games. Technical Report A-98-14, University of Lübeck, 1998.

[BS03] A. Barnett and N. P. Smart. Mental Poker Revisited. In Cryptography and Coding 2003, Lecture Notes in Computer Science 2898, pp. 370–383, 2003.

[KK04] T. Koshiba and K. Kurosawa. Short Exponent Diffie-Hellman Problems. In Public Key Cryptography, PKC 2004 Proceedings, Lecture Notes in Computer Science 2947, pp. 173–186, 2004.

[St05] H. Stamer. LibTMCG. http://savannah.nongnu.org/projects/libtmcg/


Off-line Clone Discovery Using Portable Media

Takeshi Gomi∗, Kazukuni Kobara∗, Toshihisa Nakano†, Masao Nonaka† and Hideki Imai∗

∗ Institute of Industrial Science, University of Tokyo, [email protected], {kobara,imai}@iis.u-tokyo.ac.jp

† AV Core Technology Development Center, Matsushita Electric Industrial Co., Ltd., {nakano.toshihisa,nonaka.masao}@jp.panasonic.com

Abstract. Catching the signs of the existence of pirate or clone devices is very important in order to take quick countermeasures against them. Discovering clones is not so difficult if the devices are connected on-line: they can be detected by authenticating the devices frequently. On the other hand, if the devices are completely disconnected, it cannot be done automatically and must be done in the real world, e.g. by sweeping suspicious shops. In this paper we consider the scenario where devices are off-line but somehow connected by way of portable media or similar. Under this scenario, we propose how to detect clones while taking the attacks specific to this scenario into account.

Keywords. DRM system, clone discovery, portable media

1 Motivation

In most DRM (Digital Rights Management) systems, access to contents is controlled by cryptographic keys called license keys. Only legitimate devices, which comply with the content management rules, are allowed to have the keys, so that the contents are managed properly. In practice, however, the license keys cannot be protected perfectly. Some keys might leak out from the compliant devices and others might leak out from the makers who bought the license keys. The leaked keys are copied and installed in illegal devices called clone or pirate devices. (Even worse, clones may be made by the makers who bought the license keys.) The clones (and pirate devices) must be revoked as soon as possible, but to do this the evidence of clones must be captured first.

How to discover the clones is discussed in [AMM01, JR01], but these assume an on-line connection between the devices and the clone discovery system. In this paper, we assume that devices are off-line but somehow connected with it by way of portable media or similar, which seems natural for most current consumer electronics.

2 System Model and Our scheme

We give the system model in Figure 1. In our model, we call a legitimate device a "player". The central server gathers player information and discovers clones using it. The shop has a terminal which connects to the central server. A content is encrypted with a contents-key. Our clone discovery scheme using portable media is as follows:

1. The user inserts the portable media into his own player, and stores the player's information on the portable media.

2. When the user buys contents at the shop, the user hands the portable media to the shop, and the shop uploads the player's information stored on the portable media to the central server via the terminal.

3. The server analyzes the player's information using the "Clone Discovery Method" described below. If it decides that the player is not a clone, the server sends the contents-key to the portable media via the shop's terminal.

4. The user inserts the portable media into his own player, decrypts and plays the contents.


Figure 1: The system model

Next, we show the "Clone Discovery Method". Because clones have the same ID, we need to use the pair of the player's ID and "additional information" to distinguish players from clones. We show three methods.

Use uniqueness of portable media: The central server requests the user to send the pair of player's ID PID and portable media's ID MID, and totals up the number of MIDs paired with PID. If this exceeds N (N: the maximum number of portable media per user), the server decides that the players having PID are clones. Although this method is simple, it is difficult to choose a relevant N to detect clones exactly.

State information updating (by server): The central server requests the user to send the pair of PID and the player's state information SI. Then the server confirms whether the (PID, SI) uploaded by the user corresponds with the (PID, SI) registered at the server. If it corresponds, the server updates the player's SI by sending the state transition information STI to the player. Otherwise, the server decides that the players having PID are clones. This method detects clones perfectly under the assumption that players do not communicate with each other.

State information updating (by user): The central server requests the user to send the pair of PID and SI. Then the server confirms whether the (PID, SI) uploaded by the user corresponds with the (PID, SI) registered at the server. If it does not correspond, the server decides that the players having PID are clones. In this model, we use self-updatable information (e.g. the contents purchase history) as SI. This method also detects clones perfectly under the assumption that players do not communicate with each other.
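The server-side logic of the three methods, as an added example that is not part of the original paper: a counting check on MIDs per PID with threshold N (method 1), and the (PID, SI) comparison with a server-driven state update (method 2; method 3 differs only in that the player advances SI itself, e.g. by appending a purchase). Two constructed scenarios show a clone carrying the stale state copied at cloning time being rejected, and the stated limitation, a clone that has obtained the genuine player's current SI passing the check. Assumptions: SI is modelled as a counter that advances by one per shop visit, the identifiers PID-0042 and MID-a/b/c are sample data, and the class and function names are this example's own.

```python
"""Clone discovery logic for the three methods above (added example)."""
from collections import defaultdict

class CloneDiscoveryServer:
    """Central server. PID: player ID (shared by a player and its clones),
    MID: portable-media ID, SI: player state information, STI: state
    transition information returned to the player."""

    def __init__(self, max_media_per_user):
        self.max_media = max_media_per_user    # N of method 1
        self.media_seen = defaultdict(set)     # PID -> set of MIDs seen so far
        self.registered_si = {}                # PID -> SI the server expects next
        self.flagged = set()                   # PIDs decided to be clones

    def check_media(self, pid, mid):
        """Method 1: more than N distinct MIDs for one PID means clones."""
        self.media_seen[pid].add(mid)
        if len(self.media_seen[pid]) > self.max_media:
            self.flagged.add(pid)
            return False
        return True

    def check_state(self, pid, si):
        """Methods 2/3: the uploaded (PID, SI) must equal the registered pair.
        On a match the server advances the state and returns the STI; on a
        mismatch it flags the PID and returns None (no contents-key issued)."""
        expected = self.registered_si.get(pid, si)   # first contact: register as-is
        if expected != si:
            self.flagged.add(pid)
            return None
        sti = si + 1                                 # assumption: SI is a counter
        self.registered_si[pid] = sti
        return sti

class Player:
    def __init__(self, pid, si=0):
        self.pid, self.si = pid, si

    def purchase(self, server):
        """One shop visit: upload (PID, SI) via the portable media, apply the STI.
        Returns True iff a contents-key came back."""
        sti = server.check_state(self.pid, self.si)
        if sti is not None:
            self.si = sti
        return sti is not None

def clone_with_stale_state():
    """Constructed scenario: a clone built from keys leaked while the genuine
    player had SI = 0. Returns (purchase log, flagged PIDs)."""
    server = CloneDiscoveryServer(max_media_per_user=2)
    genuine, clone = Player("PID-0042"), Player("PID-0042")
    log = [("genuine", genuine.purchase(server)) for _ in range(2)]
    log.append(("clone", clone.purchase(server)))    # uploads SI = 0, server expects 2
    return log, sorted(server.flagged)

def colluding_clone():
    """The stated limitation: if the clone obtains the genuine player's current
    SI (players communicating), its upload matches and it is accepted; the
    genuine player's next upload is then the one that mismatches."""
    server = CloneDiscoveryServer(max_media_per_user=2)
    genuine, clone = Player("PID-0042"), Player("PID-0042")
    genuine.purchase(server)
    clone.si = genuine.si                              # state copied after the update
    clone_accepted = clone.purchase(server)
    genuine_accepted = genuine.purchase(server)
    return clone_accepted, genuine_accepted, sorted(server.flagged)

if __name__ == "__main__":
    print("stale clone:", clone_with_stale_state())
    print("colluding clone:", colluding_clone())
```

colluding_clone() makes the practical consequence of the assumption explicit: the server flags a PID, not a device, so even when the clone synchronises its state it is the genuine player's next visit that trips the check, and the revocation then hits both devices. A clone that stays permanently synchronised with the genuine player is indistinguishable under methods 2 and 3, which is why the paper restricts the guarantee to non-communicating players.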

References

[AMM01] J. Anzai, N. Matsuzaki and T. Matsumoto, "Clone Discovery Scheme Using Random Number (1)," Proceedings of SCIS 2001, pp. 189–194, Japan, 2001.

[JR01] M. Jakobsson and M. K. Reiter, "Discouraging Software Piracy Using Software Aging," DRM 2001, LNCS 2320, pp. 1–12, 2002.


Revocation of anonymous credentials by short information

Masanori Yoshida, Rie Shigetomi, and Hideki Imai

Imai laboratory, IIS, University of Tokyo, http://imailab-www.iis.u-tokyo.ac.jp/

[email protected], [email protected], [email protected]

Abstract. In this paper, we propose a technique for revoking anonymous credentials used in systems with anonymous authentication. In particular, we are interested in systems where authentication is conducted between a user's handheld device (for instance, an IC card) and a service provider's equipment. In such a system, when a user loses his IC card, he has to revoke the anonymous credentials stored on the lost IC card. Our approach eliminates the need for dedicated storage for the secret information required for revoking lost credentials. Using our technique, a user only has to remember a short password in case he loses his IC card.

Keywords. Anonymous credential, Revocation, IC card

1 Introduction

In this paper, we propose a technique for revoking anonymous credentials used in systems with anonymous authentication. In particular, we are interested in systems where authentication is conducted between a user's handheld device and a service provider's equipment. Here we assume that users use IC cards as handheld devices. A user stores his anonymous credentials on the IC card, and at authentication the IC card presents the credentials to a service provider. The service provider verifies the credentials and then provides services to the user. In such a system, when a user loses his IC card, he has to revoke the anonymous credentials stored on the lost IC card. Our approach eliminates the need for any dedicated storage, other than the IC card itself, for the secret information required for revoking the lost credentials. Using our technique, a user only has to remember a short password in case he loses the IC card.

2 Method of credential revocation

In general, an anonymous credential is composed of data and a signature on the data as follows.

$AnonCred = \langle m \,\|\, sign_{sk}(m) \rangle$

AnonCred denotes an anonymous credential, $sign_{sk}$ denotes a signature by the service provider's private key, and m denotes the data to be signed. As in the refreshable token scheme [RT02], blind signature protocols are normally used to issue anonymous credentials.

We use the Schnorr blind signature [Sch] as the blind signature method. Schnorr-based anonymous credentials are issued as follows. First of all, m is composed of a set of exponentials, as follows.

$m = \langle y_1^{x_1} \,\|\, y_2^{x_2} \,\|\, \dots \rangle$

The user raises each exponential in m to the power r (i.e. the user blinds m), and sends $m^r$ to the service provider.

$m^r = \langle y_1^{x_1 r} \,\|\, y_2^{x_2 r} \,\|\, \dots \rangle$

The service provider receives $m^r$, signs $m^r$, and returns the signature to the user. The user obtains the following $AnonCred^r$.

$AnonCred^r = \langle m^r \,\|\, sign_{sk}(m^r) \rangle$

Finally, the user can obtain AnonCred from $AnonCred^r$ by the mechanism of the blind signature.

We now describe our method. In our method, we assume that multiple credentials are issued simultaneously. Let the number of credentials issued simultaneously be N. We add the following values to m.

$\langle h \,\|\, h^c \rangle$

h is selected at random for each credential. The same c is used for all credentials issued simultaneously. That is, $m_i$ (i = 1 . . . N) is as follows.

$m_i = \langle h_i \,\|\, h_i^{c} \,\|\, y_1^{x_1} \,\|\, y_2^{x_2} \,\|\, \dots \rangle$

First of all, the user blinds $m_i$ (i = 1 . . . N). Additionally, the user computes $g^c$, where g is a generator common to the entire system. The user sends $m_i^{r_i}$ (i = 1 . . . N) and $g^c$. Before the service provider signs $m_i$, the user proves by a zero-knowledge proof that $\log_g(g^c)$ and $\log_{h_i^{r_i}}(h_i^{r_i c})$ (i = 1 . . . N) are equal. After verifying this proof and recording $g^c$ in its database, the service provider signs $m_i^{r_i}$ (i = 1 . . . N) and returns the signatures to the user. Finally the user gets $AnonCred_i = \langle m_i \,\|\, sign_{sk}(m_i) \rangle$.

The credentials thus issued are unlinkable as long as the DDH assumption holds. Moreover, in order to revoke the credentials issued simultaneously, the user does nothing but open the single c to the service provider. Since $g^c$ is recorded, the following attacks can be prevented.

1. An attacker is issued credentials of the same c at different times.

2. An attacker illegally revokes others’ credentials by guessing c.

3 Management of secret information for revocation

A user has to hold the secret information c in a place other than the IC card. Our goal is to eliminate the need for dedicated storage for holding c. On the other hand, it should be impossible for an attacker to choose c arbitrarily and thereby revoke others' credentials. To that end, the domain of c has to be wide enough, and the value of c has to look random. To satisfy these requirements, we determine c as follows.

c = hash(password||seed)

When credentials are issued, the user chooses a different password every time. seed is a constant value, though it is long enough. Since the value of c is randomized by the password, c becomes a completely random value from the attacker's point of view even though seed is constant. The user only has to remember the password, and the long seed is stored on the IC card. It is only when the IC card is lost that the value of seed is needed, so normally seed only has to be written on paper and kept in the user's desk.

References

[RT02] Rie Shigetomi, Akira Otsuka, Takahide Ogawa, and Hideki Imai: Anonymous refreshability of tokens, SITA 2002, 2002.

[Sch] C. P. Schnorr: Efficient Identification and Signatures for Smart Cards, Proceedings of Crypto '89, LNCS 435, Springer-Verlag, pp. 235–251.


Towards Secure Zero Configuration

Adrian Leung and Chris Mitchell

Information Security Group, Royal Holloway, University of London

http:\\www.isg.rhul.ac.uk, {A.Leung,C.Mitchell}@rhul.ac.uk

Abstract. Zero Configuration Networking is a suite of networking protocols that abstracts the configuration process required to set up an IP-based network. Like any other networking technology, Zero Configuration Networking raises some specific security issues. Herein, we discuss the motivation for Zero Configuration, briefly introduce this new emerging technology, consider the associated security threats and identify the security requirements.

Keywords. Security, Zero Configuration, Auto Configuration, Self-Configuring, Self-Organizing.

1 Introduction

Computer networking has come a long way since its infancy in the 1960s. Modern day networks differ greatly from their predecessors in many ways.

Firstly, the types of hosts being interconnected are not constrained to only desktop computers, printers and servers, but include a whole plethora of low power heterogeneous devices that are equipped with computation and communication capabilities. The second major difference is the mode or medium of connection. Besides connecting to a network through a wired cable, a growing number of hosts are also connecting to a network via various wireless interfaces. Thirdly, the deployment environments of a network have also evolved, and are no longer restricted to large enterprises, governments and academic institutions but also include small offices and homes. Finally, networks are becoming increasingly dynamic in nature. Hosts may come together and form a network spontaneously, and likewise any host may also join or leave the network at its own discretion at any time in an ad hoc manner.

The aforementioned characteristics of present day networks have opened up a vast array of new opportunities. But there remains one obstacle to the full realisation and widespread deployment of such networks, one of complexity: the very process of networking is a difficult endeavour in itself. Existing network protocols are configurationally intensive and require a lot of technical expertise. This complex task is usually carried out by a highly trained network administrator or dedicated servers. To a non-expert user, network management is a daunting prospect. Also, there may be situations where skilled administration is unavailable or environments where administration is impossible. So how can a network be established in such scenarios? This is where Zero Configuration comes in.

Zero Configuration Networking (or Zeroconf in short) aims to eliminate the manual and external configuration process required to set up an IP-based network. In other words, when a group of devices come together and decide to form a network, each device will have the ability to configure itself and obtain the necessary parameters automatically in the absence of any administration, human intervention and infrastructure.

In environments with administration, ZeroConf would also be a very welcome feature, as it would greatly reduce the demand for skilled resources. In environments without administration, ZeroConf is not merely an option but a necessity.

2 What is Zero Configuration Networking?

This pressing need to reduce the complexities of networking was recognised by the Internet Engineering Task Force (IETF). In response, the IETF ZeroConf Working Group [ZW99] was chartered in 1999, with the primary objective of defining and proposing a framework that would enable networking in the absence of configuration and administration.

To better understand the workings of ZeroConf, we give a simple scenario illustrating its usefulness. Two people at a conference want to spontaneously exchange information via their respective laptops. With ZeroConf (assuming both machines are powered on and have each automatically obtained a valid IP address), the sender's laptop will discover the presence of the receiving laptop and send the file. Without ZeroConf, the sender will need to configure his machine with an IP address, then find out what the IP address of the receiver is before he can send the file. ZeroConf aims to hide the configuration process from the user.

Networking usually entails the configuration of various parameters such as IP addresses, subnet masks, domain names, default routers, etc. The ZeroConf working group has identified the following four main requirements [AW00] in order to achieve zero configuration networking:

• Obtaining an IP address automatically (without a Dynamic Host Configuration Protocol server)

• Name-to-address translation (without a Domain Name System server)

• Service discovery (without a directory server)

• Multicast address allocation (without a multicast server)

ZeroConf is a valuable feature but it is not a one-size-fits-all solution [ED02]. It is inappropriate for deployment in medium or large networks, in networks where a high degree of security and control is required, and in networks with low bandwidth and high latency. In contrast, it is well suited to homes, small office networks and ad hoc networks at meetings and conferences.

3 Security Considerations

One other important requirement mandated by the working group is that ZeroConf must not be any less secure than the related current protocols. ZeroConf networks are subject to the same set of security issues as conventional networks, such as passive attacks (eavesdropping) and active attacks (denial of service). The characteristics of Zeroconf networks also make them susceptible to other threats. Several scenarios are highlighted below.

ZeroConf may be employed in a personal area network. When two or more such personal area networks come within range of each other, there is a risk that an adversary may be able to use your phone with their wireless (for example Bluetooth-enabled) headset.

In an ad hoc network, such as one formed by people at a conference, it is desirable to establish secure private communications over a public wireless network. It is not difficult for an adversary to eavesdrop on or even to disrupt the communication.

Wireless networking employing 802.11x in homes is very common nowadays. The network is almost certain to extend to the dwellings adjacent to, above and below you. Anyone within range may take an inventory of the devices in your home or, worse, control your devices and appliances, for example turning the lights in your home on or off or controlling the volume of your TV.

The threats discussed are by no means exhaustive. Mechanisms are therefore required to secure zero configuration.

4 Future Work

Securing ZeroConf is going to be a challenging yet interesting task. The problem can be divided into the following main areas:

• Authentication of devices,

• Secure IP address autoconfiguration,

• Secure name-to-address translation,

• Secure service discovery,

• Secure communication.

The aim is to provide a single security mechanism that allows simple configuration of all the various security parameters, so as to maintain the spirit of ZeroConf. One option is for implementations to have safe default configurations.

References

[ZW99] Zeroconf Working Group, Internet Engineering Task Force (IETF), http://www.ietf.org/html.charters/zeroconf-charter.html.

[AW00] Aidan Williams. Requirements for automatic configuration of IP hosts. drafts-ietf-zeroconf-reqts-12.txt.

[ED02] Edgar Danielyan. Zero configuration networking. The Internet Protocol Journal, vol 5(4):20–26, 2002.

A User-centric solution to realise m-payment

Qing Zhang

The ISG - Smart Card Centre, founded by Vodafone, G&D

and the Information Security Group, Royal Holloway, University of London, http://www.scc.rhul.ac.uk

[email protected]

Abstract. In this paper, a practical user-centric mobile payment (m-payment) solution and its protocol are presented. By combining the strength of on-card-matching fingerprint authentication and public key infrastructure, the author constructed a powerful, secure, simple and practical m-payment system realizing multiple payment methods, whilst maintaining fair exchange and the user's anonymity.

Keywords. M-payment, user-centric, on-card-matching fingerprint authentication, PKI, multiple payments, privacy, anonymity, fair exchange, smart card, Java card.

1 Introduction

After a careful observation and analysis of the existing m-payment solutions, it was discovered that most of them mainly focused on technological solutions and business requirements, rather than the user's perspective.

The foregoing observations are the justification for the development of a new user-centric m-payment solution. In contrast to earlier approaches, our first step is to consider the user's motivation and preferences during m-payment activities before presenting our technology solution. Following a review of a broad range of existing m-payment solutions including eCash [MD01], GeldKarte [MD01], Mobilix [Ki01], EMPS [KP03], Achat [He02], Paiement CB [KP03], mPark [KP03], Paybox [KP03], Mobipay [He02], Vodafone M-pay [KP03] and i-Mode [KP03], and concentrating especially on the users' requirements and needs, it was concluded that a successful m-payment solution should satisfy the following requirements:

• Minimum changes to customers' phones

• Simple, fast and easy to use

• No complicated registration procedures

• Security design, e.g. biometrics enabled

• Multiple application requirements, e.g. proximity or Internet application

• Least involvement of the third party

• Multiple payments, e.g. micro or macro payment

• Fair exchange

• Anonymity

The objective of this paper is to propose and critically review a newly implemented m-payment system and its communication protocol that meet all the above properties, specifically designed for the e-commerce-via-Internet scenario. In particular, the presented system integrates the merits of existing m-payment systems, combining the strength of on-card-matching fingerprint authentication, public key infrastructure and multiple payment support, whilst maintaining fair exchange and the user's anonymity. The goal of this paper was to practically apply good security and biometric practices in a way that would be attractive to the user. Such a solution would encourage the take-up of mobile payment through enhanced security, interoperability, simplicity, fairness and low deployment costs.

2 Contribution

The main contributions of our work include:

Ensuring fair exchange: No existing e-commerce system known to the author incorporates physical delivery whilst supporting fair exchange, and so this becomes a main design goal for the proposed protocol. Based on a trusted third party, our protocol realizes fairness and prevents any party from gaining benefit by misbehaving. Moreover, instead of "after-the-fact" dispute resolution, our protocol itself attempts to handle disputes automatically, without manual intervention and within the protocol. I rely on the trusted third party for realizing fair exchange, but the third party is not involved unless a party misbehaves. Thus the use of the third party is kept to a minimum. Such protocols are termed optimistic [AS03].

Ensuring anonymity: The proposed system incorporates the concept of the delivery cabinet, which helps to conceal the identity of the customer. Neither is it possible to monitor a customer's spending pattern and consumer behavior or sensitive and personal information. Moreover, with the present solution, customers' identities can be protected under all possible scenarios, even when there is collusion by other parties during the transaction.

Realizing biometric authentication: Biometric authentication, in particular fingerprint matching, is implemented in the solution to verify the identity of the user before the transaction operation. A biometric authentication framework is also implemented within the mobile phone, ensuring that sensitive information stored inside the SIM card is only accessible after successful fingerprint authentication. Moreover, the biometrics framework that the author implemented in our system is also transplantable to other environments and platforms, e.g. smart cards [ZM04], various controllers or DSP-based embedded modules. As a result, it can also be employed in other non-payment applications such as high-security access control.


References

[MD01] David McKitterick and Jim Dowling. State of the Art Review of M-Payment Technology. Department of Computer Science, Trinity College Dublin, 2001.

[KP03] Nina Kreyer, Key Pousttchi. Mobile Payment Procedures: Scope and Characteristics. e-Service Journal, Volume 2, Number 3, Summer 2003, pp. 7-22, 2003.

[Ki01] Kieser. Mobile Payment - Vergleich Elektronische Zahlungssysteme, 2001.

[AS03] N. Asokan, Matthias Schunter and Michael Waidner. Optimistic protocols for fair exchange. Conference on Computer and Communications Security, pp. 7-17, 1997.

[He02] J. Henkel. Mobile Payment. Mobile Commerce, Volume 12, pp. 62, 2002.

[ZM04] Qing Zhang, Joan N. B. Moita, Keith Mayes and Konstantinos Markantonakis. The Secure System Based on the Mobile Phone Platform. Workshop on Information Security Applications, WISA 2004, pp. 233-244, 2004.

How visual demonstrations help showing cryptographic algorithms to a general audience

Rie Shigetomi, Haruhiro Yoshimoto, Hideki Imai

University of Tokyo, http://www.u-tokyo.ac.jp/

[email protected]

Abstract. The blind signature scheme is one of the most difficult schemes to explain to people who have little experience of cryptography. In this work, we will show how visual demonstrations help in explaining blind signatures to a general audience. Our demonstration is able to successfully represent each procedure of the blind signature: colors, shapes, and the movement of objects each have a corresponding meaning in the underlying blind signature scheme.

Keywords. Anonymity, Privacy Protection, Blind Signature

1 Introduction

As the use of digitized information has become more a part of our everyday life, there has been a notable increase in the amount of attention paid to the privacy of users of electronic services. This has increased the attention paid to "anonymous schemes", cryptographic techniques that protect privacy.

As the privacy problem is a concern to anybody, anonymous schemes are also of interest to the general public, who have little to no prior knowledge of cryptography. However, complicated knowledge of mathematics is required to fully understand an anonymous authentication scheme. Even more, the scheme itself is complicated, which makes the understanding of such schemes harder: while most schemes require only the signer to do calculations, most anonymous schemes require the user to take part in signing, so that the user controls what information is given. Thus, it is vital for the user to understand the scheme correctly, as it is the only way that the user can check whether her privacy is really protected.

In this paper, we will introduce our approach to explaining the "blind signature scheme", which was introduced by Chaum [Cha82] and Brands [Bra93], to a general audience with little or no knowledge of cryptography. We have made a 3D demonstration of an anonymous authentication library. The library was implemented in C, and the demonstration uses OpenGL for the 3D graphics. The underlying calculations are real blind signature calculations, and the viewers can see the actual values for further understanding.


2 Our Approach

An easy-to-understand application helps the explanation of blind signatures. Blind signatures have many applications, such as electronic voting, electronic cash systems and electronic coupons. All these schemes need authentication to check whether the user has the right to be provided with each service, while the service should be provided anonymously. We adopted the system for anonymous authentication called the refreshable anonymous token scheme, which was first introduced in [SOI03]. This is because the scheme already has an implementation that we could use, and an application could easily be imagined from the system. This scheme is based on the blind signature scheme.

In this scheme, we call the right to authentication the token. The user showing the token is authenticated by the service provider, who is the signer. This scheme has the requirements of anonymity, unforgeability and double-use traceability. Also, the token can be refreshed anonymously. That means the user can receive a new token anonymously after the user has used the token, while still having double-use traceability. That is, the token contains an embedding of the user's identification.

In our system, the application of the refreshable token scheme is an anonymous library, where a user is able to anonymously borrow a book by presenting a token. The user needs to obtain a new, refreshed token to borrow another book, but this is done only when the user has returned that book. If the user does not return the borrowed book by a certain date (the due date), her name is unveiled using double-use traceability.

The procedure itself could be easily understood by anybody. The most difficult part is the "sign" of the token by the signer. The refreshable token scheme is an application of the blind signature scheme, so this scheme's most difficult part is the same as that of the blind signature scheme.

The procedure of issuing a token to a user by the librarian can be divided into four parts: blind, check, sign and unblind. In our system we show them on two screens: the user's screen and the signer's screen.

• Blind: The user creates a message to be included in the token as the user's identity. The user blinds the message, which will be signed by the signer. This is represented by the user creating a square of white paper.

• Check: The signer checks for double-use traceability, i.e. whether the token contains an embedding of the user's identification. This is represented by the signer checking the white paper, as if checking a watermark.

• Sign: The signer signs the blinded message. This is represented by the signer painting a very special color onto the white paper.

• Unblind: When the user receives the signed message, the user unblinds the message and signature. This is represented by the user cutting the square paper into globes.

Our demonstration is able to successfully represent each procedure of the blind signature: colors, shapes, and the movement of objects each have a corresponding meaning in the underlying blind signature scheme.
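The four steps above, carried out on Chaum's RSA blind signature [Cha82] in Python, as an added example that is not part of the authors' demonstration or library; the RSA primes are constructed toy values, and the signer's identity check of the refreshable-token scheme is reduced to a range check, since that check is specific to [SOI03].

```python
"""Chaum's RSA blind signature walked through the four steps of the
demonstration: blind, check, sign, unblind (plus public verification).

Added example, not the authors' C library or OpenGL demonstration. The RSA
primes are constructed toy values; the signer's "check" that the token embeds
the user's identity is specific to the refreshable-token scheme [SOI03] and
is reduced here to a range check on the blinded value.
"""
import secrets
from math import gcd

# Constructed toy RSA key: two known primes and the usual exponent e = 65537.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def blind(message, n=N, e=E):
    """User: choose a random r coprime to n and hide m as m' = m * r^e mod n.
    Returns (blinded message, r); r must be kept to unblind later."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (message * pow(r, e, n)) % n, r


def check(blinded, n=N):
    """Signer: a plain range check stands in for the scheme-specific
    identity check, since the signer sees only the blinded value."""
    return 0 < blinded < n


def sign(blinded, d=D, n=N):
    """Signer: an ordinary RSA signature on the blinded value, without ever
    learning the message (the 'paint' step of the demonstration)."""
    return pow(blinded, d, n)


def unblind(blinded_sig, r, n=N):
    """User: remove the blinding factor, s = s' * r^-1 mod n, which leaves
    m^d mod n, a normal RSA signature on the original message."""
    return (blinded_sig * pow(r, -1, n)) % n


def verify(message, signature, n=N, e=E):
    """Anyone: s^e mod n must equal m."""
    return pow(signature, e, n) == message


def issue_token(message):
    """One full run between user and signer; returns the final signature."""
    if not 0 < message < N:
        raise ValueError("message must be a nonzero residue modulo N")
    blinded, r = blind(message)
    if not check(blinded):
        raise ValueError("signer rejected the blinded message")
    return unblind(sign(blinded), r)
```

The unblinded value equals the signature the signer would have produced on the message directly, yet the signer only ever saw the blinded value.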

References

[Bra93] S. Brands. An efficient off-line electronic cash system based on the representation problem. CWI Technical Report CS-R9323, 1993.

[Cha82] D. Chaum. Blind signatures for untraceable payments. In Proc. of CRYPTO'82, Lecture Notes in Computer Science, pages 199–203. Springer, 1982.

[SOI03] R. Shigetomi, A. Otsuka, and H. Imai. Anonymous authentication scheme for XML security standard with refreshable tokens. In ACM Workshop on XML Security, pages 86–93, October 2003.


Multivariate Public Key Schemes

Christopher Wolf

ESAT-COSIC, K.U. Leuven, Belgium, http://www.esat.kuleuven.ac.be/cosic/, [email protected]

or [email protected]

Abstract. Multivariate Quadratic public key systems have been investigated since the 1980s. In this talk, we sketch the four basic schemes, i.e., Unbalanced Oil and Vinegar (UOV), Stepwise Triangular Schemes (STS), Matsumoto-Imai Scheme A (MIA), and Hidden Field Equations (HFE). Moreover, we discuss the question of equivalent keys for these schemes.

Keywords. Overview, Multivariate Quadratic

Figure 1: Graphical Representation of the MQ-trapdoor (S, P′, T). The private computation runs input x = (x_1, …, x_n) → S (private) → x′ → P′ (private) → y′ → T (private) → output y, while the public key (p_1, …, p_n) maps x to y directly.

1 Multivariate Quadratic Systems of Equations

One proposal for secure public key schemes is based on the problem of solving Multivariate Quadratic equations (MQ-problem) over finite fields. Here, the public key equations are written as

$$p_i(x_1, \dots, x_n) := \sum_{1 \le j \le k \le n} \gamma_{i,j,k}\, x_j x_k + \sum_{j=1}^{n} \beta_{i,j}\, x_j + \alpha_i$$

for 1 ≤ i ≤ m, 1 ≤ j ≤ k ≤ n, and the coefficients γ_{i,j,k}, β_{i,j}, α_i ∈ F for F being a finite field with q := |F| elements. We call the coefficients quadratic (γ_{i,j,k}), linear (β_{i,j}), and constant (α_i) coefficients, respectively. For short, we write the polynomial vector P := (p_1, …, p_m) and we have P ∈ MQ_m(F^n).

To be useful for public key cryptology, we do not only need an intractable problem, but also a way of embedding a trapdoor into it. For the MQ-problem as stated above, we are able to embed a trapdoor (S, P′, T) ∈ AGL_n(F) × MQ_m(F^n) × AGL_m(F) into a system of equations P, cf. Figure 1. Here, S, T are affine transformations over the vector spaces F^n and F^m, respectively.
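How a public key P = T ∘ P′ ∘ S acquires the explicit form above, as an added example (not code from the talk or from [WP05]): the trapdoor is composed over GF(2) from constructed toy maps with n = m = 4, and the γ, β, α coefficients of each public p_i are recovered by evaluating the composed map, which shows that the composition stays quadratic while the triangular structure of P′ is no longer visible in the public coefficients.

```python
"""An MQ public key P = T o P' o S over GF(2): the trapdoor (S, P', T) is
composed as a black box and the explicit quadratic (gamma), linear (beta)
and constant (alpha) coefficients of each public p_i are recovered by
evaluation. Added example, not code from the talk or [WP05]; S, P' and T
are constructed toy values with n = m = 4 and carry no security.
"""

N = 4  # number of variables n and of equations m in this toy instance


def mat_vec(A, x):
    """Matrix-vector product over GF(2)."""
    return [sum(a * xi for a, xi in zip(row, x)) % 2 for row in A]


def affine(A, b):
    """The affine map x -> A x + b over GF(2)^n (an element of AGL_n)."""
    return lambda x: [(u + v) % 2 for u, v in zip(mat_vec(A, x), b)]


def quadratic_map(polys):
    """x -> (p_1(x), ..., p_m(x)) for polynomials given as
    (quadratic terms {(j, k)}, linear terms {j}, constant), j <= k."""
    def apply(x):
        return [(const + sum(x[j] * x[k] for j, k in quad) + sum(x[j] for j in lin)) % 2
                for quad, lin, const in polys]
    return apply


def compose(S, P_prime, T):
    """The public key as an oracle: P(x) = T(P'(S(x)))."""
    return lambda x: T(P_prime(S(x)))


def unit(n, j):
    """The j-th unit vector of GF(2)^n."""
    e = [0] * n
    e[j] = 1
    return e


def extract_coefficients(P, n, m):
    """Recover (gamma, beta, alpha) of the public polynomials from 1 + n +
    n(n-1)/2 evaluations. Over GF(2), x_j^2 = x_j, so the diagonal quadratic
    coefficients gamma_{i,j,j} are absorbed into beta_{i,j}."""
    alpha = P([0] * n)
    at_unit = [P(unit(n, j)) for j in range(n)]
    beta = [[(at_unit[j][i] + alpha[i]) % 2 for j in range(n)] for i in range(m)]
    gamma = [set() for _ in range(m)]
    for j in range(n):
        for k in range(j + 1, n):
            x = unit(n, j)
            x[k] = 1
            at_pair = P(x)
            for i in range(m):  # p(e_j + e_k) - p(e_j) - p(e_k) + p(0); signs vanish mod 2
                if (at_pair[i] + at_unit[j][i] + at_unit[k][i] + alpha[i]) % 2:
                    gamma[i].add((j, k))
    return gamma, beta, alpha


def evaluate(gamma, beta, alpha, x):
    """Evaluate the explicit public polynomials in the form given in the text."""
    return [(alpha[i] + sum(x[j] for j in range(len(x)) if beta[i][j])
             + sum(x[j] * x[k] for j, k in gamma[i])) % 2 for i in range(len(alpha))]


def public_key_matches(P, gamma, beta, alpha, n):
    """True if the recovered polynomials agree with the oracle P on all 2^n inputs."""
    for bits in range(1 << n):
        x = [(bits >> j) & 1 for j in range(n)]
        if evaluate(gamma, beta, alpha, x) != P(x):
            return False
    return True


# Constructed toy trapdoor. S and T use unitriangular matrices, hence are
# invertible. P' is triangular: y'_i = x'_i + q_i(x'_1, ..., x'_{i-1}), so its
# owner inverts it one variable at a time; the public key hides that shape.
A_S = [[1, 1, 0, 1], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
B_S = [1, 0, 1, 0]
A_T = [[1, 0, 0, 0], [1, 1, 0, 0], [0, 1, 1, 0], [1, 0, 1, 1]]
B_T = [0, 1, 1, 0]
P_PRIME = quadratic_map([
    (set(), {0}, 1),             # y'_1 = x'_1 + 1
    (set(), {0, 1}, 0),          # y'_2 = x'_2 + x'_1
    ({(0, 1)}, {2}, 1),          # y'_3 = x'_3 + x'_1 x'_2 + 1
    ({(0, 2), (1, 2)}, {3}, 0),  # y'_4 = x'_4 + x'_1 x'_3 + x'_2 x'_3
])
S_MAP, T_MAP = affine(A_S, B_S), affine(A_T, B_T)
PUBLIC = compose(S_MAP, P_PRIME, T_MAP)
GAMMA, BETA, ALPHA = extract_coefficients(PUBLIC, N, N)
```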


2 Different Trapdoors

For Multivariate Quadratic public key systems, there are several ways to embed the trapdoor into the public key P. In [WP05], the different possibilities known so far are outlined. In a nutshell, we have

1. Unbalanced Oil and Vinegar (UOV). Here, the equations become affine when the input variables are restricted to a secret subspace.

2. Stepwise Triangular Schemes (STS). In this proposal, the private key equations are solved layer by layer, either by brute force or by means of another trapdoor, to obtain a solution.

3. Matsumoto-Imai Scheme A (MIA). This is the first example of a mixed scheme and uses perturbation monomials over extension fields. It is the oldest proposed scheme.

4. Hidden Field Equations (HFE). A generalisation of MIA to avoid certain types of attacks. HFE are no longer bijective, but are more secure.

Due to time and space limitations, we do not go into details of the security of these proposals but refer to [WP05] for an up-to-date overview and also a more detailed taxonomy of MQ-schemes.

3 Conclusions

Multivariate Quadratic schemes are an interesting proposal to obtain fast public key signature schemes. At present, their large public key sizes (8 kBytes up to 71 kBytes) are the main obstacle when using them in practice. Moreover, there are no secure encryption schemes known. On the up side, MQ-systems allow short signing and signature verification times (down to 1 ms or even µs), and also very short signatures (down to 128 bit). So all in all, they are a worthwhile research topic.

References

[MvOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. ISBN 0-8493-8523-7, online version: http://www.cacr.math.uwaterloo.ca/hac/.

[Sho97] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509, October 1997.

[WP05] Christopher Wolf and Bart Preneel. Taxonomy of public key schemes based on the problem of multivariate quadratic equations. Cryptology ePrint Archive, Report 2005/077, 12th of March 2005. http://eprint.iacr.org/2005/077/, 60 pages.


Algebraic Attacks and Annihilators

Frederik Armknecht

Universität Mannheim, Germany, http://th.informatik.uni-mannheim.de/people/armknecht.shtml

[email protected]

Abstract. Algebraic attacks on block ciphers and stream ciphers have gained more and more attention in cryptography. The idea is to express a cipher by a system of equations whose solution reveals the secret key. The complexity of an algebraic attack is closely related to the degree of the equations. Hence, low-degree equations are crucial for the efficiency of algebraic attacks.

In the case of simple combiners over GF(2), it was proved in [6] that the existence of low-degree equations is equivalent to the existence of low-degree annihilators, and the term "algebraic immunity" was introduced. Later on, it was shown in [2] that the same is true for all three cases over any finite field GF(q).

In this talk, we explain the connection between low-degree equations and annihilators. This might serve as a starting point for further research.

Keywords. Algebraic attacks, combiners with memory, block ciphers, annihilators

1 Introduction

The idea of algebraic attacks is to attack a cipher by solving a system of equations. In this paper, we concentrate on algebraic attacks against block ciphers and LFSR-based keystream generators.

In [5], the authors showed that AES can be attacked by solving a system of quadratic equations. The reason is that the only non-linear operation, the S-box, can be described by a system of quadratic Boolean equations. Later, it was shown in [7] that this attack can be improved by using quadratic equations over the finite field GF(2^8). These two attacks are the only attacks currently known which may work for full AES. Although the correctness and the complexity require further examination, the existence of a system of low-degree equations is a potential threat.

In [4], algebraic attacks on simple combiners were presented. For each observed keystream bit, an attacker has knowledge of one or several valid equations. If an attacker has enough equations at his disposal, the secret key can be recovered by solving the system of equations. For several simple combiners (e.g. LILI-128, Toyocrypt), algebraic attacks are the fastest known attacks. Both the required number of known keystream bits and the complexity of the attack are polynomial in the key size, but exponential in the degree of the equations. Therefore, the availability of low-degree equations is crucial for an efficient attack.

For several reasons, the extension of the attack to combiners with memory (e.g., the Bluetooth keystream generator) was not apparent. In [1], this question was finally solved. The authors showed that any LFSR-based keystream generator can be expressed by a system of equations with a bounded degree. Here too, the effort grows exponentially with the degree.

The three cases described above have in common that they require equations of low degree to be efficient. Consequently, one of the most important research topics in algebraic attacks is to develop methods for finding or avoiding low-degree equations.

2 Algebraic attacks on (k, ℓ)-combiners

In this section, we briefly sketch algebraic attacks on (k, ℓ)-combiners. Let F be a finite field. A (k, ℓ)-combiner is defined by the following components:

1. k′ ≤ k LFSRs,

2. A memory M ∈ F^ℓ,

3. An output function f : F^ℓ × F^k → F,

4. A memory update function δ : F^ℓ × F^k → F^ℓ.

At each clock t, the LFSRs produce an output denoted by X_t ∈ F^k. Further on, let M_t ∈ F^ℓ be the state of the memory at this time instance. The output is computed by z_t = f(M_t, X_t), and the memory bits are updated to M_{t+1} := δ(M_t, X_t). Obviously, the outputs z_t, …, z_{t+r−1} depend on M_t and X_t, …, X_{t+r−1}. Hence, we can extend the notion of f(M_t, X_t) = z_t to f_r(M_t, X_t, …, X_{t+r−1}) = (z_t, …, z_{t+r−1}).

Combiners with memory may be used as keystream generators and have found their way into practical applications (e.g. Bluetooth). The secret key is the initial state of the LFSRs, denoted by K, and M_1, whereas the output z_t serves as the keystream. If ℓ = 0, then we speak of simple combiners. The attack model is that an adversary knows several z_t and tries to recover the secret key. An algebraic attack consists of defining and solving a system of equations in the unknown value K and the known keystream. Afterwards, M_1 can be easily reconstructed (or even guessed if ℓ is not too big).

Before we explain this attack in more detail, we need the notion of Z-functions:

Definition 2.1 Fix a (k, ℓ)-combiner and Z ∈ F^r with r ≥ 1. A Z-function is a function F_Z : F^{k·r} → F such that the following holds for all clocks t:

$$(z_t, \dots, z_{t+r-1}) = Z \;\Rightarrow\; F_Z(X_t, \dots, X_{t+r-1}) = 0.$$

Example 2.2 In the case of simple combiners and F = GF(2), it is f(X_t) = z_t, and hence f is a (0)-function and f ⊕ 1 a (1)-function.

If, for a fixed value r, an attacker knows Z-functions for all Z ∈ F^r, he can set up the following system of equations:

$$\begin{aligned} F_{(z_1,\dots,z_r)}(X_1, \dots, X_r) &= 0 \\ F_{(z_2,\dots,z_{r+1})}(X_2, \dots, X_{r+1}) &= 0 \\ &\;\;\vdots \end{aligned} \qquad (5)$$

Observe that F_Z and F_{Z′} may be different for Z ≠ Z′ and that the equations depend on the observed keystream z_t. As the LFSR output X_t can be expressed by L_t(K) for known linear functions L_t : F^n → F^k, the system of equations (5) can be rewritten to

$$\begin{aligned} F_{(z_1,\dots,z_r)}(L_1(K), \dots, L_r(K)) &= 0 \\ F_{(z_2,\dots,z_{r+1})}(L_2(K), \dots, L_{r+1}(K)) &= 0 \\ &\;\;\vdots \end{aligned} \qquad (6)$$

Obviously, the solution of (6) is exactly the unknown value K. Although computing the solution of a system of equations is difficult in general, one can exploit in this case that it is easy to get more equations than unknowns, which reduces the effort significantly. Corresponding algorithms exist but are outside the scope of this paper. What is important is that the lower the degree of the Z-functions, the easier the solving step. Hence, the efficiency of algebraic attacks is closely connected to the existence of low-degree Z-functions.

In [6], it was shown for the case of simple combiners with F = GF(2) that each Z-function with Z ∈ {0, 1} is either an annihilator of f or of f ⊕ 1. Therefore, the existence of low-degree equations is equivalent to the existence of low-degree annihilators. The definition of annihilators is as follows:

Definition 2.3 Let f and g be functions F^n → F. g is said to be an annihilator of f if f · g ≡ 0.

We now sketch why the above statement is true for general (k, ℓ)-combiners over arbitrary fields F. Intuitively, the equations are associated with the information one gets about (X_t, …, X_{t+r−1}) by observing the corresponding keystream (z_t, …, z_{t+r−1}). This is more precisely reflected by the function C_Z, which is defined as follows:

Definition 2.4 For a given (k, ℓ)-combiner, fix a Z ∈ F^r. Then we define the function C_Z on F^{k·r} by

$$C_Z(X_1, \dots, X_r) = 1 \iff \exists M \in F^{\ell} : f_r(M, X_1, \dots, X_r) = Z.$$


Example 2.5 Consider the case of a simple combiner with F = GF(2). Then, it is C_{(0)} = f ⊕ 1 and C_{(1)} = f.

Depending on the (k, ℓ)-combiner and Z, it may hold that C_Z ≡ 1. This means that the output Z can be produced by all possible inputs (X_1, …, X_r). For example, this might be the case for r = 1 and ℓ ≥ 1. On the other hand, it was proven in [1] for the case of F = GF(2) that C_Z ≢ 1 do exist for Z ∈ {0, 1}^{ℓ+1}. The following theorem expresses the connection between annihilators and Z-functions:

Theorem 2.6 Consider a (k, ℓ)-combiner and a fixed Z ∈ F^r. Then, a function F : F^{k·r} → F is a Z-function if and only if F is an annihilator of C_Z.

3 Algebraic attacks on block ciphers

An S-box is a mapping S : F^n → F^m. In [5], the authors proposed an algebraic attack on the block cipher AES. The attack was based on the observation that the AES S-box S : {0, 1}^8 → {0, 1}^8 can be expressed by a system of quadratic equations, i.e., multiple functions g : {0, 1}^16 → {0, 1} of degree 2 exist such that

$$S(X) = Y \;\Rightarrow\; g(X, Y) = 0. \qquad (7)$$

They used this system of quadratic equations to derive an algebraic attack on AES. Although the attack in [5] is still controversially discussed, the existence of low-degree equations for the S-box is a potential threat that should not be ignored. In this section, we focus on this type of attack and show that the existence of low-degree equations is again equivalent to the existence of low-degree annihilators of an appropriate function.

Definition 3.1 Let an S-box S : F^n → F^m be fixed. A function F : F^{n+m} → F is called an S-function if

$$\forall X \in F^n, Y \in F^m : S(X) = Y \;\Rightarrow\; F(X, Y) = 0.$$

Hence, the attack on AES is based on the existence of degree-2 S-functions. Similarly to Theorem 2.6, one can prove the following statement.

Theorem 3.2 Let an S-box S : F^n → F^m be fixed. We define a function C_S on F^{n+m} by

$$C_S(X, Y) = 1 \iff S(X) = Y.$$

Then, a function F : F^{n+m} → F is an S-function if and only if F is an annihilator of C_S.
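Both settings of the text's equivalence in Python, as an added example that is not code from the talk or from references [1] to [7]: the annihilators of degree at most d are found as the null space of a linear system in the ANF coefficients, applied once to C_S of a constructed 3-bit S-box (Definition 3.1, Theorem 3.2) and once to C_(1) = f and C_(0) = f ⊕ 1 of a simple combiner (Example 2.5 and the algebraic immunity of [6]); the S-box and the majority function are constructed toy inputs.

```python
"""Low-degree annihilators over GF(2), in both settings of the text: the
S-functions of an S-box (Theorem 3.2) and the Z-functions of a simple
combiner (Example 2.5), found as the null space of a linear system in the
ANF coefficients. Added example, not code from the talk or from [1]-[7];
the 3-bit S-box and the majority function are constructed toy inputs.
"""
from itertools import combinations

def monomials(nvars, degree):
    """All monomials of degree <= degree in nvars variables (index tuples)."""
    return [c for d in range(degree + 1) for c in combinations(range(nvars), d)]

def eval_monomial(mono, u):
    """Value of a monomial at the point u (a tuple of bits)."""
    return int(all(u[j] for j in mono))

def evaluate_anf(F, u):
    """Value at u of a function given as a list of monomials (its ANF)."""
    return sum(eval_monomial(mono, u) for mono in F) % 2

def points(nvars):
    """All points of {0,1}^nvars; bit j of the integer i becomes u[j]."""
    return [tuple((i >> j) & 1 for j in range(nvars)) for i in range(1 << nvars)]

def nullspace_gf2(rows, ncols):
    """Basis of {x : A x = 0} over GF(2); each row is an int bitmask."""
    pivots = {}  # pivot column -> fully reduced row
    for r in rows:
        for col, prow in pivots.items():
            if (r >> col) & 1:
                r ^= prow
        if r:
            col = (r & -r).bit_length() - 1  # lowest set bit is the new pivot
            for c2 in pivots:
                if (pivots[c2] >> col) & 1:
                    pivots[c2] ^= r
            pivots[col] = r
    basis = []
    for free in range(ncols):
        if free not in pivots:
            vec = 1 << free  # set one free variable, read off the pivots
            for col, prow in pivots.items():
                if (prow >> free) & 1:
                    vec |= 1 << col
            basis.append(vec)
    return basis

def annihilator_basis(C, nvars, degree):
    """Basis of all F with deg F <= degree and F * C == 0, i.e. F(u) = 0 at
    every u with C(u) = 1. C maps each point of {0,1}^nvars to a bit."""
    monos = monomials(nvars, degree)
    rows = [sum(1 << i for i, mono in enumerate(monos) if eval_monomial(mono, u))
            for u, c in C.items() if c]  # one constraint F(u) = 0 per support point
    return [[monos[i] for i in range(len(monos)) if (vec >> i) & 1]
            for vec in nullspace_gf2(rows, len(monos))]

def s_functions(sbox, n, m, degree):
    """Theorem 3.2: S-functions of degree <= degree are the annihilators of
    C_S(X, Y) = [S(X) == Y]; a point is X's bits followed by Y's bits."""
    C = {}
    for u in points(n + m):
        x = sum(u[j] << j for j in range(n))
        y = sum(u[n + j] << j for j in range(m))
        C[u] = int(sbox[x] == y)
    return annihilator_basis(C, n + m, degree)

def is_s_function(F, sbox, n, m):
    """Definition 3.1 checked directly: S(X) = Y implies F(X, Y) = 0."""
    for x in range(1 << n):
        y = sbox[x]
        u = tuple([(x >> j) & 1 for j in range(n)] + [(y >> j) & 1 for j in range(m)])
        if evaluate_anf(F, u):
            return False
    return True

def z_functions_simple(f, nvars, z, degree):
    """Example 2.5 for a simple combiner over GF(2): C_(1) = f and C_(0) = f + 1,
    so the Z-functions for Z = (z) are the annihilators of that function."""
    C = {u: f(u) ^ (z ^ 1) for u in points(nvars)}
    return annihilator_basis(C, nvars, degree)

def algebraic_immunity(f, nvars):
    """Smallest degree of a nonzero annihilator of f or of f + 1 ([6])."""
    for d in range(nvars + 1):
        if z_functions_simple(f, nvars, 0, d) or z_functions_simple(f, nvars, 1, d):
            return d
    return nvars

# Constructed toy inputs: a 3-bit bijective S-box and the majority function.
TOY_SBOX = [0, 1, 3, 6, 7, 4, 5, 2]

def majority(u):
    return int(sum(u) >= 2)
```

For the toy S-box there are 22 monomials of degree at most 2 in the six variables but only 8 constraints, so at least 14 independent degree-2 S-functions exist, mirroring the abundance of quadratic equations that the attack of [5] relies on.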

4 Conclusions

We have shown that the existence of low-degree equations is equivalent to the existence of low-degree annihilators of appropriate functions. Thus, understanding the properties of annihilators more deeply would help to increase the knowledge about algebraic attacks. In particular, it might help to answer the still open question whether efficient methods exist to find or avoid low-degree equations.

References

[1] Frederik Armknecht, Matthias Krause: Algebraic attacks on Combiners with Memory, Proceedings of Crypto 2003, LNCS 2729, pp. 162-176, Springer, 2003.

[2] Frederik Armknecht: On the existence of low-degree equations for algebraic attacks, Cryptology ePrint Archive: Report 2004/185.

[3] Nicolas Courtois: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback, Proceedings of Crypto 2003, LNCS 2729, pp. 177-194, Springer, 2003.

[4] Nicolas Courtois, Willi Meier: Algebraic attacks on Stream Ciphers with Linear Feedback, Proceedings of Eurocrypt 2003, LNCS 2656, pp. 345-359, Springer, 2003. An extended version is available at http://www.cryptosystem.net/stream/

[5] Nicolas Courtois, Josef Pieprzyk: Cryptanalysis of block ciphers with overdefined systems of equations, Proceedings of Asiacrypt 2002, LNCS 2501, pp. 267-287, Springer, 2002.

[6] Willi Meier, Enes Pasalic, Claude Carlet: Algebraic attacks and decomposition of Boolean functions, Proceedings of Eurocrypt 2004, LNCS 3027, pp. 474-491, Springer, 2004.

[7] Sean Murphy, Matthew Robshaw: Comments on the Security of the AES and the XSL Technique, Electronic Letters, 39:26-38, 2003.

Password-based Information Retrieval with Privacy

SeongHan Shin, Kazukuni Kobara and Hideki Imai

Institute of Industrial Science, University of Tokyo, http://imailab-www.iis.u-tokyo.ac.jp/imailab.html

[email protected]

Abstract. In this paper we propose a password-based information retrieval (PIR) protocol that provides not only a higher level of security against exposure of stored secrets (than the existing protocols) but also privacy of information against the servers involved. The assumption of the PIR protocol is that a client remembers his password and stores an additional secret on insecure devices. We also discuss whether this assumption is reasonable or not, and its possible applications.

Keywords. Password, Information Retrieval, Privacy of Information

1 Introduction

Consider a roaming client who accesses a network from different locations in order to retrieve some information that may be personal sensitive data, large files or private keys corresponding to public keys (for digital signature generation or public-key decryption). This kind of roaming protocol can be supported by a credentials server that authenticates the client and then assists in downloading the information for the client. There are several approaches proposed to date.

Previous Works. The simplest roaming protocol is EAP-SIM [HS04], which specifies an EAP-based mechanism [BV98, ABV04] for challenge-response authentication and session key distribution using the GSM Subscriber Identity Module (SIM). The authenticity is based on secret keys stored on the SIM and in an authentication server. EAP-SIM adds a physical security assumption for authentication; however, some security flaws are discussed in [Pat]. Under the same physical assumption, smartcards have promised to solve the private key storage problem for roaming clients, but this approach requires deployment of cards and installation of card readers.

Another roaming protocol is SPX LEAP [TA91], as well as the tunneled EAP types such as TTLS (Tunneled TLS) and PEAP (Protected EAP), where a client transmits a password to a credential server through a secure channel for authentication, and performs subsequent retrieval of the client's private key. This approach prevents off-line password guessing attacks at the sacrifice of using PKI. Ford and Kaliski [FK00] further described protocols that utilize multiple (n) servers, each of which holds a share of password-related data, providing protection of the credential server database. That is, even if an attacker takes full control of up to n−1 servers, the attacker will not be able to verify a single guess for the password without being detected


by the remaining uncompromised server. However, their protocols rely on a prior server-authenticatedchannel such as SSL. Later, Joblon [Jab01] proposed a password-only multi-server roaming protocol withoutprior secure channels.

Bellovin and Merritt [BM92] first introduced secure password-only protocols, where a client remembers only a short password (without any device or additional assumption) and the corresponding server authenticates the client with the password or with verification data that is used to verify the client's knowledge of the password (some related work can be found on the IEEE P1363.2 web page). By combining the roaming model and password-only protocols, Perlman and Kaufman [PK99] showed that simple modifications of the underlying password-only protocols were sufficient for secure roaming access to credentials. In order to integrate the convenience of passwords into the conventional PKI, two different approaches (called virtual soft token and virtual smartcard) have been proposed [PK99, Kwo02, SBG02] under the name of password-enabled PKI. In the virtual soft token PKI [PK99, Kwo02], a private key encrypted with a password is stored on a server, so that a client, after authenticating himself to the server and generating a strong session key, downloads the encrypted private key via the secure channel, decrypts it and uses the private key as in the conventional PKI. In the virtual smartcard PKI [SBG02], a client's private key is split into two parts (a password and a secret), where the latter is stored on a server. To perform a cryptographic operation (signature generation or decryption), the client first authenticates himself to the server using the password, generates a strong session key, and performs the operation via the secure channel. For both approaches, Wang [Wan03] proposed an intrusion-tolerant roaming protocol where the password verification data as well as the password-encrypted private key (or the partial secret) are shared among multiple servers using a threshold secret sharing scheme³.

Motivation. A more realistic threat to cryptographic techniques is the exposure of stored secrets, which may be secret keys, private keys, password verification data and/or password-encrypted keys. When we consider a large number of password verification data and password-related credentials stored on a server, the exposure of either secret (through compromise or collusion of servers) allows an attacker to mount off-line password guessing attacks sufficient to retrieve private keys. Such a threat seems inevitable since, for example, an attacker might gain root privilege on a server by exploiting bugs in server software or misconfigurations of the server. Given this problem, we can see that PKI and the assumption of physical security (such as a perfect TRM) may not be a fundamental solution in the real world. The best way is to minimize the effect caused by the exposure of stored secrets.

The other motivation lies in the fact that colluding servers (inside attackers) in the password-only roaming protocols and password-enabled PKI can recover private keys, by verifying the password-encrypted private keys or checking the correctness of the corresponding public keys, with passwords that are easily deduced by off-line dictionary attacks. Note that, even if the functionality of one server is distributed to multiple servers, it does not help prevent collusion of all the servers. Think of a situation where the colluding servers generate a digital signature with a client's private key (this indeed violates the non-repudiation of digital signatures). Consequently, it is desirable to guarantee privacy of information against servers.

2 A Password-based Information Retrieval Protocol

In this section we propose a password-based information retrieval (for short, PIR) protocol that significantly improves security against exposure of stored secrets and provides privacy of information against servers. The rationale of the PIR protocol is that (i) the client's password and an additional secret are combined for authentication; (ii) the secret and the verification data are updated whenever client and server run the protocol; (iii) the client's information (e.g., private keys) is encrypted with a symmetric key and then stored in the server's database; (iv) in order to resist off-line password guessing attacks, the PIR protocol adopts the core techniques used in password-only protocols.

We give some preliminary notation. Let G be a finite, cyclic group of prime order q and let g be a generator of G (the quadratic residues modulo p where p = aq + 1), where the Diffie-Hellman problem

³ Any threshold or more of the servers can collectively authenticate a client and enable the client to securely download the password-encrypted private key (or to perform a cryptographic operation).


Client C                                              Server Si (i ≥ 1)

[Initialization]
  αi1 ←R Zq*, pi1 ≡ αi1 + pw (mod q)
  C = EK(Info)
                       ---- pi1, C ---->
  stores [1, αi1, K]                                  stores [1, pi1, C]

[j-th Information Retrieval (j ≥ 1)]
  holds [j, αij, K]                                   holds [j, pij, C]
  pij ≡ αij + pw (mod q), W ← G(pij)
  x ←R Zq*, X ≡ g^x, Z ≡ X·W
                       ---- C, j, Z ---->
                                                      W ← G(pij)
                                                      If j is incorrect, then reject.
                                                      Otherwise, X' ≡ Z·W^(-1),
                                                      y ←R Zq*, Y ≡ g^y, KMSi ≡ (X')^y,
                                                      VSi ← H1(s||W||KMSi)
                       <--- Si, Y, VSi ----
  KMC ≡ Y^x
  If VSi ≠ H1(s||W||KMC), then reject.
  Otherwise, VC ← H2(s||W||KMC),
  SKij ← H3(s||W||KMC),
  αi(j+1) ≡ αij + H4(s||W||KMC), and accept.
                       ---- VC ---->
                                                      If VC ≠ H2(s||W||KMSi), then reject.
                                                      Otherwise, SKij ← H3(s||W||KMSi),
                                                      pi(j+1) ≡ pij + H4(s||W||KMSi), and accept.
                       <--- ESKij(C) ----
  stores [j+1, αi(j+1), K]                            stores [j+1, pi(j+1), C]

Figure 1: A password-based information retrieval (for short, PIR) protocol, where s = C||Si||j||Z||Y and the values in brackets represent the stored secrets of client and server, respectively.

is hard. Let EK(·) denote symmetric-key encryption with key K. We also define secure one-way hash functions: G : {0,1}* → Zq*\{1} denotes a full-domain hash (FDH) function, and the other hash functions are denoted Hj : {0,1}* → {0,1}^k for j = 1, 2, 3 and 4. Here G and the Hj are distinct random functions, independent of one another. Let C and Si be the identities of client and server, respectively, each also representing an ID ∈ {0,1}*.

The PIR protocol consists of two phases: initialization and the j-th (j ≥ 1) information retrieval protocol. In the initialization phase, client C registers with the corresponding server the i-th verification data, which combines his password pw with an additional secret αi1 of size q, along with the information encrypted under key K. The initialization is done only once, at the end of which client C remembers his password pw and stores the secret αi1 and the key K on insecure devices. The server Si also stores the verification data pi1 and the ciphertext C in its database, both of which may be exposed. In the j-th information retrieval protocol, the first two flows of the PIR protocol comprise a password-masked Diffie-Hellman key exchange. That is, a weak secret (i.e., the password) that may be vulnerable to off-line attacks is amplified into a strong one (we call it the keying material), which is no longer susceptible to off-line attacks, before client C and server Si authenticate each other with the verification data pij by checking the counterpart's authenticator V, which can be computed from the keying material KM. Both of them finally generate a session key SK from the shared keying material and refresh the secret αij (stored on the client's devices) as well as the verification data pij (stored in the server's database) to new ones without changing the password⁴. The whole protocol appears in Figure 1.
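The following Python program is an added illustration of Figure 1 and is not code from the paper: it runs the initialization phase and then complete j-th retrievals with both parties' messages, the authenticator checks, the counter check, and the per-run refresh of αij and pij. It assumes a toy Schnorr group (p = 2039, q = 1019, g = 4, constructed for the example; a real deployment uses a group of at least 2048 bits), SHA-256 with a domain-separation byte in place of G and H1..H4, and a SHA-256 keystream in place of EK and ESK; these three stand-ins are the example's choices, not the paper's.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: p = 2q + 1 with q prime,
# and g = 4 generates the order-q subgroup of quadratic residues modulo p.
P_MOD, Q_ORD, G_GEN = 2039, 1019, 4

def H(tag, *parts):
    """Domain-separated SHA-256 standing in for the paper's hash functions:
    tag 0 plays G (full-domain hash), tags 1..4 play H1..H4 (assumption)."""
    h = hashlib.sha256(bytes([tag]))
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def fdh_G(pij):
    """G: {0,1}* -> Z_q^* \\ {1}, i.e. an integer in [2, q-1]."""
    return 2 + H(0, pij) % (Q_ORD - 2)

def stream_xor(key, data):
    """Stand-in for E_K / E_SK: XOR with a SHA-256 keystream (assumption; the
    paper leaves the symmetric scheme unspecified). Decryption is the same call."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)

def initialize(pw, info):
    """Initialization phase: returns (client_state, server_state).
    The verification data p_i1 = alpha_i1 + pw is one share of a (2,2) split of pw."""
    alpha = secrets.randbelow(Q_ORD - 1) + 1            # alpha_i1 in Z_q^*
    K = secrets.token_bytes(32)                          # symmetric key, kept on the client
    return ({"j": 1, "alpha": alpha, "K": K},
            {"j": 1, "p": (alpha + pw) % Q_ORD, "C": stream_xor(K, info)})

def client_flow1(cs, pw, cid):
    """Client -> Server: (C, j, Z) with Z = g^x * W and W = G(p_ij)."""
    pij = (cs["alpha"] + pw) % Q_ORD
    W = fdh_G(pij)
    x = secrets.randbelow(Q_ORD - 1) + 1
    Z = pow(G_GEN, x, P_MOD) * W % P_MOD
    cs["x"], cs["W"] = x, W
    return (cid, cs["j"], Z)

def server_flow2(ss, sid, msg):
    """Server -> Client: (S_i, Y, V_Si); returns None (reject) on a wrong counter j."""
    cid, j, Z = msg
    if j != ss["j"]:
        return None
    W = fdh_G(ss["p"])
    X_ = Z * pow(W, -1, P_MOD) % P_MOD                   # unmask: X' = Z * W^-1
    y = secrets.randbelow(Q_ORD - 1) + 1
    Y = pow(G_GEN, y, P_MOD)
    KM = pow(X_, y, P_MOD)                               # KM_Si = X'^y
    s = (cid, sid, j, Z, Y)                              # s = C || S_i || j || Z || Y
    ss["KM"], ss["W"], ss["s"] = KM, W, s
    return (sid, Y, H(1, *s, W, KM))

def client_flow3(cs, cid, msg, Z):
    """Client checks V_Si, then sends V_C and refreshes alpha (None on reject)."""
    sid, Y, V_S = msg
    KM = pow(Y, cs["x"], P_MOD)                          # KM_C = Y^x
    s = (cid, sid, cs["j"], Z, Y)
    if V_S != H(1, *s, cs["W"], KM):
        return None
    cs["SK"] = H(3, *s, cs["W"], KM).to_bytes(32, "big")
    cs["alpha"] = (cs["alpha"] + H(4, *s, cs["W"], KM)) % Q_ORD
    cs["j"] += 1
    return H(2, *s, cs["W"], KM)

def server_flow4(ss, V_C):
    """Server checks V_C, refreshes p_ij and returns E_SK(C) (None on reject)."""
    KM, W, s = ss["KM"], ss["W"], ss["s"]
    if V_C != H(2, *s, W, KM):
        return None
    SK = H(3, *s, W, KM).to_bytes(32, "big")
    ss["p"] = (ss["p"] + H(4, *s, W, KM)) % Q_ORD        # same H4 as the client added to alpha
    ss["j"] += 1
    return stream_xor(SK, ss["C"])

def retrieve(cs, ss, pw, cid=b"client", sid=b"server1"):
    """One full j-th retrieval; returns Info, or None if either side rejects."""
    m1 = client_flow1(cs, pw, cid)
    m2 = server_flow2(ss, sid, m1)
    if m2 is None:
        return None
    V_C = client_flow3(cs, cid, m2, m1[2])
    if V_C is None:
        return None
    ct = server_flow4(ss, V_C)
    if ct is None:
        return None
    return stream_xor(cs["K"], stream_xor(cs["SK"], ct))
```

After each accepted run both sides have added the same H4 value, so the invariant pij ≡ αij + pw (mod q) is preserved while both stored values change; a client presenting a wrong password computes a different W, the server unmasks the wrong X', and the client's check of VSi fails before VC is ever sent.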

3 Discussions

Security Analysis. We informally discuss the security of the PIR protocol against exposure of stored secrets.

1. Security against exposure of the client's secret: If an attacker obtains αij and K, the first thing to do is to try to authenticate himself to server Si in order to retrieve the client's information. However, the attacker can do no better than guess a password during the protocol as long as the computational Diffie-Hellman problem is hard and collisions of the hash functions are unlikely. The same holds when impersonating server Si.

2. Security against exposure of the server's secret (or an inside attacker): If an attacker obtains pij and C, the attacker can freely impersonate server Si. This attack cannot be avoided, as in all password-based authentication protocols. Nevertheless, pij does not reveal any information about the password, simply because it is one share of a (2, 2)-threshold (perfect) secret sharing scheme. In addition, the attacker cannot obtain the client's information as long as the symmetric-key encryption is secure (privacy).

3. Security against exposure of both the client's and the server's secrets: Suppose the PIR protocol runs at a fixed time period (e.g., once a day). In this case, an attacker can obtain both the password and the information only if he collects all of the secrets stored on the client's devices and in the server's database. If the update is done before the attacker has all the secrets, the semantic security of the PIR protocol remains unchanged.

Is an Insecure Device a Strong Assumption? Compared to the password-only roaming protocols and password-enabled PKI, the assumption of stateful storage on the client is, in fact, a strong one. However, as we pointed out in the Motivation, the previous protocols are vulnerable to exposure of secrets on the server side (think of a situation where a client has deposited different information at different servers with only one password; a compromise of one server affects the security of the remaining servers) and do not guarantee privacy of information even if the latter is distributed among multiple servers. Recall that the PIR protocol requires neither PKI nor TRM, while EAP-SIM, smartcards, SPX LEAP and the FK protocol [FK00] do.

Possible Applications. Let us think of wireless networks where a client carries mobile devices (e.g., mobile phones or PDAs) with some memory capacity of their own but without TRM. Compared to [Jab01, Wan03], the PIR protocol is remarkably efficient in terms of the client's computation cost, communication bandwidth and the number of flows. This is due to the fact that the password and the information in the PIR protocol are secure against exposure of the server's stored secrets, so that neither of them needs to be distributed or shared among multiple servers. This approach also makes it possible for a client to store many pieces of encrypted information at different servers with only one password.

4 Conclusion

In this paper we revisited the previous roaming (specifically, private key retrieval) protocols from the point of view of how much each protocol guarantees its security against exposure of stored secrets. Then we proposed a password-based information retrieval (PIR) protocol that provides not only a higher level of security against exposure of stored secrets but also privacy of information against the servers involved. The distinguishing features of the PIR protocol are that (i) authenticity is based on the client's password and an additional secret; (ii) the secret and the verification data are updated whenever client and server run the protocol; and (iii) encrypted information is stored in the server's database. We also discussed the security analysis of the PIR protocol, followed by its possible applications. As a result, carrying mobile devices on the client side seems a very small price for the strengthened security and efficiency of the PIR protocol.

⁴ Notice that frequent change of passwords might incur the risk of the password being exposed, simply because people tend to write it down somewhere or need considerable effort to remember new passwords.

References

[HS04] H. Haverinen and J. Salowey. Extensible Authentication Protocol Method for GSM Subscriber Identity Modules (EAP-SIM). draft-haverinen-pppext-eap-sim-16.txt, December 2004.

[BV98] L. Blunk and J. Vollbrecht. PPP Extensible Authentication Protocol (EAP). IETF RFC 2284, March 1998.

[ABV04] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson and H. Levkowetz. Extensible Authentication Protocol (EAP). IETF RFC 3748, June 2004.

[Pat] S. Patel. Analysis of EAP-SIM Session Key Agreement. Available at http://www.drizzle.com/ aboba/EAP/AnalyisOfEAP.pdf.

[TA91] J. Tardo and K. Alagappan. SPX: Global Authentication Using Public Key Certificates. In Proc. of the 1991 IEEE Computer Society Symposium on Security and Privacy, pages 232-244, 1991.

[FK00] W. Ford and B. S. Kaliski. Server-Assisted Generation of a Strong Secret from a Password. In Proc. of the Fifth International Workshop on Enterprise Security, IEEE, 2000.

[Jab01] D. Jablon. Password Authentication Using Multiple Servers. In Proc. of CT-RSA 2001, LNCS 2020, pages 344-360, 2001.

[BM92] S. M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks. In Proc. of the IEEE Symposium on Security and Privacy, pages 72-84, 1992.

[PK99] R. Perlman and C. Kaufman. Secure Password-Based Protocol for Downloading a Private Key. In Proc. of the 1999 Network and Distributed System Security Symposium, Internet Security, 1999.

[Kwo02] T. Kwon. Virtual Software Tokens - A Practical Way to Secure PKI Roaming. In Proc. of Infrastructure Security (InfraSec), LNCS 2437, pages 288-302. Springer-Verlag, 2002.

[SBG02] R. Sandhu, M. Bellare, and R. Ganesan. Password Enabled PKI: Virtual Smartcards vs. Virtual Soft Tokens. In Proc. of the 1st Annual PKI Research Workshop, pages 89-96, 2002.

[Wan03] X. Wang. Intrusion-Tolerant Password-Enabled PKI. In Proc. of the 2nd Annual PKI Research Workshop, pages 44-53, 2003.


Around ElGamal encryption cryptosystem on a Weierstrass cubic on Fq[ε]

Marie Virat

Laboratoire J.A. Dieudonné, Nice Sophia-Antipolis University, Nice, France

[email protected]

Abstract. This paper introduces a new public key cryptosystem which is a variant of the ElGamal public key cryptosystem on an elliptic curve. This cryptosystem presents no plaintext encoding problems. Moreover, it reaches security levels similar to those of the ElGamal public key cryptosystem on an elliptic curve.

Keywords. ElGamal public key cryptosystem, elliptic curves, semantic security

1 Introduction

This paper is organized as follows. In Section 2, we introduce the ElGamal public key cryptosystem on an abelian finite cyclic group and the problems related to its security. Then in Section 3, we define the group of elements of a Weierstrass cubic on the ring Fq[ε] where ε² = 0 and give a result on its group structure. In Section 4, we relate the difficulty of solving the problems underlying ElGamal encryption over a Weierstrass cubic on Fq[ε] and over an elliptic curve. In Section 5, we introduce our new cryptosystem, a variant of ElGamal encryption which handles the encoding problem. Finally, in Section 6, we study the security of this cryptosystem.

2 ElGamal public key cryptosystem, underlying problems

Consider an abelian finite cyclic group (G, +). The ElGamal public key cryptosystem is defined as follows:

Key generation algorithm K → (Pk, sk)

• 1. Choose an element P generator of G.

• 2. Randomly choose an integer sk between 2 and n− 1.

• 3. Compute Pk = skP.

Encryption algorithm of M in G: EPk(M; r) → (C1, C2)

• 1. Choose randomly an integer r between 2 and n− 1.

• 2. Compute C1 = rP and C2 = rPk + M in G.

Decryption algorithm of (C1, C2): Dsk(C1, C2) → M

• 1. Compute C2 − skC1 = M

Obviously, the security of this cryptosystem depends on the group G. In particular, it is related to the discrete logarithm problem, whose statement follows:

Discrete Logarithm problem over (G, +) of base P: For R in ⟨P⟩, find an integer r such that R = rP.


An adversary who solves this problem can compute the secret key from the public one in the same time. In particular, the groups chosen for the construction of an ElGamal cryptosystem must resist the Discrete Logarithm problem. Some groups do not resist, for example (Fq, +). Some others are prone to specific attacks, like (Fq*, ×) [BW98] or the group of Fq-rational points of a hyperelliptic curve of genus strictly higher than four [Gau00].

Some groups always resist the Discrete Logarithm problem and are not (yet) prone to specific attacks. This is the case for the group of Fq-rational points of an elliptic curve (E(Fq), +). Nevertheless, the elliptic curve chosen must resist the Discrete Logarithm problem; for instance, this is not the case when the number of Fq-rational points of the curve is divisible by the characteristic p of Fq [Sma99, Sea98, AS98].

We list some other problems in the study of the security of the ElGamal public key cryptosystem.

Computational Diffie-Hellman problem over (G, +) of base P: Given R = rP and S = sP in G, compute rsP.

Decisional Diffie-Hellman problem over (G, +) of base P: Given R = rP, S = sP and T in G, determine whether T = rsP.

Of course, an algorithm solving the Discrete Logarithm problem over G of base P necessarily solves the corresponding Computational Diffie-Hellman problem, and in turn the corresponding Decisional Diffie-Hellman problem, in the same time. Moreover, if there exists an isomorphism φ from a group G to a group G′ that is computable in time polynomial in log(|G|), then each of these problems over G of base P is equivalent to the corresponding problem over G′ of base φ(P), in the sense that polynomial transformations from one to the other can be constructed.

In the next section, we define an abelian finite group.

3 Weierstrass cubic on Fq[ε] and group structure

Consider a finite field Fq of characteristic p different from 2 and 3, and the ring Fq[ε] where ε² = 0. The non-invertible elements of this ring are those of the form kε with k in Fq. Moreover, this ring projects canonically onto Fq. We denote this projection by π: for all a0 and a1 in Fq, π(a0 + a1ε) = a0.

Definition 3.1 A Weierstrass equation over Fq[ε] is an equation of the form Y²Z = X³ + aXZ² + bZ³ with a and b in Fq[ε]. The reduction on Fq of such an equation is Y²Z = X³ + π(a)XZ² + π(b)Z³.

Consider a Weierstrass equation over Fq[ε]. It defines a Weierstrass cubic over Fq[ε] if its reduction on Fq defines an elliptic curve. Equivalently, the associated Weierstrass equation is such that 4a³ + 27b² is invertible in Fq[ε]. We then define two types of elements on this cubic:

• the elements at infinity Θk = [kε : 1 : 0] for all k in Fq.

• the elements of the form P = [x0 + x1ε : y0 + y1ε : 1] which satisfy the following system:

$$y_0^2 = x_0^3 + a_0 x_0 + b_0, \qquad (2y_0)\,y_1 = (3x_0^2 + a_0)\,x_1 + a_1 x_0 + b_1 .$$

Thus an element at finite distance is an element [x0 + x1ε : y0 + y1ε : 1] such that [x0 : y0 : 1] is in Eπ(a),π(b)(Fq) and (x1, y1) lies on the line of Fq² with equation (2y0)y1 = (3x0² + a0)x1 + a1x0 + b1.

The set Ea,b(Fq[ε]) of elements of the Weierstrass cubic projects naturally onto the set of Fq-rational points of the underlying elliptic curve as follows:

πEa,b : Ea,b(Fq[ε]) → Eπ(a),π(b)(Fq),   [X : Y : Z] ↦ [π(X) : π(Y) : π(Z)]

The usual chord-and-tangent construction of elliptic curves extends to the set of elements of a Weierstrass cubic on Fq[ε] and gives a group law [Gal02]. Moreover, πEa,b is a group morphism for this law.


4 Equivalent problems

Lemma 4.1 Let Fq be a finite field of characteristic p different from 2 and 3, and a and b in Fq[ε] such that the equation Y²Z = X³ + aXZ² + bZ³ defines a Weierstrass cubic on Fq[ε]. We denote by N the cardinality of the set Eπ(a),π(b)(Fq). If p does not divide N, then there exists a group isomorphism between Ea,b(Fq[ε]) and Fq × Eπ(a),π(b)(Fq) which is computable in time polynomial in log(q).

The Discrete Logarithm problem is easily solved on (Fq, +). From this lemma then comes the following result:

Theorem 4.2 Let Ea,b(Fq[ε]) be a Weierstrass cubic on Fq[ε] and P an element of Ea,b(Fq[ε]); if p does not divide N, then the Discrete Logarithm problems over Ea,b(Fq[ε]) of base P and over Eπ(a),π(b)(Fq) of base π(P) are equivalent.

Similar theorems hold for the Computational and Decisional Diffie-Hellman problems. So it may be interesting to consider the ElGamal public key cryptosystem on a Weierstrass cubic on Fq[ε] whose reduction on Fq resists the Discrete Logarithm problem.

However, for a chosen cubic Ea,b on Fq[ε], the secret key sk must be chosen such that the Discrete Logarithm problem of base π(P) with instance sk·π(P) is difficult over Eπ(a),π(b)(Fq). So, with P chosen in Ea,b(Fq[ε]), the set of secret keys must be restricted to the integers between 1 and order(P) − 1 which are not divisible by the order of π(P).

In spite of this restriction, the isomorphism of Lemma 4.1 allows one to find the remainder of the Euclidean division by q of the searched discrete logarithm between 1 and order(P) − 1. The cardinality of the set of Weierstrass cubic elements Ea,b(Fq[ε]) is q × |Eπ(a),π(b)(Fq)|. So it is useless to choose secret keys between 1 and order(P) − 1: we can just choose secret keys between 1 and order(π(P)) and take the corresponding public key Pk = sk·q·P.

5 Cryptosystem Wε

The ElGamal public key cryptosystem on a Weierstrass cubic on Fq[ε] needs the plaintext to be encoded as an element of Ea,b(Fq[ε]). This type of encoding is not trivial. Let M = [x0 + x1ε : y0 + y1ε : 1]; we would like to encode the plaintext as x0 + x1ε. In this case, x0 must be such that x0³ + ax0 + b is a square in Fq, which is not satisfied by all x0 in Fq. On the other hand, no specific condition is imposed on x1. So we construct a variant of the ElGamal public key cryptosystem for which the plaintext is encoded only by the indeterminate x1, while (x0, y0) is randomly chosen. This encoding gives the following cryptosystem Wε.

Consider a prime number p, two elements a and b of Fp[ε] defining a Weierstrass cubic of prime cardinality N different from p, and an element P generating Ea,b(Fp[ε]). These elements are the initialization parameters of the following algorithms:

Key generation algorithm KWε(p, a, b, N, P) → (Pk, sk):
Input: (p, a, b, N, P): initialization parameters
Output: (Pk, sk) with sk an integer between 2 and N − 1 and Pk in Ea,b(Fp[ε])

• 1. Randomly choose an integer sk between 2 and N− 1.

• 2. Compute Pk = skqP .

Encryption algorithm EWε,Pk(m; r) → (C1, C2):
Input: m in Fp.
Output: C = (C1, C2) in Ea,b(Fp[ε])²

• 1. Randomly choose an integer r between 2 and N− 1.

• 2. Randomly choose a point [x0 : y0 : 1] in Eπ(a),π(b)(Fp).

• 3. Compute M = [x0 + mε : y0 + y1ε : 1] in Ea,b(Fq[ε]).


• 4. Compute C1 = rP and C2 = rPk + M in Ea,b(Fp[ε]).

Decryption algorithm DWε,sk(C1, C2) → m:

Input : C = (C1, C2) in Ea,b(Fp[ε])2

Output : m in Fp.

• 1. Compute C2 − skC1 = M = [x0 + mε : y0 + y1ε : 1].

• 2. Extract m from M .

In the next section, we discuss the security aspects of the cryptosystem Wε.
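As an added, runnable illustration of Sections 3 and 5, and of the ElGamal shape of Section 2 (C1 = rP, C2 = rPk + M), the following Python program is not code from the paper: it implements dual-number arithmetic over Fp, the chord-and-tangent group law on Ea,b(Fp[ε]) including the elements at infinity Θk, and the cryptosystem Wε. All parameters are constructed for the example: p = 11, the reduced curve y² = x³ + x + 6 with N = 13 points (a prime not divisible by 11), arbitrary ε-parts for a and b, and a lift of the reduced point (2, 7) as generator. One assumption to flag: the decryption here subtracts (sk·q)·C1, the scalar that cancels r·Pk when Pk = sk·q·P as in the key generation above, whereas Step 1 of the decryption algorithm writes sk·C1.

```python
import random

# Constructed toy parameters (not from the paper): the reduced curve
# y^2 = x^3 + x + 6 over F_11 has N = 13 points, and 11 does not divide 13.
p = 11
A = (1, 3)           # a = 1 + 3*eps  (eps-part chosen arbitrarily)
B = (6, 5)           # b = 6 + 5*eps
N = 13               # cardinality of the reduced curve E_{pi(a),pi(b)}(F_p)

# Dual numbers a0 + a1*eps over F_p with eps^2 = 0, stored as (a0, a1).
def dadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def dsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def dmul(u, v): return (u[0] * v[0] % p, (u[0] * v[1] + u[1] * v[0]) % p)
def dinv(u):         # a dual number is invertible iff its reduced part is nonzero
    i = pow(u[0], -1, p)
    return (i, -u[1] * i * i % p)

# Elements of E_{a,b}(F_p[eps]): ("aff", x, y) is [x : y : 1] with dual x, y;
# ("inf", k) is the element at infinity Theta_k = [k*eps : 1 : 0]; Theta_0 is the identity.
O = ("inf", 0)

def on_curve(P):
    if P[0] == "inf":
        return True
    x, y = P[1], P[2]
    return dmul(y, y) == dadd(dadd(dmul(dmul(x, x), x), dmul(A, x)), B)

def lift(x0, y0, x1):
    """[x0 + x1*eps : y0 + y1*eps : 1] above the reduced point (x0, y0): y1 is forced
    by the line (2*y0)*y1 = (3*x0^2 + a0)*x1 + a1*x0 + b1 of Section 3."""
    y1 = ((3 * x0 * x0 + A[0]) * x1 + A[1] * x0 + B[1]) * pow(2 * y0, -1, p) % p
    return ("aff", (x0, x1), (y0, y1))

def shift(P, k):
    """P + Theta_k: the chord through Theta_k and P moves the eps-part of P by -k times
    the tangent direction (2*y0, 3*x0^2 + a0); the reduced point is unchanged."""
    x, y = P[1], P[2]
    t = (3 * x[0] * x[0] + A[0]) % p
    return ("aff", (x[0], (x[1] - 2 * y[0] * k) % p), (y[0], (y[1] - k * t) % p))

def chord(P, Q, lam):  # third intersection of the line of slope lam, negated
    x3 = dsub(dsub(dmul(lam, lam), P[1]), Q[1])
    return ("aff", x3, dsub(dmul(lam, dsub(P[1], x3)), P[2]))

def add(P, Q):
    """Group law. N is an odd prime, so no reduced point has y0 = 0 and every
    division below is by an invertible dual number."""
    if P[0] == "inf" and Q[0] == "inf":
        return ("inf", (P[1] + Q[1]) % p)
    if P[0] == "inf":
        return shift(Q, P[1])
    if Q[0] == "inf":
        return shift(P, Q[1])
    x, y, u, v = P[1], P[2], Q[1], Q[2]
    if x[0] != u[0]:                                     # distinct reduced points: chord
        return chord(P, Q, dmul(dsub(v, y), dinv(dsub(u, x))))
    inv2y0 = pow(2 * y[0], -1, p)
    if y[0] == v[0]:                                     # same reduced point: Q = P + Theta_k
        k = (x[1] - u[1]) * inv2y0 % p
        tangent = dmul(dadd(dmul((3, 0), dmul(x, x)), A), dinv(dmul((2, 0), y)))
        return shift(chord(P, P, tangent), k)            # 2P + Theta_k
    k = (u[1] - x[1]) * inv2y0 % p                       # reductions are inverses: Q = -P + Theta_k
    return ("inf", k)

def neg(P):
    return ("inf", -P[1] % p) if P[0] == "inf" else ("aff", P[1], (-P[2][0] % p, -P[2][1] % p))

def mul(n, P):  # double-and-add
    R, Q = O, P
    while n:
        if n & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        n >>= 1
    return R

# Reduced points (x0, y0) with y0 != 0, used to randomize the encoding of a plaintext.
REDUCED = [(x0, y0) for x0 in range(p) for y0 in range(1, p)
           if (y0 * y0 - x0 ** 3 - A[0] * x0 - B[0]) % p == 0]

def find_generator():
    """A lift of the reduced generator (2, 7) outside the order-N subgroup; the group
    is cyclic of order p*N (Lemma 4.1), so such a lift generates E_{a,b}(F_p[eps])."""
    for x1 in range(p):
        cand = lift(2, 7, x1)
        if mul(N, cand) != O:
            return cand

G = find_generator()

# Cryptosystem W_eps (Section 5); here q = p, so Pk = sk*q*P = sk*p*G.
def keygen(rng):
    sk = rng.randrange(2, N)
    return mul(sk * p, G), sk

def encrypt(Pk, m, rng):
    r = rng.randrange(2, N)
    x0, y0 = rng.choice(REDUCED)              # random (x0, y0); m goes into the eps-part of x
    M = lift(x0, y0, m % p)
    return mul(r, G), add(mul(r, Pk), M)

def decrypt(sk, C):
    C1, C2 = C
    M = add(C2, neg(mul(sk * p, C1)))         # scalar sk*q cancels r*Pk (see lead-in)
    return M[1][1]                             # m is x1 of M

def demo(seed=1):
    """Key generation, then encryption and decryption of every m in F_p."""
    rng = random.Random(seed)
    Pk, sk = keygen(rng)
    return [decrypt(sk, encrypt(Pk, m, rng)) for m in range(p)]
```

The three cases inside add are exactly the places where the ring differs from a field: two elements with the same reduced point differ by some Θk, and the value of k is read off the ε-part of x, which is why the plaintext encoded in x1 survives addition of a group element whose reduced part is unrelated.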

6 Security

In the framework of public key cryptosystems, a user has full access to the encryption system. Consider a CPA adversary Z, represented by a probabilistic algorithm which has an encryption subroutine for plaintexts. It remains to define the adversary's goals.

6.1 Onewayness

We want to know whether the encryption function is one-way. Here the goal of the adversary is to find a plaintext from a corresponding ciphertext and the public instances.

Definition 6.1 Consider a CPA adversary Z running in time τ; its success probability in decrypting the cryptosystem Wε with initialization parameters (p, a, b, N, P) without knowing the secret key is:

$$\mathrm{Succ}^{\mathrm{OW\text{-}CPA}}_{W_\varepsilon}(Z|\tau) = \Pr_{m,r}\big[(Pk, sk) \leftarrow K(q, a, b, N, P) : Z|\tau\,(Pk, E_{Pk}(m; r)) = m\big]$$

where the probability is taken over m in Fp, the integer r between 2 and N, the set of keys and the random initial tape of the adversary. This system is (τ, δ) OW-CPA if for all CPA adversaries Z running in time τ, Succ^{OW-CPA}_{Wε}(Z|τ) < δ.

Then we have the following result:

Theorem 6.2 Let Ea,b be a Weierstrass cubic on Fq[ε] such that p does not divide N. If the cryptosystem Wε with initialization parameters (p, a, b, N, P) is not (τ, δ) OW-CPA, then there exists a probabilistic algorithm solving the Computational Diffie-Hellman problem of base p·π(P) on the elliptic curve Eπ(a),π(b) with probability δ/3 and in time τ + O(M(p) log⁵ p), where M(p) is the computation time of a multiplication in Fp.

This result comes from the following properties:

• Inverting the ElGamal encryption cryptosystem is equivalent to the Computational Diffie-Hellman problem [Poi02].

• If, in the initialization parameters, the choice of the Weierstrass cubic is restricted to Weierstrass cubics with coefficients in Fq, then M can be found from the ciphertext C, the corresponding plaintext m and the public instance in polynomial time with probability 1/3.

6.2 Indistinguishability

Consider the following game: we give a public key to the CPA adversary Z. It returns two plaintexts m0 and m1; then we return a ciphertext corresponding to one of these plaintexts. The goal of the game for the adversary is to find which plaintext corresponds to the ciphertext. With a random choice the adversary has probability 1/2 of finding the right one. We measure its advantage by the distance between its probability of finding the right plaintext and 0.5.


Definition 6.3 Consider a CPA adversary Z = (Z1, Z2) running in time τ; its advantage on the cryptosystem Wε with initialization parameters (p, a, b, N, P) is:

$$\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{W_\varepsilon}(Z|\tau) = \Big|\, 2\Pr_{b,r}\big[(sk, Pk) \leftarrow K_{W_\varepsilon}(p, a, b, N, P),\ (m_0, m_1, s) \leftarrow Z_1(Pk),\ c \leftarrow E_{Pk}(m_b; r) : Z_2(c, s) = b\big] - 1 \,\Big|$$

This cryptosystem is (τ, δ) IND-CPA if for all adversaries Z running in time τ, Adv^{IND-CPA}_{Wε}(Z|τ) < δ.

Here s represents the information that Z1 passes to Z2. The following result comes from the security results on the ElGamal encryption cryptosystem [Poi02].

Theorem 6.4 Let Ea,b be a Weierstrass cubic on Fq[ε] such that p does not divide N. If there exists a CPA adversary whose advantage on the cryptosystem Wε is higher than δ, then there exists a probabilistic algorithm solving the Decisional Diffie-Hellman problem of base q·π(P) on the elliptic curve Eπ(a),π(b) with the same probability and in the same time.

References

[AS98] K. Araki and T. Satoh. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Commentarii Math. Univ. St. Pauli, vol. 47, pages 81-92, 1998.

[BW98] J. Buchmann and D. Weber. Discrete logarithms: Recent progress. In Proc. International Conference on Coding Theory, 1998.

[Gal02] S. Galbraith. Elliptic curve Paillier schemes. Journal of Cryptology, vol. 15 (2), pages 129-138, 2002.

[Gau00] P. Gaudry. An algorithm for solving the discrete log problem on hyperelliptic curves. Advances in Cryptology, LNCS 1807, pages 19-34. Springer-Verlag, 2000.

[Sma99] N. Smart. The Discrete Logarithm Problem on Elliptic Curves of Trace One. Journal of Cryptology, vol. 12 (3), pages 193-196, 1999.

[Poi02] D. Pointcheval. Le chiffrement asymétrique et la sécurité prouvée. Thesis, Université Paris VII, 2002.

[Gar79] M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-completeness. W. H. Freeman and Company, 1979.

[Sea98] I. A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comp., vol. 67, pages 353-356, 1998.


Key Extraction from Noisy Data: Physical Uncloneable Functions

Pim Tuyls

Philips Research Laboratories, Prof. Holstlaan 4, 5656 AA Eindhoven, The Netherlands

Abstract. In this talk we discuss a practical implementation of key extraction from noisy data. Currently there are two main constructions, developed independently of each other. One construction is called Fuzzy Extractors and the other is based on Shielding Functions. We present a practical implementation of those algorithms and show how they can be applied to optical PUFs.

1 Introduction

A 'Physical Uncloneable Function' (PUF) is a function that is realized by a physical system, such that the function is easy to evaluate but the physical system is hard to characterize or reproduce. PUFs were introduced by Pappu [3, 5] as cost-effective identification tokens. Additionally, they can be used as a source of key material for authentication purposes. This makes PUFs attractive for Digital Rights Management (DRM) systems.

A PUF is a physical system designed such that it interacts in a complicated way with stimuli (challenges) and leads to unique but unpredictable responses. A PUF challenge and the corresponding response are together called a Challenge-Response Pair (CRP). In its unpredictability, a PUF is similar to a keyed hash function. The physical system, consisting of many "random" components, is equivalent to the key. In order to be hard to characterize, the system should not allow efficient extraction of the relevant properties of its interacting components by measurements.

Physical systems that are produced by an uncontrolled production process, i.e. one that contains some randomness, turn out to be good candidates for PUFs. Because of this randomness, it is hard to produce a physical copy of the PUF. Furthermore, if the physical function is based on many complex interactions, then mathematical modeling is also very hard. These two properties together are referred to as Uncloneability.

1.1 Applications

From a security perspective, the uniqueness of the responses and the uncloneability of the PUF are very useful properties. Because of these properties, PUFs can be used as unique identifiers, as a means of tamper detection and/or as a cost-effective source for key generation (common randomness) between two parties. By embedding a PUF inseparably into a device, the device becomes uniquely identifiable and uncloneable. Here 'inseparable' means that any attempt to remove the PUF will, with very high probability, damage the PUF and destroy the key material it contains. A wide range of devices can be equipped in this way, e.g. smart-cards, credit cards, RFID tags, value papers, chips, security cameras, etc.

A practical authentication scheme works as follows. First of all, one needs a detector for measuring the analog output of a PUF and an algorithm that extracts bit-strings from this output. The detector and the processor executing the algorithm are located on the device with the embedded PUF, or inside a separate reader device. The scheme consists of two phases: enrolment and authentication. In the enrolment phase, the Verifier produces the PUF, embeds it in a device, and stores an initial, small set of Challenge-Response Pairs securely in his database. Then the device is given to a user. The authentication phase starts when the user presents his device to a terminal. The verifier sends a randomly chosen PUF challenge from his database to the user. (We assume all communication to take place over a public channel.) If the verifier receives the correct answer from the device, the device is authenticated. Then this CRP is removed from the database and will never be used again. A secure channel is set up between the verifier and the device, using a session key based on the PUF response. As the channel is a public one, the response cannot be sent directly to the verifier. Instead, the device proves its knowledge of the response in an indirect way, e.g. by encrypting a random nonce using the response as a key. Note that the challenges do not have to be treated as secrets, since the responses are unpredictable. For secure protocols based on PUF keys we refer to [6, 1, 7].

A special class of applications becomes possible if so-called 'control' is introduced. A Controlled PUF (CPUF) is a PUF that is bound to a processor which completely governs the input and output. The chip can prohibit frequent challenging of the PUF and forbid certain classes of challenge. It can scramble incoming challenges, so that an attacker cannot systematically probe the device. Furthermore, it can hide the physical output of the PUF, revealing to the outside world only indirect information derived from the output, e.g. by encrypting or hashing the bit-string that is extracted from the analog output. This control layer substantially strengthens the security, since an attacker cannot probe the PUF at will and cannot interpret the responses. CPUFs allow for new applications such as 'certified execution' [1, 7] and 'certified measurement'. A CPUF can generate a signed digital certificate, stating that a certain kind of processing has occurred inside the CPUF, such as program execution or some measurement, and listing the results of this processing. The certificate can be verified by the original Verifier as well as by third parties. A powerful example is a CPUF bound to a security camera. Footage from such a camera can serve as strong evidence in court, since the certificate allows the judge to verify the identity of the camera and to ascertain that the pictures have not been tampered with.

1.2 Types of PUF / Physical realizations

Several physical systems are known on which PUFs can be based. The main types are optical PUFs [3, 5], coating PUFs [7], silicon PUFs [2, 6] and acoustic PUFs [7]. In this paper we only discuss optical PUFs.

Optical PUFs consist of a transparent material containing randomly distributed scattering particles. They exploit the uniqueness of speckle patterns that result from multiple scattering of laser light in a disordered optical medium. The challenge can be e.g. the angle of incidence, focal distance or wavelength of the laser beam, a mask pattern blocking part of the laser light, or any other change in the wave front. The output is the speckle pattern. As the speckle pattern contains many randomly distributed bright and dark patches, a high-entropy bit-string can be extracted from it using a modest amount of image analysis.

Physical copying of optical PUFs is difficult for two reasons: (i) The light diffusion obscures the locations of the scatterers. At this moment the best physical techniques can probe diffusive materials up to a depth of approximately 10 scattering lengths [9]. (ii) Even if all scatterer locations are known, precise positioning of a large number of scatterers is very hard and expensive, and requires a production process different from the original randomized process.

Modeling, on the other hand, is difficult due to the inherent complexity of multiple coherent scattering [10]. Even the 'forward' problem turns out to be hard. Given the details of all the scatterers, the fastest known computation method of a speckle pattern is the transfer-matrix method [11]. It requires in the order of (A/λ²)³ · d/λ operations (where A is the illuminated area, λ the wavelength and d the PUF thickness).

PUFs as a source of key material: In order to make controlled PUFs possible, techniques for extracting keys from PUFs are needed. As measurements on physical systems are inherently noisy, mechanisms to derive keys from noisy data have to be applied and implemented. We will apply the shielding function technique developed in [12]. We note that this technique is, up to some details, equivalent to the Fuzzy Extractors developed in [4].

1.3 Example algorithm

In order to illustrate the above definitions we present an example based on an error-correcting code E. By a robust component we mean a component in the output of the PUF that has a low probability of changing sign.

• Enrolment Phase: The PUF is subjected to a challenge C. The analog output is converted to a bit-string b. A set I is constructed, consisting of indices pointing at the locations of the robust components in b. A second bit-string X is obtained by concatenating the robust bits. A secret codeword S ∈ E is randomly generated. The difference W = X ⊕ S is computed. The total set of helper data consists of the set I and the string W. The Verifier stores (ID_PUF, C, I, W, S).


• Verification Phase: When the PUF is inserted into the reader, the PUF's identity is sent to the Verifier. The Verifier chooses a random challenge C from his database and sends it to the PUF together with the corresponding helper data I, W. The reader subjects the PUF to the challenge C. The analog response is converted to a bit-string b′. The helper data indices I are used to select bits from b′, yielding a bit-string X′. The second part of the helper data, W, is used to compute S′ = X′ ⊕ W = (X′ ⊕ X) ⊕ S. Finally, E is used to correct any errors present in S′.

Clearly, if the number of errors is not too large then the error correction step will correctly decode S′ into S. Note that the δ-contracting property arises from the error-correcting capacity of E, while the ε-revealing property follows from the fact that the secret S gets masked by the random variable X.
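The enrolment and verification steps above carried through in code, as an added example that is not part of the paper. The analog PUF output is a constructed list of signed values (sign = bit, magnitude = robustness), the code E is a 3-fold repetition code chosen for readability, and the device's indirect proof of knowledge is an HMAC over the Verifier's nonce rather than an encryption of it; the names enroll, reconstruct, prove and verify are the example's own. The same block exercises the one-time use of a CRP from Section 1.1 and the failure case in which more bits flip than E can correct.

```python
"""Helper-data key extraction from a noisy PUF response, plus one-time CRP use.

Added example (not the paper's code). Assumptions: the analog PUF output is a
constructed list of signed floats (sign = bit, magnitude = robustness), the
error-correcting code E is a 3-fold repetition code, and the device proves
knowledge of S with an HMAC over the Verifier's nonce.
"""
import hashlib
import hmac
from typing import Dict, List

REP = 3  # repetition factor of the toy code E: corrects one flip per 3 bits


def extract_bits(analog: List[float]) -> List[int]:
    """The raw bit-string b: the sign of each measured component."""
    return [1 if v > 0.0 else 0 for v in analog]


def robust_indices(analog: List[float], threshold: float) -> List[int]:
    """The index set I: components unlikely to change sign on re-measurement."""
    idx = [i for i, v in enumerate(analog) if abs(v) >= threshold]
    return idx[: (len(idx) // REP) * REP]  # whole code symbols only


def encode(secret: List[int]) -> List[int]:
    return [b for b in secret for _ in range(REP)]


def decode(word: List[int]) -> List[int]:
    """Majority vote per block; silently wrong if 2 of 3 bits in a block flipped."""
    return [1 if 2 * sum(word[i:i + REP]) > REP else 0
            for i in range(0, len(word), REP)]


def enroll(analog: List[float], threshold: float, secret: List[int]) -> Dict:
    """Enrolment: build helper data (I, W); the Verifier keeps (C, I, W, S)."""
    I = robust_indices(analog, threshold)
    assert len(I) == REP * len(secret), "secret length must be len(I) / REP"
    b = extract_bits(analog)
    X = [b[i] for i in I]
    S = encode(secret)
    W = [x ^ s for x, s in zip(X, S)]
    return {"I": I, "W": W, "S": S}


def reconstruct(analog_prime: List[float], I: List[int], W: List[int]) -> List[int]:
    """Verification: S' = X' xor W = (X' xor X) xor S, then E removes the noise."""
    b_prime = extract_bits(analog_prime)
    X_prime = [b_prime[i] for i in I]
    S_prime = [x ^ w for x, w in zip(X_prime, W)]
    return encode(decode(S_prime))  # the corrected codeword S


def session_key(S: List[int], challenge: bytes) -> bytes:
    """Key bound to the response S, which itself never leaves the device."""
    return hashlib.sha256(bytes(S) + challenge).digest()


def prove(analog_prime: List[float], challenge: bytes, helper: Dict, nonce: bytes) -> bytes:
    """Device: answer the challenge indirectly, as a MAC over the Verifier's nonce."""
    S = reconstruct(analog_prime, helper["I"], helper["W"])
    return hmac.new(session_key(S, challenge), nonce, hashlib.sha256).digest()


def verify(db: Dict[bytes, Dict], challenge: bytes, nonce: bytes, proof: bytes) -> bool:
    """Verifier: check the proof and retire the CRP so it is never used again."""
    entry = db.pop(challenge)  # removed even if the proof turns out to be wrong
    expected = hmac.new(session_key(entry["S"], challenge), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


# Constructed measurements: the enrolment output and a noisy re-measurement in
# which one robust component (index 3) and one non-robust one (index 2) flipped.
ENROL_OUTPUT = [0.9, -0.8, 0.1, 0.7, -0.6, 0.95, -0.05, 0.85, 0.75, -0.9, 0.3, -0.7]
NOISY_OUTPUT = [0.9, -0.8, -0.1, -0.2, -0.6, 0.95, -0.05, 0.85, 0.75, -0.9, 0.3, -0.7]
CHALLENGE = b"challenge-0001"


def run_demo() -> bool:
    """One full authentication: enrol, challenge, prove, verify, retire the CRP."""
    helper = enroll(ENROL_OUTPUT, threshold=0.5, secret=[1, 0, 1])
    db = {CHALLENGE: helper}       # the Verifier's CRP database
    nonce = b"fresh-nonce"          # sent along with the challenge
    ok = verify(db, CHALLENGE, nonce, prove(NOISY_OUTPUT, CHALLENGE, helper, nonce))
    return ok and CHALLENGE not in db
```

The helper data I and W are sent in the clear: W reveals nothing about S because X, the robust bits of a fresh PUF, masks it, which is the ε-revealing argument above. A repetition code corrects one flip per block; with two flips in the same block the decoder returns a wrong S without noticing, so a real deployment sizes E against the measured flip rate rather than against the best case.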

References

[1] B. Gassend et al., Controlled Physical Random Functions, Proc. 18th Annual Computer Security Applications Conf., Dec. 2002.

[2] B. Gassend et al., Silicon Physical Random Functions, Proc. 9th ACM Conf. on Computer and Communications Security, Nov. 2002.

[3] R. Pappu, Physical One-Way Functions, PhD thesis, MIT 2001.

[4] Y. Dodis, L. Reyzin, A. Smith, Fuzzy Extractors: How to generate strong secret keys from biometrics and other noisy data, In Advances in Cryptology - Eurocrypt'04, LNCS 3027, 523–540, 2004.

[5] R. Pappu et al., Physical One-Way Functions, Science Vol. 297, Sept 2002, p. 2026.

[6] B.L.P. Gassend, Physical Random Functions, Master's Thesis, MIT 2003.

[7] P. Tuyls, B. Skoric, Secret Key Generation from Classical Physics, Proceedings of the Hardware Technology Drivers for Ambient Intelligence Symposium, Philips Research Book Series, Kluwer, 2005.

[8] P. Tuyls, B. Skoric, S. Stallinga, A.H.M. Akkermans, W. Ophey, Information-Theoretic Security Analysis of Physical Uncloneable Functions, Proc. Financial Cryptography 2005.

[9] M. Magnor, P. Dorn and W. Rudolph, Simulation of confocal microscopy through scattering media with and without time gating, J. Opt. Soc. Am. B, Vol. 19, no. 11 (2001), pp 1695–1700.

[10] J. F. de Boer, Optical Fluctuations on the Transmission and Reflection of Mesoscopic Systems, PhD thesis, 1995, Amsterdam.

[11] H. Furstenberg, Noncommuting Random Matrices, Trans. Am. Math. Soc. 108, 377, 1963.

[12] J.P. Linnartz, P. Tuyls, New Shielding Functions to enhance Privacy and Prevent Misuse of Biometric Templates, Proc. 4th International Conference on Audio and Video based Biometric Person Authentication, LNCS 2688, Guildford UK, June 9-11, 2003.


High speed chaotic carrier encrypting at the physical layer

Laurent Larger, Vladimir Udaltsov, Stephane Poinsot, Pierre–Ambroise Lacourt, Nicolas Gastaud

FEMTO-ST UMR 6174 / Optics Dept, University of Franche-Comté, 16 route de Gray, 25030 Besançon, France

http://www.georgiatech-metz.fr/english/research/
[email protected]

Abstract. We report recent results obtained in chaos-based masking techniques dedicated to optical fiber communications. A large-amplitude analog hyperchaotic (very high-dimensional) optical waveform is generated physically using an ultra-wide-band optoelectronic oscillator, and it is used to mask a small-amplitude optical non-return-to-zero pseudo-random bit sequence. Chaos replication is involved at a nearly identical receiver (symmetric physical key) to unmask the binary message. Bit rates of several Gb/s are demonstrated, with bit error rates as low as 10⁻⁹. A potential attack is presented; it is based on nonlinear time series analysis intended to recover the physical parameters of the hyperchaos generator.

Keywords. chaos communication, chaotic masking, physical layer encoding, spread spectrum communications

1 Introduction

Chaotic waveforms appeared in the early 90s as potential carrier signals in transmission systems, as soon as their possible synchronization between two distant similar chaotic oscillators was theoretically demonstrated [PC90]. Other properties like their natural broad spectrum, or their noise-like behavior, led to the idea of a potentially secure character for a communication channel making use of a chaotic carrier, by analogy with another well known spread spectrum communication technique, CDMA. The first experimental demonstrations of chaos communication [CH93] were however rapidly shown to exhibit a low security level [BL93], mainly due to the low complexity of the chaotic waveform concerned (3-dimensional phase space for Chua's or Lorenz's chaotic attractors). Further investigations in optics opened the way to the use of very high-dimensional chaos for communication applications, especially through the study of the dynamical properties of nonlinear delayed dynamical systems [MC96, VR98, GL98]. In a recent hybrid optoelectronic approach [GP04], we developed an emitter-receiver scheme generating similar high-dimensional chaos in the optical domain, and we used it to mask high-bit-rate optical binary data.

2 Principle of operation

The setup is depicted in Fig. 1. The emitter (left) consists of an optoelectronic feedback loop oscillator, intended to realize nonlinear delay dynamics. Such dynamical systems are well known [Ik79] to evolve in an infinite-dimensional phase space. Under proper conditions (a delay that is large compared to the physical response time of the dynamical process, and a strong nonlinear function), their chaotic regimes are characterized by a finite but very high-dimensional attractor (dimension greater than 100 in experimental situations). Important features of this chaos generator are, first, the strong nonlinear transformation performed by an electro-optically tunable integrated-optics Mach-Zehnder interferometer (mathematically realizing a sin function), and second, an analog delay line in the oscillator feedback loop provided by a length of optical fiber (the delay acts as a shift register of the nonlinear transformation before feeding it back to the Mach-Zehnder modulator). The optoelectronic feedback is performed by a photodiode converting the optical intensity fluctuations into an electrical signal, which is amplified before being applied to the tuning electrodes of the Mach-Zehnder. The continuous-wave laser serves only as a light source, whose output is then modulated in the oscillator loop. The continuous-time fluctuations of the optical intensity behave strongly chaotically when the feedback loop gain is high enough, since the oscillation process then involves a strong nonlinear transformation.


Figure 1: Optoelectronic intensity chaos encoder and decoder

An optical binary message is added inside the oscillation loop with a second laser diode, which is directly modulated by an electrical digital signal. It is inserted with a small amplitude relative to that of the optical chaotic fluctuations available at the Mach-Zehnder output.

At the receiver side, the receiver consists of the same elements used at the emitter to generate the chaos. Those elements, and their operating parameters, form the secret key of the transmission. There exist in practice many different chaos generator architectures which can produce qualitatively equivalent spread-spectrum chaotic signals, so that the precise architecture can be considered as part of the secret key, thus enlarging the key space. The main difference at the receiver side is the open-loop architecture, which ensures unconditionally stable chaos replication. A negative sign is also required to generate the opposite of the chaotic signal; in practice this is achieved by properly adjusting the bias of the receiver Mach-Zehnder in order to produce a π-shifted nonlinear sin function. At the output of the RF power combiner (the "plus" block at the receiver), the locally generated chaos cancels the received chaotic signal masking the information, thus leaving at the adder output the message signal only. Residual decoding noise is always observed, due to unavoidable parameter mismatch at the receiver with respect to the parameter settings used at the emitter.
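A simulation of the masking and open-loop unmasking described in this section, added here as an example; it is not the authors' code or data. The fibre loop is replaced by a discrete delay of a fixed number of samples and the Mach-Zehnder by the intensity transfer β·sin²(·+φ) (the example's assumption; the paper speaks of a sin function). The pair (β, φ) stands in for the symmetric physical key, the message is a unipolar NRZ sequence of amplitude α added inside the loop, and the functions emit, receive and demo are the example's own.

```python
"""Chaos masking with a delayed sin^2 feedback loop and an open-loop receiver.

Added example, not the authors' code or data. Assumptions: nonlinearity
beta*sin^2(x + phi), a delay of `delay` samples, a unipolar NRZ message of
amplitude alpha added inside the loop, and (beta, phi) as the shared key.
"""
import math
import random
from typing import List, Tuple

Key = Tuple[float, float]  # (loop gain beta, Mach-Zehnder bias phi)


def nonlinearity(x: float, key: Key) -> float:
    """Delayed feedback term: intensity after the sin^2 (Mach-Zehnder) transfer."""
    beta, phi = key
    return beta * math.sin(x + phi) ** 2


def emit(bits: List[int], key: Key, alpha: float, delay: int,
         warmup: int = 500, seed: int = 1) -> List[float]:
    """Emitter: s[n] = beta*sin^2(s[n-delay] + phi) + alpha*m[n].

    The first `delay` samples are a constructed initial loop history; `warmup`
    zero-message steps let the oscillator settle before the data is sent.
    """
    rng = random.Random(seed)
    s = [rng.uniform(0.0, key[0]) for _ in range(delay)]
    for m in [0] * warmup + list(bits):
        s.append(nonlinearity(s[-delay], key) + alpha * m)
    return s  # the transmitted (masked) waveform


def receive(s: List[float], key: Key, alpha: float, delay: int, nbits: int) -> List[int]:
    """Open-loop receiver: regenerate the chaos from the received samples, subtract,
    and threshold the residual at alpha/2 to recover the last `nbits` bits."""
    residual = [s[n] - nonlinearity(s[n - delay], key) for n in range(delay, len(s))]
    return [1 if r > alpha / 2 else 0 for r in residual[-nbits:]]


def bit_error_rate(sent: List[int], got: List[int]) -> float:
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


def demo(n: int = 2000, seed: int = 7) -> Tuple[float, float]:
    """BER with the exact key versus a key whose loop gain is 5% off."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n)]
    key, alpha, delay = (4.0, 0.7), 0.1, 17
    s = emit(bits, key, alpha, delay)
    matched = bit_error_rate(bits, receive(s, key, alpha, delay, n))
    mismatched = bit_error_rate(bits, receive(s, (3.8, 0.7), alpha, delay, n))
    return matched, mismatched
```

With the exact key the residual is α·m[n] up to floating-point rounding, so the message comes out clean; with the gain 5% off the residual carries a term 0.2·sin²(·) that pushes a large share of the zero bits over the threshold. That sensitivity is what the key-space estimate in Section 4 counts on, and it is also why the receiver needs the delay value: the parameter-recovery attacks discussed there aim at exactly the quantities this receiver must know.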

3 Coding and decoding results

Figure 2 illustrates with actual experimental signals the coding and decoding performance of the system [LG04]. At Alice's side (left), a 3 Gb/s pseudo-random bit sequence corresponding to a message is superimposed on the chaotic signal (represented by an experimental bifurcation diagram of the chaos generator). The resulting signal is noise-like, so that it is not possible for Eve to define any optimal threshold allowing the recovery of the "0" and "1" digits. At the receiver side, Bob is able to generate exactly the same chaotic waveform used for the masking operation, thanks to his knowledge of the exact parameter settings. He is thus able to cancel the chaotic carrier and to retrieve the digits, with a distinguishable superimposed decoding noise (due to residual parameter mismatch). Under proper weighting (parameter α in Fig. 1) of the message amplitude with respect to the chaos amplitude

4 Discussion, security aspects

When assuming that the architecture depicted in Fig. 1 is known, the key space of the encoding principle is pretty small. Considering each parameter's sensitivity, and each parameter's tuning range allowing for chaotic behavior, the number of bits needed to describe the parameter settings with sufficient accuracy is about 25. There exists however a huge set of possible architectures allowing for the generation of chaotic waveforms with similar statistical properties.

Figure 2: Actual coded and decoded signals at 3 Gb/s

Nonlinear time series analysis is also possible in order to recover some important parameters of the chaos generator, such as the value of the delay. Once again, the architecture of the chaos generator is crucial for the possibility of extracting the parameters with enough accuracy. New architectures that are robust against known time-delay identification techniques are currently being explored, such as delay-modulated oscillators.

Current hot topics in chaos-based communication systems concern discrete-time chaos generators for symbolic-dynamics encoding or for compatibility with the routing functionalities of optical networks, and also high-speed random number generators.

References

[PC90] L.M. Pecora, T.L. Carroll, Phys. Rev. Lett., 64, 821 (1990).

[CH93] K.M. Cuomo, A.V. Oppenheim, Phys. Rev. Lett., 71, 65 (1993).

[BL93] Th. Beth, D.E. Lazic and A. Mathias, Lect. Notes in Comp. Sc., 839, 318 (1993).

[MC96] C. Mirasso, P. Colet, P. Garcia-Fernandez, IEEE Phot. Techn. Lett., 8, 299 (1996).

[VR98] G. D. VanWiggeren and R. Roy, Science 279, 1198 (1998).

[GL98] J.-P. Goedgebuer, L. Larger, H. Porte, Phys. Rev. Lett. 80, 2249 (1998).

[Ik79] K. Ikeda, Optics Commun. 30, 257 (1979).

[GP04] N. Gastaud, S. Poinsot, L. Larger, M. Hanna, J.-M. Merolla, J.-P. Goedgebuer, F. MalassenetElectron. Lett., 40, 898 (2004).

[LG04] L. Larger, J.-P. Goedgebuer, V.S. Udaltsov, C. R. Physique 5, 669 (2004).


An Efficient FPGA Implementation of Whirlpool

Norbert Pramstaller and Christian Rechberger and Vincent Rijmen

IAIK — Graz University of Technology, Austria
www.iaik.TUGraz.at/research/krypto/

{Norbert.Pramstaller,Christian.Rechberger,Vincent.Rijmen}@iaik.tugraz.at

Abstract. In this extended abstract we propose an efficient hardware implementation of the hash function Whirlpool. To the best of our knowledge only one FPGA implementation of Whirlpool has been published so far. We exploit only basic features of Field Programmable Gate Arrays (FPGAs) such that the proposed architecture can be implemented on different FPGA families.

Keywords. Hash function, FPGA, Whirlpool

1 Introduction

The hash function Whirlpool [BR00] is a block-cipher-based hash function operating in the Miyaguchi-Preneel mode [MOV97]. The block cipher W that it uses is strongly based on the structure of the Advanced Encryption Standard AES [NIST01]. W is a 512-bit block cipher and uses a 512-bit key. The input (plaintext) is the i-th message block to be hashed and the key is the intermediate hash value from the previous iteration. For the first message block an initial vector IV is used for deriving the round keys.

The 512-bit internal state is organized as an 8 × 8 array of bytes. All the round transformations are applied to the state and after 10 rounds the state holds the ciphertext. The round keys used in each iteration are derived from the intermediate hash value of the previous iteration. The key schedule uses the same round transformations as the encryption of the input message. The round transformations used are:

• the nonlinear layer γ, where a nonlinear S-Box is applied to each byte of the state independently

• the cyclical permutation π, where the bytes of column j are shifted downwards by j positions

• the linear diffusion layer θ, where the state is multiplied by a constant matrix

• the key addition σ[k], where also round constants cr are introduced

One round ρ[k] of W is performed as follows:

ρ[k] ≡ σ[k] ◦ θ ◦ π ◦ γ,

where the transformations are applied to the state from right to left. The round keys are derived from the initial key K (either IV or the intermediate hash value) by applying the same round transformations γ, π, and θ. The round constants c_r are also introduced by the key schedule. For details see [BR00]. A single input message block is processed as follows. The initial key value K is added to the message block and stored in the state. Then, the round transformation ρ[k] is applied to the state for 10 rounds, with the round key for each round provided by the key schedule. After 10 rounds the state containing the ciphertext, the initial key K_i, and the input message block are added (Miyaguchi-Preneel operation mode), resulting in the initial key K_{i+1} for the next message block, or the final hash value if the input message has been completely processed. Based on this description we will discuss the proposed hardware architecture in the next section.

This article is structured as follows. In Section 2 we present the proposed hardware architecture and discuss the basic design strategy. Performance estimates are given in Section 3. Conclusions and future work are presented in Section 4.


2 An efficient hardware architecture

In this section we describe an FPGA-optimized hardware architecture for the Whirlpool hashing function. The proposed architecture is based on the AES implementation for FPGAs presented in [PW04].

Figure 1 shows a block diagram of the proposed hardware architecture. Basically, it can be divided into three parts: the data unit, the key unit, and the operation unit. For the sake of clarity the AMBA bus interface and the control unit are omitted in Figure 1. The data unit processes the input message blocks as described in Section 1. The key unit provides the round keys for each round using the same transformations as the data unit and includes the round constants. Basically, the cipher W consists of two block ciphers, whereby the key of the key schedule is the sequence of round constants. The third part, the operation unit, implements the Miyaguchi-Preneel operation mode.

Figure 1: Block diagram of the proposed architecture. (Diagram not reproduced; it shows the data unit with DataStateA/DataStateB, the key unit with KeyStateA/KeyStateB fed by the round constants, a γ and a θ transformation in each unit, the ModeRAM and operation unit, and 64-bit buses for the input message and the hash value.)

2.1 Basic building blocks of FPGAs

We briefly introduce a basic feature offered by FPGAs that we will exploit for our implementation. The basic building blocks of Xilinx FPGAs are Configurable Logic Blocks (CLBs). CLBs are arranged in a rectangular matrix and are wired by programmable interconnect. A CLB contains four logic cells (LUTs) that can be programmed to have different functionality: combinational logic (an arbitrary Boolean function of four inputs), logic and a register, or synchronous 16 × 1 bit RAM. Combining two such LUTs makes it possible to implement a 16 × 1 bit dual-port RAM.

2.2 Implementation of the state for the key unit and data unit

Both the key unit and the data unit require an 8 × 8 array of bytes, referred to as the DataState and KeyState for the remainder of this article. In a straightforward approach this would require two 512-bit registers. A more efficient way is to use LUT-based RAMs. One LUT can be configured as a synchronous 16 × 1 bit RAM. Therefore, the implementation of the DataState and KeyState requires 64 LUTs each. Compared to a 512-bit register requiring approximately 512 LUTs, this leads to a remarkable saving in hardware resources. Using LUT-based RAMs has yet another advantage. Since we actually only need 8 rows of the RAM for one state, we can implement a second state for free, i.e. with 64 LUTs we can implement a 16 × 64 bit state. Using a second state has the advantage that the round transformation π can be implemented by addressing the state RAM accordingly. For the implementation we used 8 slices of 16 × 8 bit synchronous dual-port RAM as shown in Figure 2. Using dual-port RAMs increases the area requirements by a factor of 2, but it allows reading from and writing to the RAM concurrently.

Figure 2: The DataState as 8 slices of 16 × 8 bit LUT-based RAM. (Diagram not reproduced; it shows RAM 0 to RAM 7 with a 4-bit address [3..0], entries 0–7 holding DataStateA and entries 8–15 holding DataStateB.)

From now on we will refer to the two states as DataStateA and DataStateB (KeyStateA and KeyStateB, respectively). With these two states one round can be computed as follows. Since the procedure is the same for the data unit and the key unit, which work in parallel, we only use the DataState for the explanation. After the input data has been stored in DataStateA, eight 8-bit values are read according to the π transformation. These 64 bits are then input to the γ transformation and the resulting output is stored in the corresponding row of DataStateB, starting with the first row. This is done for all eight 64-bit values. After DataStateA has been processed, the first row of DataStateB is input to the θ transformation and after round key addition the result is stored back in the first row of DataStateA. After processing all (eight) rows, one round is finished and the second round is performed in the same way. After computing 10 rounds, DataStateA holds the ciphertext. The values of DataStateA and the values of ModeRAM (see Figure 1) are added and stored in KeyStateA. KeyStateA holds the intermediate hash value for the next message block, or the final hash value. Unlike the DataState and the KeyState, the ModeRAM is implemented as a single-port RAM. The reason for this is that the ModeRAM is only used to store the value that is added to the ciphertext after one iteration. Therefore we do not need dual-port functionality, and, as already mentioned, using LUT-based RAM requires fewer resources than a register.
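A software model of the state storage just described, added here as an example (it is not the authors' HDL): eight column RAMs of 16 bytes each, addresses 0–7 holding DataStateA and 8–15 DataStateB, with the cyclical permutation π realised purely on the read side by choosing the address (r − j) mod 8 in column j. The γ and θ transformations and the key addition are left out, so this models the state handling and π only; the class and function names are the example's own.

```python
"""Whirlpool state in eight column RAMs, with pi realised by read addressing.

Added example, not the authors' HDL. Assumptions: ram[j][addr] is one byte of
column j, addresses 0-7 form DataStateA and 8-15 DataStateB, bytes are ints.
Only the state storage and pi are modelled; gamma, theta and sigma are omitted.
"""
from typing import List

State = List[List[int]]  # 8 rows x 8 columns, state[row][col]
BANK_A, BANK_B = 0, 8    # base addresses of the two states in each column RAM


def pi_reference(state: State) -> State:
    """pi as defined in the paper: column j is shifted downwards by j positions."""
    out = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for j in range(8):
            out[(i + j) % 8][j] = state[i][j]
    return out


class ColumnRAMs:
    """Eight 16 x 8 bit RAMs; the two halves of each RAM hold the two states."""

    def __init__(self) -> None:
        self.ram = [[0] * 16 for _ in range(8)]

    def load(self, bank: int, state: State) -> None:
        for i in range(8):
            for j in range(8):
                self.ram[j][bank + i] = state[i][j]

    def read_row(self, bank: int, i: int) -> List[int]:
        return [self.ram[j][bank + i] for j in range(8)]

    def write_row(self, bank: int, i: int, row: List[int]) -> None:
        for j in range(8):
            self.ram[j][bank + i] = row[j]

    def read_pi_row(self, bank: int, r: int) -> List[int]:
        """Row r of pi(state) without moving a byte: column j is read at (r - j) mod 8."""
        return [self.ram[j][bank + ((r - j) % 8)] for j in range(8)]

    def dump(self, bank: int) -> State:
        return [self.read_row(bank, i) for i in range(8)]


def pi_via_addressing(state: State) -> State:
    """One pass of the data unit's first half-round with gamma left out:
    read bank A through the pi addressing, write the rows into bank B."""
    rams = ColumnRAMs()
    rams.load(BANK_A, state)
    for r in range(8):
        rams.write_row(BANK_B, r, rams.read_pi_row(BANK_A, r))
    return rams.dump(BANK_B)


def sample_state() -> State:
    """Constructed input: each byte encodes its original position as 16*row + col."""
    return [[16 * i + j for j in range(8)] for i in range(8)]
```

In the hardware the eight bytes returned by read_pi_row go through γ before they are written to bank B; here they are written unchanged so that the result can be compared byte for byte with the textbook definition of π. The address arithmetic is the whole trick: no multiplexer network or extra cycle is spent on the permutation.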

2.3 Implementation of the round transformations γ and θ

The non-linear layer γ consists of five so-called mini-boxes, where each box is defined on four bits. We implemented the 8-bit S-Box as suggested in [BR00] and used four LUTs for each mini-box. The θ transformation is defined as a multiplication of each row of the state with a constant matrix that produces a new 64-bit row (see [BR00]). For the multiplication of the state elements with the constants modulo an irreducible polynomial, we derived Boolean equations such that we can implement θ as fully combinational logic. For one row, i.e. eight 8-bit values, we implemented a multiplier that performs the constant multiplications and produces an 8-bit output. Processing one 64-bit row requires 8 multipliers.

3 Performance figures and discussion

We implemented Whirlpool on a Xilinx Spartan 3 xc3c460pq208 device. The area requirements for the different modules are listed in Table 1.

As can be seen in Table 1, the hardware implementation of Whirlpool requires 2144 CLB-slices. This is roughly 59 % of the available resources of the FPGA device used. It is important to note that our implementation does not use block RAMs (the on-chip memory of FPGA devices). If block RAMs are used, the required number of CLB-slices decreases remarkably.

Table 1: Hardware resources for the proposed Whirlpool implementation

module            CLB-slices       %
data unit                824    38.4
key unit                 822    38.3
operation unit           192     9.0
control unit             102     4.8
AMBA interface           204     9.5
total                   2144   100.0

We achieve a throughput of 380 Mbps at a clock frequency of 125 MHz without using device-specific optimizations. To the best of our knowledge, only one Whirlpool implementation for FPGAs has been published, by Kitsos and Koufopavlou [KK04]. That implementation and the proposed hardware architecture follow different design strategies. Their architectures all use a fully parallel 512-bit approach, i.e. one round is computed per cycle. They achieve higher throughput rates at the cost of increased hardware requirements. The highest throughput reported is 4480 Mbps, requiring 5585 CLB-slices.

4 Conclusion and future work

We have presented a hardware implementation of the Whirlpool hashing function. The implementation exploits only basic FPGA features such that it can be implemented on different FPGA devices. For the proposed architecture we achieve a throughput of 380 Mbps at a clock frequency of 125 MHz. The complete implementation requires 2144 CLB-slices and no block RAMs.

Currently we are working on a more efficient implementation. Mainly, we try to optimize the transformations θ and γ. Also, the hardware resources required for the proposed architecture can still be reduced by reusing the transformations θ and γ of the data unit for the key unit. This is possible because while the data unit computes γ, the transformation θ can be used by the key unit, and vice versa. The performance figures can be improved by considering these optimizations and changes in the architecture.

Acknowledgements

The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.

Disclaimer

The information in this document reflects only the authors' views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

References

[MOV97] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. Available online at http://www.cacr.math.uwaterloo.ca/hac/.

[NIST01] National Institute of Standards and Technology (NIST). FIPS-197: Advanced Encryption Standard, November 2001. Available online at http://www.itl.nist.gov/fipspubs/.

[PW04] Norbert Pramstaller and Johannes Wolkerstorfer. A Universal and Efficient AES Co-processor for Field Programmable Logic Arrays. In Field Programmable Logic and Application, 14th International Conference, FPL 2004, Leuven, Belgium, August 30–September 1, 2004, Proceedings, volume 3203 of Lecture Notes in Computer Science, pages 565–574. Springer, 2004.

[BR00] Paulo S.L.M. Barreto and Vincent Rijmen. The Whirlpool Hashing Function, 2000, revised in May 2003. http://paginas.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html

[KK04] P. Kitsos and O. Koufopavlou. Efficient Architecture and Hardware Implementation of the Whirlpool Hash Function. IEEE Transactions on Consumer Electronics, 50:208–213, 2004.


A scanning tool for PC root public key stores

Adil Alsaid and Chris J. Mitchell

Information Security Group, Royal Holloway, University of London

Egham, Surrey TW20 0EX, UK
[email protected], [email protected]

Abstract. As has recently been demonstrated, a malicious third party could insert a self-issued CA public key into the list of trusted root CA public keys stored on an end user PC. As a consequence, the malicious third party could potentially do severe damage to the end user computing environment. In this paper, we discuss the problem of fake root public keys and suggest a solution that can be used to detect and remove them. We further describe a prototype implementation of this solution.

Keywords. PKI, Root Public Keys, Web browsers, Digital Signature, Certificates, CA

1 Introduction

Many internet applications, e.g. online banking and e-commerce, rely on Public Key Infrastructure (PKI) [FB01] functionality to support the security services necessary to ensure the authenticity, integrity, and confidentiality of the communications. The correct functioning of a PKI relies on trusted third parties known as Certification Authorities (CAs) operating correctly. Moreover, users of a PKI must have trusted copies of the public keys of one or more of these CAs in order to be able to verify the public key certificates that the CAs produce. Such CA public keys are usually referred to as root public keys.

The main task of a CA is to issue, i.e. digitally sign, digital certificates. A typical certificate issuing process involves verifying the identity of the entity requesting the digital certificates. When the entity’s identity is verified, the CA uses its own private key to digitally sign the public key certificate.

One of the most widely used applications of PKI is web server SSL/TLS. The detailed operation of the SSL/TLS protocol is outside the scope of this paper. However, the part of the protocol that is of interest to the discussion here is the web server response to the ClientHello protocol message. When a user requests a secure web page, the web browser sends a ClientHello message to the web server. The web server replies by sending a copy of its certificate, in addition to other protocol data. The browser checks the certificate against the list of trusted root CA public keys installed on the user’s PC. If the received certificate was signed by any of the trusted root CAs whose public keys are installed on the user’s PC, the browser uses the appropriate public key to verify the server certificate. If the necessary CA public key is not present, or if the verification fails, the browser may give the user a warning message or abort the communications.

A malicious third party could insert a fake root public key into the list of trusted root public keys, as demonstrated in [AM05]. Detecting and addressing this security threat is an important issue that does not appear to have been previously addressed. In this paper, a tool to detect the insertion of fake root CA public keys is discussed, and the implementation of a prototype tool is described. The rest of the paper is organised as follows. Section 2 outlines ways in which a root key insertion attack might be conducted. Section 3 discusses possible means to deal with unauthorised insertion of root public keys. Section 4 describes a tool to detect and remove suspicious root CA public keys. A prototype implementation of the tool discussed in Section 4 is described in Section 5.

2 Root Key Insertion Attacks

A malicious third party could insert a self-issued public key into the list of trusted root public keys on the end user’s PC, as demonstrated in [AM05]. As a consequence, the malicious third party could potentially do severe damage to the end user computing environment. For example, the malicious third party could sign applets, macros, and emails and claim that they originate from a reputable software company or web site. A possible scenario for such an attack is discussed in the following paragraph.

One possible means by which a fake root public key insertion attack could be exploited is through web spoofing [FBDW97]. In such an attack, the malicious third party installs the fake root public key into the victim PC, e.g. using the technique described in [AM05], and then convinces the victim to visit a spoofed secure web site. When the victim navigates to the spoofed secure web site, the victim’s browser will receive an applet apparently signed by a legitimate party. Depending on the security settings, the browser will either run this applet without notifying the user, or will ask the user’s permission to execute it whilst providing (false) assurance to the user regarding the provenance of the applet. Detecting such an attack would be difficult for an average user. One possible way to detect the attack is to examine the URL of the visited web site. However, a determined malicious third party could fake the browser’s URL bar so that it displays the URL of the genuine web site, as discussed in [YYS02]. The web spoofing attack scenario shows how dangerous fake root insertion can be. Other attack scenarios exist.

The following paragraphs outline possible means by which a fake root key insertion attack could be launched, as described in [AM05].

First, a malicious third party creates a self-issued root public key using freely available tools, such as Microsoft’s makecert.exe. Second, the self-issued root public key needs to be inserted into the user’s root public key repository store. Three possible approaches to a root key insertion attack are listed below (see [AM05]).

1. Inserting the root public key under user control.

2. Writing directly to the root certificate store.

3. Installing the root public key without user intervention.

The focus of this paper is on measures to address attacks after they have occurred, rather than on preventative measures. Such preventative measures are a topic for future study.

3 Addressing Root Key Insertion Attacks

It would be very difficult for the vast majority of users to detect the insertion of a false root key without the aid of supporting tools or utilities. However, general strategies can be devised to facilitate the detection of such an attack. The possible strategies are discussed in the following paragraphs.

One possible strategy to detect and possibly eliminate inserted root keys is by using a root public key scanning tool. The scanning tool searches the user’s root public key store for fake root public keys. When a fake root public key is found, the scanning tool provides the possibility to delete, view, or backup the fake root public key. This strategy is discussed in more detail in Section 4.

Another possible strategy is the use of integrity check tools. Here, an integrity check tool is used to compute an integrity check value (ICV), e.g. a cryptographic hash code (see, for example, [MOV97, Chapter 9]) on the root public key store. The ICV can be recomputed at any time and compared with the previously computed value. If the two values do not match, the tool could alert the user of the fact that changes have been made to the root public key store. However, it would not be possible for the tool to distinguish between a malicious or an innocent insertion of a root public key. Moreover, such a check will not reveal exactly which root public key is causing the check values to be different.

A third possible strategy is to use backup tools. Here a backup tool is implemented to keep a separate copy of the root public key store. On demand, the backup tool compares the current root public key store with the backup copy and reports any differences. Such a tool could detect newly inserted root public keys and, if required, delete them. It would also be possible for such a tool to restore the root public key store to a previous state.


4 The Scanning Tool

The main objective of a root public key scanning tool is to detect and remove fake root public keys. The scanning tool requires the following two functionalities in order to achieve its objectives.

1. The tool should have access to the root public key store, which holds the root public keys currently installed on the user’s PC. The appropriate access right is required to allow the tool to remove fake root public keys.

2. The tool should have some means of distinguishing between ‘genuine’ and ‘fake’ root public keys.

A possible technique for distinguishing between ‘genuine’ and ‘fake’ root public keys is to maintain a list of genuine root public keys. The tool compares the genuine root public keys list to the list found on the user’s PC to detect any mismatch. Once a mismatch is found, the scanning tool has detected a ‘suspicious’ root public key. This technique is the basis of the prototype discussed in Section 5. The scanning tool cannot guarantee that a detected root public key is truly fake, because users may add their own root public keys. The scanning tool would need a separate list of fake root public keys in order to be able to mark any key as certainly ‘fake’. The list of genuine root public keys could be obtained in various ways. One possible approach would be to bundle with the tool the list of root public keys supplied by the manufacturer of the browser. This list can be updated to include newly added root public keys.

Another technique for distinguishing between ‘genuine’ and ‘fake’ root public keys is to maintain an online repository of fake root public keys. The repository is continuously updated with newly discovered fake root public keys. The scanning tool consults the online repository to check the status of a given root public key, to discover whether it is a known fake. The technique mentioned in the previous paragraph can be combined with this technique to achieve better scanning results.

5 A Prototype Implementation

In this section, a prototype implementation of the root public key scanning tool is discussed and analysed. The tool was implemented on the Microsoft Windows XP operating system and the main user interface for the scanning tool is shown in Figure 1. When executed, the tool performs the following steps.

1. Loads a list of ‘genuine’ root CA public keys from the tool’s database.

2. Loads the list of root CA public keys currently installed on the user’s PC.

3. Compares the installed list to the ‘genuine’ list. When an entry that is not present in the ‘genuine’ root CA public keys list is found, the tool marks it.

Figure 1: The Scanning Tool main interface


The prototype is implemented using Microsoft Visual Basic .NET and the Microsoft Windows Cryptographic Application Programming Interface (CryptoAPI). CryptoAPI contains procedures needed to interact with the root public key repository store. The main procedures making up the tool are ‘LoadGenuineCAs’ and ‘LoadAndCheckInstalledCAs’. The following paragraphs discuss these two procedures.

The main task of the LoadGenuineCAs procedure is to load the genuine root CA public keys list from a file. The file is created when the tool is installed and it contains a list of thumbprints of the genuine root CA public keys. The list of genuine root CA public keys was generated at the time of tool development by importing the current default root CA public keys on a Microsoft Windows platform. Regular updates of the file are required in order to add new genuine CA public keys.

Once the list of genuine root CA public keys is loaded, the LoadAndCheckInstalledCAs procedure is executed and performs the following steps.

1. Open the root public keys store using the ‘Open’ method of the ‘Store’ CryptoAPI object, as shown in Figure 2. The ‘CertificatesStore’ is an instance of the ‘Store’ object, which is used to obtain the list of installed root public keys on the user PC. Three flags need to be passed to the ‘Open’ method. The first flag indicates the location of the certificate store. The name of the certificate store is given in the second flag and the third flag indicates the open mode.

Private Sub LoadAndCheckInstalledCAs()
    Dim CertificatesStore As New CAPICOM.Store
    ' ...
    ' Open the current user's ROOT store for reading and writing, so that a
    ' suspicious certificate can later be removed from the same store object
    CertificatesStore.Open(CAPICOM.CAPICOM_STORE_LOCATION.CAPICOM_CURRENT_USER_STORE, _
                           CAPICOM.Constants.CAPICOM_ROOT_STORE, _
                           CAPICOM.CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_WRITE)
    ' ...
    ' Walk every certificate in the store and compare its thumbprint with the
    ' list of genuine thumbprints (ValidCAs) loaded by LoadGenuineCAs
    Dim CertIndex As System.Collections.IEnumerator
    Dim Cert As CAPICOM.Certificate
    CertIndex = CertificatesStore.Certificates.GetEnumerator()
    While CertIndex.MoveNext()
        Cert = CType(CertIndex.Current, CAPICOM.Certificate)
        If Not (ValidCAs.Contains(Cert.Thumbprint)) Then
            ' the certificate thumbprint was not found in the
            ' ValidCAs list, mark the certificate as suspicious
        End If
    End While
    ' ...
End Sub

Figure 2: Source code of the Root CA scanning tool

2. Once the previous step is completed, the tool enumerates all installed root CA public keys and searches for any root certificate that is not included in the genuine root CA public keys list, as shown in Figure 2. If the tool finds a root certificate that is not listed in the genuine list, the root certificate is marked as ‘suspicious’. The tool uses thumbprints to compare root certificates.

3. The results of the previous steps are displayed to the user with the suspicious certificates marked. The tool offers the user the possibility to remove a suspicious certificate or display the contents of a certificate.
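The three strategies of Section 3 and the thumbprint comparison the prototype performs, as an added example in Python; this is not the paper's tool or its VB.NET code. It assumes constructed byte strings standing in for DER-encoded certificates and a constructed 'genuine' file; `ssl.enum_certificates` is the real CPython call for reading the ROOT store, available on Windows only.

```python
"""Added example (not the paper's tool): the root-store strategies of
Sections 3 and 4, run on constructed sample certificates."""
import hashlib
import ssl
from typing import Dict, Iterable, List, Set, Tuple

HEX_DIGITS = set("0123456789ABCDEF")


def thumbprint(der: bytes) -> str:
    """A Windows certificate 'thumbprint' is the SHA-1 of the DER encoding."""
    return hashlib.sha1(der).hexdigest().upper()


def load_genuine_list(text: str) -> Set[str]:
    """Parse the tool's 'genuine' file: one thumbprint per line.
    Colons, spaces, lower case and '#' comments are tolerated; anything that
    is not 40 hex digits is rejected rather than silently dropped, because a
    damaged allowlist would make every installed root look suspicious."""
    genuine: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tp = line.replace(":", "").replace(" ", "").upper()
        if len(tp) != 40 or not set(tp) <= HEX_DIGITS:
            raise ValueError(f"malformed thumbprint: {raw!r}")
        genuine.add(tp)
    return genuine


def scan_store(installed: Iterable[bytes], genuine: Set[str]) -> Dict[str, str]:
    """Strategy 1 / the prototype: every installed root whose thumbprint is
    absent from the genuine list is marked 'suspicious'. As the paper notes,
    a root the user added deliberately is marked exactly the same way."""
    verdicts: Dict[str, str] = {}
    for der in installed:
        tp = thumbprint(der)
        verdicts[tp] = "genuine" if tp in genuine else "suspicious"
    return verdicts


def store_icv(installed: Iterable[bytes]) -> str:
    """Strategy 2: one integrity check value over the whole store. Sorting
    makes it independent of enumeration order. It shows THAT the store
    changed, not WHICH key changed."""
    joined = "\n".join(sorted(thumbprint(d) for d in installed))
    return hashlib.sha256(joined.encode("ascii")).hexdigest()


def diff_against_backup(installed: Iterable[bytes],
                        backup: Iterable[bytes]) -> Tuple[Set[str], Set[str]]:
    """Strategy 3: compare the live store with a backup copy.
    Returns (thumbprints added since the backup, thumbprints removed)."""
    now = {thumbprint(d) for d in installed}
    old = {thumbprint(d) for d in backup}
    return now - old, old - now


def installed_from_windows_root_store() -> List[bytes]:
    """Read the real ROOT store on Windows. ssl.enum_certificates exists only
    in CPython on Windows; elsewhere this raises instead of guessing."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is available on Windows only")
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT")
            if enc == "x509_asn"]


# Constructed stand-ins for DER-encoded certificates (not real certificates).
VENDOR_ROOT_A = b"constructed-DER: vendor root A"
VENDOR_ROOT_B = b"constructed-DER: vendor root B"
INSERTED_ROOT = b"constructed-DER: self-issued root inserted by a third party"

# Constructed 'genuine' file; the second entry is written the way certificate
# viewers display thumbprints (colon-separated, lower case).
GENUINE_FILE = (
    "# thumbprints of roots shipped with the browser\n"
    f"{thumbprint(VENDOR_ROOT_A)}\n"
    f"{':'.join(thumbprint(VENDOR_ROOT_B)[i:i + 2] for i in range(0, 40, 2)).lower()}\n"
)

BACKUP_STORE = [VENDOR_ROOT_A, VENDOR_ROOT_B]                 # store at install time
CURRENT_STORE = [VENDOR_ROOT_A, INSERTED_ROOT, VENDOR_ROOT_B]  # after the insertion


def demo() -> Dict[str, object]:
    """Run all three strategies over the constructed stores."""
    genuine = load_genuine_list(GENUINE_FILE)
    verdicts = scan_store(CURRENT_STORE, genuine)
    added, removed = diff_against_backup(CURRENT_STORE, BACKUP_STORE)
    return {
        "suspicious": sorted(tp for tp, v in verdicts.items() if v == "suspicious"),
        "icv_changed": store_icv(CURRENT_STORE) != store_icv(BACKUP_STORE),
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a Windows machine, replacing CURRENT_STORE with installed_from_windows_root_store() runs the same checks over the live ROOT store.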

6 Conclusions and Future Work

As discussed and illustrated in this paper, the fake root certificates attack is potentially a serious threat. The single point of trust, i.e. the list of root CA public keys, creates the problem. By default, web browsers trust the list of installed root CA public keys on the user machine without distinguishing between original root CA public keys, i.e. those shipped with the browser, and added root CA public keys. Distinguishing between the two would be useful when the browser is engaged in a secure transaction. When the browser receives a certificate signed by an added root CA, it could alert the user and wait for confirmation before continuing the transaction.


One limitation of the discussed tool is that, although it can detect fake root public keys, it cannot distinguish between those deliberately added and ‘true’ fakes. A database of fake root certificates could be used to help support this functionality. The fake root certificates database could be created by using previously discovered or reported fake root certificates. When a ‘suspicious’ root certificate is found, the tool would consult the fake root certificates database to search for the ‘suspicious’ certificate. If it is found in the database, then the tool could guarantee that the root certificate is truly fake.

More research is also needed on possible means of protecting end users against such an attack. It may be the case that trusted computing technology [BCP+03] is useful in this context.

References

[AM05] Adil Alsaid and Chris J. Mitchell. Installing Fake Root Keys on a PC. In David Chadwick, editor, Proceedings of the Second European PKI Workshop, Lecture Notes in Computer Science. Springer-Verlag, Berlin, July 2005.

[BCP+03] Boris Balacheff, Liqun Chen, Siani Pearson, David Plaquin, and Graeme Proudler. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Upper Saddle River, New Jersey, 2003.

[FB01] Warwick Ford and Michael S. Baum. Secure Electronic Commerce: Building the Infrastructure for Digital Signatures & Encryption. Prentice Hall PTR, Upper Saddle River, New Jersey, 2001.

[FBDW97] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach. Web Spoofing: An Internet Con Game. In Proceedings of the 20th National Information Systems Security Conference, pages 95–103, October 1997.

[MOV97] A. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida, 1997.

[YYS02] E. Ye, Y. Yuan, and S. Smith. Web Spoofing Revisited: SSL and Beyond. Technical Report TR2002-417, Dartmouth College, Computer Science, Hanover, NH, February 2002.


Privacy aspects of wireless protocols

Anish Mohammed and Chris J. Mitchell

Royal Holloway, www.isg.rhul.ac.uk

[email protected], [email protected]

Abstract. This paper reviews privacy aspects of wireless protocols. Due to the nature of the medium, all wireless communications are prone to eavesdropping. This raises concerns about eavesdroppers learning the identity of wireless devices. The privacy characteristics of the Bluetooth, GSM, 802.11 and 3G protocols are reviewed. All the wireless protocols reviewed, except for GSM and 3G, do not seem to provide the users with acceptable levels of privacy. Moreover, user privacy does not seem to have been among the design criteria for these wireless protocols.

Keywords. Privacy, Wireless, 802.11, GSM, 3GPP, UMTS, Bluetooth

1 Introduction

Changes in information and communication technology in recent years have made collection, storage and retrieval of vast amounts of information a viable possibility. When this is applied to personal information, it could result in a breach of privacy. For the purposes of this paper, privacy [11] is the right of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. Thus a system that respects a user’s privacy will allow the user to select what information about that user is revealed, and to whom. The proliferation of wireless networks which allow users to access network resources while on the move has raised a number of privacy-related issues. In particular, we are concerned here with the ease with which a passive or active eavesdropper can learn the identity of a particular mobile device, and thereby potentially monitor the location (and activities) of an individual.

To perform this analysis we review a range of different wireless technologies, and consider the potential privacy problems arising in each of these technologies. The wireless network protocols discussed here include Bluetooth, 802.11, GSM and 3G. We also briefly consider ways in which the identified privacy threats might be addressed.

2 Bluetooth

A Bluetooth network is called a piconet. A piconet is defined as a set of at most seven active devices operating under the control of a single device called the master device, the other devices being known as slave devices. All Bluetooth devices have a unique 48-bit device identifier, called the Bluetooth device address. Bluetooth devices are always in one of two modes: discoverable mode and non-discoverable mode. A device in discoverable mode responds to all discovery inquiries, whereas those in non-discoverable mode only respond to inquiries from known devices. For initiating connections the initiating device needs to know the device addresses of nearby Bluetooth units.

The Bluetooth security architecture [4] includes provisions for authentication and encryption. Bluetooth has three security modes, the lowest having no security mechanisms, and the highest enforcing authentication, authorisation, and encryption at the link level. Authentication uses the SAFER block cipher [4], and encryption of data between devices is achieved using E0, a stream cipher.

Possible location privacy attacks on Bluetooth are described in [4, 5]. Each device can be identified uniquely, since every device has a unique device identifier. When a device interacts with, or moves into the range of, a Bluetooth network, that identifier can be read when it is sent across the wireless interface.

Privacy attacks can be active or passive. Possible active attacks include the inquiry attack and the paging attack, and passive attacks include traffic monitoring attacks.


• Inquiry attack [4]. The attacker distributes one or more Bluetooth devices throughout the region in which he desires to monitor Bluetooth users. This attack requires that the potential victim of such an attack has left his or her device in discoverable mode. The attacking device(s) interrogate all devices in the area using frequent inquiry messages, and could, for example, maintain a log of all the device addresses that are discovered.

• Paging attack [4]. This attack allows the attacker to determine if a given device with a known Bluetooth device address or device access code is present within range. To mount a successful attack the victim’s device should be in connectable mode. The attacking device pages the victim’s device and waits for the Identifier packet to be returned, and then stops responding. The Identifier packet reveals the presence of a given device.

• Passive traffic monitoring attack [4]. Here the attacker passively monitors the communications between two mutually trusted devices. These devices will communicate using a specific channel access code. This is computed from the device address of the master device in the Bluetooth piconet. Hence the attacker can determine if the master device is in the area by monitoring all local network traffic.

The frequency hopping scheme used in Bluetooth provides minimal protection against eavesdropping. The scheme does not use a secret to generate the sequence of visited channels; it is solely determined by the master device’s address and native clock.

Location information [5] about the device and hence the user could also be revealed by locating Bluetooth detecting devices at different locations and correlating the location information.

3 IEEE 802.11

The IEEE 802.11 standard defines authentication and encryption services based on the Wired Equivalent Privacy (WEP) algorithm. A mobile device trying to connect to a wireless network has to provide the appropriate Service Set Identifier (SSID) before it is permitted to join. The SSID is a unique string that identifies the network, and is the same for all users on the network. The SSID is sent unencrypted.

An 802.11 device has two modes of operation. The first, called Open System Authentication, is a null authentication scheme, where all mobiles requesting access are accepted into the network. The second mode of operation, called Shared Key Authentication, uses shared key cryptography to authenticate the mobile. Analyses of the security of 802.11 can be found in [3].

The following privacy vulnerabilities exist in IEEE 802.11 networks.

• IEEE 802.11 networks can reveal SSIDs to a passive attacker (eavesdropper). This could possibly lead to the compromise of privacy relevant information, such as organisational affiliation.

• The confidentiality provided by WEP to the user is weak as attacks are known on WEP [3].

• The uniqueness of the device MAC layer addresses could allow possible identification of the user.

• There are no active mechanisms to protect user identity, such as those found in GSM.

• The encryption of 802.11 is not turned on by default. This could result in loss of user confidentiality.

4 GSM

A GSM network has three main components: the Mobile Station, Base Station and the Network Subsystem. The International Mobile Subscriber Identity (IMSI) is a permanent and unique identifier given to the user when a user first registers with a service provider. The Subscriber Identity Module (SIM) is a smart card issued to the user by the service provider, and the SIM securely stores the IMSI and the unique key (Ki) [9]. The authentication centre (AuC) securely stores the unique key (Ki) of each user and generates the challenges that are used to authenticate the users to the network. A detailed analysis of GSM security can be found in [9]. The main objective of the security features built into the GSM system is to provide a level of security comparable to the public switched telephone network and to prevent phone cloning [10].

One of the design objectives for GSM is subscriber identity confidentiality [9]. The use of temporary identifiers provides a degree of anonymity in networks, and thus provides a level of privacy protection for the users against passive attacks. On every location update a new temporary mobile subscriber identity (TMSI) is allocated by the PLMN and used to identify an MS on the air interface. Attacks on the GSM encryption algorithm are known [2]. A successful attack would result in loss of traffic confidentiality.

The false base station (BS) attacks [9] on an MS could reveal the IMSI of the user. This is possible as the authentication of the MS to the network is not mutual. The network is not authenticated to the MS. The base station could send an Identity request [9] to the MS, to which the MS would respond with the IMSI.

5 UMTS

A UMTS network is considered to be made of three functional entities [8]: the User Equipment (UE), the UMTS Terrestrial Radio Access Network (UTRAN) and the core network (CN). A detailed description of 3GPP security is found in [8].

The design provides identity confidentiality: the permanent user identity (IMSI) of a user is not revealed by eavesdropping on the radio link [8]. User location confidentiality (privacy) is provided: the presence or arrival of a user in a certain area is not revealed by eavesdropping on the radio access link. User untraceability is offered: an intruder cannot deduce whether different services are delivered to the same user by eavesdropping on the radio access link [8]. The additional security features include [8] mutual authentication and key agreement between MS and network; encryption of user traffic and signalling data over the air interface; and integrity protection of signalling data over the air interface. The features that have been retained from GSM include the SIM (called USIM); authentication of the UE to the network; and encryption of user traffic and signalling over the RF (air) interface. The user’s identity confidentiality is maintained by the temporary identifiers. Hence it provides anonymity of the users in the roaming networks.

6 Possible privacy-enhancing techniques

The confidentiality of the mobile user identity could be protected against passive or active eavesdroppers by a variety of methods. These include the following.

• Recognising networks. Wireless networks could be identified as being either secure or insecure. It could be possible for 802.11 devices to recognise networks based on the SSIDs or the MAC layer addresses of devices they are communicating with. Based on device identifiers, a Bluetooth device would be able to recognise if all of the devices it is communicating with are devices which have been authenticated in the past; if so, then the network could be considered safe. This could also be achieved by recognising the devices with which a device has been associated for a long period of time. If some of the devices are not long-term associates then this could possibly allow the devices to turn off options such as discovery mode in Bluetooth. In the case of Bluetooth this could also be used to turn on authentication.

• Pseudonyms. The wireless devices could use pseudonyms as identifiers on the network. Both GSM [9] and 3G [8] use pseudonyms to protect the identity of the user. Many different methods have been proposed for generating pseudonyms, including Cryptographically Generated Addresses [1], using a hash function on device identifiers, etc.

• Encryption. The identifiers could be encrypted, thus hiding the identity of the users against eavesdroppers. The exchange of key material for encryption could possibly be achieved by anonymous Diffie-Hellman key exchange or by using a shared key. The application of VPN protocols such as IPsec [6] or 802.1x does not seem to provide protection against attackers. In the case of IPsec, in IKE [6] the initiator is the client machine or the user device, and hence the identity of the user is not protected.

7 Conclusions

Wireless communications appear to hold great promise for the future. But they also open up a range of new privacy threats; anyone with the appropriate wireless receiver can eavesdrop. Furthermore, since the wireless medium is not restricted by the usual physical barriers such as walls and doors, detecting passive eavesdroppers is almost impossible. This increases the privacy concerns in wireless networks.

With the exception of GSM and UMTS, the main current wireless protocols do not seem to provide users with acceptable levels of privacy. In fact, the need for user privacy to some extent conflicts with the need for user authentication. End user privacy seems to be on a collision course with authentication. Further, loss of user privacy is also indirectly caused by techniques designed to provide resistance to denial of service (DoS) attacks [7]. The emergence of wireless protocols that both provide privacy to wireless users and protect the authenticator from DoS attacks would serve both the interests of users and service providers. This is clearly an issue of ongoing research interest.

References

[1] Tuomas Aura. Cryptographically generated addresses (CGA). In Colin Boyd and Wenbo Mao, editors, Proc. 6th Information Security Conference (ISC’03), volume 2851 of LNCS, pages 29–43, Bristol, UK, October 2003. Springer.

[2] E. Barkan, E. Biham, and N. Keller. Instant ciphertext only cryptanalysis of GSM encrypted communication. In Dan Boneh, editor, Advances in Cryptology - CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 600–616. Springer, August 2003.

[3] Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications: the insecurity of 802.11. In Proceedings of the 7th annual international conference on Mobile computing and networking, Rome, pages 180–189. ACM, 2001.

[4] Christian Gehrmann, Joakim Persson, and Ben Smeets. Bluetooth Security. Artech House, 2004.

[5] M. Jakobsson and S. Wetzel. Security weaknesses in Bluetooth. In David Naccache, editor, Topics in Cryptology — CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, pages 176–191. Springer-Verlag, 2001.

[6] Stephen Kent and Randall Atkinson. Security architecture for the Internet Protocol, RFC 2401. Internet Engineering Task Force, November 1998.

[7] David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring internet denial-of-service activity. In 10th Usenix Security Symposium, Washington, D.C., USA, August 2001.

[8] Valtteri Niemi and Kaisa Nyberg. UMTS Security. John Wiley and Sons, Chichester, England, 2003.

[9] P. S. Pagliusi. A Contemporary Foreword on GSM Security. In George I. Davida, Yair Frankel, and Owen Rees, editors, InfraSec 2002, volume 2437, pages 129–144. Springer-Verlag, 2002.

[10] M. Walker and T. Wright. Security. In F. Hillebrand, editor, GSM and UMTS: The Creation of Global Mobile Communication, pages 385–406. John Wiley & Sons, 2002.

[11] Alan Westin. Privacy and Freedom. New York: Atheneum, 1967.


On Location-based services and the UCONABC Model

Anand S. Gajparia

Information Security Group, Royal Holloway, University of London,

Egham, Surrey TW20 0EX, UK. http://www.isg.rhul.ac.uk/~plah317/

[email protected]

Keywords. Location based services, location information, constraints, privacy, access control

1 Extended abstract

The privacy of personal information is an issue of growing significance. This is in part due to the ease with which information can now be stored, used and distributed. Location Information (LI) is a form of personal information which refers to the location of a subject. Using this information entities can provide services such as directions to a restaurant from a current position. Of course, it is also possible for malicious entities to use LI for unauthorised purposes. For example, they may use it to monitor a subject’s movements without the subject’s knowledge.

We investigate the control of LI in the context of the UCONABC model [11, 12, 13, 14]. We look at attributes of LI, and the entities in an architecture designed to control the dissemination and use of LI. We also look at the stages in the provision of an LI service in which LI control may take place.

There are various levels of private information. For example, a person may regard both a password and a telephone number as private information; however, the password is likely to be regarded as "more" private. Another person may not regard a telephone number as private information at all. With this in mind, it is important to be able to control private information according to individual personal preferences. If a person does not want anyone to know their telephone number, they can simply not tell anyone. Of course, if the person wants to receive phone calls this is simply not possible. In reality, personal information is distributed in a controlled manner, sometimes with attached constraints. For example, a person may only give their phone number to friends and family. If a person distributes their phone number to an unknown entity, then they may state certain restrictions on the way their personal information is to be managed. For example, on an application form, they may state that their personal information is not to be redistributed.

LI may be used in various domains, including mobile telephony and personal computing. We look at constraints which may be placed on the dissemination and use of LI and investigate how LI may be controlled. The constraints used to control LI may limit the intended use of the LI, the time at which LI may be obtained, or even the actual LI itself.

We are by no means the first to investigate access control for LI. Leonhardt and Magee in [10] generalise classical access control models [1, 9] and apply them to LI. They consider a variety of access control models, looking at authorisation to control access to LI. For their purposes, authorisation is based only on the identity of the requesting entity. Hengartner and Steenkiste in [8] discuss controlling access to LI based on the location of the subject and the time at which the LI is requested. They discuss implementation of their model using SPKI/SDSI certificates. Control of LI is discussed in terms of its distribution, i.e. the entities to which LI distribution is permitted. Gathering of LI or the use of LI is not discussed.

Park and Sandhu have developed a general access control model called the usage control (UCON_ABC) model [11, 12, 13, 14]. This model is designed to address issues such as DRM, code authorisation, and the control of personal data. UCON extends traditional authorisations with obligations and conditions. An obligation requires a subject to perform a task in order to exercise a right on an object. For example, a person may have to sign a waiver before being allowed to participate in a parachute jump. A condition requires a predefined state to be true before the subject can exercise a right on an object. For example, the temperature must be below 15°C before the heating is permitted to be turned on. Using a combination of authorisations and conditions, we describe LI constraints in this general UCON_ABC model.

1.1 Constraints

In [5] we introduced the use of constraints, which are simple statements used to control the dissemination and use of LI. In most cases constraints are defined by the LI subject, the entity to which the LI relates. Other entities could also define constraints. For example, a network entity may define the constraints applying to all the LI generated in a mobile phone network. In certain countries [7] the provision of an emergency service may take precedence over any constraints which may be in place. Constraints can be used at three stages in the provision of a Location-based service (LBS): when LI is first gathered by the LI gatherer; when LI is distributed by an entity; and when LI is used, typically by the LBS provider.

1.1.1 LI gatherer constraints

Gathering time constraints limit the times at which LI may be gathered. The constraints placed on LI gatherers may prevent LI from being gathered altogether. Alternatively, they may be used to reduce the accuracy of LI. For example, instead of recording the location to the nearest metre, the LI gatherer may only be permitted to gather LI specifying the location of the LI subject to the nearest kilometre. Of course, LI gathering cannot be constrained based on location, as the location can only be assessed once LI has been gathered. Constraints based on location are considered under LI distribution constraints in section 1.1.2.

1.1.2 LI distribution constraints

When LI is requested, constraints may be placed on the entities to which LI is distributed. This type of constraint is called an LI distribution constraint. These constraints can be further subdivided into distribution time constraints, distribution entity constraints, distribution usage constraints, distribution location constraints and distribution validity constraints.

1.1.3 LI use constraints

When LI is used by an entity, access may be restricted by LI use constraints. These restrictions include usage validity constraints, usage location constraints, usage time constraints, use constraints and possession constraints. Use constraints consider the reason for which the entity uses the LI. Usage validity constraints refer to specific LI and may extend control over LI based on its validity. As with distribution validity constraints, this applies when constraints are securely attached to the LI. Constraints may also be held in a central server, in which case applying them to specific LI becomes difficult.

1.1.4 Difficulties in implementing constraints

The LI gatherer is usually a trusted entity. When LI is gathered on a user device, the LI subject can apply constraints to its LI directly. LI may also be gathered by a network entity, and in this case the LI subject must trust it to act according to the constraints.

Difficulties arise when LI is distributed to or used by other entities. Once an entity possesses LI, retaining control of it is difficult, as the entity must be trusted to apply any controls. Trusted computing platforms could potentially force entities to impose these constraints. The use of trusted computing platforms in relation to LI and privacy is discussed further in [4]. This paper discusses control models for LI; enforcing these constraints is not discussed in our paper.

1.2 An Introduction to UCON

The UCON_ABC model [11, 12, 13, 14] consists of eight components, namely subjects, objects, rights, subject attributes, object attributes, authorisations, obligations and conditions. Together these components form a generic model to control data. We look at the possible use of this model to control the use of LI.


Table 1: LI constraints

Stage             Authorisation                             Obligation   Condition
LI gathering      -                                         -            Gathering time
LI distribution   Distribution entity, Distribution usage   -            Distribution validity, Distribution time
LI use            Use, Possession                           -            Usage validity, Usage time, Usage location

In the UCON_ABC model, the subject is a human being. We change this aspect of the model and describe the subject as an LI entity. The subject has properties, known as subject attributes. It should be noted that the subject in this case is entirely different from the LI subject discussed earlier. The object is the item on which the subject wishes to exercise a right. In our case, the object will be LI. The object's properties are known as object attributes. These are used for control decisions. For example, LI may have as an attribute the times at which it may be used. If the time attribute does not allow its use at the time use is being requested, then it cannot be used. A right is the action which a subject may invoke on an object. Examples of such rights are read, write and execute. The rights which we will be interested in are gather, receive and use. If a subject wishes to exercise a right on an object, the authorisation, obligation and condition properties must be satisfied. Of course, it is not always necessary to use all these properties.

The authorisation property asks the question: is the subject allowed this right to this object? To answer this question, a decision must establish whether the subject has the correct subject attributes to access an object with the given object attributes. An authorisation may be a pre-authorisation, preA, or an on-going authorisation, onA. If an authorisation is preA, the authorisation process takes place before the right is exercised on the object. If an authorisation is onA, authorisations take place continuously, that is, before and during the exercise of the right.

Obligations ask the question: has process A taken place so that a right may be exercised? For example, a subject may have to sign a contract before being allowed a right to some information. Obligations may also be a pre-obligation, preB, or an on-going obligation, onB. We do not discuss obligations when describing the UCON_ABC model for use with LI.

Finally, the condition property asks the question: is condition B true so that a subject may have this right to this information? Conditions may be a pre-condition, preC, or an on-going condition, onC.

An important property of the UCON_ABC model is that it allows mutability. This means that attributes may be changed before, during or after a right has been exercised. Four levels of mutability are described: immutable; pre-update; ongoing-update; and post-update. If an attribute is immutable, it may not be changed. A pre-update means that the attribute can be changed before a right to an object is exercised. An ongoing-update means that an attribute may be constantly changing while the right is exercised. A post-update means that the attribute can be changed after access to the object is gained.

1.3 Modeling LI constraints in UCON_ABC

We describe the use of LI constraints to control LI in a formal way using the UCON_ABC model. Table 1 shows the LI constraints which may be used to control LI, classified by the UCON_ABC property to which they correspond. This will help us to describe LI constraints in UCON_ABC.

1.3.1 Authorisation restrictions

Authorisations take place before LI is distributed, and before LI is used. The LI constraints which involve authorisations are distribution entity constraints, distribution usage constraints, use constraints, and possession constraints. Before LI is distributed, the distributing entity establishes the identity of the entity to which LI is being sent from the distribution entity constraint, and the intended use of the LI by the entity to which the LI is being sent from the distribution usage constraint. This establishes whether the receiving entity is eligible to possess this LI. Both the distribution entity constraint and the distribution usage constraint are pre-authorisations, i.e. the authorisation takes place only before the distribution of LI. Of course, any authorisation which takes place after the LI has been distributed is pointless, because at this point the entity already possesses the LI. Before the LI is used, the entity must itself establish whether it is permitted to use the LI, from the use constraint, and whether it is permitted to possess the LI, from the possession constraint. An entity may be permitted to possess LI but not to use it if, for example, it only distributes the LI. Use constraints and possession constraints are also pre-authorisations. The authorisations described are immutable, i.e. they do not change as a result of exercising a right.

1.3.2 Conditional restrictions

Conditional restrictions refer to constraints which consider the circumstances in which a right is being exercised when making a control decision. Conditional restrictions are used when LI is gathered, distributed and used. The conditional restrictions are gathering time constraints, distribution validity constraints, distribution time constraints, usage validity constraints, usage time constraints and usage location constraints. When LI is gathered, the time at which LI gathering takes place must be consistent with the times at which LI gathering is permitted by the LI subject. These permitted times are recorded in the gathering time constraints. This is a pre-condition, i.e. it is decided before the LI is gathered. When LI is distributed, the constraints considered are the distribution validity constraints and the distribution time constraints. These conditions are also pre-conditions. The distribution validity constraint considers the duration for which the LI may remain in existence. For example, an LI subject may only want LI to exist for an hour after it has been gathered. If the LI is no longer valid then it should be destroyed by the entity distributing it. The distribution time constraint considers the times at which LI may be distributed.

When LI is used, the constraints considered are the usage validity constraint, the usage time constraint and the usage location constraint. The usage validity constraint considers the validity of the LI in order for it to be used. The usage time constraint considers the time at which LI may be used. The usage location constraint considers the location to which the LI refers in order to constrain its use. For example, if an LI subject is at home, they may not want their LI used at all. Usage time constraints and usage validity constraints are on-going conditions, i.e. these constraints have to be evaluated continuously as the LI is used. The reason these are on-going conditions is that time passes during LI use, and a constraint which allows LI use at one point in time may deny it at another point during its use.

The usage location constraint is not an on-going condition. Although the LI subject may change location while the LI is being used, the actual LI which the entity uses remains constant. When new LI is sent to the using entity, use may then be denied if the usage location constraint requires this.

At the LI gatherer stage the subject is the entity wishing to generate LI. The object in this case is aservice and not actual data.
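As an added illustration of sections 1.3.1 and 1.3.2 (example code written for this record, not the paper's own), the following decision procedure applies the classification above to the three rights gather, receive and use: distribution entity, distribution usage, use and possession constraints are evaluated as pre-authorisations; gathering time, distribution validity, distribution time and usage location constraints as pre-conditions; usage time and usage validity as on-going conditions re-evaluated while the LI is in use. The field names, the sample constraints and the sample LI are constructed for the example.

```python
"""Added example (not the paper's code): a small UCON_ABC-style decision procedure for
LI constraints. preA = pre-authorisation, preC = pre-condition, onC = on-going
condition, following the classification in the abstract. All names and data are
constructed for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LocationInfo:
    """The UCON object: one item of LI about an LI subject."""
    li_subject: str
    lat: float
    lon: float
    gathered_at: datetime


@dataclass(frozen=True)
class LIConstraints:
    """Constraints set by the LI subject (hypothetical field names)."""
    gather_hours: tuple            # gathering time constraint: (start_hour, end_hour)
    distribute_hours: tuple        # distribution time constraint
    use_hours: tuple               # usage time constraint
    validity: timedelta            # distribution / usage validity constraint
    allowed_recipients: frozenset  # distribution entity constraint
    allowed_purposes: frozenset    # distribution usage / use constraint
    possessors: frozenset          # possession constraint
    no_use_zones: tuple            # usage location constraint: (lat_min, lat_max, lon_min, lon_max) boxes


def _in_hours(t, hours):
    start, end = hours
    return start <= t.hour < end


def _still_valid(c, li, now):
    return now - li.gathered_at < c.validity


def _in_zone(li, zone):
    lat_min, lat_max, lon_min, lon_max = zone
    return lat_min <= li.lat <= lat_max and lon_min <= li.lon <= lon_max


def may_gather(c, now):
    """Gathering: preC on time only; the location cannot be checked before it is known."""
    return _in_hours(now, c.gather_hours)


def may_distribute(c, li, recipient, purpose, now):
    """Distribution: preA (entity, usage) and preC (validity, time), decided before sending."""
    pre_a = recipient in c.allowed_recipients and purpose in c.allowed_purposes
    pre_c = _still_valid(c, li, now) and _in_hours(now, c.distribute_hours)
    return pre_a and pre_c


def ongoing_use_allowed(c, li, now):
    """onC: usage time and usage validity, re-checked for as long as the LI is in use."""
    return _in_hours(now, c.use_hours) and _still_valid(c, li, now)


def may_start_use(c, li, entity, purpose, now):
    """Use: preA (use, possession), preC (usage location), and the on-going conditions at start."""
    pre_a = entity in c.possessors and purpose in c.allowed_purposes
    pre_c = not any(_in_zone(li, z) for z in c.no_use_zones)
    return pre_a and pre_c and ongoing_use_allowed(c, li, now)


def use_session(c, li, entity, purpose, ticks):
    """Re-evaluate the on-going conditions at each clock tick of a use session.
    Returns the (time, allowed) decisions up to the first denial; empty if use may not start."""
    if not ticks or not may_start_use(c, li, entity, purpose, ticks[0]):
        return []
    decisions = []
    for t in ticks:
        ok = ongoing_use_allowed(c, li, t)
        decisions.append((t, ok))
        if not ok:
            break
    return decisions


def at(hour, minute):
    """Constructed clock: times on the day the sample LI was gathered."""
    return datetime(2005, 7, 5, hour, minute)


# Constructed sample: Alice lets a restaurant finder use her LI for directions during
# the day, for one hour after gathering, and never while she is at home.
CONSTRAINTS = LIConstraints(
    gather_hours=(8, 20), distribute_hours=(8, 20), use_hours=(8, 20),
    validity=timedelta(hours=1),
    allowed_recipients=frozenset({"restaurant-finder"}),
    allowed_purposes=frozenset({"directions"}),
    possessors=frozenset({"restaurant-finder", "li-broker"}),
    no_use_zones=((51.42, 51.43, -0.57, -0.56),),   # a box around Alice's home
)
LI_AWAY = LocationInfo("alice", 51.4613, -0.6246, at(12, 0))
LI_HOME = LocationInfo("alice", 51.4257, -0.5634, at(12, 0))

if __name__ == "__main__":
    print(may_gather(CONSTRAINTS, at(7, 30)), may_gather(CONSTRAINTS, at(12, 0)))
    print(may_distribute(CONSTRAINTS, LI_AWAY, "restaurant-finder", "directions", at(12, 30)))
    print(use_session(CONSTRAINTS, LI_AWAY, "restaurant-finder", "directions",
                      [at(12, 30), at(12, 50), at(13, 10)]))
```

The session simulation is where the on-going conditions show their effect: use of LI_AWAY is allowed at 12:30 and 12:50 but denied at 13:10, when the one-hour validity has run out, even though nothing else about the request changed. Use of LI_HOME is refused at the start by the usage location pre-condition, which, as the abstract notes, is evaluated once per item of LI rather than continuously.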

1.4 Structure of paper

We begin our paper by describing the entities involved in an LI architecture. We describe the constraints to be used to control LI and go on to describe the UCON_ABC model. The use of UCON_ABC with LI constraints is described, and we conclude with a discussion of the results and of future work.

References

[1] D. E. Bell and L. J. La Padula. Secure computer systems: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, The MITRE Corporation, March 1976.

[2] Simon Byers and Dave Kormann. 802.11b access point mapping. Communications of the ACM, 46(5):41–46, May 2003.

[3] Dorothy E. Denning and Peter F. MacDoran. Location-based authentication: Grounding cyberspace for better security. In Dorothy E. Denning and Peter J. Denning, editors, Internet Besieged: Countering Cyberspace Scofflaws, chapter 12, pages 167–174. ACM Press Books, 2nd edition, February 2001.

[4] C. J. Mitchell, editor. Trusted Computing. IEE Press, to appear.

[5] Anand S. Gajparia, Chris J. Mitchell, and Chan Y. Yeun. Using constraints to protect personal location information. In Proceedings of VTC 2003 Fall, IEEE Semiannual Vehicular Technology Conference, volume 3, pages 2112–2116. IEEE Press, 2003.

[6] Anand S. Gajparia, Chris J. Mitchell, and Chan Yeob Yeun. The location information preference authority: Supporting user privacy in location based services. In S. Liimatainen and T. Virtanen, editors, 9th Nordic Workshop on Secure IT Systems, pages 91–96. Helsinki University of Technology, Finland, November 2004.

[7] Dale N. Hatfield. A report on technical and operational issues impacting the provision of wireless enhanced 911 services. Technical report, Federal Communications Commission, 2002.

[8] Urs Hengartner and Peter Steenkiste. Implementing access control to people location information. In Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies, pages 11–20. ACM Press, June 2004.

[9] Butler W. Lampson. Protection. ACM SIGOPS Operating Systems Review, 8(1):18–24, January 1974.

[10] Ulf Leonhardt and Jeff Magee. Security considerations for a distributed location service. Journal of Network and Systems Management, 6(1):51–70, March 1998.

[11] Jaehong Park and Ravi Sandhu. Originator control in usage control. In Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks, pages 60–67. IEEE Computer Society, June 2002.

[12] Jaehong Park and Ravi Sandhu. Towards usage control models: beyond traditional access control. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies, pages 57–64. ACM Press, June 2002.

[13] Jaehong Park and Ravi Sandhu. The UCON_ABC usage control model. ACM Transactions on Information and System Security, 7(1):128–174, February 2004.

[14] Ravi Sandhu and Jaehong Park. Usage control: A vision for next generation access control. In Vladimir Gorodetsky, Leonard J. Popyack, and Victor A. Skormin, editors, Computer Network Security, Second International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 17–31. Springer, September 2003.


State Compromise Attacks on Pseudorandom Generators

Andrey Sidorenko and Berry Schoenmakers

Eindhoven University of Technology, Eindhoven, The Netherlands

[email protected] [email protected]

Abstract. In this paper we analyze the resistance of pseudorandom generators against state compromise attacks. In particular we show that Blum-Micali generators are resistant against these attacks. Moreover, the security reduction is very efficient.

Keywords. Pseudorandom generators, state compromise attacks, concrete security, computational indistinguishability, one-way functions

1 Secure Pseudorandom Generators

A pseudorandom generator is a deterministic algorithm that, given a truly random binary sequence of length n, outputs a binary sequence of length M > n that "looks random". The input to the generator is called the seed and the output is called the pseudorandom sequence. The security of a pseudorandom generator is a characteristic that shows how hard it is to tell the difference between the pseudorandom sequences and truly random bit strings.

Let G be some pseudorandom generator that produces binary sequences of length M. Let $S_M$ be the set of such sequences. Let D be a probabilistic statistical test $\{0,1\}^M \to \{0,1\}$. The generator G passes the test D with tolerance $\varepsilon > 0$ if

$$\left|\Pr(D(s) = 1 \mid s \in_R S_M) - \Pr(D(s) = 1 \mid s \in_R \{0,1\}^M)\right| < \varepsilon.$$

Definition 1.1 A pseudorandom generator is secure if there is no statistical test with running time polynomial in n such that the generator fails this test with tolerance non-negligible in n.

An attempt to distinguish the pseudorandom sequence from a random sequence is called a direct cryptanalyticattack. A pseudorandom generator is secure if no direct cryptanalytic attack is feasible.

2 State Compromise Attacks

In this paper we analyze the resistance of pseudorandom generators against a subclass of direct cryptanalytic attacks, namely state compromise attacks. The term is due to [KS+98].

Definition 2.1 Let G be some pseudorandom generator. Suppose there is an algorithm $A : \{0,1\}^m \to \{0,1\}^n$ that, given the first m < M bits of a pseudorandom sequence, outputs the seed of the pseudorandom generator in expected time $T_A$. Assume that if there is no pseudorandom sequence starting with $r \in \{0,1\}^m$ then $A(r) = 0^n$. Then A is a $(T_A, m)$-state compromise attack on the pseudorandom generator.

Theorem 2.2 Each state compromise attack is a direct cryptanalytic attack.

Theorem 2.2 implies that the class of state compromise attacks is a subclass of the direct cryptanalytic attacks.

State compromise attacks on pseudorandom generators are analogous to key recovery attacks on public key cryptosystems and signature schemes. In both cases an adversary not only inverts the corresponding mapping but also reveals the hidden structure. Although key recovery attacks on many public key schemes have been thoroughly analyzed, state compromise attacks on most pseudorandom generators have not been studied so far.


3 Blum-Micali Construction

A family of cryptographically strong pseudorandom generators was proposed by Blum and Micali [BM84]. Let f be a one-way permutation defined over some domain D. Let b be a hard-core predicate for f. The seed $x_1$ of the pseudorandom generator is a uniformly distributed element of D. The pseudorandom sequence (the BM sequence) $s \in \{0,1\}^M$ is generated as follows:

$$s_i = b(x_i), \qquad x_{i+1} = f(x_i)$$

for $i = 1, \dots, M$. If an adversary does not know the seed she cannot distinguish the BM sequence from a random sequence in polynomial time with non-negligible advantage [BM84, Go01]. Therefore, by Theorem 2.2, no polynomial time state compromise attack on the BM generator is feasible. This means that, as the seed length increases, no polynomial time adversary can retrieve the seed of the pseudorandom generator. However, this asymptotic statement says little about the security of the pseudorandom generator in practice for a particular seed length and against adversaries investing a specific amount of computational effort.

For certain choices of the one-way function f and the hard-core predicate b the security of the BM generator is proved by reduction [BM84, FS00, Ka88]. It is shown that the problem of distinguishing BM sequences from random sequences can be reduced to inverting f. The reductions proposed are polynomial; however, in some cases they are inefficient in practice.

In this paper we prove the impossibility of state compromise attacks on BM generators in a different way. We show that there is a tight reduction between state compromise attacks on a BM generator and inversion algorithms for the corresponding one-way function.
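To make Definition 2.1, Theorem 2.2 and the BM construction concrete, here is an added example (code written for this record, not the authors'). It instantiates the generator over $Z_p^*$ with $f(x) = g^x \bmod p$ and the Blum-Micali predicate $b(x) = 1$ iff $x < (p-1)/2$, mounts a $(T_A, m)$-state compromise attack by exhaustive search over the seed space (so $T_A$ is about p evaluations of f), and builds from it the distinguisher of Theorem 2.2, which outputs 1 exactly when the attack returns a non-zero seed. The prime p = 1019, M = 64 and m = 32 are constructed toy parameters chosen so that the search is feasible; the point of the paper's reduction is to quantify why it is not at real seed lengths.

```python
"""Added example (not code from the paper): a toy Blum-Micali generator, an
exhaustive-search (T_A, m)-state compromise attack on it, and the distinguisher
that Theorem 2.2 builds from the attack. p = 1019 is a constructed toy prime."""
import random

P = 1019                        # prime; p - 1 = 2 * 509 with 2 and 509 prime
P_MINUS_1_FACTORS = (2, 509)


def find_generator(p, factors):
    """Smallest generator of Z_p^*: g^((p-1)/q) != 1 for every prime q dividing p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


G = find_generator(P, P_MINUS_1_FACTORS)


def f(x):
    """One-way permutation of D = {1, ..., p-1}: discrete exponentiation."""
    return pow(G, x, P)


def b(x):
    """Hard-core predicate: is x in the lower half of D?"""
    return 1 if x < (P - 1) // 2 else 0


def bm_generate(seed, M):
    """BM sequence s_i = b(x_i), x_{i+1} = f(x_i) for i = 1..M, from the seed x_1 in D."""
    bits, x = [], seed
    for _ in range(M):
        bits.append(b(x))
        x = f(x)
    return bits


def state_compromise_attack(prefix):
    """(T_A, m)-state compromise attack, T_A about p evaluations of f: search the seed
    space for the smallest seed whose BM sequence starts with `prefix`; return 0 (the
    paper's 0^n convention) if no BM sequence starts with it."""
    for x in range(1, P):
        y, matches = x, True
        for bit in prefix:
            if b(y) != bit:
                matches = False
                break
            y = f(y)
        if matches:
            return x
    return 0


def distinguisher(r):
    """The direct cryptanalytic attack Theorem 2.2 obtains from A: D(r) = 1 iff A(r) != 0^n.
    On genuine BM prefixes D always outputs 1; on a uniform m-bit string it outputs 1
    with probability at most (p-1)/2^m."""
    return 1 if state_compromise_attack(r) != 0 else 0


def estimate_advantage(m, trials, rng_seed=1):
    """Monte Carlo estimate of |Pr[D=1 | BM prefix] - Pr[D=1 | uniform string]|."""
    rng = random.Random(rng_seed)
    hits_bm = sum(distinguisher(bm_generate(rng.randrange(1, P), m)) for _ in range(trials))
    hits_uniform = sum(distinguisher([rng.randrange(2) for _ in range(m)]) for _ in range(trials))
    return abs(hits_bm - hits_uniform) / trials


if __name__ == "__main__":
    seed = 777
    prefix = bm_generate(seed, 64)[:32]            # m = 32 of M = 64 output bits
    print("seed recovered from 32 output bits:", state_compromise_attack(prefix))
    print("estimated advantage of D:", estimate_advantage(32, 10))
```

The distinguisher illustrates the direction of Theorem 2.2 only: a state compromise attack gives a distinguisher with advantage close to $1 - (p-1)/2^m$. The converse, that a distinguisher yields an inversion algorithm for f, is the content of the reductions cited above and of the tight reduction the paper announces.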

References

[BM84] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, 13, 1984, pp. 850–864.

[Go01] O. Goldreich. Foundations of Cryptography: Basic Tools. Cambridge University Press, 2001.

[FS00] R. Fischlin and C. P. Schnorr. Stronger security proofs for RSA and Rabin bits. Journal of Cryptology, 13, 2000, pp. 221–244.

[Ka88] B. S. Kaliski. Elliptic Curves and Cryptography: A Pseudorandom Bit Generator and Other Tools. Ph.D. thesis, LCS, MIT, Cambridge, MA, 1988.

[KS+98] J. Kelsey, B. Schneier, D. Wagner, and C. Hall. Cryptanalytic attacks on pseudorandom number generators. In Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168–188.


Related-Cipher Attacks on Block Ciphers with Flexible Number of Rounds

Jaechul Sung∗, Jongsung Kim†, Changhoon Lee‡ and Seokhie Hong‡

∗Department of Mathematics, University of Seoul, Cheonnong-Dong, Dongdaemun-Gu, Seoul, KOREA

[email protected]

†Katholieke Universiteit Leuven, ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium

[email protected]

‡Center for Information Security Technologies (CIST), Korea University, Anam-Dong 5-ga, Sungbuk-Gu, Seoul, KOREA

{crypto77,hsh}@cist.korea.ac.kr

Abstract. The related-cipher attack was introduced by Hongjun Wu in 2002 [2]. We can consider related ciphers as block ciphers with the same round function but a different number of rounds, whose key schedules do not depend on the total number of rounds. This attack can be applied to block ciphers when one uses some semi-equivalent keys in related ciphers. In this paper we introduce differential related-cipher attacks on block ciphers, which combine related-cipher attacks with differential cryptanalysis. We apply this attack to the block ciphers ARIA and SC2000. Furthermore, the related-cipher attack can be combined with other block cipher attacks such as linear cryptanalysis, higher-order differential cryptanalysis, and so on. From this point of view we also analyze some other block ciphers which use a flexible number of rounds: SAFER++, CAST-128 and DEAL.

Keywords. Block Cipher, Related-Cipher Attack, Related-Key Attack, Slide Attack, Differential Cryptanalysis, ARIA, SC2000, SAFER++, CAST-128, DEAL.

1 The Related-Cipher Attack and Its Applications

The related-cipher attack [2] can be applied to ciphers with a flexible number of rounds. In [2] the attack was applied to the block cipher SQUARE and to the AES variant [1] which was proposed at ACISP 2002. An interesting feature of related-cipher attacks is that they are independent of the number of rounds; they only depend on the difference in the number of rounds. The following is a brief description of the related-cipher attack.

Let $E^0 : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be an r-round block cipher and $E^1 : \{0,1\}^{k+k'} \times \{0,1\}^n \to \{0,1\}^n$ be an r'-round block cipher. We assume that there exists an (r + r')-round block cipher $E : \{0,1\}^{k+k'} \times \{0,1\}^n \to \{0,1\}^n$ such that $E_{K\|K'}(P) = E^1_{K\|K'} \circ E^0_K(P)$ for any k-bit key K, some fixed k'-bit key K', and any n-bit plaintext P. Then $E^0$ and E are called related ciphers and the $2^k$ pairs $(K, K\|K')$ are called semi-equivalent keys. The related-cipher attack uses the following property of related ciphers:

$$E_{K\|K'}(P) = C', \quad E^0_K(P) = C \;\Rightarrow\; E^1_{K\|K'}(C) = C'.$$

If the difference in the number of rounds between related ciphers is small (i.e., r' is small), the cipher is more vulnerable to the related-cipher attack. However, the typical related-cipher attack becomes more difficult to apply as the difference in the number of rounds grows. In order to overcome this problem, we combine the related-cipher attack with differential cryptanalysis (DC), which we call the differential related-cipher attack (or related-cipher differential attack). Moreover, we can also extend the related-cipher attack by combining it with other block cipher cryptanalyses, such as linear cryptanalysis (LC) and higher-order differential cryptanalysis (HODC).

Table 1 summarises our related-cipher attacks on the block ciphers ARIA, SC2000, SAFER++, CAST-128 and DEAL.


Table 1: Summary of Related-Cipher Attacks

Related-Cipher (1)           # Rounds (2)   # Semi-Equi. Keys   Complexity (3)           Type (4)                Used technique
(Cipher(a)/Cipher(b))        (c/d)                              (Data/Time)              (Cipher(a)/Cipher(b))
ARIA(128)/ARIA(192)          10/12          2^64                9 RC / 2^64 T            KP/CP                   DC
ARIA(192)/ARIA(256)          12/14          2^64                9 RC / 2^64 T            KP/CP                   DC
SC2000(128)/SC2000(192)      6.5/7.5        2^64                2 RC / 2^33 T            KP/CP                   DC
SC2000(128)/SC2000(256)      6.5/7.5        2^128               2 RC / 2^33 T            KP/CP                   DC
DEAL(192)/DEAL(256)          6/8            2^64                ≤ 2^70 RC / ≤ 2^121 E    KP/CP                   DC
DEAL(128)/DEAL(256)          6/8            2^128               ≤ 2^70 RC / ≤ 2^121 E    KP/CP                   DC
SAFER++(128)/SAFER++(256)    7/10           2^128               ≤ 2^81 RC / ≤ 2^101 E    KP/CP                   LC
CAST-128(m)/CAST-128(n)      12/16          2^m                 ≤ 2^17 RC / ≤ 2^40 E     CC/ACP                  HODC

(1) a, b: the size of the key; m, n: 40 ≤ m < 80, 80 ≤ n ≤ 128.

(2) c, d: the number of rounds of Cipher(a) and Cipher(b).

(3) RC: related-cipher pairs, T: table look-up operations, E: encryption units.

(4) KP: known plaintext, (A)CP: (adaptive) chosen plaintext, CC: chosen ciphertext.
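The semi-equivalent-key property above, as an added example (code written for this record; it is not from the paper and is not ARIA, SC2000, SAFER++, CAST-128 or DEAL): a toy 64-bit Feistel cipher with a flexible number of rounds whose round keys depend only on the key and the round index, never on the total number of rounds. With k' = 0, the r-round cipher $E^0$ and the (r+1)-round cipher E are related ciphers with semi-equivalent keys (K, K), and one known plaintext P gives, via $C = E^0_K(P)$ and $C' = E_K(P)$, a known plaintext/ciphertext pair (C, C') for the single extra round $E^1$. Because the toy round function is invertible in its key argument, that pair yields round key r directly, and with this constructed key schedule also one half of K. The key schedule, round function and sample key and plaintext are constructed for the illustration.

```python
"""Added example (not the paper's code): a toy Feistel cipher with a flexible number
of rounds and a related-cipher attack on it for r' = 1 and k' = 0."""
MASK = 0xFFFFFFFF
GOLDEN = 0x9E3779B9


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def round_key(key, i):
    """Round key i of a 64-bit key: alternate key halves, whitened by a round constant.
    Nothing here depends on how many rounds the cipher instance has."""
    half = (key >> 32) & MASK if i % 2 else key & MASK
    return half ^ ((GOLDEN * (i + 1)) & MASK)


def F(r, rk):
    """Toy round function, chosen so that rk can be solved for from r and F(r, rk)."""
    return rotl((r + rk) & MASK, 5) ^ (r >> 3)


def solve_round_key(r, y):
    """Invert F in its key argument: the rk with F(r, rk) == y."""
    return (rotr(y ^ (r >> 3), 5) - r) & MASK


def encrypt(key, block, rounds, first_round=0):
    """Feistel rounds first_round .. first_round+rounds-1 on a 64-bit block.
    encrypt(key, P, r) is E^0_K(P), encrypt(key, P, r + r') is E_K(P), and
    encrypt(key, C, r', first_round=r) is E^1_K(C)."""
    left, right = (block >> 32) & MASK, block & MASK
    for i in range(first_round, first_round + rounds):
        left, right = right, left ^ F(right, round_key(key, i))
    return (left << 32) | right


def related_cipher_attack(c_short, c_long, r):
    """Given C = E^0_K(P) (r rounds) and C' = E_K(P) (r+1 rounds) for the same P,
    recover round key r: the extra round maps (L, R) to (R, L xor F(R, rk_r))."""
    left, right = (c_short >> 32) & MASK, c_short & MASK
    left2, right2 = (c_long >> 32) & MASK, c_long & MASK
    if left2 != right:
        raise ValueError("not a related-cipher pair for r' = 1")
    return solve_round_key(right, left ^ right2)


def recover_key_half(rk, i):
    """Undo the whitening of round_key: the key half used in round i."""
    return rk ^ ((GOLDEN * (i + 1)) & MASK)


# Constructed sample: one known plaintext encrypted under both related ciphers.
KEY = 0x0123456789ABCDEF
PLAINTEXT = 0xDEADBEEFCAFEBABE
R = 6

if __name__ == "__main__":
    c6, c7 = encrypt(KEY, PLAINTEXT, R), encrypt(KEY, PLAINTEXT, R + 1)
    rk = related_cipher_attack(c6, c7, R)
    print(hex(rk), rk == round_key(KEY, R), hex(recover_key_half(rk, R)))
```

For a larger round difference r' the last round key is no longer exposed by one pair, which is the situation the paper addresses by treating $E^1$ as an r'-round cipher in its own right and attacking it with differential, linear or higher-order differential cryptanalysis on (C, C') pairs.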

References

[1] L. May, M. Henricksen, W. Millan, G. Carter, and E. Dawson. Strengthening the key schedule of the AES. In The 7th Australasian Conference on Information Security and Privacy (ACISP 2002), LNCS 2384, pages 226–240. Springer-Verlag, 2002.

[2] H. Wu. Related-cipher attacks. In Information and Communications Security: 4th International Conference (ICICS 2002), LNCS 2513, pages 447–455. Springer-Verlag, 2002.


An Efficient Private and Consistent Data Retrieval Protocol

Satoshi Nakayama, Maki Yoshida, Shingo Okamura, Akira Fujiwara, and Toru Fujiwara

Graduate School of Information Science and Technology, Osaka University, 1-5 Yamadaoka, Suita, Osaka 565-0871, Japan

{s-nakaym,maki-yos,s-okamur,a-fujiwara,fujiwara}@ist.osaka-u.ac.jp

Abstract. A data retrieval protocol allows a user to obtain an item of a database from a database server. The security requirements of the protocol are the privacy of the user, the privacy of the database server, and the consistency of query answers. The efficiency requirement of the protocol is that the size of the communicated data is smaller than the total size of the database. No previous data retrieval protocol satisfies both the security requirements and the efficiency requirement. In this paper, an efficient data retrieval protocol which satisfies all requirements is proposed.

Keywords. data retrieval, oblivious transfer, Merkle tree

1 Introduction

Consider a data retrieval protocol between a database server, who has a database of N data items, and a user, who has an index i with 1 ≤ i ≤ N, which allows the user to obtain the i-th item. The size of each item is constant. Many works address the security issues of several types of data retrieval protocols, such as oblivious transfer [Cha04], oblivious keyword search [OK04], and zero-knowledge sets [MRK03]. The security issues can be classified into the privacy of the user, the privacy of the database server, and the consistency of answers. We briefly state the security requirements defined for these issues: the database server cannot learn anything about i (the privacy of the user); the user cannot learn anything about the database beyond the i-th item (the privacy of the database server); the database server can publish a commitment to the database so that it can later give a proof that a query answer is consistent with the database (the consistency of a query answer). In addition to satisfying the security requirements, the protocol should be efficient. The efficiency requirement is that the sizes of a commitment, a query, an answer, and the proof are smaller than the total size of the N data items.

The oblivious keyword search protocol [OK04] satisfies all the security requirements, but does not satisfy the efficiency requirement. On the other hand, other previous efficient data retrieval protocols do not satisfy all the security requirements. In this paper, we propose an efficient data retrieval protocol which satisfies all requirements.

2 Proposed Protocol

One natural approach is to combine popular cryptographic primitives used to satisfy the security requirements. If these primitives are combined straightforwardly, good efficiency cannot be expected. We give an overview of the idea behind an efficient combination. The cryptographic primitives used are the oblivious transfer in [Cha04] and the Merkle tree [Mer80]. The oblivious transfer allows the user to obtain the i-th item so that the privacy of the user and of the database server is satisfied and the size of the query and the answer is smaller than the total size of the N data items. The Merkle tree allows the database server to generate a single hash value of the database as a commitment and log N hash values as the proof of consistency of a query answer. The j-th hash value is selected from the N/2^j hash values at the j-th level in the Merkle tree, where the level of the leaves is zero.

In the proposed protocol, the user first executes oblivious transfer with the database server to obtain the i-th item, and then executes oblivious transfer to obtain each of the log N hash-values. To decrease the total size of the queries, the database server uses the first query not only in the first execution of oblivious transfer but also in the following executions. We note that the first query is generated for obtaining one item from N data items. If the first query is used directly, then the execution to obtain each hash-value burdens the database server with a larger computation. We therefore transform the first query into a form more suitable for the executions that obtain each hash-value. Consider the binary tree obtained by swapping each node in the Merkle tree with its sibling node. In such a tree, the hash-values related to an item are on the path from the root to the leaf related to that item. We associate the database server's input data of the oblivious transfer with the nodes of that tree, and transform a query for an item in a leaf into the queries for the hash-values in each of its ancestor nodes.
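As an added illustration of the Merkle-tree component described above (example code, not part of the paper or its protocol): the server commits to N items with a single root hash, the proof for the i-th item consists of log N sibling hash-values, one taken from each level, and the user checks the returned item against the published commitment. The oblivious-transfer part of [Cha04] and the sibling-swapped query transformation are not modelled. SHA-256, the leaf/inner-node domain separation bytes and the constructed sample database are assumptions of this example.

```python
import hashlib
from math import log2

# Constructed sample database of N = 8 constant-size items (not from the paper).
DB = [f"record-{k}".encode().ljust(16, b"\x00") for k in range(8)]

def h(data: bytes) -> bytes:
    """Hash used for the tree. SHA-256 is an assumption; the paper only speaks of 'a hash-value'."""
    return hashlib.sha256(data).digest()

def build_tree(items):
    """Levels of a Merkle tree over N = 2^k items. Level 0 holds the N leaf hashes, level j holds
    N/2^j hash-values, and the last level holds the single root."""
    n = len(items)
    assert n and n & (n - 1) == 0, "this simple tree needs N to be a power of two"
    levels = [[h(b"\x00" + it) for it in items]]          # leaves, domain-separated from inner nodes
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"\x01" + prev[j] + prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def commitment(levels):
    """The single hash-value the server publishes as the commitment to the whole database."""
    return levels[-1][0]

def proof(levels, i):
    """Consistency proof for item i (0-based): log N hash-values, the j-th one taken from level j."""
    path, idx = [], i
    for level in levels[:-1]:
        path.append(level[idx ^ 1])       # sibling of the node on the root-to-leaf path
        idx //= 2
    return path

def verify(commit, item, i, path):
    """Recompute the root from the answer and the proof; True iff it equals the commitment."""
    node, idx = h(b"\x00" + item), i
    for sib in path:
        node = h(b"\x01" + sib + node) if idx & 1 else h(b"\x01" + node + sib)
        idx //= 2
    return node == commit

if __name__ == "__main__":
    levels = build_tree(DB)
    c, i = commitment(levels), 5
    p = proof(levels, i)
    print("proof size log N:", len(p) == log2(len(DB)), "consistent:", verify(c, DB[i], i, p))
```

The proof size is h log N and the commitment size is h, matching the values stated in Section 3 for every protocol; a tampered item or a wrong index fails verification because the recomputed root no longer matches.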

3 Comparison of Efficiency

We evaluate the efficiency of the proposed protocol. Table 1 compares the proposed protocol (PRP), the straightforward protocol (SFP), and the protocol, called the directly querying protocol (DQP), which uses the first query directly in the following executions. Only dominant terms are given in the table. The parameters of the oblivious transfer are chosen such that the size of an answer is minimal while the size of a query is smaller than the total size of the N data items. Compared to the straightforward protocol, although the computation of the database server increases, the size of the query and the computation of the user in the proposed protocol are reduced. The size of the commitment is h and that of the proof is h log N in every protocol, where h is the size of a hash-value. These values satisfy the efficiency requirement.

Table 1: The comparison of the efficiency of the protocols.

          Communication data size                          Computation
          Query                  Answer                    User                    Server
SFP       8√N + (log N)^2        2(log N)^2 + 8 log N      8√N + 2(log N)^2        13√N + 6(log N)^2
DQP       2√N + log N            4(log N)^2 + 6 log N      2√N log N + 2√N         3√N log N + 3√N
PRP       2√N + log N            2(log N)^2 + 8 log N      2√N + (log N)^2         √N log N + 6√N

4 Conclusion

An efficient data retrieval protocol which satisfies all requirements has been proposed. The proposed protocol uses the efficient oblivious transfer protocol proposed in [Cha04] and the Merkle tree proposed in [Mer80]. Although the computation of the database server in the proposed protocol increases, the size of the query and the computation of the user are reduced compared to the straightforward protocol.

References

[Cha04] Y. C. Chang. Single Database Private Information Retrieval with Logarithmic Communication. ACISP 2004, LNCS 3108, pp. 50–61, 2004.

[OK04] W. Ogata and K. Kurosawa. Oblivious Keyword Search. J. of Complexity, vol. 20, pp. 356–371, 2004.

[MRK03] S. Micali, M. Rabin, and J. Killian. Zero-Knowledge Sets. 44th FOCS, pp. 80–91, 2003.

[Mer80] R. C. Merkle. Protocols for Public Key Cryptosystems. IEEE Symposium on Security and Privacy, pp. 122–134, 1980.


Formal Verification of Password-based Protocol by FDR Model Checking

Abdelilah Tabet, SeongHan Shin, Kazukuni Kobara, Hideki Imai

Institute of Industrial Science, University of Tokyo, 4-6-1 Komaba, Meguro-ku, Tokyo 153-8505, Japan

{abdel1t,shinsh}@imailab.iis.u-tokyo.ac.jp, {kobara,imai}@iis.u-tokyo.ac.jp

Abstract. Security protocols have been developed to enhance security and overcome many of its flaws. However, many of them are still vulnerable to several kinds of attacks, even those claimed to solve security holes found in previous protocols. Formal methods were pioneers in detecting security flaws in cryptographic protocols and still lead the research in this area. In this paper, we evaluate a password-based protocol against off-line attacks by FDR [FSL99], a well-known tool in the literature. We verify the typical password-based protocol and compare the result from FDR with its theoretical result.

Keywords. Formal Methods, Casper, FDR

1 FDR Model checking

FDR (Failures-Divergences Refinement) is one of the most widely used security protocol verification methods, especially after it exposed the man-in-the-middle attack on the Needham-Schroeder public-key protocol [Ga96]. The checker FDR is a model-checking tool for concurrent and reactive systems modelled in CSP (Communicating Sequential Processes) [Ho85]. Since generating CSP code is a time-consuming and error-prone task, Casper was produced by Gavin Lowe in 1997 [Ga97] to overcome the difficulties of writing CSP code. Casper compiles an easy input script to CSP code. It therefore simplifies the task for non-experts who are not familiar with CSP, letting them produce CSP code without much knowledge of its notation. For security protocols, FDR is restricted to small systems where, for example, the types of nonces and keys are finite. The input of Casper must contain not only the protocol definition but also the type of system to be checked. Therefore the input file includes two different parts: the first part defines how the protocol operates, the initial knowledge of the agents, and the specification of the protocol's goal; the second part defines the datatypes to be used and the intruder's abilities.

2 Verification of Password-based Protocol by FDR

2.1 Off-line attacks

Many password-based protocols have been proposed in the literature, each with its own security goal. However, many of these protocols can fail to fulfil their security purpose when users choose short passwords. Such a situation can be very dangerous, since it would be easy for an attacker to mount a dictionary attack on the password and thereby break the secrecy of the authentication which the protocol was designed to establish. In this work we focus only on off-line attacks on password-based protocols, since they are difficult to avoid, whereas on-line attacks are easy to avoid.

2.2 Verification of RSA-based EKE protocol

We verify the security of an example RSA-based EKE protocol using FDR model checking. First we describe the protocol in the protocol script using Casper, shown below. In this step it is important to make some modifications to the original protocol in order to avoid the state explosion problem and to minimize the computation time, which can be caused by the use of a large number of functions and variables. Here a and b are respectively Alice's and Bob's IDs, pk is an RSA public key, passwd is the password shared between Alice and Bob, which is defined to be a secret, r1 and r2 are two nonces, and k is a random value generated by Bob. This protocol ends by sharing a symmetric key between Alice and Bob.


#Protocol description
0.    -> a : b
1. a -> b : a, r1
2. b -> a : b, r2, pk
3. a -> b : {{k}{pk}}{passwd}
4. b -> a : f(passwd,k,r1,r2)
5. a -> b : f(passwd,k,r1,r2)

After we checked the protocol with FDR, the security assumptions we made were satisfied and no attack was found. However, the theoretical result says that an e-residue attack is possible on the protocol. This result, like other results (verification results of other protocols with the same tool), shows the limitation of FDR in finding attacks on cryptographic protocols.

3 Conclusion

In this research we verified the security of one of the EKE protocols, a typical example of password-based protocols, using FDR. Very interestingly, the result from FDR is the opposite of that obtained by the theoretical verification. In the near future, we will treat almost all the possible cases of protocols that may use passwords, and evaluate the performance of FDR model checking against off-line attacks.

References

[BM92] Steven M. Bellovin and Michael Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. IEEE Symposium on Research in Security and Privacy, Oakland, CA, USA, May 1992.

[Ga96] G. Lowe. Breaking and fixing the Needham-Schroeder Public-Key protocol using FDR. In Proceedings of Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of LNCS, pages 147–166. Springer-Verlag, 1996.

[Ga97] G. Lowe. Casper: A compiler for the analysis of security protocols. 10th IEEE Computer Security Foundations Workshop, 1997.

[FSL99] Formal Systems (Europe) Ltd. FDR2 User Manual, August 1999.

[Ho85] C.A.R. Hoare. Communicating Sequential Processes, 1985.


Symmetric Boolean functions with high nonlinearity

Marion Videau

INRIA-Rocquencourt, projet CODES, http://www-rocq.inria.fr/codes/

[email protected]

Abstract. It is known that the symmetric Boolean functions with optimal nonlinearity are the quadratic functions. Here, we extend this work and characterise the functions with suboptimal nonlinearity by using the link between the periodicity of their simplified value vectors and their algebraic degrees.

Keywords. Boolean functions, symmetric functions, nonlinearity

1 Introduction

Symmetric Boolean functions can be easily represented by reduced versions of their value vectors and of their algebraic normal forms. Besides this conciseness, they are also good functions in terms of gate complexity [Weg87]. These properties make them interesting candidates for many applications. Unfortunately, it has been proved that their nonlinearities and algebraic degrees, which are important cryptographic parameters, cannot be simultaneously maximised. However, symmetric functions with suboptimal nonlinearity might be of interest for designing cryptographic primitives.

Definition 1.1 A Boolean function f is symmetric if its output is invariant under any permutation of its input bits:

$f(x_1, x_2, \ldots, x_n) = f(x_{\sigma(1)}, x_{\sigma(2)}, \ldots, x_{\sigma(n)})$, for all permutations $\sigma$ of $\{1, \ldots, n\}$.

It means that there exists a function $v_f : \{0, \ldots, n\} \to \mathbb{F}_2$ such that $\forall x \in \mathbb{F}_2^n$, $f(x) = v_f(\mathrm{wt}(x))$. We will refer to the sequence $v(f) = (v_f(0), \ldots, v_f(n))$ as the simplified value vector of f.

Proposition 1.1 A Boolean function f of n variables is symmetric if and only if its algebraic normal form can be written as

$$f(x_1, \ldots, x_n) = \bigoplus_{i=0}^{n} \lambda_f(i) \bigoplus_{\substack{u \in \mathbb{F}_2^n \\ \mathrm{wt}(u) = i}} \prod_{j=1}^{n} x_j^{u_j}, \qquad \lambda_f(i) \in \mathbb{F}_2 .$$

We call the (n + 1)-bit vector λ(f) = (λf (0), λf (1), . . . , λf (n)) the simplified ANF vector of f .

It is proved in [CV05] that low degree symmetric functions have a periodic simplified value vector.

Theorem 1.2 Let f be a symmetric Boolean function of n variables with simplified ANF vector $\lambda(f) = (\lambda_0, \ldots, \lambda_n)$ and simplified value vector $v(f) = (v_0, \ldots, v_n)$.

Then, v(f) is periodic with period $2^t$ if and only if $\deg(f) \le 2^t - 1$. Moreover, $(v_0, \ldots, v_{2^t - 1})$ is the simplified value vector of the symmetric Boolean function of $(2^t - 1)$ variables with $(\lambda_0, \ldots, \lambda_{2^t - 1})$ as simplified ANF vector.

We recall the notation for the Walsh coefficients and the nonlinearity of a Boolean function f. If we denote a linear function by $\varphi_a : x \mapsto a \cdot x$, then

$$\mathcal{F}(f + \varphi_a) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + a \cdot x}, \qquad \mathcal{L}(f) = \max_{a \in \mathbb{F}_2^n} |\mathcal{F}(f + \varphi_a)|, \qquad \mathrm{NL}(f) = 2^{n-1} - \frac{\mathcal{L}(f)}{2} .$$


2 Highly nonlinear symmetric Boolean functions

The maximum nonlinearity for symmetric functions of n variables has been proved to be reached only by quadratic functions. More precisely, when n is even, these functions are bent and the nonlinearity is $2^{n-1} - 2^{n/2 - 1}$ [Sav94], and when n is odd, the maximal nonlinearity is $2^{n-1} - 2^{(n-1)/2}$ [MS02]. In this section we investigate cases of suboptimal nonlinearity and we point out that the nonlinearity is related to the periodicity of the simplified value vector.

Theorem 2.1 Let f be a symmetric Boolean function of n variables. If $\mathcal{L}(f) < 2^{\lfloor (n+1)/2 \rfloor} + 2^{t+1}$ for some integer t, $0 \le t < \lfloor (n+1)/2 \rfloor$, then

$$v_f(i + 2) = v_f(i) \oplus 1, \quad \text{for all } t \le i \le n - 2 - t ,$$

or equivalently f = q + h where q is a symmetric quadratic function and h is a symmetric function of n variables such that $v_h(i) = 0$ for all $t \le i \le n - t$.

This can be proved by induction on t using the properties of periodicity of the restrictions of a symmetricBoolean function [CV05].

As a direct corollary, we can deduce a necessary condition on the simplified value vector of the symmetric functions f with $\mathcal{L}(f) < 2^{\lfloor (n+1)/2 \rfloor + 1}$.

Corollary 2.2 Let f be a symmetric Boolean function of n variables.

• For n even, if $v_f(n/2 - 1) = v_f(n/2 + 1)$, then $\mathcal{L}(f) \ge 2^{n/2 + 1}$.

• For n odd, if $v_f((n+1)/2) = v_f((n-3)/2)$ or if $v_f((n+3)/2) = v_f((n-1)/2)$, then $\mathcal{L}(f) \ge 2^{(n+1)/2 + 1}$.

Theorem 2.1 also points out that the resiliency order of a highly nonlinear symmetric function is limited.

Corollary 2.3 Let f be a symmetric Boolean function of n variables such that $\mathcal{L}(f) < 2^{\lfloor (n+1)/2 \rfloor} + 2^{t+1}$ for some integer t, $0 \le t < \lfloor (n+1)/2 \rfloor$. Then, f is at most (2t + 2)-resilient.

Now, we can characterise the symmetric functions whose nonlinearity is very close to the optimal nonlinearity.

Proposition 2.1 The symmetric Boolean functions f of n variables such that $\mathcal{L}(f) = 2^{\lfloor (n+1)/2 \rfloor} + 2$ are the 8 functions of degree n defined by the following simplified ANF vectors:

$\lambda_f = (a, b, 1, 0, \ldots, 0, 1)$ and $\lambda_f = (a, b, 0, 1, \ldots, 1, 1)$, $a, b \in \mathbb{F}_2$.

Proposition 2.2 The symmetric Boolean functions f of n variables such that $\mathcal{L}(f) = 2^{\lfloor (n+1)/2 \rfloor} + 4$ are the 4 functions of degree (n − 1) defined by the following simplified ANF vectors:

$\lambda_f = (a, b, 0, 1, \ldots, 1, 0)$, $a, b \in \mathbb{F}_2$.
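To make the quantities of this paper concrete, here is an added example (not part of the paper) that computes the simplified value vector v(f) from the simplified ANF vector λ(f), the Walsh coefficients, L(f) and NL(f) by brute force, and checks the periodicity criterion of Theorem 1.2. The function names and the small instances are constructed for this illustration; among them, λ_f = (0,0,1,0,1) for n = 4 is one of Proposition 2.1's functions (L(f) = 2^2 + 2 = 6), λ_f = (0,0,0,1,1,0) for n = 5 is one of Proposition 2.2's (L(f) = 2^3 + 4 = 12), and λ_f = (0,0,1,0,0) is the bent quadratic of Section 2 for n = 4.

```python
from math import comb

def simplified_value_vector(lam):
    """v_f(w), w = 0..n. On an input of weight w the degree-i term of the ANF contributes
    C(w, i) mod 2, the number of weight-i monomials that evaluate to 1 on that input."""
    n = len(lam) - 1
    return tuple(sum(comb(w, i) for i in range(n + 1) if lam[i]) % 2 for w in range(n + 1))

def truth_table(lam):
    """Full 2^n-entry truth table, indexed by the integer whose bits are (x_1, ..., x_n)."""
    n = len(lam) - 1
    v = simplified_value_vector(lam)
    return [v[bin(x).count("1")] for x in range(1 << n)]

def walsh_spectrum(lam):
    """F(f + phi_a) = sum_x (-1)^(f(x) + a.x) for every a in F_2^n (brute force, fine for n <= 12)."""
    n = len(lam) - 1
    tt = truth_table(lam)
    return [sum(1 - 2 * (tt[x] ^ (bin(x & a).count("1") & 1)) for x in range(1 << n))
            for a in range(1 << n)]

def linearity(lam):
    """L(f) = max_a |F(f + phi_a)|."""
    return max(abs(c) for c in walsh_spectrum(lam))

def nonlinearity(lam):
    """NL(f) = 2^(n-1) - L(f)/2."""
    n = len(lam) - 1
    return (1 << (n - 1)) - linearity(lam) // 2

def degree(lam):
    """Algebraic degree: the largest i with lambda_f(i) = 1."""
    return max((i for i, b in enumerate(lam) if b), default=0)

def has_period(v, p):
    return all(v[i] == v[i + p] for i in range(len(v) - p))

def check_theorem_1_2(lam, t):
    """Theorem 1.2: v(f) has period 2^t  <=>  deg(f) <= 2^t - 1. Returns True when both sides agree."""
    return has_period(simplified_value_vector(lam), 1 << t) == (degree(lam) <= (1 << t) - 1)

if __name__ == "__main__":
    for lam in [(0, 0, 1, 0, 0), (0, 0, 1, 0, 1), (0, 0, 0, 1, 1, 0)]:   # constructed instances
        print(lam, "v(f) =", simplified_value_vector(lam),
              "L(f) =", linearity(lam), "NL(f) =", nonlinearity(lam))
```

The bent quadratic λ_f = (0,0,1,0,0) gives L(f) = 4, the optimum 2^{n/2} for n = 4; flipping the top coefficient to (0,0,1,0,1) changes a single truth-table entry, moves every Walsh coefficient by ±2 and yields the suboptimal L(f) = 6 of Proposition 2.1.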

References

[CV05] A. Canteaut and M. Videau, Symmetric Boolean functions, IEEE Trans. Inform. Theory, regular paper, to appear.

[MS02] S. Maitra and P. Sarkar, Maximum nonlinearity of symmetric Boolean functions on odd number of variables, IEEE Trans. Inform. Theory, vol. 48, no. 9, 2002.

[Sav94] P. Savicky, On the bent functions that are symmetric, European J. of Combin., vol. 15, pp. 407–410, 1994.

[Weg87] I. Wegener, The complexity of Boolean functions. Wiley, 1987.


Error-Set Codes, Secret Sharing Schemes and Matroids

An Braeken

Department of Electrical Engineering - ESAT/SCD/COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Leuven, Belgium, http://www.esat.kuleuven.ac.be/cosic/

[email protected]

Abstract. Error-set correcting codes differ from error-correcting codes in the sense that the minimum distance of the code is replaced by a collection ∆ of monotone decreasing sets, which define the supports of the vectors that do not belong to the code. It is shown how these codes are related to matroids. In this way, we complete the equivalence of ideal linear secret sharing schemes and matroids on the one hand and linear secret sharing schemes and error-set correcting codes on the other hand.

Keywords. Linear code, matroid, ideal linear secret sharing scheme.

1 Definitions

Define the set P = {1, . . . , n} and denote the power set of P by P(P). The set Γ ⊆ P(P) is called monotone increasing if for each set A in Γ, each set containing A is also in Γ. Similarly, the set ∆ ⊆ P(P) is called monotone decreasing if for each set B in ∆ each subset of B is also in ∆. The concept of a monotone decreasing set will be used in the definition of the following three objects: error-set codes, linear secret sharing schemes, and matroids.

The linear [n, k, d]-code [MS90] over Fq can be generalized to the linear [n, k, ∆(C)]-code C over Fq. The [n, k, ∆(C)]-code is called an error-set code [NN03] because of the property that all vectors whose support belongs to ∆ are not codewords.

A secret sharing scheme (SSS) [S79] allows the dealer P0 to share a secret among n participants in such a way that some sets of participants (those in Γ), called allowed coalitions, can recover the secret, while any other set of participants (non-allowed coalitions) cannot get any information about the secret. The scheme is called ideal if the size of any share coincides with the size of the secret. If the share of any participant is computed by a fixed linear function of the key and some other random elements, the SSS is said to be linear (denoted LSSS for short).

A matroid [W76] M = (P, I) is a finite set P together with a collection I of monotone decreasing subsets of P (called the independent sets) such that the following two properties are satisfied: ∅ ∈ I, and if U, V ∈ I with |U| = |V| + 1, then there exists x ∈ U \ V such that V ∪ {x} ∈ I. The maximal independent sets are called bases. The dual matroid M* of a matroid M is defined by the set of bases B* = {P \ Bi : i ∈ I}.

2 Main Results

The augmentation theorem will be used for proving the properties of error-set correcting codes.

Theorem 2.1 [W76] (Augmentation Theorem) Suppose that X, Y ∈ I and that |X| < |Y|. Then there exists Z ⊆ Y \ X such that |X ∪ Z| = |Y| and X ∪ Z ∈ I.

One can now easily derive the following relations between matroids and error-set correcting codes.

Theorem 2.2 The parity check matrix of an [n, k, ∆(C)]-code is a matroid defined on the set of column indices S = {1, . . . , n} with independent set I = ∆(C).

Theorem 2.3 The generator matrix of an [n, k, ∆(C)]-code is equivalent to a matroid defined on the set S = {1, . . . , n} with independent set I = ∆(C)*.


From these relations, we derive several new properties, such as the weight distribution and the dual code, by using known results from the theory of matroids.

In [BD91], Brickell and Davenport have shown the relation between ideal LSSS and matroids. Nikov and Nikova introduced in [NN03] the error-set correcting codes by means of monotone span programs in order to show a one-to-one relation with the ideal LSSS. Therefore, this relation completes the equivalences between matroids, LSSS and error-set codes.
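The following added example (not part of the paper) works Theorems 2.2 and 2.3 through on a constructed toy instance: for a small binary code it enumerates the error set ∆(C) as the index sets that contain no codeword support, checks the matroid axioms of Section 1 on it, confirms that it coincides with the independent column sets of the parity check matrix H, and that the bases of the generator matrix G are the complements of the bases of H, i.e. the dual matroid. The [6,3] code, the matrices G and H and all function names are assumptions of this example.

```python
from itertools import combinations, product

# Constructed toy instance (assumption, not from the paper): a binary [6,3] code with generator
# matrix G and parity check matrix H; every row of G is orthogonal to every row of H over F_2.
G = [(1, 0, 0, 1, 1, 0), (0, 1, 0, 1, 0, 1), (0, 0, 1, 0, 1, 1)]
H = [(1, 1, 0, 1, 0, 0), (1, 0, 1, 0, 1, 0), (0, 1, 1, 0, 0, 1)]

def codewords(G):
    """All 2^k codewords: F_2-linear combinations of the rows of G."""
    k, n = len(G), len(G[0])
    return {tuple(sum(c * g[j] for c, g in zip(coeffs, G)) % 2 for j in range(n))
            for coeffs in product((0, 1), repeat=k)}

def support(word):
    return frozenset(j for j, b in enumerate(word) if b)

def all_subsets(n):
    return (frozenset(S) for r in range(n + 1) for S in combinations(range(n), r))

def error_set(G):
    """Delta(C): the index sets containing no nonzero codeword support, so every vector whose
    support lies in Delta(C) is a non-codeword. Monotone decreasing by construction."""
    supports = {support(w) for w in codewords(G) if any(w)}
    return {S for S in all_subsets(len(G[0])) if not any(s <= S for s in supports)}

def rank_f2(vectors):
    """Rank over F_2 of a list of equal-length 0/1 tuples, by Gaussian elimination."""
    rows, rank = [list(v) for v in vectors], 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def independent_column_sets(M):
    """Independent sets of the column matroid of M: index sets whose columns are F_2-independent."""
    n = len(M[0])
    cols = [tuple(row[j] for row in M) for j in range(n)]
    return {S for S in all_subsets(n) if rank_f2([cols[j] for j in sorted(S)]) == len(S)}

def is_matroid(I):
    """Matroid axioms of Section 1: empty set in I, closed under taking subsets, and the exchange
    property: |U| = |V| + 1 implies some x in U \\ V with V + {x} in I."""
    if frozenset() not in I:
        return False
    if any(S - {x} not in I for S in I for x in S):
        return False
    return all(any(V | {x} in I for x in U - V)
               for U in I for V in I if len(U) == len(V) + 1)

def bases(I):
    """Maximal independent sets."""
    r = max(len(S) for S in I)
    return {S for S in I if len(S) == r}

if __name__ == "__main__":
    delta = error_set(G)
    print("|Delta(C)| =", len(delta), "matroid:", is_matroid(delta),
          "equals column matroid of H:", delta == independent_column_sets(H))
```

With minimum distance 3 every set of at most two indices lies in ∆(C); of the 20 three-element sets, the four that are supports of weight-3 codewords are excluded, and no four-element set is independent because H has rank 3, giving |∆(C)| = 1 + 6 + 15 + 16 = 38.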

References

[BD91] E. Brickell and D. Davenport, On the Classification of Ideal Secret Sharing Schemes, Journal of Cryptology, 4: 123–134, 1991.

[MS90] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error-Correcting Codes, Elsevier, 1991.

[NN03] V. Nikov and S. Nikova, On a Relation Between Verifiable Secret Sharing Schemes and a Class of Error-Correcting Codes, ePrint 2003/210, 2003.

[S79] A. Shamir, How to share a secret, Communications of the ACM, 22: 612–613, 1979.

[W76] D. Welsh, Matroid Theory, Academic Press, London, 1976.

GSM for mobile SSO to protect user privacy

Kalid Elmufti, Chris J Mitchell

City University London / Royal Holloway, University of London, [email protected] / [email protected]

Abstract. This paper proposes a system in which a GSM user can access third party services with total anonymity as far as the service providers are concerned; however, it is possible for a trusted authority to reveal the identity of the user if he or she is suspected of illegal activities. The system makes use of various cryptographic techniques, as well as Single Sign-On, GSM encryption, and PKI to achieve its goals.

Keywords. GSM, Single Sign-On.

1 Introduction

Mobile Commerce or M-Commerce is growing fast as more and more users start using their phones for many other applications than just making phone calls, and as mobile phones become more powerful. Service providers can now provide a wide range of services, such as downloading digital content or allowing users to buy goods through their mobile devices. However, one of the main issues for M-Commerce is the protection of user privacy. Theoretically it is possible to have systems with full anonymity, although such systems may not be desirable as they may lead to increased misuse of the system [FZ02]. This paper gives an overview of a system in which it is possible for the user to have full anonymity as far as the service providers are concerned; however, it is possible for a trusted authority to reveal the identity of the user if he or she is suspected of illegal activities.

The main idea behind the system is that the user binds the secret key shared with its GSM mobile operator to a random ID. This ID is used as the user identifier with the service providers, and the only way to link this random identifier to the user is by knowing the secret key shared by the user and the mobile operator.


2 System overview

The system consists of three types of player: Mobile Devices, Service Providers, and GSM Network Operators. The User operates a Mobile Device (MD) and wishes to access services provided by a service provider via a mobile network provided by a Network Operator (NO). The NO also provides an SSO service for the MD, and acts as an 'Anonymity Revocation Authority' to reveal the MD identity in some scenarios. Finally, the Service Provider (SP) provides services to the MD.

It is assumed that the NO is trusted by the User not to reveal the User's true identity to any third parties, except in specified circumstances. It is further assumed that the NO has an asymmetric key pair for a signature scheme and that the MD and the SP possess a trusted copy of the public key PKNO.

It is also assumed that the MD is equipped with a SIM or connected to a SIM card, which shares a secret key with the NO, in line with GSM security standards.

The MD will establish a secret session key (Kc) with the NO; this key will be derived from the long-term secret key K and a random challenge RAND received from the NO, based on the A8 function used by the GSM system [CM04]. Then for every SP it wants to access, the MD will generate a public/private key pair (PK/SK)SP to be used for a binding signature scheme. This public key (PKSP) will also act as the User/MD ID, which will be different for every SP. The MD will then create a Binding Signature (BS): a binding signature is the unique product of the operation of a cryptographic binding algorithm on a short message m, using the secret session key Kc and the private key SKSP, where m is the input message, which contains information such as the MD's IMSI number and RAND.

The MD will create an authentication token and send it to the NO; the token includes the following attributes:

• User/MD ID, which will be the public key KSP.

• Revocation Attribute (RA), where RA = ENCPKNO(BS).

The NO will then decrypt the RA using its private key SKNO to obtain the BS. In the verification process, the verification algorithm operates on the binding signature using Kc and KSP; the output will be a binary result which, if successful, will indicate that the User used the same RAND sent earlier. The NO then creates an Identification Attribute (IA), where IA = ENCPKNO(IMSIMD, RAND), and adds it to the security token. Using its SSO system the NO forwards the MD request (which includes the security token) to the SP, using KSP as the user ID. As KSP was generated by the MD, the SP will have no trace to the identity of the user. However, if the user is involved in illegal activities, the user identity can be revealed as follows:

• The SP forwards the security token to the NO.

• The NO uses its private key to decrypt the identification attribute (IA); then it uses the secret key K associated with IMSIMD, together with RAND, to generate the secret session key (Kc).

• Then it applies Kc and the MD's public key for this service, KSP, to the binding signature BS. The output is again a binary result which, if successful, will indicate that the owner of this public key KSP is the same as the owner of the secret key K which is linked to the IMSI number, and therefore the user identity can be revealed.

3 Conclusions and further work

The aim of the system introduced above was not to provide total anonymity to the user, as this may be misused in M-Commerce applications; therefore the aim was to provide total anonymity from the point of view of the service providers only. It was described how this can be achieved through the use of various technologies such as GSM encryption methods, SSO, and PKI, with the assumption that the mobile operators are trusted entities.

We are now working on a detailed protocol to see how this system can be integrated in a web services environment to allow for more security analysis. Other issues in the system that must be looked at are the binding signature and the other cryptographic operations carried out by the mobile device, which should be analysed carefully to minimise the operational cost of the mobile device.


References

[FZ02] C. Farkas, G. Ziegler. Anonymity and Accountability in Self-organising Electronic Communities. In Proceedings of the ACM Workshop on Privacy in the Electronic Society, pages 81–90, Nov. 18-22, 2002.

[CM04] C. Mitchell (editor). Security for Mobility, IEE Telecommunications Series 51, 2004.

Secure Multi-Party Computation with Security Modules

Zinaida Benenson and Felix C. Freiling and Dogan Kesdogan

RWTH Aachen, [email protected]

Abstract. We consider the problem of secure multi-party computation (SMC) in a new model where individual processes contain a tamper-proof security module.

Keywords. secure multi-party computation, security module, tamper proof hardware

1 Secure Multi-Party Computation

In secure multi-party computation (SMC) a set of processes p1, . . . , pn, each starting with an input value xi, must compute the result of a function r = F(x1, . . . , xn) such that the individual inputs remain secret from the other processes, and such that malicious processes can neither prevent the computation from taking place nor influence r in their favour.

Definition 1.1 (secure multi-party computation) A protocol solves secure multi-party computation (SMC) if it satisfies the following properties:

• (SMC-Validity) If a process receives an F-result, then F was computed with at least the inputs of all correct processes.

• (SMC-Agreement) If some process pi receives F-result ri and some process pj receives F-result rj, then ri = rj.

• (SMC-Termination) Every correct process eventually receives an F-result.

• (SMC-Privacy) Faulty processes learn nothing about the input values of correct processes (apart from what is given away by the result r and the input values of all faulty processes).

2 Untrusted Hosts and Security Modules

We consider a system consisting of a set of processes interconnected by a synchronous communication network with secure, reliable, bidirectional channels. The processes are divided into two disjoint classes: the untrusted system, consisting of hosts, and the trusted system, consisting of security modules (Fig. 1). Every host is connected to exactly one security module. In practice, hosts represent Internet hosts and their users, whereas security modules abstract tamper-proof components of user systems (smart cards or special microprocessors), see Fig. 2.

The setting described above is formalized using distinct failure models for different parts of the system. We assume that nodes in the untrusted system can act arbitrarily, i.e., they follow the Byzantine failure model [LSP82]. For the trusted system we assume the failure model of general omission [PR03], i.e., processes can crash or fail by not sending messages or not receiving messages.


[Figure 1: Hosts and security modules. The untrusted system consists of host1, host2 and host3 (Byzantine processes); the trusted system consists of sec. mod. 1, sec. mod. 2 and sec. mod. 3 (processes with general omission); each host is attached to exactly one security module.]

[Figure 2: Internet hosts with tamper-proof hardware corresponding to Fig. 1: host1, host2, host3 with sec. mod. 1, sec. mod. 2, sec. mod. 3; physical communication links between the hosts and logical communication links (over the physical links) between the security modules.]

3 Results

We investigated the solvability of SMC in the untrusted system by relating it to the problem of uniform interactive consistency (UIC) [PR03] in the trusted system. The following theorem shows that SMC and UIC are "equivalent" in their respective worlds. Going from UIC to SMC in the proof requires the strong security properties given by the trusted hardware. In a system with n processes, we use t to denote a bound on the number of processes which may fail.

Theorem 3.1 SMC is solvable for any deterministic F in the untrusted system if and only if UIC is solvable in the associated trusted system.

Corollary 3.2 There is no solution to SMC in the untrusted system if t ≥ n/2.

In the standard model without security modules, SMC also requires a majority of honest processes [GMW87]. The most efficient solution to date [HMP00] requires communicating O(m · n^3) messages (where m roughly corresponds to the number of multiplications in F) and additionally needs O(n^2) invocations of a broadcast primitive. Thus, adding trusted hardware cannot improve the resilience of SMC. However, in the extended version of this paper [BGK05] we developed an efficient SMC protocol with message complexity O(n^3) (the message complexity no longer depends on F). Moreover, our SMC protocol is the first protocol that can be implemented with tolerable overhead. We are now implementing it using Java smart cards.

References

[BGK05] Z. Benenson, F. C. Gartner, and D. Kesdogan. Secure Multi-Party Computation with Security Modules. Sicherheit 2005 Conference, LNI 62.

[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game — a completeness theorem for protocols with honest majority. In Proceedings of the 19th ACM Symposium on the Theory of Computing (STOC).

[HMP00] M. Hirt, U. Maurer, and B. Przydatek. Efficient secure multi-party computation. In Proceedings of Asiacrypt, 2000.

[LSP82] L. Lamport, R. Shostak, and M. Pease. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3):382–401, July 1982.


[PR03] P. R. Parvedy and M. Raynal. Uniform Agreement Despite Process Omission Failures. In 17th International Parallel and Distributed Processing Symposium (IPDPS 2003). IEEE Computer Society, April 2003.

Collision attacks on processors with cache and countermeasures

Cedric Lauradoux

INRIA Rocquencourt, Projet CODES, www-rocq.inria.fr/codes/, [email protected]

Abstract. Many timing attacks have been carried out recently, especially the recent cache-timing attacks. We clarify these attacks on the AES, and we point out that they correspond to partial collision attacks. We also give several countermeasures to defeat them.

Keywords. Timing attacks, collision attacks, AES, lookup table, side channel attacks

1 Introduction

Collision attacks are a new class of side channel attacks introduced in [SWP03], which exploit internal collisions in the implementation of cryptographic primitives. Those attacks are not classical cryptographic attacks as they require side channel information like timing or power consumption. These attacks have been demonstrated on dedicated devices against several cryptographic designs [SLFP04, LMV04]. No countermeasures have been proposed yet to avoid collision attacks.

On the other hand, the cryptographic community has started to investigate timing attacks on general purpose processors [Pag02, TSS+03, Ber05]. Timing attacks on superscalar processors are possible because modern processors embed many optimization features that may induce time variations. But they are difficult to model because there is no standard specification in processor design, and many parameters have to be considered. Data collection can be done as in [Pag02, Ber05, TSS+03]. The underlying issue raised by those attacks is the following: a constant-time algorithm does not imply constant-time execution.

The aim of this paper is to clarify the recent cache-timing attacks described by Bernstein [Ber05] and by Tsunoo et al. [TSS+03]. Most notably, we show that these attacks correspond to partial collision attacks, but in the context of processors with cache. We also propose several countermeasures to defeat them.

2 AES timing analysis and cache memory

Evaluating the efficiency of an algorithm is very difficult on a superscalar processor. This is even more difficult when memory is involved. The AES algorithm can be implemented in many different ways, but the most efficient implementation ([DR02]) uses 4 KB of lookup tables. The experimental protocol used in timing attacks on superscalar processors is very simple. We first clear the cache to guarantee that no table is in the cache. Then we encrypt one data block with a constant key and measure the encryption time. The cache is cleared between any two encryptions. We obtain the timing observation given in Figure 1. The same experiment on x86 architectures leads to similar results, even if some parameters change because the x86 memory hierarchy is different.

The following questions then arise: where do the observed irregularities come from? Do they provide any information which can be exploited to mount an attack?

[Figure 1: plot of CPU cycles (80 to 240) against the number of the encrypted block (0 to 100); series: timing and average value, with the high hit rate and low hit rate regions marked]

Figure 1: Simple timing observation on a PowerPC 7457

The irregularity in the execution time is mainly due to non-constant memory access. The first Moore's law states that the number of transistors integrated in a processor doubles every 18 months. But the second Moore's law explains that the speed of memory only doubles every 10 years. It implies that the processor is usually idle most of the time, waiting for memory accesses. In order to reduce this gap, computer designers have designed a complex memory hierarchy to speed up memory accesses [HP96]. The main assumption which has motivated this design is the spatial and temporal locality of data: data may be accessed several times and in the most contiguous way possible. According to the locality principle, the memory embedded in the processor (i.e., the registers and the cache) is the fastest part.

The impact of the memory hierarchy on the execution time can be exhibited when we disable the cache by using the cr0 register. In this case, the execution time is more regular, but some particular events still appear. They are due to the buffers between the different memory levels.

Moreover, many other choices may interfere with the efficiency of the cache ([HP96, Hil87]): line size, associativity, cache size, victim buffer, pre-fetching engine, etc. Figure 2 illustrates the difficulty of observing the events occurring in a processor. We first observe a sequence of cache flushes and encryptions. When the execution time is low, we deduce that memory accesses were fast. Then we observe the same sequence several times and plot the average value for each observation. Some irregularities remain, but other events seem to be more sensitive to the execution context. Many things may affect the execution time, but some events appear to be consistent. It clearly appears from these simulations that a single observation is not enough to obtain a good understanding of the phenomena with a high confidence rate. Several executions are required to give an accurate view of what happens within the processor. It follows that chosen plaintext attacks are much more powerful in this context, since the same data can be encrypted several times, providing many observations of the same phenomenon. In known plaintext attacks, where only a single observation of each encryption is available, the observation time must be much longer.

3 Cache-timing attacks as partial collision attacks

[Figure 2: plot of CPU cycles (8000 to 12000) against the number of the encrypted block (0 to 100); series: average value over 10 observations and simple observation]

Figure 2: Average value versus simple observation on a Pentium 4

Nevertheless, the sizes of the cache and of the cache lines, and the number of fully associative subsets, are the parameters which mostly affect the running time and the power consumption. Several miss models have been proposed (see e.g. [Hil87]). There are several techniques for improving data locality in order to reduce miss penalties. Those techniques can only be applied if memory accesses are deterministic and can be determined before run time. For the programmer, the worst case is reached when data are accessed in a random way. Nothing is under control, and we can have either the best memory access pattern or the most pathological one. In this situation, we are able to mount collision attacks.

As described in [SWP03, SLFP04, LMV04], power analysis or timing analysis makes it possible to detect internal collisions within a function f, where f is either the round function of a block cipher or a subfunction of the round. In the context of an implementation on a micro-controller, we say that a partial collision occurs if, for an input word d, the Hamming distance to the resulting word d′ = f(d) is low. This definition is due to the fact that the power consumption varies greatly in this particular case.

In the context of processors with cache, our definition is quite different. Actually, we want to use the fact that we are able to determine whether only a few cache lines are accessed during an execution. Therefore, we say that a partial collision occurs when the elements addressed in the lookup table by 2 successive computations of f lie in the same cache line.

Unfortunately, a partial collision on a single encryption round cannot be detected since we observe thetiming of a complete AES encryption. Then, we are only able to detect the encryptions where partialcollisions occur in many rounds. The situation is different if we consider power analysis of a DSP, since weare able to analyze the encryption rounds separately.

4 Countermeasures

The first obvious countermeasure consists in replacing lookup tables by operations. This countermeasure is not effective on all platforms. On micro-controllers, instructions are executed sequentially and memory accesses are performed in constant time. Then, internal (partial) collisions are distinguished from normal events using power consumption, whether we choose lookup table implementations or instruction implementations for the S-boxes. In the context of a superscalar or a VLIW processor, the situation is completely different. Several operations can be fetched and computed in one cycle, and nobody can guarantee the scheduling of the instructions or where they are executed. Then, power consumption analysis is meaningless on those platforms. The main problem is that replacing lookup tables by processor instructions can have a huge cost. This solution is clearly not appropriate for applications with hard timing constraints, as in a server environment.

Now, we detail several suitable solutions for reducing the impact or defeating those attacks.

• Dummy accesses to a table can increase noise in order to decrease the ability of the opponent to distinguish timing related to the key from other timing. This technique was proposed in [Pag03]. When the dummy array is twice as large as the cache, the hit probability is 1/2. For each access to the lookup tables we make an access to the dummy array. This technique has 2 drawbacks:

– the random number generator must be fast and unbiased. A biased generator would not counter the attack.

– dummy data can interact with the lookup tables. This can create conflicting memory accesses and significant CPU idling.

• Warming up the processor may guarantee the presence of the tables in the cache. This can be efficient only for small tables, and if the size of the data is not large enough to affect the miss ratio. If an interrupt occurs during the execution and flushes the cache, then the warm-up effect is annihilated. Warm-up does not guarantee the location of the data in the cache. This solution is only a good solution for the encryption of small pieces of data.

• A collision is the relation between 2 elements that affects the timing or the power consumption of the algorithm. On superscalar processors, it corresponds to several accesses to the same cache line. Clearly, this cannot be avoided. But collision attacks can be defeated by masking the relationship between the data involved in a collision. This can be achieved by adding several implementation secret keys (these implementation keys are local parameters and must not be transmitted, since they do not influence the ciphertext). Here, each key is a parameter of a permutation of the inputs of the lookup table. Then, we access the table through the permutation. Those permutations can be implemented efficiently using another lookup table or in a different way. With those permutations, the attacker still detects the collisions, but he is not able to find the underlying relation if he does not know the permutation table. He has to perform $\binom{n}{k}$ trials, where n is the number of elements in the table and k the number of elements per cache line, to recover the composition of each line of the lookup table. For the AES table, the number of trials is more than $2^{135}$ (256 elements per table and 32 elements per L2 data cache line of a Pentium 4). But now the opponent can try to find collisions on the permutation if we use a table. It is more difficult because the size of the permutation table is smaller: n elements of size $\log_2(n)$, and we can use other methods to implement the table.

• Prefetching seems to be an interesting solution since it can improve the performance of the algorithm and confuse the attacker, as it would not be easy to distinguish a collision from something else. We try to hide memory latencies by anticipating accesses. This is completely different from the warm-up technique, as prefetching instructions are placed before and inside the encryption loop. When any interruption occurs, we have what is known in processor design as a cold start miss (the 3C model of Hill [Hil87]). By using prefetch we reduce the penalties of cold start misses.
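The cache-line notion of partial collision from Section 3 and the permuted-table countermeasure from the bullet above, as an added illustration that is not the paper's code: the table contents, the 32-element line size quoted for the Pentium 4 and the implementation key are constructed. It shows what a detected same-line collision says about two table inputs with a direct table, how a secret input permutation removes that relation while preserving every lookup result, and the $\binom{256}{32}$ trial count quoted in the text.

```python
"""Cache-line partial collisions on a 256-entry lookup table and the permuted-table
countermeasure. Added illustration (not the paper's code); all values are constructed."""
from math import comb
from random import Random
from typing import Callable, FrozenSet, List, Sequence

TABLE_SIZE = 256    # one 8-bit-indexed AES table, as in the text
LINE_ELEMS = 32     # elements per L2 cache line quoted in the text for a Pentium 4

# Constructed stand-in for an AES table (a bijection on bytes, not the real S-box).
SAMPLE_TABLE: List[int] = [(167 * x + 13) & 0xFF for x in range(TABLE_SIZE)]


def cache_line(index: int, line_elems: int = LINE_ELEMS) -> int:
    """Line holding table element `index` for a contiguous, line-aligned table."""
    return index // line_elems


def partial_collision(i: int, j: int, line_elems: int = LINE_ELEMS) -> bool:
    """The text's definition for cached processors: two successive lookups address
    elements lying in the same cache line."""
    return cache_line(i, line_elems) == cache_line(j, line_elems)


def colliding_indices(access_index: Callable[[int], int], x: int) -> FrozenSet[int]:
    """All table inputs y whose lookup shares a cache line with the lookup for x, i.e.
    what a same-line collision tells an observer about y. `access_index` maps a table
    input to the position actually addressed in memory."""
    line = cache_line(access_index(x))
    return frozenset(y for y in range(TABLE_SIZE) if cache_line(access_index(y)) == line)


class PermutedTable:
    """Countermeasure from the text: an implementation key pi (a secret permutation of
    the inputs) is applied before the lookup, so T[x] is stored at position pi(x)."""

    def __init__(self, table: Sequence[int], implementation_key: Sequence[int]) -> None:
        if sorted(implementation_key) != list(range(len(table))):
            raise ValueError("implementation key must be a permutation of the inputs")
        self.pi = list(implementation_key)
        self.storage = [0] * len(table)
        for x, value in enumerate(table):
            self.storage[self.pi[x]] = value

    def access_index(self, x: int) -> int:
        return self.pi[x]

    def lookup(self, x: int) -> int:
        return self.storage[self.pi[x]]


def direct_relation(x: int) -> FrozenSet[int]:
    """Direct table: a collision reveals that y agrees with x on the index bits above
    log2(LINE_ELEMS), i.e. (x ^ y) >> 5 == 0 with 32 elements per line."""
    return colliding_indices(lambda i: i, x)


def permuted_relation(ptable: PermutedTable, x: int) -> FrozenSet[int]:
    """Permuted table: the 32 inputs sharing x's line are fixed by the secret pi, so a
    detected collision no longer fixes x ^ y."""
    return colliding_indices(ptable.access_index, x)


def trials_to_recover_lines(n: int = TABLE_SIZE, k: int = LINE_ELEMS) -> int:
    """C(n, k): the number of trials the text gives for recovering one line's composition."""
    return comb(n, k)


def demo_key() -> List[int]:
    """Constructed implementation key; a deployment would draw it from a CSPRNG."""
    return Random(2005).sample(range(TABLE_SIZE), TABLE_SIZE)
```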

5 Conclusion

We have shown how an opponent can take advantage of the optimization mechanisms of a processor. Partial collision attacks seem quite powerful, as they apply in different contexts, in power analysis [SWP03, SLFP04] or in timing attacks [TSS+03, Ber05]. We have given several possibilities to defeat those attacks. All the countermeasures that we have proposed have a computational cost. Among all those countermeasures, the most interesting one is the permutation solution, because we can give a rigorous security argument for it.

An extended version of this paper will be published soon.

References

[Ber05] Daniel J. Bernstein. Cache-timing attacks on AES, 2005.

[DR02] Joan Daemen and Vincent Rijmen. The design of Rijndael: AES — the Advanced Encryption Standard. Springer-Verlag, 2002.

[Hil87] Mark Hill. Aspects of cache memory and instruction buffer performance. PhD thesis, Caltech, 1987.

[HP96] John Hennessy and David Patterson. Computer Architecture: A Quantitative Approach. Morgan Kaufmann Publishers, Inc., 1996.

[LMV04] Herve Ledig, Frederic Muller, and Frederic Valette. Enhancing collision attacks. In CHES 2004, LNCS 3156, pages 176–190. Springer, 2004.

[Pag02] D. Page. Theoretical use of cache memory as a cryptanalytic side-channel. Technical Report CSTR-02-003, Department of Computer Science, University of Bristol, June 2002.

[Pag03] D. Page. Defending against cache based side-channel attacks. Information Security Technical Report, 8(1):30–44, April 2003.

[Per05] Colin Percival. Cache missing for fun and profit. In BSDCan, 2005.

[SLFP04] Kai Schramm, Gregor Leander, Patrick Felke, and Christof Paar. A collision-attack on AES combining side channel- and differential-attack. In CHES 2004, LNCS 3156, pages 163–175. Springer-Verlag, 2004.

[SWP03] Kai Schramm, Thomas J. Wollinger, and Christof Paar. A new class of collision attacks and its application to DES. In FSE 2003, LNCS 2887, pages 192–205, 2003.

[TSS+03] Yukiyasu Tsunoo, Teruo Saito, Tomoyasu Suzaki, Maki Shigeri, and Hiroshi Miyauchi. Cryptanalysis of DES implemented on computers with cache. In CHES 2003, LNCS 2779, pages 62–76, 2003.

An integral cryptanalysis against a five rounds version of FOX

Marine Minier

INRIA - Rocquencourt - Projet CODES
Domaine de Voluceau-Rocquencourt
B.P. 105, 78153 LE CHESNAY CEDEX - FRANCE

[email protected]

Abstract. FOX is a new class of block ciphers designed by P. Junod and S. Vaudenay and presented at SAC'04 [JV04]. It is a modified version of the Lai-Massey scheme using an internal function based on MDS properties and a Feistel transformation. In this paper, after having generalised the integral property of FOX partially described in [JV03], we present a five-round attack against FOX64 using differential extensions of this property. This attack has a complexity equal to $2^{105}$ encryptions for a number of chosen plaintexts equal to $2^{43}$ for FOX64, and could also be applied to FOX128.

Keywords. FOX, Integral Cryptanalysis, Differential Distinguisher

1 Introduction

FOX is a new family of block ciphers proposed by P. Junod and S. Vaudenay at SAC'04, built on a modified version of the Lai-Massey scheme where a Feistel round is added, while the round function is a Substitution-Permutation. Two versions of this well-designed algorithm are described in [JV04b] with a variable number r of rounds depending on the key size: the first one, FOX64/k/r, has a block size equal to 64 bits with a variable key size k equal to $k = 8t$ with $0 \le t \le 32$ (typically t = 16, 24 or 32); the second one, FOX128/k/r, uses a block size equal to 128 bits with the same possible key lengths.

In this paper, we describe a new integral property stronger than the one proposed in the initial paper presenting the FOX family. This particular property can be used to mount a more relevant four-round distinguisher based on a differential property, and an attack against a five-round version of the FOX family.

The rest of this paper is organised as follows: Section 2 briefly summarises the FOX cipher. Section 3 presents the new three-round integral property and its extension by one round at the beginning using a differential method. Section 4 presents the four-round distinguisher deduced from it, which forms the starting point of the attack presented in the same section. Section 6 concludes this paper.

2 An outline of the FOX family ciphers

We recall that FOX64/k/r and FOX128/k/r encrypt 64-bit blocks and 128-bit blocks with a key of length k over r rounds. The recommended number of rounds is 16. The algorithm consists of the encryption function itself and a key schedule that derives r 64-bit subkeys $RK^i_{(64)}$ for FOX64, or 128-bit subkeys $RK^i_{(128)}$ for FOX128, from the master key, where i denotes the round number ($0 \le i \le r - 1$). We just give here an outline of the encryption function, the only part required for our attack.

The encryption function consists of (r − 1) iterations of the round function round64 for FOX64 and round128 for FOX128, followed by a final transformation consisting of applying the round function without the or operation.

The current block is represented by a 64-bit word $X_{(64)} = X_{0(32)} \| X_{1(32)}$ for FOX64 and by a 128-bit word $X_{(128)} = X_{0(32)} \| X_{1(32)} \| X_{2(32)} \| X_{3(32)}$ for FOX128, where $\|$ denotes the concatenation. Each 32-bit, 64-bit or 128-bit word can also be represented as a 4-byte, 8-byte or 16-byte word:

$$X_{(t \cdot 8)} = X_{0(8)} \| \cdots \| X_{(t-1)(8)}$$

with t = 4, 8 or 16 according to the byte length. We use the same notation for the subkeys, i.e., $RK^i_{(64)} = RK^i_{0(32)} \| RK^i_{1(32)}$ and $RK^i_{(128)} = RK^i_{0(64)} \| RK^i_{1(64)}$.

The round function consists of an application of the function f32 for FOX64 and of f64 for FOX128. We only describe here FOX64 and f32; for a complete description of FOX128 see [JV04]. The f32 function is embedded inside a Lai-Massey scheme: the input of the f32 function is the X-or between the two 32-bit words of the current block $X_{(64)} = X_{0(32)} \| X_{1(32)}$. Then, the output of f32 (or of f64) is X-ored with each half of the current block $X_{(t \cdot 8)}$ (see figure 1).

Finally, a simple Feistel transformation without function, called here or, is applied on the leftmost 32-bit word. If $Y_{(32)} = Y_{0(16)} \| Y_{1(16)} = or(Y'_{(32)}) = or(Y'_{0(16)} \| Y'_{1(16)})$, then $Y_{0(16)} = Y'_{1(16)}$ and $Y_{1(16)} = Y'_{0(16)} \oplus Y'_{1(16)}$.

Now, for the i-th round, we are going to study more precisely the design of $Y'_{(32)} = f32(X'_{(32)})$, chosen for its good properties of confusion and diffusion (see figure 1):

• The first transformation applied on $X'_{(32)}$ is a simple x-or operation between this value and the first half of the subkey, i.e., $RK^i_{0(32)}$.

• The second transformation is four parallel applications of an 8-bit non-linear S-box sbox on the Galois field $GF(256) \simeq GF(2)[X]/(X^8 + X^7 + X^6 + X^5 + X^4 + X^3 + 1)$, chosen for its good resistance against linear and differential cryptanalysis ($LP^{sbox}_{max} = DP^{sbox}_{max} = 2^{-4}$).

• The third transformation is a linear mapping represented by a $4 \times 4$ MDS matrix mu4, chosen for its good diffusion properties (see [DR02] or [JV04b]). The current word is represented as a byte vector over $GF(256)$ and multiplied by the matrix to obtain an output vector of the same size.

• The output of the previous transformation is then x-ored with the second half of the current subkey $RK^i_{1(32)}$.

• We then apply again four parallel applications of the sbox transformation.

• And, one more time, the output of the previous transformation is x-ored with the first half of the current subkey $RK^i_{0(32)}$ in order to strengthen the key-dependency.

[Figure 1: block diagram of round64 (input $X_{0(32)} \| X_{1(32)}$, f32 applied to their x-or under subkey $RK^i_{(64)}$, output $Y_{0(32)} \| Y_{1(32)}$ after the or function) and of f32 (x-or with $RK^i_{0(32)}$, four sbox applications on $X'_{0(8)}, \ldots, X'_{3(8)}$, mu4, x-or with $RK^i_{1(32)}$, four sbox applications, x-or with $RK^i_{0(32)}$, giving $Y'_{0(8)}, \ldots, Y'_{3(8)}$)]

Figure 1: The round function round64 and the f32 function for FOX64

3 The three rounds properties and the extension to a fourth round

From now on, we denote by $X^i_{(64)}$ the input of the i-th round function, by $X'^i_{(64)}$ the i-th input of the f32 function and by $Y'^i_{(64)}$ the corresponding output. We are now going to study a particular integral property (formalised in [KW02]) of the FOX family ciphers.

3.1 The three rounds properties

Property 1. For FOX64, if $X^0_{(64)} = X^0_{0(8)} \| \cdots \| X^0_{7(8)}$ with $X^0_{j(8)} = c_{j \bmod 4}$ for $j = 0, 1, 2, 4, 5, 6$, where $c_0, c_1, c_2$ are three different constants, and with $X^0_{3(8)} = a$ and $X^0_{7(8)} = a \oplus c_3$, where a takes all possible values between 0 and 255 and $c_3$ is another constant, then after the third round we have:

$$\bigoplus_{k=0}^{255} X^{3(k)}_{0(8)} = \bigoplus_{k=0}^{255} X^{3(k)}_{6(8)} \quad\text{and}\quad \bigoplus_{k=0}^{255} X^{3(k)}_{1(8)} = \bigoplus_{k=0}^{255} X^{3(k)}_{7(8)}.$$

This property also holds for FOX128 at 128-bit level.

3.2 Extension by one round at the beginning

Due to the particular structure of the round function, we could extend this particular property by one roundat the beginning using the following differential method for FOX64:

After the first round, we want to have the particular structure described just before (we focus from now on on the second one, with $c_3 = 0$):

$$X^1_{(64)} = X^1_{0(8)} \| \cdots \| X^1_{7(8)} = c_0 \| c_1 \| c_2 \| a \| c_0 \| c_1 \| c_2 \| a.$$

Just before the or function, this expression is equivalent to $c_0 \oplus c_2 \| a \oplus c_1 \| c_0 \| c_1 \| c_0 \| c_1 \| c_2 \| a$. So, due to the structure of the Lai-Massey scheme, we need to obtain on the one hand:

$$X^0_{0(32)} \oplus (Y'^0_{0(8)} \| Y'^0_{1(8)} \| Y'^0_{2(8)} \| Y'^0_{3(8)}) = c_0 \oplus c_2 \| a \oplus c_1 \| c_0 \| c_1$$

where $Y'^0_{(64)}$ denotes the output of f32, and

$$X^0_{1(32)} \oplus (Y'^0_{0(8)} \| Y'^0_{1(8)} \| Y'^0_{2(8)} \| Y'^0_{3(8)}) = c_0 \| c_1 \| c_2 \| a.$$

Those equations give: $X^0_{0(32)} \oplus X^0_{1(32)} = c_2 \| a \| c_0 \oplus c_2 \| a \oplus c_1$.

And on the other hand:

$$X^0_{0(32)} \oplus X^0_{1(32)} = (X'^0_{0(8)} \| X'^0_{1(8)} \| X'^0_{2(8)} \| X'^0_{3(8)}).$$

So, in summary, we have: $X'^0_{0(8)} = c_2$, $X'^0_{1(8)} = a$, $X'^0_{2(8)} = c_0 \oplus c_2$, $X'^0_{3(8)} = a \oplus c_1$. This particular property also holds for FOX128.
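The Lai-Massey round structure of Section 2 and the backward derivation just given, as an added illustration that is not the author's code: toy_f32 is a constructed stand-in for f32 (the derivation only uses the or orthomorphism and the fact that the f32 output is x-ored into both halves, so it holds for any f32), and the constants and round key in the test are arbitrary.

```python
"""FOX64 round structure (Lai-Massey with the `or` orthomorphism) and the Section 3.2
derivation. Added illustration, not the author's code; toy_f32 is NOT the FOX f32."""
from typing import Sequence

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def or_transform(y: int) -> int:
    """or(Y'0 || Y'1) = Y'1 || (Y'0 xor Y'1) on 16-bit halves, as in the text."""
    y0, y1 = y >> 16, y & MASK16
    return (y1 << 16) | (y0 ^ y1)


def or_inverse(y: int) -> int:
    """Inverse: from Y0 || Y1 recover Y'1 = Y0 and Y'0 = Y1 xor Y0."""
    y0, y1 = y >> 16, y & MASK16
    return ((y0 ^ y1) << 16) | y0


def toy_f32(x: int, rk: int) -> int:
    """Constructed stand-in for f32 (not the FOX function). Any 32-bit map works below."""
    x = (x ^ rk) & MASK32
    x = ((x * 0x9E3779B1) & MASK32) ^ (x >> 13)
    return (x * 0x85EBCA6B) & MASK32


def round64(x: int, rk: int, last: bool = False) -> int:
    """One FOX64 round: Y' = f32(X0 xor X1); xor Y' into both halves; apply `or` to
    the left half (skipped in the final transformation, as the text describes)."""
    x0, x1 = x >> 32, x & MASK32
    y = toy_f32(x0 ^ x1, rk)
    x0 ^= y
    x1 ^= y
    if not last:
        x0 = or_transform(x0)
    return (x0 << 32) | x1


def word32(bs: Sequence[int]) -> int:
    """Concatenate four bytes, most significant first, into a 32-bit word."""
    return int.from_bytes(bytes(bs), "big")


def target_after_round1(c0: int, c1: int, c2: int, a: int) -> int:
    """The Property 1 structure with c3 = 0: X^1 = c0||c1||c2||a||c0||c1||c2||a."""
    half = word32([c0, c1, c2, a])
    return (half << 32) | half


def required_f32_input(c0: int, c1: int, c2: int, a: int) -> int:
    """Section 3.2 worked backwards: undo `or` on the left half of X^1 and xor the two
    halves. The unknown f32 output Y'^0 cancels, so X'^0 = X^0_0 xor X^0_1 is forced
    to c2 || a || c0^c2 || a^c1."""
    half = word32([c0, c1, c2, a])
    return or_inverse(half) ^ half


def plaintext_for_structure(c0: int, c1: int, c2: int, a: int, rk: int) -> int:
    """A plaintext X^0 that the first round maps onto the Property 1 structure. The
    xor of the halves is key-independent; X^0_0 itself needs the round key via f32."""
    half = word32([c0, c1, c2, a])
    x_prime = required_f32_input(c0, c1, c2, a)
    y = toy_f32(x_prime, rk)
    x0 = or_inverse(half) ^ y
    x1 = x0 ^ x_prime
    return (x0 << 32) | x1
```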

4 A five rounds attack

4.1 The four rounds distinguisher

So, from the previous property, we can build a four-round differential distinguisher using an integral property. Indeed, for FOX64, the probability of finding plaintexts such that $X^0_{0(32)} \oplus X^0_{1(32)} = c_2 \| a \| c_0 \oplus c_2 \| a \oplus c_1$ (here we restrict ourselves to the case where $c_0 = c_1 = c_2 = 0$) for all possible values of a between 0 and 255 that give, after four rounds,

$$\bigoplus_{a=0}^{255} X^{4(a)}_{0(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{6(8)} \quad\text{and}\quad \bigoplus_{a=0}^{255} X^{4(a)}_{1(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{7(8)}$$

is $p = 2^{-32}$. The corresponding probability for a random permutation to have two such equalities is about $p^* = ((2^{-1})^8)^2 = 2^{-16}$. Then, the distinguishing probability is $|p - p^*| = \frac{1}{2} - 2^{-32}$. So, if we test all the $2^{32}$ possible values for $X^0_{0(32)}$, the probability of distinguishing the four-round encryption function of FOX64 from a random permutation is near 1. The same corresponding probability holds for FOX128: $p = 2^{-64}$, $p^* = 2^{-32}$ and then $|p - p^*| = \frac{1}{2} - 2^{-64}$.

As mentioned just before, and to improve the complexity of our four-round distinguisher, we restrict ourselves to the case where $X^0_{0(32)} \oplus X^0_{1(32)} = (0 \| a \| 0 \| a)$. The number of such plaintexts with a fixed value of a is $2^{32}$, so the total number of plaintexts to test is $2^{40}$. The four-round distinguisher works as follows:

• For each of the $2^{32}$ possible values of the plaintext half $X^0_{0(32)}$, compute the corresponding ciphertexts for all the 256 plaintexts of the form $X^0_{0(32)} \oplus X^0_{1(32)} = (0 \| a \| 0 \| a)$ with $a = 0, \ldots, 255$, and compute after four rounds $\bigoplus_{a=0}^{255} X^{4(a)}_{(64)}$.

• Test if $\bigoplus_{a=0}^{255} X^{4(a)}_{0(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{6(8)}$. If yes, test if $\bigoplus_{a=0}^{255} X^{4(a)}_{1(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{7(8)}$.

The computations made at the second step and at the third step (256 x-or operations and one or two equality tests) are less expensive than a FOX64 encryption, so the complexity of this distinguisher is about $2^{41}$ FOX64 encryptions and the memory needed is about $2^{34}$ bytes.

The same distinguisher could be mounted against FOX128.

4.2 The five rounds attack

We can extend the previous four-round distinguisher by one round at the end, using an exhaustive search on the fifth subkey $RK^5$, which permits us to entirely recover this subkey and provides some information bits on the key material.

We can use the following algorithm, with a large amount of pre-computation, to improve the key exhaustive search:

First step: cipher the $2^{40}$ chosen plaintexts for all possible values of a, sorted according to the $X^0_{0(32)}$ value, and store the corresponding ciphertexts $X^{5(a)}_{(64)}$.

Second step: key exhaustive search.
For all possible values of the subkey $RK^5_{(64)}$ do
    For each value of $X^{5(a)}_{(64)}$, for a between 0 and 255, compute the corresponding value of $X^{4(a)}_{(64)}$ by deciphering one round.
    Test if $\bigoplus_{a=0}^{255} X^{4(a)}_{0(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{6(8)}$.
    If equality then test if $\bigoplus_{a=0}^{255} X^{4(a)}_{1(8)} = \bigoplus_{a=0}^{255} X^{4(a)}_{7(8)}$.
    End If
End For

In this key exhaustive search, the complexity of the first pre-computation phase is about $2^{40}$ FOX64 executions and the memory required is about $2^{43}$ bytes.

The computations made in the second step are, for each key value, less expensive than 64 FOX64 encryptions (256 partial decryptions, an x-or on 256 values and at most 2 tests). So, the total complexity of the algorithm is about $2^{102}$ FOX64 executions and requires $2^{43}$ bytes of memory.

In order to avoid false alarms (bad keys that pass the test successfully), we can repeat this attack for other values of the quartet of constants $(c_0, c_1, c_2, c_3)$ instead of taking only the null value. The number of quartets of constants needed is in direct relation with the signal-to-noise ratio, here equal to $S/N = \frac{p - p^*}{p^*} \approx 2^{15} \gg 1$. So, the required number of different quartets of constants is about 6. We claim that taking 8 such sets in the first step is enough to find the good key and eliminate the false alarms.

So the complexity of this five-round cryptanalysis is finally about $2^{105}$ FOX64 encryptions for an amount of memory equal to $2^{46}$ bytes. This five-round attack is more efficient than a key exhaustive search for k = 128, 192 or 256 bits, and than the integral cryptanalysis described in [JV04b].

We can build the same sort of attack for FOX128 with $2^3$ sets. The complexity of the precomputation step is about $2^3 \times 2^{72} = 2^{75}$ FOX128 encryptions; the complexity of the second step is then about $2^3 \times 2^{128} \times 64 \times 2^{64} = 2^{201}$ FOX128 encryptions. The required amount of memory is $8 \times 2^{72} \times 16 = 2^{79}$ bytes.

So this attack stays less expensive than a key exhaustive search for k = 256 bits.

5 Conclusion

We have shown that we can use an integral property embedded in a differential distinguisher to build cryptanalyses against five-round versions of FOX64 and FOX128 faster than exhaustive key search. Those attacks are also the first known against the well-designed family of block ciphers FOX.

References

[DR02] J. Daemen, V. Rijmen, “The Design of Rijndael”, book, Springer-Verlag, 2002.

[JV03] P. Junod and S. Vaudenay, “FOX Specifications Version 1.0”. Technical Report, EPFL/IC/2003/82, Ecole Polytechnique Federale, Lausanne, 2003. Available at http://lasecwww.epfl.ch/pub/lasec/doc/JV03b.pdf

[JV04] P. Junod and S. Vaudenay, “FOX: A New Family of Block Ciphers”. To appear in the proceedings of SAC'04, Lecture Notes in Computer Science, Springer-Verlag.

[JV04b] P. Junod, S. Vaudenay, “Perfect diffusion primitives for block ciphers - building efficient MDS matrices”, to appear in the proceedings of Selected Areas in Cryptography (SAC'04), August 9-10, 2004, Waterloo, Canada, Lecture Notes in Computer Science, Springer-Verlag.

[KW02] L. Knudsen and D. Wagner, “Integral Cryptanalysis”. In Fast Software Encryption'02, pp. 117-127, LNCS 2365, Springer-Verlag, Leuven, February 2002.

[Vau99] S. Vaudenay, “On the Lai-Massey Scheme”. In Advances in Cryptology ASIACRYPT'99, Singapore, Lecture Notes in Computer Science No. 1716, pp 9-19, Springer-Verlag, 2000.

The 2-adic Summation-Shrinking Generator

Borislav Stoyanov

Faculty of Computer Informatics, Shumen University, Shumen, Bulgaria

[email protected]

Abstract. We introduce a new cryptographic 2-adic Summation-Shrinking generator (2SumSG), combining the 2-Feedback with Carry Shift Registers (2FCSRs), the 2-adic Summation generator and the Shrinking generator. This pseudorandom generator (PRG) appears to be secure. The paper describes its scheme, period, complexity, implementation and statistical testing.

Keywords. 2-Feedback With Carry Shift Registers, Shrinking Generator, 2-adic Summation Generator

1 Construction, Period and Linear Complexity

The basic principles of the 2SumSG are explained with Fig. 1.

[Figure 1: block diagram. The 2FCSRs R01, ..., R0n are summed (Σ, with carry memory m0) to give the control bit b_i; the 2FCSRs R11, ..., R1n are summed (Σ, with carry memory m1) to give a_i; all registers share one clock. If b_i = 1, a_i is output; if b_i = 0, a_i is discarded.]

Figure 1: 2-adic Summation-Shrinking Generator

As shown, the 2-adic Summation generator [KG94] $R_0$ selects a portion of the output sequence of another 2-adic Summation generator $R_1$. Each of them consists of $n \ge 2$ 2FCSRs [CKM94], depicted as $R_{01} \div R_{0n}$ and $R_{11} \div R_{1n}$. Therefore, the produced keystream is a shrunken and mixed version of the output sequences $a_i$, $i = 1, 2, 3, \ldots$ of the 2-adic Summation generator $R_1$. Let us first choose $n \ge 2$. Then the algorithm consists of the following steps:

(1) All 2FCSRs $R_{01} \div R_{0n}$ and $R_{11} \div R_{1n}$ are clocked.

(2) If the 2-adic output of $R_0$ is $b_i = 1$, the output bit $a_i$ forms part of the keystream. Otherwise, if the output of $R_0$ is $b_i = 0$, the output bit $a_i$ is discarded.

The 2SumSG is a simple variant of the N-adic Summation-Shrinking generator (NSumSG) [BTS04], [TBS05], where the controlling N-adic Summation generator selects portions of N − 1 2-adic Summation generators. All Summation generators consist of only 2 NFCSRs [Xu00]. The two PRGs are the same only when n = N = 2.

Let $d_{01}, \ldots, d_{0n}, d_{11}, \ldots, d_{1n}$ be strong 2-prime connection numbers [KG94], [SL+00] for the 2FCSRs $R_{01} \div R_{0n}$ and $R_{11} \div R_{1n}$. Then, from [KG94],

$$T_0 = \frac{(d_{01} - 1) \cdots (d_{0n} - 1)}{\gcd((d_{01} - 1) \cdots (d_{0n} - 1))} \quad\text{and}\quad T_1 = \frac{(d_{11} - 1) \cdots (d_{1n} - 1)}{\gcd((d_{11} - 1) \cdots (d_{1n} - 1))}$$

are the periods of $R_0$ and $R_1$. The period $S_n$ of the 2SumSG will be

$$S_n = \frac{T_0^* \, T_1}{\gcd(T_0, T_1)}$$

[CKM94], where $T_0^*$ is the total number of ones of $R_0$. The linear complexity of the 2SumSG is greater than or equal to $\log_2(S_n + 1)$ [BP82].
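The construction just described, as an added illustration that is not the author's p_adic implementation: a Fibonacci 2FCSR with carry memory, the 2-adic Summation generator as carry-propagating addition of the register outputs, the shrinking selection by $R_0$, and a check of the period formula on a small $R_0$. The connection integers 11 and 5 (strong 2-primes, register periods 10 and 4), the integers 13 and 59 for $R_1$, and all seeds are constructed choices.

```python
"""2-adic Summation-Shrinking generator (2SumSG) model. Added illustration, not the
author's p_adic implementation; connection integers and seeds are constructed."""
from functools import reduce
from math import gcd
from typing import List, Sequence


class FCSR2:
    """Fibonacci 2FCSR (Klapper-Goresky) with odd connection integer q.

    q + 1 = sum_{k=1..r} q_k 2^k fixes the taps (the k with q_k = 1). Each clock forms
    sigma = sum(q_k * a_{n-k}) + memory, emits a_n = sigma mod 2 and keeps the carry
    memory = sigma div 2. The output is the 2-adic expansion of some p/q, so its period
    divides ord_q(2), which is q - 1 for a strong 2-prime q."""

    def __init__(self, q: int, seed_bits: Sequence[int], memory: int = 0) -> None:
        if q % 2 == 0:
            raise ValueError("connection integer must be odd")
        self.taps = [k for k in range(1, (q + 1).bit_length()) if (q + 1) >> k & 1]
        self.r = max(self.taps)
        if len(seed_bits) != self.r:
            raise ValueError(f"seed must have {self.r} bits for q={q}")
        self.bits: List[int] = [b & 1 for b in seed_bits]  # bits[-k] holds a_{n-k}
        self.m = memory

    def clock(self) -> int:
        sigma = sum(self.bits[-k] for k in self.taps) + self.m
        out = sigma & 1
        self.m = sigma >> 1
        self.bits = self.bits[1:] + [out]
        return out


class Summation2:
    """2-adic Summation generator: adds the n register outputs as 2-adic integers, i.e.
    bit by bit with a carry kept between clocks (the memory m0 / m1 of the figure)."""

    def __init__(self, registers: Sequence[FCSR2]) -> None:
        if len(registers) < 2:
            raise ValueError("the construction uses n >= 2 registers")
        self.regs = list(registers)
        self.carry = 0

    def clock(self) -> int:
        s = sum(reg.clock() for reg in self.regs) + self.carry
        self.carry = s >> 1
        return s & 1


def sum_shrink(control: Summation2, data: Summation2, nbits: int,
               max_clocks: int = 1 << 20) -> List[int]:
    """2SumSG keystream: clock R0 (control) and R1 (data) together and keep a_i only
    when b_i = 1. The clock bound guards against a degenerate all-zero control."""
    out: List[int] = []
    clocks = 0
    while len(out) < nbits:
        if clocks >= max_clocks:
            raise RuntimeError("control generator produced too few ones")
        clocks += 1
        b = control.clock()
        a = data.clock()
        if b:
            out.append(a)
    return out


def minimal_period(seq: Sequence[int]) -> int:
    """Smallest t with seq[i] == seq[i + t] across the whole window (0 if none)."""
    n = len(seq)
    for t in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + t] for i in range(n - t)):
            return t
    return 0


def summation_period(connection_numbers: Sequence[int]) -> int:
    """Period formula quoted in the text: prod(d - 1) / gcd of the (d - 1)."""
    factors = [d - 1 for d in connection_numbers]
    return reduce(lambda x, y: x * y, factors) // reduce(gcd, factors)


def sumsg_period(t0_ones: int, t0: int, t1: int) -> int:
    """S_n = T0* . T1 / gcd(T0, T1) from the text; T0* counts the ones in one period of R0."""
    return t0_ones * t1 // gcd(t0, t1)


def register_sequence(q: int, seed: Sequence[int], nbits: int) -> List[int]:
    reg = FCSR2(q, seed)
    return [reg.clock() for _ in range(nbits)]


def control_r0() -> Summation2:
    # Constructed R0: strong 2-primes 11 and 5 (register periods 10 and 4).
    return Summation2([FCSR2(11, [1, 0, 1]), FCSR2(5, [1, 1])])


def data_r1() -> Summation2:
    # Constructed R1: connection integers 13 and 59.
    return Summation2([FCSR2(13, [1, 1, 0]), FCSR2(59, [1, 0, 0, 1, 1])])


def r0_period(warmup: int = 40, window: int = 160) -> int:
    """Measured period of R0 after discarding the short transient of the 2-adic sum;
    it should match summation_period([11, 5])."""
    r0 = control_r0()
    seq = [r0.clock() for _ in range(warmup + window)][warmup:]
    return minimal_period(seq)


def keystream(nbits: int = 64) -> List[int]:
    return sum_shrink(control_r0(), data_r1(), nbits)
```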

2 Implementation and Statistical analysis

The 2SumSG is implemented with the class p_adic [SBZ04], with n = 3. In this configuration, 1000 sequences of 1000000 bits each were generated. The seed was changed for every single sequence. We applied the NIST suite [RS+01] to the output file. It completely passed all 16 tests with their proportions and p-values.

We have described, analyzed and statistically tested the new 2SumSG. We consider this PRG useful for stochastic simulations and cryptographic applications.

References

[BTS04] Bedzhev B. Y., Zh. N. Tasheva, B. P. Stoyanov. Summation-Shrinking Generator. International Conference “Information Technologies and Security” (ITS - 2004), 22-26 June 2004, Partenit, Crimea, Ukraine, pp. 119-127.

[BP82] Beker H., F. Piper. Cipher Systems: The Protection of Communications. New York: van Nostrand Reinhold, 1982.

[CKM94] Coppersmith D., H. Krawczyk, Y. Mansour. The Shrinking Generator. Proceedings of Crypto 93, Springer-Verlag, 1994, pp. 22-39.

[KG94] Klapper A., M. Goresky. 2-adic Shift Register. Fast Software Encryption, Second International Workshop. (LNCS, vol. 950, Springer Verlag, N. Y., 1994.) pp. 174-178.

[RS+01] Rukhin A., J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, J. Dray, S. Vo. A Statistical Test Suite for Random and Pseudo-Random Number Generators for Cryptographic Application. NIST Special Publication 800-22 (with revision May 15, 2001).

[SL+00] Seo Ch., S. Lee, Y. Sung, K. Han, S. Kim. A Lower Bound on the Linear Span of an FCSR. IEEE Transactions on Information Theory, IT-46(2):691–693, March 2000.

[SBZ04] Stoyanov B. P., B. Y. Bedzhev, Zh. S. Zhekov. Computation Model of p-adic Arithmetic. XXXIX International Scientific Conference on Information, Communication and Energy Systems and Technologies, ICEST 2004, 16-19 June 2004, Bitola, Macedonia, pp. 341-344.

[TBS05] Tasheva Zh. N., B. Y. Bedzhev, B. P. Stoyanov. N-adic Summation-Shrinking Generator. Basic properties and empirical evidence, http://eprint.iacr.org/2005/068.

[Xu00] Xu J. Stream Cipher Analysis Based on FCSRs. PhD Diss., Univ. of Kentucky, 2000, http://cs.engr.uky.edu/etd/theses/uky-cocs-2000-d-002/xu.ps.


Simplified Hardness Proofs in the Generic Group Model

Endre Bangerter Andy Rupp Ahmad-Reza Sadeghi

Ruhr-Universität Bochum, http://www.crypto.rub.de/

{endre, arupp, sadeghi}@crypto.rub.de

Abstract. The generic group model (GGM) is an essential tool for analyzing the computational hardness of the algebraic problems used in cryptography. Although the hardness proofs done so far within this model exhibit strong similarities, in the absence of some kind of "master theorem" the computational intractability of every newly introduced problem needs to be proven from scratch. Doing such a proof can easily become a complicated and cumbersome task, depending on the complexity of the "problem setting". Thus, the goal of our ongoing work is to determine efficiently verifiable criteria which, if met by a problem, ideally imply its hardness in the GGM or at least allow one to skip the main parts of a rigorous proof within a general proof framework.

Keywords. Provable Security, Generic Group Model.

1 Generic Group Model

In the generic group model, introduced by Shoup [Sho97], one considers the success probability of a special class of attackers, so-called generic algorithms, which do not exploit any special properties of the encodings of group elements in order to solve an instance of a cryptographic problem.[5] This restriction on the abilities of an attacker is modelled by allowing only indirect access to a group through an oracle which provides a restricted set of operations on group elements. For instance, in Shoup's original model generic algorithms for solving the DL and related problems are only allowed to apply the group action, invert group elements and do equality tests.

Since there is no rigorous evidence for the validity of the hardness assumptions made in cryptography, it seems good practice to prove them under the restrictions of the generic group model. This model is especially useful for providing preliminary evidence for the hardness of new computational/decisional problems that cannot be reduced to standard problems (which are believed to be hard). However, one should keep in mind that a problem which is provably hard in the GGM is not necessarily hard in any particular instantiation of a group, where an adversary is given the specific representation of group elements (see [Den02] for a concrete example).

2 Problem and Work

Over the years many new interesting cryptographic systems have been proposed whose security relies on novel non-standard assumptions. These assumptions tend to be based on quite complex "problem settings", i.e., they involve multiple different groups, adversaries are allowed to perform operations in addition to those of Shoup's original model, etc. Since no easily verifiable criteria are known so far that allow one to check the hardness of algebraic problems within the GGM, one has to do a hardness proof from scratch for every new problem. In order not to weaken the significance of such a proof, one should extend the model to accurately reflect the problem setting. In particular, all operations allowed (explicitly or implicitly) by the problem setting should also be available within the model. But in doing so a (strict) proof can easily become a complex task.

The goal of our ongoing work is to tame the complexity of hardness proofs in the generic group model. To have a common basis for our analysis we considered it necessary first to develop a general framework for rigorous proofs in this model. This was due to the fact that although the overall structure of all proofs we are aware of is the same, they vary in detail and strictness, authors use different variants of the model, different arguments, etc., which hampers comparisons and analyses. A proof following our framework mainly consists of four steps:

1. Set up the model (real world). As the first step one has to feed the problem setting into the model. Here we have two parties O and M, where M is a probabilistic TM (the generic algorithm) with access to an oracle O. O provides M with all operations allowed in the problem setting, but without revealing the specific representation of the involved group(s). In doing so we follow a variant of the GGM introduced by Maurer [Mau00], where group elements are represented by integers indexing computed elements, i.e., M receives integers that index computed group elements, which O stores in certain lists (one list per group). M can perform an operation on specific elements by issuing a query specifying the respective list indices. Moreover, O is responsible for setting up a problem instance, i.e., it makes the secret random choices and stores the initial inputs to M in the respective list(s).

2. Set up the simulation (simulated world). Here one sets up an oracle O′ that behaves in almost all cases like O (i.e., their "behaviour" is computationally indistinguishable) but without knowing the secret choices. This is done by letting O′ introduce a new variable X_i for every group element that would normally be chosen at random within the real world. Thus, for instance, O′ would operate on the group G′ := (Z_n[X_1, …, X_m], +) if O operates on the cyclic group G := (Z_n, +). A relation between computations in the two worlds is established by using evaluation homomorphisms. For instance, above we would define the homomorphisms ϕ_t : G′ → G, ϕ_t(P) = P(X_1 = r_1, …, X_m = r_m), where t = (r_1, …, r_m) are the random choices made during a computation in the real world. The success event of M within the simulated world is defined in a natural way using these mappings.

3. Prove the central relation between the simulated and the real world. Here we show that for our constructions O and O′ the central relation Pr(S) ≤ Pr(S′) + Pr(¬K) holds, where Pr(S) resp. Pr(S′) denotes the success probability of M within the real resp. simulated world and Pr(¬K) the probability that the simulation fails (i.e., the behaviour of O′ differs from that of O). For this purpose one "simply" has to show that S ∩ K = S′ ∩ K holds. This is the main part of the proof, since its complexity is strongly related to the complexity of the problem setting.

4. Show that the bounds in the simulated world are negligible. In the last proof step one exploits the advantage that within the simulated world it is easy to determine upper bounds on Pr(S′) and Pr(¬K). The essential idea for establishing a bound on Pr(¬K) is that the simulation fails if and only if two elements computed during the simulation that are unequal over the polynomial ring become equal under the evaluation homomorphisms. The key observation for establishing a bound on Pr(S′) is that all computations in the simulated world are independent of the secret choices, and thus M cannot derive any information about the secrets at all; it can only guess the right solution. Finally, it is shown that Pr(S′) and Pr(¬K) are negligible, which implies that Pr(S) is negligible. Hence the hardness property follows.

[5] These algorithms can therefore be used to solve the problems they are intended for within every instantiation of a group.
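The four steps above, as an added toy instance for the discrete logarithm problem in (Z_p, +) (constructed here; not the authors' framework code): O stores group elements behind list indices and knows the secret x, O′ stores degree-one polynomials a + bX over Z_p instead, ϕ_t evaluates X := x, and one fixed generic algorithm is run against both. Because O′ never sees x, its whole list is known before x is chosen, so Pr(¬K) can be computed exactly by counting the x for which two distinct polynomials collide, and compared with the union bound (number of distinct pairs)/p that follows from two distinct degree-one polynomials agreeing on at most one point (the Lemma 1 of [Sho97] style bound). The generic algorithm, the prime p and the seed are illustrative choices.

```python
"""Toy instance of the GGM proof framework for DL in (Z_p, +) (added example).

Constructed for illustration; not the authors' code. Indices, lists and the
evaluation homomorphism follow the Maurer-style description in the text.
"""
import random
from itertools import combinations
from typing import List, Tuple

Poly = Tuple[int, int]   # a + b*X over Z_p; degree one is all DL needs


class RealOracle:
    """O: knows the secret x, keeps the real group elements, hands out indices."""

    def __init__(self, p: int, x: int) -> None:
        self.p = p
        self.L: List[int] = [1 % p, x % p]      # inputs to M: the generator 1 and x
        self.transcript: List[bool] = []        # answers to equality queries

    def add(self, i: int, j: int) -> int:
        self.L.append((self.L[i] + self.L[j]) % self.p)
        return len(self.L) - 1

    def equal(self, i: int, j: int) -> bool:
        ans = self.L[i] == self.L[j]
        self.transcript.append(ans)
        return ans


class SimOracle:
    """O': same interface, but the random choice x is replaced by the variable X."""

    def __init__(self, p: int) -> None:
        self.p = p
        self.L: List[Poly] = [(1, 0), (0, 1)]   # the polynomials 1 and X
        self.transcript: List[bool] = []

    def add(self, i: int, j: int) -> int:
        (a, b), (c, d) = self.L[i], self.L[j]
        self.L.append(((a + c) % self.p, (b + d) % self.p))
        return len(self.L) - 1

    def equal(self, i: int, j: int) -> bool:
        ans = self.L[i] == self.L[j]            # equality in Z_p[X], not in Z_p
        self.transcript.append(ans)
        return ans


def eval_hom(poly: Poly, x: int, p: int) -> int:
    """phi_t : Z_p[X] -> Z_p with t = (x), i.e. X := x."""
    a, b = poly
    return (a + b * x) % p


def generic_algorithm(oracle, seed: int, m: int) -> int:
    """A deliberately naive generic algorithm M: m random additions, each followed
    by an equality test, then a guess for x. It only ever sees indices and answers."""
    rng = random.Random(seed)
    size = 2
    for _ in range(m):
        k = oracle.add(rng.randrange(size), rng.randrange(size))
        size += 1
        oracle.equal(k, rng.randrange(size))
    return rng.randrange(oracle.p)


def simulation_succeeds(polys: List[Poly], x: int, p: int) -> bool:
    """Event K: no two distinct polynomials in L' collide under phi_t."""
    return all(eval_hom(u, x, p) != eval_hom(v, x, p)
               for u, v in combinations(polys, 2) if u != v)


def lists_agree(p: int, x: int, seed: int, m: int) -> bool:
    """phi_t(L'_j) = L_j for every j when M issues the same queries to O and O'."""
    real, sim = RealOracle(p, x), SimOracle(p)
    generic_algorithm(real, seed, m)
    generic_algorithm(sim, seed, m)
    return [eval_hom(u, x, p) for u in sim.L] == real.L


def failure_probability(p: int, seed: int, m: int) -> Tuple[float, float]:
    """Exact Pr(not K) over uniform x in Z_p, and the union bound (#distinct pairs)/p:
    two distinct degree-one polynomials agree on at most one x."""
    sim = SimOracle(p)
    generic_algorithm(sim, seed, m)             # L' does not depend on x at all
    distinct_pairs = sum(1 for u, v in combinations(sim.L, 2) if u != v)
    bad = sum(1 for x in range(p) if not simulation_succeeds(sim.L, x, p))
    return bad / p, distinct_pairs / p


if __name__ == "__main__":
    pr_fail, bound = failure_probability(p=1009, seed=7, m=8)
    print(f"Pr(not K) = {pr_fail:.4f} <= union bound {bound:.4f}")
```

Step 3 is visible in the transcripts: whenever K holds for the chosen x, the real and simulated oracles answer every equality query identically, so M behaves the same in both worlds.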

We have already proven the hardness of several problems within this framework. In spite of the diversity of their problem settings, the proofs proceed very similarly. By analyzing these similarities we were able to identify the common key parts of hardness proofs within the GGM. One of these parts is a substep of the proof of S ∩ K = S′ ∩ K (Step 3) in which it is shown that, if the simulation succeeds, the lists L′_j and L_j of computed elements maintained by O′ and O are equal under the evaluation homomorphisms ϕ_j^t, i.e., ∀j : ϕ_j^t(L′_j) = L_j. Another key part consists in the determination of an upper bound on Pr(¬K) (Step 4), in which always the same kind of approximation (using Lemma 1 in [Sho97]) can be applied.

Now the goal is to derive sufficient conditions for the hardness of "general classes of algebraic problems" by considering these key parts. For this purpose we will work on the determination and formalization of such problem classes and their settings, e.g., by extending the ideas in [SS01]. Afterwards we will formulate our proof framework for this general case in order to finally prove the hardness of problem classes fulfilling the derived conditions in our framework. As a result of this work, future hardness proofs for most problems should ideally consist in just showing that their settings satisfy some simple properties.


References

[Den02] A. W. Dent. Adapting the weaknesses of the random oracle model to the generic group model. In Advances in Cryptology: Proceedings of ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, pages 100-109, Springer-Verlag, 2002.

[Mau00] U. Maurer. Index search, discrete logarithms, and Diffie-Hellman, October 2000. MSRI Number-theoretic cryptography workshop, Mathematical Sciences Research Institute (MSRI), Berkeley.

[Sho97] V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology: Proceedings of EUROCRYPT 1997, volume 1233 of Lecture Notes in Computer Science, pages 256-266, Springer-Verlag, 1997.

[SS01] A. Sadeghi and M. Steiner. Assumptions related to discrete logarithms: Why subtleties make a real difference. In Advances in Cryptology: Proceedings of EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 243-260, Springer-Verlag, 2001.

Applications of Partial Hiding in RSA

Eabhnat Ní Fhloinn and Michael Purser

School of Mathematics, Trinity College Dublin, Ireland
http://www.maths.tcd.ie/~evoflynn/

Abstract. This paper explores the possibility of exposing sections of the private key in RSA without jeopardising the security of the overall system. Previous work has focused on inadvertent exposure; we look instead at the advantages of deliberate disclosure and so term our scheme "partial hiding". Making significant segments of the key publicly available greatly reduces the amount of data which must be securely hidden, allowing us to use biometric readings to protect the key. We suggest the use of iris recognition for this purpose.

Keywords. Partial key exposure, Partial hiding, RSA, Iris recognition, Biometrics

1 Biometric Identification

A biometric measures an individual's unique physical or behavioural characteristics for recognition or authentication purposes. Iris recognition is emerging as an accurate and reliable form of personal identification, and we wish to use it to securely protect the private key in RSA, for example by using the exclusive-OR (XOR) operation to combine an iris scan and the key. However, the most well-known iris recognition algorithm [D93] can only produce 2048 bits of data, of which at most 1600 are uncorrupted. Given that an RSA modulus size of n = 2048 is recommended for the most secure applications, there is insufficient data in an iris scan to XOR directly with such a key. Therefore, we consider making sections of the private key publicly available, while using the iris scan to securely protect the secret portions.

2 Partial Hiding in RSA

We let N = pq be an RSA modulus of size n = 2048 bits, with p and q each 1024 bits long, and e = 2^16 + 1. From [BDF98, p. 6], the most significant 1024 bits of the private key d are automatically leaked in low-exponent RSA such as this, without affecting the system's security. We base our system on an adaptation of that proposed by [SZ01], setting the m least significant bits (LSBs) of p and q to be equal. They show that if low-exponent RSA in this form is secure with no bits exposed, then it is secure if up to 2m LSBs are exposed. Thus, if we let

$$m = \frac{n}{4}(1 - \varepsilon), \qquad (8)$$

with small ε in a secure system, we can expose the n/2 (= 1024) MSBs of d and the (n/2)(1 − ε) (= 1024 − 1024ε) LSBs of d and still have a secure system.

We must now determine the optimum value for ε. We want ε < 0.5, as there is a considerable reduction in the cost of computation if this is true [SZ01]. However, we also need to ensure that 2^y is too large to exhaustively search for the y unknown bits of p or q, where y = εn/4.

Based on Silverman's estimates [S01] of the cost of breaking cryptographic keys, with a budget of $10 million, 2^56 takes less than 5 minutes to crack; 2^80 takes 600 months; 2^96 takes 3 million years; 2^128 takes 10^16 years. Therefore we reject values as low as ε = 0.125, as 2^64 is too small for security. The current standards for symmetric cryptography suggest using 128 bits for AES, so a value of ε = 0.25 would provide comparable security. With this choice we have m = 384 and a search space of 2^128, which would seem to suit our purposes well while still being sufficiently large to be considered safe.

Thus, we set the 384 LSBs of p and q to be equal. In order to generate these primes, simply find p in the usual fashion, fix the 384 LSBs of q to be identical to those of p, and produce a prime q of this form [SZ01]. This should be as efficient as the standard prime-generating algorithm for RSA moduli, where each candidate for q is chosen independently of p as a random odd integer.

If we let ε = 0.25, then the 1024 MSBs and the 768 LSBs of d can be exposed for low-exponent RSA, and if the original system was secure, then this new system should also be. This means we need to keep 256 bits securely hidden at all times, in bit positions 769 to 1024 inclusive, assuming an offset of 1 and working from right to left. This number of bits could now easily be protected by XORing it with bits from the individual's iris scan.
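The key layout of this section, as an added example (constructed here; not the authors' implementation, and with no iris-recognition code): it generates p and q sharing their m LSBs in the way [SZ01] prescribes, splits d into the exposed n/2 MSBs, the exposed (n/2)(1 − ε) LSBs and the εn/2 hidden middle bits, XORs the hidden part with a biometric-sized bit string (a constructed stand-in for the iris code), and checks the [BDF98] observation that d̃ = ⌊(k(N + 1) + 1)/e⌋, with k the multiplier in ed = 1 + kφ(N), lies within p + q of d, so that the top half of d is determined by (N, e, k). The toy modulus size n = 256 keeps prime generation fast; the layout formulas are the paper's and scale unchanged to n = 2048.

```python
"""Partial hiding of an RSA private exponent (added example, constructed here).

Not the authors' code. Toy sizes for speed: the formulas m = (n/4)(1 - eps),
exposed LSBs = 2m and hidden middle = eps*n/2 are the paper's and scale to n = 2048.
"""
import random
from math import gcd
from typing import Dict, Tuple

E = 2**16 + 1


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin after trial division; rng only picks the witnesses."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random, fixed_low: Tuple[int, int] = (0, 0)) -> int:
    """Random prime of exactly `bits` bits whose m LSBs are forced to `low`
    (fixed_low = (m, low)); with m = 0 this is ordinary prime generation."""
    m, low = fixed_low
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        cand = (cand >> m << m) | low
        if is_probable_prime(cand, rng):
            return cand


def make_key(n: int, eps: float, seed: int) -> Dict[str, int]:
    """RSA key with p and q sharing their m = (n/4)(1 - eps) LSBs, as in [SZ01]."""
    rng = random.Random(seed)
    half, m = n // 2, int(n // 4 * (1 - eps))
    while True:
        p = random_prime(half, rng)
        q = random_prime(half, rng, (m, p & ((1 << m) - 1)))   # q copies p's m LSBs
        phi = (p - 1) * (q - 1)
        if p != q and gcd(E, phi) == 1:
            break
    d = pow(E, -1, phi)
    return {"n": n, "p": p, "q": q, "N": p * q, "d": d, "m": m}


def layout(n: int, eps: float) -> Tuple[int, int]:
    """(number of exposed LSBs, number of hidden middle bits) of d."""
    exposed_low = int(n // 2 * (1 - eps))        # 2m
    return exposed_low, n // 2 - exposed_low     # eps*n/2 bits stay secret


def split_d(d: int, n: int, eps: float) -> Tuple[int, int, int]:
    """d -> (public MSBs, hidden middle, public LSBs)."""
    low, mid = layout(n, eps)
    return d >> (n // 2), (d >> low) & ((1 << mid) - 1), d & ((1 << low) - 1)


def join_d(hi: int, middle: int, lo: int, n: int, eps: float) -> int:
    low, _ = layout(n, eps)
    return (hi << (n // 2)) | (middle << low) | lo


def protect(middle: int, iris_bits: int, n: int, eps: float) -> int:
    """XOR the hidden part with the first eps*n/2 bits of the biometric string;
    applying it twice with the same iris bits recovers the middle."""
    _, mid = layout(n, eps)
    return middle ^ (iris_bits & ((1 << mid) - 1))


def bdf_msb_estimate(N: int, k: int) -> int:
    """[BDF98]: with e*d = 1 + k*phi(N), d~ = floor((k(N+1)+1)/e) satisfies 0 <= d~ - d < p + q."""
    return (k * (N + 1) + 1) // E


if __name__ == "__main__":
    key = make_key(n=256, eps=0.25, seed=2005)
    hi, middle, lo = split_d(key["d"], 256, 0.25)
    iris = random.Random(1).getrandbits(2048)          # constructed stand-in for an iris code
    stored = protect(middle, iris, 256, 0.25)          # kept together with the public hi and lo
    recovered = join_d(hi, protect(stored, iris, 256, 0.25), lo, 256, 0.25)
    print("key recovered:", recovered == key["d"], "hidden bits:", layout(256, 0.25)[1])
```

Note that the MSB leak is only "free" for the attacker up to the unknown k < e; the top-half estimate is exact up to a carry of at most 2 in the integer formed by the bits above position n/2, which is why those bits add nothing to the security of the hidden middle.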

3 Attacks on Partial Hiding

The most basic attack on partial hiding in RSA consists of a brute force approach, where an attacker tries all possible combinations for the hidden portion of the private key d. We are proposing to hide bits 769-1024 of a 2048-bit d, meaning that only 256 bits must be uncovered to break the system. However, an attacker would need to calculate the values of all of these bits before being in a position to judge whether any were correct. The parameters we have chosen for this system are secure under current and projected computing power.

Because our system is based on that in [SZ01], it is resistant to all of the attacks listed in [BDF98], as these were taken into account when creating the scheme. [BM03] contains several attacks which may, however, be applicable. The first of these works for all e < N^{7/8}, provided a certain minimum number of LSBs is known. The second is a provable attack for almost all e < N^{1/2}, again based on knowledge of a particular number of LSBs. The final attack is derived from CRT-RSA, and works for low-exponent RSA such as e = 2^16 + 1, given the least significant half of the bits of d_p = d mod (p − 1). We have investigated whether any of these attacks could damage our system; however, due to the parameters we have chosen, it is protected from all of them. In addition, we consider an adaptation of Wiener's continued fractions attack [W90], but again conclude that it does not pose a threat to the security of the system.

Thus, we have created a secure scheme for protecting the private key in RSA by XORing certain portions of the key with a biometric such as an iris code.

References

[BM03] J. Blömer and A. May. New partial key exposure attacks on RSA. In Advances in Cryptology - Proc. of Crypto '03, vol. 2729 of Lecture Notes in Computer Science. Springer-Verlag, 2003.

[BDF98] D. Boneh, G. Durfee and Y. Frankel. Exposing an RSA private key given a small fraction of its bits, 1998. Full version of work presented at Asiacrypt '98, available at http://crypto.stanford.edu/~dabo/abstracts/bits_of_d.html


[D93] J. Daugman. High confidence visual recognition of persons by a test of statistical independence. IEEE Trans. Pattern Anal. Machine Intell., 15(11):1148-1161, Nov. 1993.

[S01] R. D. Silverman. A cost-based security analysis of symmetric and asymmetric key lengths. RSA Laboratories' Bull. 13, Nov. 2001. Revised edition.

[SZ01] R. Steinfeld and Y. Zheng. An advantage of low-exponent RSA with modulus primes sharing least significant bits. In Proc. of RSA Conf. 2001, Cryptographer's Track, vol. 2020 of Lecture Notes in Computer Science, pp. 52-62. Springer-Verlag, 2001.

[W90] M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Trans. Information Theory, 36(3):553-558, May 1990.

Group Key Distribution Patterns

Julia C Bate and SeonHo Shin

Royal Holloway, University of London

Abstract. An introduction to Group Key Distribution Patterns. We give definitions using design theory [2], investigate security methods as first introduced by Rolf Blom [1], and give examples, constructions and efficiency measures. We compare the results produced to those of standard KDPs and investigate the generalization of bounds first introduced by Kathleen Quinn [4].

Keywords. Key pre-distribution, key management, combinatorial cryptography.

1 Introduction

Group Key Distribution Patterns (G-KDPs) provide a method of secure communication between all predefined subsets of users in a large network. Every user in the network stores a small set of subkeys, and the key required for a subset of users to communicate securely can be made up from a combination of some of the subkeys already held in common by that subset.

G-KDPs may have applications in many different scenarios where established subsets of users wish to communicate securely; a hierarchical system of users based on trust may be one such example.

A Group Key Distribution Pattern is simply a more general version of the standard KDP as introduced by Mitchell and Piper in 1987 [3], and as such it is obvious that a standard KDP is a special case of a G-KDP where the predefined subsets of users are simply every pair of users from within the network.

2 Definition

G-KDPs are public patterns of subgroups produced using incidence structures.

Definition 2.1 Let K = (P, B, I) be a finite incidence structure with v ≥ 2 and let Γ = {γ_1, γ_2, …, γ_β} be a set of subsets of points such that every γ_i ∈ Γ contains 2 or more distinct points P_{i1}, P_{i2}, …, P_{ik} ∈ P. Then K = (P, B, I) is called a Group Key Distribution Pattern for Γ (G-KDP for Γ) if for every γ_i = {P_{i1}, P_{i2}, …, P_{ik}} in Γ

$$\bigcap_{j=1}^{k} (P_{ij}) \subseteq (P_m) \quad\text{if and only if}\quad P_m = P_{ij} \text{ for some } j = 1, 2, \ldots, k,$$

where (P) denotes the set of blocks incident with the point P.


We identify each point of K with a user from the network and each block of K with a subkey. The key to be used by a subset of users to allow them to communicate securely is made up from those subkeys which the subset of users have in common.

This definition basically states that no user outside of any selected predefined subset (γ_i) will hold all of the subkeys held in common by every user belonging to that subset. The combining of the subkeys is performed using a publicly known one-way function which takes a number of subkeys as the argument and yields a key containing n bits of information. Hence, any user outside of a predefined subset will be unable to calculate the key for that subset, enabling the users within the subset to communicate securely.

As defined by Doug Stinson [5] for KDPs, we note that a G-KDP can also be represented by a v × b binary matrix A = (a_{i,j}) defined as follows:

$$a_{i,j} = \begin{cases} 1 & \text{if } P_i \in x_j \\ 0 & \text{otherwise} \end{cases}$$

In fact, using this representation in reverse, any binary matrix with row size ≥ 3 and some column sum ≥ 2 defines a G-KDP.

Example 2.2 Suppose that

$$A = (a_{i,j}) = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 1 \end{pmatrix}$$

If we label the rows as points P_1, P_2, …, P_5 and the columns as blocks x_1, x_2, …, x_5, then A defines a G-KDP with

Γ ⊆ {{P_1, P_5}, {P_2, P_3}, {P_3, P_4}, {P_4, P_5}, {P_2, P_3, P_4}, {P_2, P_3, P_5}, {P_2, P_4, P_5}, {P_3, P_4, P_5}}
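Definition 2.1 and Example 2.2 in executable form, as an added example (constructed here; not the authors' code): the incidence matrix is read as in the matrix representation above, the subkeys a subset of users holds in common are the columns whose entries are 1 in every one of their rows, and the G-KDP condition is checked by testing whether any outside user holds all of those subkeys. The one-way function combining subkeys is SHA-256 over the concatenated subkeys here, an illustrative choice, and the subkey values are constructed. The check additionally rejects a group with no common subkey, since no key could be formed for it.

```python
"""Group Key Distribution Patterns over an incidence matrix (added example).

Constructed for illustration; not the authors' code. Rows are users (points),
columns are subkeys (blocks), A[i][j] = 1 iff user i holds subkey j.
"""
import hashlib
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

Matrix = List[List[int]]

# Example 2.2 of the text: rows P1..P5, columns x1..x5
A_EXAMPLE: Matrix = [
    [1, 0, 0, 0, 0],
    [0, 1, 1, 1, 0],
    [0, 1, 1, 0, 1],
    [0, 1, 0, 1, 1],
    [1, 0, 1, 1, 1],
]


def blocks_of(A: Matrix, user: int) -> Set[int]:
    """(P_i): the set of subkeys held by user i."""
    return {j for j, a in enumerate(A[user]) if a == 1}


def common_subkeys(A: Matrix, group: FrozenSet[int]) -> Set[int]:
    """Intersection of (P_ij) over the members of the group."""
    members = iter(sorted(group))
    common = blocks_of(A, next(members))
    for u in members:
        common &= blocks_of(A, u)
    return common


def is_valid_group(A: Matrix, group: FrozenSet[int]) -> bool:
    """G-KDP condition for one gamma: the common subkeys are contained in (P_m)
    only for members P_m. A group with no common subkey is rejected too."""
    common = common_subkeys(A, group)
    if not common:
        return False
    return all(not common <= blocks_of(A, m)
               for m in range(len(A)) if m not in group)


def valid_groups(A: Matrix, min_size: int = 2) -> List[FrozenSet[int]]:
    """All subsets of users (size >= min_size) for which A is a G-KDP."""
    users = range(len(A))
    return [frozenset(g) for size in range(min_size, len(A) + 1)
            for g in combinations(users, size) if is_valid_group(A, frozenset(g))]


def group_key(A: Matrix, group: FrozenSet[int], subkeys: Dict[int, bytes]) -> bytes:
    """Public one-way function of the common subkeys (SHA-256 here, illustrative);
    refuses to derive a key an outsider could also compute."""
    if not is_valid_group(A, group):
        raise ValueError("an outsider could derive this key")
    material = b"".join(subkeys[j] for j in sorted(common_subkeys(A, group)))
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    names = {i: f"P{i + 1}" for i in range(len(A_EXAMPLE))}
    for g in valid_groups(A_EXAMPLE):
        print(sorted(names[u] for u in g), "share subkeys",
              sorted(f"x{j + 1}" for j in common_subkeys(A_EXAMPLE, g)))
```

Running the script lists every subset of Example 2.2's users that the matrix protects; the eight groups listed in the text are among them, and {P_1, P_2}, which holds no subkey in common, is not.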

References

[1] R. Blom, Non-public key distribution, Advances in Cryptology, Proceedings of Crypto '82, Plenum Press, New York (1985) pp. 231-236.

[2] D. R. Hughes and F. C. Piper, Design theory, Cambridge University Press, Cambridge, England, 1985.

[3] C. J. Mitchell and F. C. Piper, The cost of reducing key storage requirements in secure networks, Computers and Security, Vol. 6 (1987) pp. 339-341.

[4] K. A. S. Quinn, Combinatorial structures with applications to information theory, PhD Thesis, University of London (1991).

[5] D. R. Stinson, On some methods of unconditionally secure key distribution and broadcast encryption, Designs, Codes and Cryptography, Vol. 12 (1997) pp. 215-243.


Security vulnerabilities of a password-based key establishment protocol

Qiang Tang and Chris J. Mitchell

Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK
http://www.isg.rhul.ac.uk/~pnai104
http://www.isg.rhul.ac.uk/~cjm
{qiang.tang,c.mitchell}@rhul.ac.uk

Abstract. In this paper we analyse a password-based authenticated key establishment protocol due to Laih, Ding and Huang, which enables a user to authenticate himself to a server and negotiate a shared session key. This protocol is also designed to guarantee that a human being is actually involved in an ongoing protocol execution. However, we show that the protocol suffers from offline dictionary attacks.

Keywords. key agreement, CAPTCHA

1 Review of the LDH protocol

We first introduce some notation. The special function used in [LDH05] is defined as ϕ(r, s) = g(p(r, s)), where g is a distortion function and p is a picture function. Specifically, given inputs r and s, where r is a random string of characters or bits and s is a random number, p generates a random picture which depicts r in some way. Given an input p(r, s) (a picture), the distortion function g generates a distorted version R′ = g(p(r, s)) such that humans have the ability to recognise r from R′ while a machine typically cannot.

Suppose {E_pw, D_pw} denotes a pair of symmetric encryption/decryption functions, where pw is the secret key. h denotes a one-way hash function, n is a security parameter, and B_n denotes the set of all strings of length n, with elements drawn from some set of characters (e.g. all letters or all alphanumeric symbols). All these system parameters except pw are made known to all relevant parties. The secret key pw (a password) is only known to the user and the server.

Suppose a user (U) with identity ID_U wishes to authenticate himself to the server (S) and negotiate a session key. U and S perform the following steps.

1. U generates a random number t, and sends {ID_U, t} to S.

2. S first generates a random number s and randomly selects r ∈ B_n. Then S computes and sends C1 = E_pw(ϕ(r, s)) and C2 = h(pw||r||t) to U, where, as throughout, || represents the concatenation operator.

3. U first computes D_pw(C1), which should equal a distorted version of an image depicting r. U then recovers r′ from the image, and checks whether or not C2 = h(pw||r′||t). If the check succeeds (implying that r = r′), U computes and sends C3 = h(1||pw||r′||t) to S. Otherwise U terminates the protocol.

4. S checks whether C3 = h(1||pw||r||t) holds. If the check succeeds, S has confirmed that U is the valid user and is involved in the current protocol execution. Otherwise, S terminates the protocol.

If the protocol successfully ends, S and U compute their shared session key as h(2||pw||r||t).

2 Security vulnerabilities

We exhibit a number of security vulnerabilities in the LDH protocol which exist almost regardless of the choice of ϕ. These vulnerabilities are based on the following observations.


1. A human being must be able to easily recognise r from D_pw(ϕ(r, s)), which implies that D_pw(ϕ(r, s)) is very different from a completely random picture.

2. If pw′ ≠ pw then D_pw′(ϕ(r, s)) will resemble a random image. This implies that it is possible to determine whether or not a guessed password pw′ is correct merely by deciding whether D_pw′(C1) is a (distorted) image or a random pattern.

3. It is likely to be very simple to develop software to distinguish between a distorted image and a random pattern (for example, a compression algorithm should be able to compress an image whereas a random pattern will be incompressible). This is certainly a much simpler problem than automatic string recognition.

4. If humans choose passwords, then they are much more likely to choose some passwords than others; hence if users are free to choose 4-character passwords, then in practice |C_pw| will be significantly less than 2^23.

Specifically, the following attacks might be mounted by a machine or a human being.

1. In some cases it might be feasible for a machine to mount an offline password guessing attack. The machine works through all possible passwords and, for each guessed password pw′, computes A = D_pw′(C1). By some means (see fact 3 above) the machine then checks whether or not A resembles a distorted image rather than a random bit pattern. Because of fact 2 above, the correct password can be identified from the unique case where A is a distorted image rather than a random bit pattern. This attack only requires a machine-based search of size |C_pw|. If, for example, it takes a millisecond to check one value of A, then checking through a password space of size 2^23 will take only 2.3 hours.

2. The above attack does not take into account fact 4 above. Hence the process can be made significantly faster by checking the most likely passwords first.

3. Even if the method of distinguishing random from genuine images is not perfect, i.e. the exhaustive search yields a small number of possible candidate values pw′, a human can be used to check the remaining candidate values A to eliminate all but the value corresponding to the correct password.

4. Distributed attacks are also possible. It may be possible to deploy a cooperative Internet-based attack, e.g. by distributing the pattern recognition problems to users across the Internet (see, for example, [Pri03]).
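The protocol of Section 1 and attack 1 of Section 2 together, as an added example (constructed here; not the authors' code and not an LDH implementation): a stand-in picture function that embeds r in a blocky, slightly noisy bitmap, a stand-in E_pw built from a SHA-256 counter keystream, the four protocol messages, and an offline guesser that decrypts C1 under each dictionary word and keeps the candidates whose plaintext compresses (fact 3: an image compresses, a random pattern does not). The alphabet, the rendering, the compression threshold and the dictionary are constructed; what carries over to any real ϕ and E_pw is that a wrong key yields an incompressible pattern while the right one yields structure.

```python
"""LDH password-based protocol and the offline dictionary attack (added example).

Constructed stand-ins, not the authors' or LDH's code: phi(r, s) is a blocky
bitmap with random bit flips, E_pw is XOR with a SHA-256 counter keystream.
"""
import hashlib
import random
import zlib
from collections import Counter
from typing import List, Tuple

N_CHARS = 4                                     # n: r has 4 characters
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # constructed CAPTCHA alphabet
ROWS, GLYPH = 64, 8                             # 64 rows; each char is an 8-byte-wide block


def picture(r: str, s: int) -> bytes:
    """Stand-in for phi(r, s) = g(p(r, s)): rows alternate glyph blocks and blank
    blocks, then s-seeded noise flips 1% of the bits (the 'distortion')."""
    rng = random.Random(s)
    img = bytearray()
    for row in range(ROWS):
        for c in r:
            img += bytes([ord(c)] * GLYPH) if (row // GLYPH) % 2 == 0 else bytes(GLYPH)
    for _ in range(len(img) * 8 // 100):
        i = rng.randrange(len(img))
        img[i] ^= 1 << rng.randrange(8)
    return bytes(img)


def human_read(img: bytes) -> str:
    """Stand-in for the human recognising r: majority vote over each glyph block."""
    width = N_CHARS * GLYPH
    out = ""
    for k in range(N_CHARS):
        votes = Counter(img[row * width + k * GLYPH + j]
                        for row in range(GLYPH) for j in range(GLYPH))
        out += chr(votes.most_common(1)[0][0])
    return out


def E(pw: str, data: bytes) -> bytes:
    """Stand-in for E_pw / D_pw: XOR with a SHA-256 counter keystream (toy, unauthenticated)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(pw.encode() + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


D = E   # XOR stream: decryption is the same operation


def H(*parts) -> str:
    """One-way hash h over the '||'-concatenation of the parts."""
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()


def ldh_run(pw: str, seed: int) -> Tuple[bytes, str, str, bool]:
    """One protocol execution; returns (C1, U's session key, S's session key, S accepted)."""
    rng = random.Random(seed)
    t = rng.getrandbits(64)                                   # 1. U -> S: ID_U, t
    s = rng.getrandbits(64)
    r = "".join(rng.choice(ALPHABET) for _ in range(N_CHARS))
    C1, C2 = E(pw, picture(r, s)), H(pw, r, t)                # 2. S -> U: C1, C2
    r_prime = human_read(D(pw, C1))                           # 3. U reads r' from the image
    if H(pw, r_prime, t) != C2:
        raise ValueError("U terminates: C2 check failed")
    C3 = H(1, pw, r_prime, t)                                 #    U -> S: C3
    accepted = C3 == H(1, pw, r, t)                           # 4. S checks C3
    return C1, H(2, pw, r_prime, t), H(2, pw, r, t), accepted


def looks_like_image(data: bytes) -> bool:
    """Fact 3: a (distorted) image compresses, a random pattern does not."""
    return len(zlib.compress(data, 9)) < 0.6 * len(data)


def offline_attack(C1: bytes, dictionary: List[str]) -> List[str]:
    """Attack 1: decrypt C1 under each guess; only the right password yields structure."""
    return [pw for pw in dictionary if looks_like_image(D(pw, C1))]


if __name__ == "__main__":
    C1, key_u, key_s, ok = ldh_run("s3cr3t", seed=5)
    print("protocol ok:", ok and key_u == key_s)
    print("offline guess:", offline_attack(C1, ["123456", "password", "s3cr3t", "letmein"]))
```

The attacker never solves the CAPTCHA: C1 alone is a password-verification oracle, which is exactly what a password-only protocol must not hand to an eavesdropper.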

References

[LDH05] C. S. Laih, L. Ding, and Y. M. Huang. Password-only authenticated key establishment protocol without public key cryptography. Electronics Letters, 41(4):185-186, 2005.

[Pri03] G. Price. A general attack model on hash-based client puzzles. In K. G. Paterson, editor, Cryptography and Coding, 9th IMA International Conference, Cirencester, UK, December 16-18, 2003, Proceedings, volume 2898 of Lecture Notes in Computer Science, pages 319-331. Springer-Verlag, 2003.


Faugere’s F5 Algorithm Revisited

Till Stegers

Technische Universität Darmstadt, Department of Computer Science, Cryptography and Computer Algebra
http://www.cdc.informatik.tu-darmstadt.de/~stegers/

Abstract. Faugère suggested the algorithms F4 and F5 for computing Gröbner bases and solving polynomial systems. We point out some theoretical and practical drawbacks of the F5 algorithm and suggest a new variant, named F4.5, that aims to combine the advantages of F4 and F5.

Keywords. Gröbner bases, algebraic attacks, multivariate polynomial equations

1 Introduction

Systems of multivariate polynomial equations arise in many contexts. In cryptography, two notable examples are stream ciphers [FA03] and, more directly, multivariate schemes, which are based on the hardness of solving multivariate quadratic systems over finite fields.

Gröbner bases, a tool from computational commutative algebra, are special bases of ideals in multivariate polynomial rings that allow one to compute numerous properties of systems of polynomials. For instance, they can be used to decide whether a given polynomial belongs to the ideal generated by a system of polynomials or, under certain conditions, to determine the set of solutions of a system of polynomial equations.

One way to solve a multivariate system is to compute a Gröbner basis with respect to a "fast" term order and then, if necessary, convert it to a Gröbner basis with respect to the lexicographical term order using an algorithm such as FGLM or the Gröbner Walk. As computing the initial Gröbner basis is often the most time-consuming task, considerable efforts (starting with [Buc79]) have been made to speed up Gröbner basis algorithms for practical examples. Demonstrating the success of the Gröbner basis approach, the first HFE challenge posed by Patarin was broken by Faugère [FJ03] using highly optimized Gröbner basis techniques.

2 The F5 Algorithm

Many algorithms for computing Gröbner bases are derivations of the classical Buchberger algorithm. In a nutshell, this algorithm repeatedly selects polynomials derived from an intermediate basis and reduces them, adding them to the basis if they do not reduce to zero. A major slowdown in implementations is the fact that a large number of these polynomials do in fact reduce to zero, and thus do not contribute to the final result.
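The Buchberger loop just described, as an added example (constructed here; not F5 and not the author's Magma code): polynomials are dictionaries from exponent tuples to rational coefficients, the term order is lex, S-polynomials are reduced to a normal form by the current basis, and the loop counts how many of them reduce to zero, which is exactly the wasted work that F5's criteria aim to avoid. The sample system x² + y² − 1, x − y is an illustrative choice; for it, two of the three S-polynomials reduce to zero.

```python
"""Buchberger's algorithm with a count of reductions to zero (added example).

Constructed for illustration; not Faugère's F4/F5 and not the author's code.
A polynomial is a dict {exponent tuple: Fraction}; the term order is lex with
the first variable largest (Python compares exponent tuples lexicographically).
"""
from fractions import Fraction
from itertools import combinations
from typing import Dict, List, Tuple

Monomial = Tuple[int, ...]
Poly = Dict[Monomial, Fraction]


def leading_term(f: Poly) -> Tuple[Monomial, Fraction]:
    m = max(f)
    return m, f[m]


def add(f: Poly, g: Poly, c: Fraction = Fraction(1)) -> Poly:
    """f + c*g, dropping zero coefficients."""
    h = dict(f)
    for m, a in g.items():
        h[m] = h.get(m, Fraction(0)) + c * a
        if h[m] == 0:
            del h[m]
    return h


def times_term(f: Poly, m: Monomial, c: Fraction) -> Poly:
    """c * x^m * f."""
    return {tuple(a + b for a, b in zip(mm, m)): c * coef for mm, coef in f.items()}


def divides(m: Monomial, n: Monomial) -> bool:
    return all(a <= b for a, b in zip(m, n))


def normal_form(f: Poly, G: List[Poly]) -> Poly:
    """Full multivariate division of f by G: the remainder has no term divisible
    by a leading term of G; it is empty iff f reduces to zero."""
    rest: Poly = {}
    f = dict(f)
    while f:
        m, c = leading_term(f)
        for g in G:
            gm, gc = leading_term(g)
            if divides(gm, m):
                q = tuple(a - b for a, b in zip(m, gm))
                f = add(f, times_term(g, q, c / gc), Fraction(-1))
                break
        else:                                   # no divisor: move the term to the remainder
            rest[m] = c
            del f[m]
    return rest


def s_polynomial(f: Poly, g: Poly) -> Poly:
    """S(f, g) = (lcm/lt(f)) f - (lcm/lt(g)) g, both scaled to leading coefficient 1."""
    (fm, fc), (gm, gc) = leading_term(f), leading_term(g)
    lcm = tuple(max(a, b) for a, b in zip(fm, gm))
    return add(times_term(f, tuple(a - b for a, b in zip(lcm, fm)), 1 / fc),
               times_term(g, tuple(a - b for a, b in zip(lcm, gm)), 1 / gc), Fraction(-1))


def buchberger(F: List[Poly]) -> Tuple[List[Poly], int]:
    """Returns a Gröbner basis and the number of S-polynomials that reduced to zero."""
    G = [dict(f) for f in F]
    pairs = list(combinations(range(len(G)), 2))
    zero_reductions = 0
    while pairs:
        i, j = pairs.pop(0)
        h = normal_form(s_polynomial(G[i], G[j]), G)
        if h:
            G.append(h)
            pairs += [(k, len(G) - 1) for k in range(len(G) - 1)]
        else:
            zero_reductions += 1
    return G, zero_reductions


def poly(**terms) -> Poly:
    """Helper for two variables x, y: poly(x2=1, y2=1, c=-1) is x^2 + y^2 - 1."""
    out: Poly = {}
    for name, coef in terms.items():
        ex = int(name[1:]) if name.startswith("x") else 0
        ey = int(name[1:]) if name.startswith("y") else 0
        out[(ex, ey)] = Fraction(coef)
    return out


if __name__ == "__main__":
    G, zeros = buchberger([poly(x2=1, y2=1, c=-1), poly(x1=1, y1=-1)])
    print("basis:", G)
    print("S-polynomials reduced to zero:", zeros)
```

Every zero reduction here costs a full division with nothing to show for it; on the large systems that arise in algebraic cryptanalysis most S-polynomials end this way, which is the motivation for the criteria in [Buc79] and for F5.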

In [Fau02], Faugère proposed a new algorithm called F5 which is able to avoid all reductions to zero if the input polynomials f_1, …, f_m form a regular sequence, that is, f_i is not a zero divisor modulo f_{i+1}, …, f_m for every i = 1, …, m. Faugère used a variant of F5 to crack the HFE challenge, which shows that the algorithm has potential. However, the description of F5 in [Fau02] is not unambiguous and the proofs of the underlying theorems are only sketched. Moreover, Faugère actually implemented an unpublished hybrid version combining F5 and its predecessor algorithm F4 [Fau99].

3 Contributions

We give a description of F5 and outline proofs of the underlying theorems stated in [Fau02], referring to [Ste05b] for the complete proofs. Furthermore, we explain the difficulties we encountered when implementing a proof-of-concept version of F5 in the computer algebra system Magma. For instance, while the classical Buchberger algorithm and also F4 allow one to optimize the selection and the reduction of polynomials independently, these stages are highly interdependent in F5. In addition, no efficient modification ensuring termination for non-regular sequences has been published. Unfortunately, many of the systems arising in cryptographic applications, such as the cryptanalysis of HFE, are not regular and cause the algorithm to loop indefinitely.

We also report performance results, showing that a lot of work remains to get closer to the sophisticated (but unpublished) algorithm of [FJ03]. To this end, we suggest a variant of F5, partly based on F4 and F5-matriciel [Bar04], that aims to take advantage of the simultaneous reduction of several polynomials and to enable the use of sparse linear algebra techniques. An implementation of this algorithm, tentatively named F4.5, is underway. Allan Steel of the Magma team also reports [Ste05a] having such a hybrid (unpublished) algorithm. Pearce [Pea05] and Segers [Seg04] have (not very stable) implementations of F5 in Maple and in Magma, respectively.

4 Conclusions

While in theory the performance of F5 as described in [Fau02] seems quite promising, the computational accomplishments have been made using unpublished variants. Pointing out some drawbacks of F5, we suggest an F4-like variant to stimulate further research on this topic.

References

[Bar04] Magali Turrel Bardet. Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. PhD thesis, Université Paris 6, December 2004.

[Buc79] Bruno Buchberger. A criterion for detecting unnecessary reductions in the construction of Gröbner bases. In EUROSAM ’79, pages 3–21. Springer-Verlag, 1979.

[FA03] Jean-Charles Faugère and Gwénolé Ars. An algebraic cryptanalysis of nonlinear filter generators using Gröbner bases. Research report 4739, INRIA Lorraine, France, 2003.

[Fau99] Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra, 139(1-3):61–88, June 1999.

[Fau02] Jean-Charles Faugère. A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In ISSAC ’02, pages 75–83. ACM Press, 2002. Version 1.2, http://www-calfor.lip6.fr/~jcf/Papers/@papers/f5.pdf

[FJ03] Jean-Charles Faugère and Antoine Joux. Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases. In CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science. Springer-Verlag, 2003.

[Pea05] Roman Pearce, January 2005. Private communication.http://www.cecm.sfu.ca/~rpearcea/

[Seg04] A.J.M. Segers. Algebraic attacks from a Gröbner basis perspective. Master’s thesis, Technische Universiteit Eindhoven, October 2004.

[Ste05a] Allan Steel, January 2005. Private communication.http://magma.maths.usyd.edu.au/users/allan/

[Ste05b] Till Stegers. Faugère’s F5 algorithm revisited (working title). Diplom thesis, Technische Universität Darmstadt, June 2005. To appear.


A list of open-source PKI implementations

Simos Xenitellis

Information Security Group, Royal Holloway,University of London, United Kingdom

http://www.isg.rhul.ac.uk/[email protected]

or http://simos.info/

Abstract. Open-source software has gained significant importance over the last ten years. Several types of business software have open-source equivalents. In this paper we explore the currently available open-source Public-Key Infrastructure (PKI) or Certification Authority (CA) implementations.

Keywords. PKI, Certification Authority, open-source software

1 Introduction

A Public-Key Infrastructure (PKI) implementation allows users to create and manage public-key certificates for security applications such as S/MIME [DHR+98] secure e-mail and SSL/TLS-enabled [Tre01] WWW servers.

Open-source [Ope05a] software (also known as free software [Fre85]) has gained momentum during the last decade, allowing users to experiment with technologies such as PKIs and learn them in practice. There are several PKI implementations based on this type of software.

The basic software component used to provide cryptographic services such as key generation, encryption, decryption, signing and verification is OpenSSL [Ope05b].

2 Previous work

Another list of open-source PKI software is available in the Open-Source PKI Book [Xen00], written in 2000. This work is an update of that old, now outdated list.

3 PKI and CA implementations

As a full PKI implementation is quite extensive, several software packages categorise themselves as CA implementations, focusing on the specific core components of public-key generation and management of certificates.

The following projects are listed in alphabetic order.

3.1 The EJBCA Project

The Enterprise Java Beans Certificate Authority (EJBCA) Project (http://ejbca.sourceforge.net/) implements a certification authority. It is written in the Java programming language and uses the Bouncy Castle (http://www.bouncycastle.org/) open-source Java Cryptography Extension (JCE) provider for the cryptographic primitives. EJBCA is a fully functional Certification Authority.

3.2 The ElyCA Project

The ElyCA Project (http://elyca.eurodev.net/) implements a certification authority based on the OpenSSL library. It uses the Python programming language and offers a Web interface for the management of the CA. It also uses a SQL database for the storage of the certificates and public keys.


3.3 The EUPKI Project

The EuropePKI Project (http://www.europepki.org/) implements a PKI based on the OpenSSL library. It offers a Web interface for the management of the CA. It has received funding from the European Union as an Information Society Technologies (IST) Project (http://www.cordis.lu/ist/) and involved 15 partners from 5 European countries. Part of the software is available from the project development Website, at http://projects.axetel.com/projects/eupki/.

3.4 The IDX-PKI Project

The IDX-PKI Project (http://idx-pki.idealx.org/index.en.html) implements a public-key infrastructure based on the OpenSSL library. It uses the Perl programming language and offers a Web interface for the management of the CA. The authors follow the PKIX Internet drafts [PKI05] for the description of the PKI. They maintain both a public and a private version of their work, offering the latter to their customers.

3.5 The NewPKI Project

The NewPKI Project (http://www.newpki.org/) is a PKI programming library, allowing other software to be built on it. It is written in the C++ programming language and makes use of the OpenSSL library. It supports several features that are required in a PKI implementation.

3.6 The PHPki Project

The PHPki Project (http://phpki.sourceforge.net/) implements a certification authority based on the OpenSSL library. It is web-based, written in the PHP programming language, and specifically targets the creation of certificates for use in S/MIME secure electronic mail.

3.7 The pyCA Project

The pyCA Project (http://www.pyca.de/) implements a certification authority based on the OpenSSL library. It uses the Python programming language and offers a Web interface for the management of the CA. pyCA is not currently an active project.

3.8 The XCA Project

The XCA Project (http://www.hohnstaedt.de/xca.html) implements a certification authority based on the OpenSSL library. It is a cross-platform graphical tool written with the Qt toolkit, offering the basic functionality of a certification authority.

4 Summary

There are several open-source PKI or CA implementations, giving academic users a choice of systems to experiment with and learn from.

References

[DHR+98] S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade, and L. Repka. S/MIME Version 2 Message Specification. RFC 2311, Internet Engineering Task Force, March 1998. Available at http://www.ietf.org/rfc/rfc2311.txt.

[Fre85] Free Software Foundation. Free software. http://www.fsf.org, 1985.

[Ope05a] Open Source Initiative (OSI). Open source definition. http://www.opensource.org, 2005.

[Ope05b] OpenSSL Project. OpenSSL. http://www.openssl.org, 2005.


[PKI05] PKIX Working Group. IETF PKIX Internet drafts. http://www.ietf.org/html.charters/pkix-charter.html, 2005.

[Tre01] Win Treese, editor. Transport Layer Security (TLS) working group charter, Security Area, The Internet Engineering Task Force (IETF). http://www.ietf.org/html.charters/tls-charter.html, 2001.

[Xen00] Simeon Xenitellis. The Open-Source PKI Guide. SourceForge, http://ospkibook.sourceforge.net/,2000.

Managing Security Levels in Smart Card Based Certification

Goran Pantelic∗ and Slobodan Bojanic†

∗ NetSet, Beograd, Serbia and Montenegro, www.netset.co.yu
† Universidad Politécnica de Madrid, Spain, www.die.upm.es

[email protected] [email protected]

Abstract. Implementations of cryptosystems sometimes restrict how the cryptographic data they produce may be used, in order to cope with the key management problem. This paper presents an integrated certification solution that encompasses the formation of a public key infrastructure and a CA body, and data personalization via smart cards. Such a solution supports different applications such as e-banking and secure e-mail, and it is used in practice by numerous entities.

Keywords. PKI, certification, smart cards, key management, e-banking

1 Introduction

Commercial certification software sometimes restricts how the cryptographic data it produces may be used, in order to cope with the key management problem. Some programs issue only the certificates, while others generate keys that are stored in the computer but cannot be easily accessed by the user, or cannot be used for other applications in which the user prefers to implement his own security mechanisms.

The aim of this work was to design a certification authority (CA) system that manages different options for the generation and use of cryptographic keys while preserving the security requirements of user authenticity, data integrity and non-repudiation. It is an integrated certification solution that encompasses the formation of a public key infrastructure (PKI) and a CA body, and data personalization via smart cards. Such a solution supports different applications such as e-banking, e-business, e-management and secure e-mail, and it is used in practice by numerous entities.

2 Functionality

The application establishes a PKI environment using smart cards. It can be used as a classical CA entity that issues certificates upon user requests, with the additional option of creating the keys, which can then be written together with the certificate onto a smart card. To realize these functionalities, the programme is composed of four modules: request registration (in electronic or paper form), the certification authority, the key generation module, and the smart card personalization module, which stores the user's data with the corresponding keys and certificate on the smart card.

The key generation option is aimed at higher security requirements, where signing and encryption with private keys are needed. The keys can be generated by the CA or by the user himself. The CA carries out key generation in software, using the Miller-Rabin primality test with 9 passes, or in a Hardware Security Module (HSM), using Thales' WebSentry module. The system offers different key management options: either the CA generates the keys and guards them in encrypted form or passes them to the smart card, or the user generates the keys (on his own or using the API), which enables non-repudiation and relieves the CA of key management. Key lengths are 1024, 2048 or even more bits if generated in software, but most smart cards support only 1024 bits.
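Added example, not the authors' code: what a "Miller-Rabin test with 9 passes" inside a key generator does, the error bound the pass count gives, and the check a practitioner should add for primes that were not generated locally. The composite 8321 = 53 · 157 is used as a constructed negative case because it survives small-prime trial division and is a strong pseudoprime to base 2.

```python
"""Miller-Rabin probable-prime testing and RSA-style prime generation.
Each random round passes a composite with probability at most 1/4, so 9 rounds
bound the worst-case error by 4**-9 (about 3.8e-6) per candidate. For candidates
the generator draws itself the real error is far smaller, which is why
single-digit pass counts are common there; for primes supplied by another party
use many more rounds or a base set with a proven deterministic range."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

# Fixed witnesses with no false positives for every n < 3.3 * 10**24.
DETERMINISTIC_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_witness(a, n, d, s):
    """True if base a proves n composite, where n - 1 = 2**s * d with d odd."""
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True

def is_probable_prime(n, rounds=9, bases=None):
    """Trial division by small primes, then Miller-Rabin with `rounds` random
    bases, or with the fixed `bases` if given (DETERMINISTIC_BASES for n < 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    if bases is None:
        bases = [secrets.randbelow(n - 3) + 2 for _ in range(rounds)]   # a in [2, n-2]
    return not any(is_witness(a % n, n, d, s) for a in bases)

def generate_prime(bits, rounds=9):
    """Random prime of exactly `bits` bits: top two bits set so the product of two
    such primes has exactly 2*bits bits, low bit set so the candidate is odd."""
    if bits < 8:
        raise ValueError("toy sizes below 8 bits are not supported")
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(candidate, rounds):
            return candidate

def generate_rsa_modulus(bits, rounds=9):
    """Two distinct primes of bits/2 bits each; returns (N, p, q)."""
    p = generate_prime(bits // 2, rounds)
    q = generate_prime(bits // 2, rounds)
    while q == p:
        q = generate_prime(bits // 2, rounds)
    return p * q, p, q

if __name__ == "__main__":
    N, p, q = generate_rsa_modulus(1024)
    print(f"{N.bit_length()}-bit modulus, p != q: {p != q}")
```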

Smart card personalization can be used independently or in conjunction with the CA and our other applications for secure file transfer, e-banking, etc. The system supports 16 KB GemSafe, StarCos and Java (SmartCafe 32 KB, JCOP 32 KB) smart cards. The embedded cryptographic coprocessor allows certain cryptographic functions (e.g. digital signature, DES encryption) to be carried out on the card. For Java smart cards, a dedicated crypto applet has been developed. The protected part of the smart card, holding the user's private key and certain functions, is accessed with the PIN code. An administrator PIN can be generated and then either saved in the CA database or issued to the user, so that the card can be unblocked at the CA or by the user with an additional API or program. On the smart card, the system can store certificates, keys, etc., encrypted with 128-bit IDEA, 256-bit AES or the user's own algorithm, with MD5 or SHA-1 as hash functions; form the certificate request; generate keys; and create digital signatures. A user name and password are created for user identification, and the card serial number is kept in the CA database. The API module offers functions for digital signature (on the card or in software), data encryption/decryption, digital envelopes, generating certificate requests, reading the smart card, writing the certificate and data onto the card, etc.

The implementation adheres to the standards X.509 v3 and v1 [OS01], PKCS#1 [RS99], PKCS#10 and PKCS#11 [Op98]. The implemented system checks that the certificate digital signatures of the user and of the server correspond to each other. For certificate authentication, a chain of certificates can be used. Since some data of the CA issuer, e.g. its certificate or public key, can be stored on the card, validation can in some cases be performed using only the card. When a certificate has expired, the user creates a request form through the API and the request is processed in the standard manner. If the user's data change, a new certificate without a key change can be issued on request. The use of the issued certificates is not restricted by the system, and the certificate requests are compatible with those created by, e.g., SSL tools or Microsoft's CA.

In practice, the system secures different services that, e.g., a bank offers via its Web site. To use protected services, e.g. related to money transfer or account status, the user, after connecting to the bank's site, inserts the card into the reader and provides the user name and password. After local log-in on the smart card, in which the user name and password are transformed into the PIN for access to the protected part of the card, the user is logged into the system. After filling in the necessary application forms, the submitted data are digitally signed and encrypted with the keys and parameters stored on the card, and then sent to the server, which has a corresponding card. The server decrypts the received data using the session key and checks the digital signature using the certificate sent by the user and the one stored in the server's database. It also checks that the certificate belongs to the same CA system in order to legitimate the user, while integrity is preserved via the signature and non-repudiation is guaranteed via the user's signature. After processing the transaction, the server keeps the message and the signature in its archive.

3 Conclusions

The realized cryptosystem encompasses the functionality of the various components that form the basis for the further application of a PKI system: establishment of the PKI environment, creation of the CA body, and personalization of the generated data on smart cards as the target technology for data handling. The system for the establishment and application of a PKI, supporting numerous functions from the user's registration request to the issuance of a smart card that the user can utilize in different applications, is thus complete. Through various API functions, the system can be applied to e-banking and other secure implementations.

References

[Op98] R. Oppliger. Internet and intranet security. Artech House, 1998.

[OS01] ITU-T Recommendation X.509. Open Systems Interconnection, 2001. www.itu.int/rec/.

[RS99] RSA Labs. PKCS#1: RSA Encryption Standard, Version 2, 1999.


Cryptanalysis of Homomorphic Public-Key Cryptosystem

Su-Jeong Choi

Information Security Group, Royal Holloway, University of London

http://www.isg.rhul.ac.uk/ [email protected]

Abstract. In this paper it is shown how to obtain the secret keys from the public keys, and we thereby break this new homomorphic public-key cryptosystem over groups based on the membership problem.

Keywords. homomorphic public-key cryptosystem, membership problem, representation, free group

D. Grigoriev and I. Ponomarenko [1] proposed a new homomorphic public-key cryptosystem over finite groups based on the difficulty of the membership problem. This cryptosystem uses two algebraic structures $H$ and $G$, where $H$ is a nontrivial group given by a set $X$ of at least two generators and a set of relations $\mathcal{R}$, and $G$ is a special free subgroup of the group $GL_2(\mathbb{Z})$. For a natural number $n \ge 2$, a free group $\Gamma_n$ is generated by the two matrices
$$A_n = \begin{pmatrix} 1 & n \\ 0 & 1 \end{pmatrix} \quad\text{and}\quad B_n = \begin{pmatrix} 1 & 0 \\ n & 1 \end{pmatrix},$$
and given a nonempty set $S \subset \mathbb{Z}$, a free subgroup $G(n,S)$ of $\Gamma_n$ is generated by $X(n,S) = \{A_n^{-s} B_n A_n^{s} : s \in S\}$. The cryptosystem is set up as follows:

1. For the security parameter $k$, choose randomly $n \ge 2$, $S \subset \mathbb{Z}$ and $R \subset W_{\mathcal{R}}$ such that $|X| = |S| = |R|$ and $\ell(n) + \ell(S) + \ell(R) = O(k)$, where $W_{\mathcal{R}}$ is the set of all words over $\mathcal{R}^{\pm 1}$ and $\ell(S)$ is the sum of the bit sizes of all elements of $S$.
2. Fix a bijection $f_1 : X \to X(n,S)$, $f_1(h) = x_h$, which induces a bijection $f_2 : W_X \to W_{X(n,S)}$. The inclusion map $i_1 : R \to W_X$ then induces an injection $i_2 : R \to W_{X(n,S)}$ by $i_2 = f_2 \circ i_1$.
3. Given an arbitrary bijection $f_3 : X \to R$, define an injection $i_3 : X \to W_{X(n,S)}$ by $i_3(h) = i_2 \circ f_3(h)$, and write $i_3(h) = r_h$.
4. Set $G_k = \langle X_k(n,S,R) \rangle$, where $X_k(n,S,R) = \{x_h r_h : h \in X\}$.

The public key consists of the set $X_k(n,S,R)$ and the bijection $f_k : X \to X_k(n,S,R)$ given by $f_k(h) = x_h r_h$; the secret key consists of the set $X(n,S)$ and the bijection $f_1 : X \to X(n,S)$ given by $f_1(h) = x_h$.

The message space is $H$ and encryption works as follows. For a message $h \in H$, $h = h_1 \cdots h_u$ with $h_i \in X$ and $u \in \mathbb{N}$:

1. Using the bijection $f_k : X \to X_k(n,S,R)$, put $M_h = (x_{h_1} r_{h_1}) \cdots (x_{h_u} r_{h_u})$.
2. For a random word $r \in W_{\mathcal{R}} \subset W_X$, $r = h'_1 \cdots h'_v$ with $h'_i \in X$ and $v \in \mathbb{N}$, put $M_r = (x_{h'_1} r_{h'_1}) \cdots (x_{h'_v} r_{h'_v})$.
3. The ciphertext is $E(h) = M = M_r M_h \in GL_2(\mathbb{Z})$.

A ciphertext $M \in G_k = \langle X_k(n,S,R) \rangle$ is decrypted as follows:

1. Find the $X(n,S)$-representation $w_M = x_1 \cdots x_t$ of $M$ with $x_i \in X(n,S)$ and $t \in \mathbb{N}$.
2. Let $h_i \in X$ be such that $x_{h_i} = x_i$, $i = 1, \ldots, t$. Output $h = h_1 \cdots h_t$ as the plaintext $D(M)$ of $M$.
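Added example, not the paper's code: a toy instance of the scheme just described. It takes $H = \langle a, b \mid a^2, b^2 \rangle$ (the infinite dihedral group) as an assumption, chosen because it has two generators and two relators so that $|X| = |S| = |R| = 2$ is possible; $n = 2$ and $S = \{1, 3\}$ are demo values, not security parameters. Decryption rewrites a matrix of $\Gamma_n$ as a word in $A_n, B_n$ by the standard ping-pong argument for this free group (the larger entry of the first column tells which generator comes first) and then reads the $x_s$-word off the exponents of $A_n$; the paper's own attack is not reproduced here, the page does not give it.

```python
"""Grigoriev-Ponomarenko scheme over G(n, S) < GL_2(Z) with H = <a, b | a^2, b^2>.
Matrices are ((a, b), (c, d)) integer tuples; words are lists of (generator, +1/-1)."""
from fractions import Fraction

I = ((1, 0), (0, 1))

def mul(M, N):
    (a, b), (c, d) = M
    (e, f), (g, h) = N
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))

def inv(M):
    (a, b), (c, d) = M                  # every matrix used here has determinant 1
    return ((d, -b), (-c, a))

def power(M, k):
    result, base = I, (M if k >= 0 else inv(M))
    for _ in range(abs(k)):
        result = mul(result, base)
    return result

def A(n): return ((1, n), (0, 1))
def B(n): return ((1, 0), (n, 1))

def x_gen(n, s):
    """x_s = A_n^{-s} B_n A_n^{s}, a generator of G(n, S)."""
    return mul(mul(power(A(n), -s), B(n)), power(A(n), s))

def ab_word(M, n):
    """Reduced word of M in the free group <A_n, B_n> as [('A', k1), ('B', k2), ...].
    If |a| > |c| in the first column (a, c) the word starts with a power of A_n,
    otherwise with a power of B_n; the exponent is the nearest integer to a/(n c)
    resp. c/(n a), which is exact because the rest contributes less than 1/2."""
    word = []
    while M != I:
        (a, b), (c, _) = M
        if c == 0:                                   # only powers of A_n have c == 0
            k = b // n
            word.append(("A", k)); M = mul(power(A(n), -k), M)
        elif abs(a) > abs(c):
            k = round(Fraction(a, n * c))
            word.append(("A", k)); M = mul(power(A(n), -k), M)
        else:
            k = round(Fraction(c, n * a))
            word.append(("B", k)); M = mul(power(B(n), -k), M)
    return word

def xs_word(M, n):
    """X(n, S)-representation of M as [(s, e), ...] meaning x_{s}^{e}...; since
    x_{s1}^{e1} x_{s2}^{e2} ... = A^{-s1} B^{e1} A^{s1-s2} B^{e2} ... A^{st}, each
    B-syllable sits at A-offset -s and the offsets must return to 0 at the end."""
    word, offset = [], 0
    for gen, k in ab_word(M, n):
        if gen == "A":
            offset += k
        else:
            word.extend([(-offset, 1 if k > 0 else -1)] * abs(k))
    if offset != 0:
        raise ValueError("matrix is not in G(n, S)")
    return word

def letters(text):
    """'aba' -> [('a', 1), ('b', 1), ('a', 1)], a word over the generators of H."""
    return [(ch, 1) for ch in text]

def word_matrix(word, gens):
    M = I
    for h, e in word:
        M = mul(M, gens[h] if e == 1 else inv(gens[h]))
    return M

X = ("a", "b")                                 # generators of H
R = (letters("aabb"), letters("bbaa"))         # relator words (a^2)(b^2), (b^2)(a^2) in W_R

def keygen(n, S):
    """Secret key f1: h -> x_{s_h}; public key fk: h -> x_h * r_h with r_h = f1(f3(h))."""
    f1 = {h: x_gen(n, s) for h, s in zip(X, S)}
    public = {h: mul(f1[h], word_matrix(r, f1)) for h, r in zip(X, R)}
    return (n, {s: h for h, s in zip(X, S)}), public

def encrypt(public, message, relator_word):
    """E(h) = M_r * M_h, both factors being products of public-key matrices."""
    return mul(word_matrix(relator_word, public), word_matrix(message, public))

def decrypt(secret, M):
    n, s_to_h = secret
    return [(s_to_h[s], e) for s, e in xs_word(M, n)]

def normal_form(word):
    """Normal form in H = <a, b | a^2, b^2>: each generator is its own inverse,
    so exponents are irrelevant and adjacent equal letters cancel."""
    out = []
    for h, _ in word:
        out.pop() if out and out[-1] == h else out.append(h)
    return "".join(out)

def roundtrip(message, relator_word, n=2, S=(1, 3)):
    secret, public = keygen(n, S)
    return normal_form(decrypt(secret, encrypt(public, letters(message), letters(relator_word))))

def homomorphic(m1, m2, n=2, S=(1, 3)):
    """Decrypting E(m1) * E(m2) yields m1 * m2 in H."""
    secret, public = keygen(n, S)
    C = mul(encrypt(public, letters(m1), letters("aa")), encrypt(public, letters(m2), letters("bb")))
    return normal_form(decrypt(secret, C))
```

Note that `ab_word` needs only the public parameter $n$; the secret set $S$ enters `decrypt` solely through the map $s \mapsto h$.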

References

[1] D. Grigoriev and I. Ponomarenko, “Homomorphic public-key cryptosystems over groups and rings,” to appear in Quaderni di Matematica.


An Homomorphic Scheme for Publicly Verifiable Secret Sharing

Alexandre Ruiz and Jorge Villar

Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya. C/Jordi Girona, 1-3, 08034 Barcelona, Spain

{aruiz,jvillar}@ma4.upc.edu

Abstract. In this work we propose a PVSS scheme based on the homomorphic properties of Paillier's encryption scheme, which are also very interesting for other fields, e.g. electronic voting. Finally, we prove that the Dealer cannot cheat anybody in this scheme.

Keywords. PVSS, homomorphic encryption, secret sharing schemes

1 Introduction

Verifiable secret sharing (VSS) was proposed in [2] to solve the problem of dishonest dealers who try to deceive the participants. In a publicly verifiable secret sharing (PVSS) scheme not only the participants but anyone can verify the validity of the shares.

Notation. Let $p, q$ be two large primes and $N = pq$. We denote by $\phi(N)$ Euler's function and by $L(w^\lambda \bmod N^2)$ the function of Paillier's encryption scheme (see [3]), $L(u) = (u-1)/N$, where $\lambda$ is Carmichael's function. Paillier's scheme encrypts a message $m$ with the function
$$\varepsilon_g : \mathbb{Z}_N \times \mathbb{Z}_N^* \to \mathbb{Z}_{N^2}^*, \qquad (m, r) \mapsto g^m \cdot r^N \bmod N^2,$$
where $r$ is random. Note that this encryption is homomorphic: $\varepsilon_g(m_1, r_1) \cdot \varepsilon_g(m_2, r_2) = \varepsilon_g(m_1 + m_2, r_1 \cdot r_2)$, i.e. the product of two ciphertexts encrypts the sum of the plaintexts. To decrypt, it suffices to take a ciphertext $c < N^2$ and obtain the message $m$ as
$$m = \mathrm{Dec}(c) := \frac{L(c^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N,$$
which implies that $\mathrm{Dec}(c_1 \cdot c_2) = \mathrm{Dec}(c_1) + \mathrm{Dec}(c_2) \bmod N$.

2 Publicly verifiable secret sharing scheme

We now describe a secure $(t,n)$-threshold PVSS scheme. We work with a dealer $D$ who shares the secret, the set $P = \{P_i : 1 \le i \le n\}$ of $n$ participants, and a verifier $V$ who checks that $D$ is honest. $D$ chooses two large primes $p, q$ and publishes $N = pq$, then selects and publishes $g \in \mathbb{Z}_{N^2}^*$ with $O(g) = N$. We use Paillier's probabilistic encryption scheme, where $(N, g)$ is the public key and $\lambda = \mathrm{lcm}(p-1, q-1)$ is the secret key.

We share with Shamir's $(t,n)$-threshold scheme (see [5]), where $t \le n$ and any $t$ of the $n$ participants can compute the secret. The secret $a_0 \in \mathbb{Z}_N$ is hidden in the polynomial $a(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$ with coefficients in $\mathbb{Z}_N$. Then $D$ gives the value $(x_i, s_i) \in \{1, 2, \ldots, n\} \times \mathbb{Z}_N$ to $P_i$, where $s_i = a(x_i) \bmod N$, and when a subset $B \subseteq P$ of $t$ participants $P_{i_1}, \ldots, P_{i_t}$ wants to reconstruct the secret $a_0$, they solve the system of $t$ linear equations in the $t$ unknowns $a_0, \ldots, a_{t-1}$, whose matrix $A$ has determinant
$$\det(A) = \prod_{1 \le k < j \le t} (x_{i_j} - x_{i_k}).$$

From now on we suppose that $i \in \{1, \ldots, n\}$ and $j \in \{0, \ldots, t-1\}$. The protocol is as follows:

1. Every $P_i$ selects a pair $(m_i, r_i) \in \mathbb{Z}_N \times \mathbb{Z}_N^*$, which remains private, where $r_i$ is random; then sets and broadcasts to $D$
$$c_i = g^{m_i} \cdot r_i^N \bmod N^2.$$

2. (a) $D$ selects pairs $(a_j, r'_j) \in \mathbb{Z}_N \times \mathbb{Z}_N^*$, which remain private, where $r'_j$ is random, defines $a(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$ and sets $s_i = a(i) \bmod N$.

(b) $D$ decrypts $c_i$ using
$$m_i = \frac{L(c_i^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N \qquad\text{and}\qquad r_i = \left(\frac{c_i}{g^{m_i}}\right)^{N^{-1} \bmod \lambda} \bmod N,$$
then broadcasts $d_i = s_i + m_i \bmod N$ to every $P_i$.

(c) $D$ broadcasts to $V$
$$A_j = g^{a_j} \cdot r_j'^{\,N} \bmod N^2 \qquad\text{and}\qquad t_i = r_i \cdot \prod_{j=0}^{t-1} r_j'^{\,i^j} \bmod N.$$

3. $V$ checks, for every participant $P_i$,
$$A_0 \cdot A_1^{\,i} \cdots A_{t-1}^{\,i^{t-1}} = \frac{g^{d_i}}{c_i} \cdot t_i^{\,N} \bmod N^2.$$

Note that $V$ uses the homomorphic property when checking step 3 of this protocol. The correctness of the scheme is easily verified, because $s_i = a(i) \bmod N$ implies $g^{a_0 + a_1 i + \cdots + a_{t-1} i^{t-1}} = g^{s_i} \bmod N^2$ since $O(g) = N$. And every authorized subset $B \in \Gamma$ can always recover a unique secret because $\det(A) \in \mathbb{Z}_N^*$, which we can force by having $D$ choose $p, q$ such that $n \ll p, q$.
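Added example, not the authors' code: the protocol above run end to end with Paillier, including the dealer's recovery of the commitment randomness in step 2(b), the verifier's check in step 3, and Shamir reconstruction from $t$ shares over $\mathbb{Z}_N$. The primes $p = 10007$ and $q = 10009$ are toy values (real ones are about 1024 bits) and $g = N + 1$ is the standard choice of order exactly $N$; everything else follows the protocol's symbols.

```python
"""PVSS from Paillier: participant commitments, dealer shares, public verification,
and threshold reconstruction, with a tampered share to show the check rejects it."""
import math
import secrets

def keygen(p, q):
    """Paillier key pair: public (N, g) with g = N + 1 of order N, secret lambda."""
    N = p * q
    if math.gcd(N, (p - 1) * (q - 1)) != 1:
        raise ValueError("need gcd(N, phi(N)) = 1")
    return (N, N + 1), math.lcm(p - 1, q - 1)

def L(u, N):
    return (u - 1) // N

def encrypt(pk, m, r):
    N, g = pk
    return pow(g, m, N * N) * pow(r, N, N * N) % (N * N)

def decrypt(pk, lam, c):
    N, g = pk
    mu = pow(L(pow(g, lam, N * N), N), -1, N)
    return L(pow(c, lam, N * N), N) * mu % N

def recover_r(pk, lam, c, m):
    """The Paillier randomness of c given its plaintext m (step 2(b)):
    c * g^{-m} = r^N mod N^2, so r = (r^N mod N)^(N^{-1} mod lambda) mod N."""
    N, g = pk
    r_to_N = c * pow(g, -m, N * N) % (N * N) % N
    return pow(r_to_N, pow(N, -1, lam), N)

def random_unit(N):
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def participant_commit(pk):
    """Step 1: P_i picks (m_i, r_i) and publishes c_i = g^{m_i} r_i^N mod N^2."""
    N, _ = pk
    m, r = secrets.randbelow(N), random_unit(N)
    return (m, r), encrypt(pk, m, r)

def dealer_share(pk, lam, t, a0, commitments):
    """Step 2: polynomial a(x) with a(0) = a0, masked shares d_i = s_i + m_i, and the
    verification values A_j and t_i. Returns (d, A, T); d and T are keyed by i."""
    N, g = pk
    a = [a0 % N] + [secrets.randbelow(N) for _ in range(t - 1)]
    r_prime = [random_unit(N) for _ in range(t)]
    A = [encrypt(pk, aj, rj) for aj, rj in zip(a, r_prime)]
    d, T = {}, {}
    for i, c in commitments.items():
        m = decrypt(pk, lam, c)
        r = recover_r(pk, lam, c, m)
        s = sum(aj * pow(i, j, N) for j, aj in enumerate(a)) % N
        d[i] = (s + m) % N
        T[i] = r * math.prod(pow(rj, i ** j, N) for j, rj in enumerate(r_prime)) % N
    return d, A, T

def verify(pk, i, c_i, d_i, A, t_i):
    """Step 3: prod_j A_j^{i^j} == g^{d_i} * c_i^{-1} * t_i^N (mod N^2)."""
    N, g = pk
    N2 = N * N
    lhs = math.prod(pow(Aj, i ** j, N2) for j, Aj in enumerate(A)) % N2
    rhs = pow(g, d_i, N2) * pow(c_i, -1, N2) * pow(t_i, N, N2) % N2
    return lhs == rhs

def reconstruct(N, shares):
    """Lagrange interpolation at 0 over Z_N from any t shares {i: s_i}; equivalent to
    solving the Vandermonde system, whose denominators are units because n << p, q."""
    a0 = 0
    for i, s_i in shares.items():
        num = den = 1
        for k in shares:
            if k != i:
                num = num * (-k) % N
                den = den * (i - k) % N
        a0 = (a0 + s_i * num * pow(den, -1, N)) % N
    return a0

def run_protocol(n, t, a0, p=10007, q=10009):
    """Full run. Returns (every share verified, secret recovered by the first t
    participants, a share the dealer tampered with is rejected by the verifier)."""
    pk, lam = keygen(p, q)
    N = pk[0]
    private, commitments = {}, {}
    for i in range(1, n + 1):
        private[i], commitments[i] = participant_commit(pk)
    d, A, T = dealer_share(pk, lam, t, a0, commitments)
    all_ok = all(verify(pk, i, commitments[i], d[i], A, T[i]) for i in commitments)
    shares = {i: (d[i] - private[i][0]) % N for i in list(commitments)[:t]}
    tampered_rejected = not verify(pk, 1, commitments[1], (d[1] + 1) % N, A, T[1])
    return all_ok, reconstruct(N, shares), tampered_rejected

if __name__ == "__main__":
    print(run_protocol(n=5, t=3, a0=424242))   # (True, 424242, True)
```

The verifier never learns $m_i$ or $s_i$: it checks a relation between public values only, which is what makes the verification public rather than limited to the participants.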

3 Security in the verification

In the following we prove that when $D$ is dishonest he can convince nobody. Let $\Gamma$ be the set of subsets of participants that should be able to compute the secret (the access structure). We consider the Cartesian product $2^P \times 2^{\mathbb{Z}_N}$ and restrict it to $\Gamma \times S_\Gamma \subseteq 2^P \times 2^{\mathbb{Z}_N}$, where $S_\Gamma$ is the set of those subsets in $2^{\mathbb{Z}_N}$ whose elements are shares coming from some authorized subset in $\Gamma$.

Definition 3.1 We define the function $\mathrm{Rec} : \Gamma \times S_\Gamma \to \mathbb{Z}_N$, $(B, S_C) \mapsto a_0$, where $a_0$ is the secret that the authorized subset of participants $B$ reconstructs when it uses the shares $S_C$ of the authorized subset of participants $C$.

Definition 3.2 We say that $D$ deceives if there exist distinct $A_1, A_2 \in \Gamma$ such that $\mathrm{Rec}(A_1, S_{A_1}) \ne \mathrm{Rec}(A_2, S_{A_2})$.

Theorem 3.3 If $V$ verifies step 3 of the protocol, then $D$ cannot deceive in this PVSS scheme.

References

[1] A. Shamir. How to share a secret. Commun. of the ACM, Vol.22, pp.612-613, 1979.

[2] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In Proc. 26th IEEE Symp. on Found. of Computer Science, pages 383–395, 1985.

[3] Pascal Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Advances in Cryptology – EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages 223–238, 1999.

[4] Eiichiro Fujisaki and Tatsuaki Okamoto. A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications. In Advances in Cryptology – EUROCRYPT ’98, LNCS 1403, pages 32–46, 1998.

[5] D. R. Stinson. An explication of secret sharing schemes. Designs, Codes and Cryptography, 2, pp.357-390, 1992.


Using Trusted Computing for IP address autoconfiguration in MANETs

Shenglan Hu and Chris J. Mitchell

Information Security Group, Royal Holloway, University of London
{s.hu,c.mitchell}@rhul.ac.uk

Abstract. IP address autoconfiguration is an important task for zero configuration. However, performing IP address autoconfiguration in ad hoc networks in a secure way remains a major problem. TCG-compliant computing platforms are likely to be widely deployed over the next few years. This paper describes a method for secure IP address autoconfiguration using the Direct Anonymous Attestation (DAA) scheme, appropriate when the mobile devices in a mobile ad hoc network (MANET) are all Trusted Platforms conforming to the Trusted Computing Group (TCG) specifications.

Keywords. IP address autoconfiguration, trusted computing, DAA

1 Security issues of existing schemes

Secure allocation of unique addresses to the nodes in an ad hoc network, where there is no central administrator to perform the address allocation task, is a particularly difficult issue. No satisfactory solution has yet been devised for this problem.

Several IP address autoconfiguration schemes for ad hoc networks based on Duplicate Address Detection (DAD) have recently been proposed [PRD00, FVP03, NP02]. However, by using DAD, these schemes suffer from a variety of possible attacks. For example, a malicious node could claim to possess the IP address requested by a node newly joining the network, causing a denial of service (DoS) attack. Alternatively, a malicious node could claim to possess a particular IP address occupied by an existing node in order to cause an “IP address collision” and hence force this node to change its IP address.

Nikander [Nik01] proposed a scheme to provide IP address “ownership” by binding an IP address to a public/private key pair; the scheme can be used for IP address autoconfiguration in MANETs. However, since IP addresses are derived from hash values of the public component of a public/private key pair randomly generated by a node, it suffers from pre-computation attacks, in which a malicious node can generate a large number of public/private key pairs and claim to possess any of the corresponding IP addresses.

In addition, none of the above schemes can prevent Sybil attacks in MANETs, where a node fraudulently uses multiple identities in the network.

2 Our scheme

The Direct Anonymous Attestation (DAA) scheme was adopted by the Trusted Computing Group as a method for remote authentication of a Trusted Platform Module (TPM) while preserving its privacy. The full cryptographic details can be found in [BCC04]. In our scheme, we use the DAA algorithm for IP address autoconfiguration in MANETs. We assume that all mobile nodes in the network use TCG-compliant platforms and can be represented by the TPM present in the node.

Before a TPM $P$ joins a MANET, it has to go through a join process. It is authenticated to a trusted third party (called an issuer) via its Endorsement Key (EK) and also reveals a pseudonym $N_P$ to the issuer in the form $\zeta^r$, where $\zeta$ is derived from the issuer's name and is an element of some suitable group, and $r$ is a secret value generated by the TPM in the node. The issuer provides $P$ with a DAA credential after verifying that the platform has the architecture of a trusted platform. The join process is designed so that a TPM will normally receive exactly the same DAA credential from a given issuer, no matter how many times the join process is executed and no matter whether the issuer changes its keys.


In a MANET, a node assigns itself an IP address by computing
$$IP_P = h\big((N_P \,\|\, T_P \,\|\, \mathit{Random})^r\big),$$
where $T_P$ is the joining time, $h$ is a hash function with a 32- or 128-bit output (depending on whether an IPv4 or an IPv6 address is required), and $\mathit{Random}$ is a random number generated by the TPM. Whenever an IP address collision occurs, a node can use the DAA-Signing algorithm to prove to any other node that it has a valid credential supplied by a particular issuer, and to convince them that the value $r$ used for computing $IP_P$ is the same as the one claimed at the time of credential issuance. If two nodes with the same IP address have both proved their ownership of the address to each other, the node with the newest joining time computes another IP address based on a new random number.

3 Main Contribution

• The use of DAA never reveals the TPM identity (in the form of the endorsement key), i.e. DAA supports the privacy of a TPM.

• In our scheme, the IP address of a node is bound to its DAA credential, which enables it to prove its ownership of the IP address to other nodes when IP address collisions occur. This prevents a malicious node from claiming to possess an arbitrary IP address in order to cause DoS attacks and unnecessary IP address collisions.

• A node can change its IP address whenever needed; however, all such addresses are linked to its DAA credential, which is unique for a given issuer. This prevents Sybil attacks.

References

[PRD00] Charles E. Perkins, Elizabeth M. Royer, and Samir R. Das. IP address autoconfiguration in ad hoc networks. draft-ietf-manet-autoconf-00.txt, July 2000. Inactive IETF draft.

[FVP03] M. Fazio, M. Villari, and A. Puliafito. Autoconfiguration and maintenance of the IP address in ad-hoc mobile networks. In Proceedings of the Australian Telecommunications, Networks and Applications Conference 2003, 2003.

[NP02] Sanket Nesargi and Ravi Prakash. MANETconf: Configuration of hosts in a mobile ad hoc network. In Proceedings of INFOCOM 2002, volume 2, pages 1059–1068. IEEE, 2002.

[Nik01] Pekka Nikander. Denial-of-service, address ownership, and early authentication in the IPv6 world. In B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe, editors, Proceedings of Security Protocols, 9th International Workshop, Cambridge, volume 2467 of Lecture Notes in Computer Science, pages 12–21. Springer-Verlag, Berlin, 2001.

[BCC04] Ernest F. Brickell, Jan Camenisch, and Liqun Chen. Direct anonymous attestation. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 132–145. ACM Press, New York, NY, 2004.


Sokrates - A Compiler Framework for Zero-Knowledge Protocols

Jan Camenisch∗, Markus Rohe† and Ahmad-Reza Sadeghi†

∗IBM Research, Zurich Research Lab, Switzerland; †Applied Data Security Group, Ruhr-Universität Bochum, Germany

[email protected] {rohe,sadeghi}@crypto.rub.de

Abstract. The design of zero-knowledge proof systems turns out to be a cumbersome and error-prone task, especially when their structure becomes complicated due to the composition of several sub-protocols. To simplify this task we outline the conception of a compiler for the design of efficient zero-knowledge proofs of knowledge on one-way homomorphisms. Such a tool provides a practical design aid for converting the assertion to be proven into a concrete protocol. Furthermore, it can also serve as a prototype testbed to verify manually designed protocol proposals. This paper presents the current state of the project and the plans for further developments.

Keywords. zero-knowledge, protocol, compiler, language design

Motivation

About 25 years after their invention, zero-knowledge proof systems have become an integral part of modern cryptography. They are used as building blocks in many applications including identification schemes, interactive verifiable computations, credential systems, group signature schemes, voting schemes and mix-networks, as well as in technical specifications, e.g., for privacy preserving mechanisms in the context of the TCG specification (Trusted Computing Group, cf. direct anonymous attestation [BCC04]).

The most efficient protocols for practical applications are proofs of knowledge of preimages under one-way homomorphisms. Examples are the discrete powering homomorphism and the RSA homomorphism underlying the Schnorr and Guillou-Quisquater identification schemes, respectively. The proofs vary depending on the requirements of the employed homomorphisms and groups; however, their structure usually consists of a so-called Σ-protocol⁶ [Cr97]. Hence, a common framework to support sophisticated compositions of different zero-knowledge proofs is highly desirable to assist in the design of new protocols.

Sokrates⁷ consists of a language describing the class of Σ-protocols and a corresponding compiler which outputs the input specification either as a well-formatted protocol description in LaTeX or as Java source code for prover and verifier, so that the user is able to carry out performance tests for various security parameters.

Related Work: There already exists a compiler to generate interactive proofs of knowledge [MOR03]. However, that approach is limited to interactive computations with a fixed set of integrated protocols to jointly compute secret values among two parties and to verify this computation in zero-knowledge. The commitment scheme applied to the intermediate shares and the domain of the secret values are predetermined as well. Sokrates is focused on zero-knowledge proofs of knowledge and aims to become more flexible and extensible in this domain, i.e., to cover a larger variety of protocol specifications and mathematical objects and a wider range of combinations among the statements to be proven.

Current State of Work

The tool is based on the work in [B04] and on work at IBM Research Zurich, with the goal of becoming an open source project. The compiler processes an input file containing the protocol specification and then generates either an extensible protocol description as well-formatted LaTeX source or Java source code for the prover

⁶ A Σ-protocol is a well known three-move protocol consisting of a first message from the prover, a challenge chosen uniformly at random by the verifier, and the corresponding response from the prover.

⁷ The name is inspired by the Greek philosopher Sokrates (about 469 – 399 B.C.), to whom the famous statement “I know that I know nothing” is attributed, which is indeed the core idea behind the zero-knowledge property.

124


and the verifier. At this stage, the compiler considers the honest-verifier zero-knowledge property and the completeness property of the given protocol.

Up to now, the framework provides the following mathematical objects: finite additive groups (G, +) and multiplicative groups (G, ·), one-way homomorphisms⁸, the set of integers Z and intervals on the integers. So far, the compiler supports the honest-verifier Σ-protocol [Cr97] and the Σ⁺-protocol [BCM05], which is a proof of knowledge under more general assumptions⁹.

Moreover, the compiler provides protocols that allow the prover to show that an integer preimage lies in a given interval. Boolean compositions by AND and OR among the statements to be proven are included (e.g., of the form described in [Cr97]), as well as the boolean connection of constraints on preimages from the same group.

Future Work

For the near future, a first stable public release and new extensions are planned. The addition of new mathematical objects, such as groups of points on elliptic curves, and a detailed analysis of the computation and communication complexity of concrete protocols should increase the flexibility of the existing tool.

Further, in the current version the user has to indicate explicitly all mathematical objects and the applied homomorphisms. Hence, simplifying the protocol specifications by adding macros to the input language is highly desirable¹⁰. In this case, the compiler receives a high-level specification of the desired proof and constructs a corresponding protocol automatically. Here, one option is to apply a precompiler which translates the protocol’s high-level description into the protocol description that the current compiler is able to process.

Furthermore, the integration of different proof modes, i.e., methods of how the protocols are executed between prover and verifier, is another important task. In one such mode the protocol is honest-verifier zero-knowledge, whereas other modes will transform the protocol into one that is zero-knowledge against arbitrary verifiers, employing the various known means to do so. For instance, one could apply the Fiat-Shamir heuristic [FS86] or a transformation into the common reference string model [D00].

Last but not least, providing other backends than Java or LaTeX, for example C code for a specific embedded platform, is a further feature foreseen for this compiler tool.
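The protocol class the compiler targets, written out as an added example that is not part of the Sokrates paper or tool: a Σ-protocol proving knowledge of a preimage under a one-way homomorphism ψ: (Z_q, +) → (G, ·), the AND-composition of two such statements under one shared challenge, and the Fiat-Shamir transform mentioned under proof modes. ψ is instantiated here with the discrete powering homomorphism x ↦ g^x mod p (the Schnorr case); the `Homomorphism` class, its field names and the toy group parameters are constructions of this example, chosen far too small for real use.

```python
"""Added example (not from the Sokrates paper): a Σ-protocol for a preimage
under a one-way homomorphism psi: (Z_q, +) -> (G, ·), its AND-composition,
and the Fiat-Shamir transform. Instantiated with discrete powering
x -> g^x mod p (Schnorr). Toy parameters, constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Homomorphism:
    """psi: (Z_q, +) -> (Z_p^*, ·), x -> base^x mod p, plus the codomain ops.
    Swapping in another object with the same interface leaves prover and
    verifier code below unchanged."""
    q: int      # order of the domain (and of base)
    p: int      # modulus of the codomain group
    base: int

    def apply(self, x: int) -> int:
        return pow(self.base, x % self.q, self.p)

    def mul(self, a: int, b: int) -> int:
        return a * b % self.p

    def power(self, a: int, e: int) -> int:
        return pow(a, e, self.p)


# p = 2q + 1 with p and q prime; base = 2^2 is a quadratic residue, so it has order q.
TOY = Homomorphism(q=509, p=1019, base=4)


def commit(psi: Homomorphism):
    """Move 1 (prover): pick r uniformly in Z_q, send t = psi(r)."""
    r = secrets.randbelow(psi.q)
    return r, psi.apply(r)


def respond(psi: Homomorphism, x: int, r: int, c: int) -> int:
    """Move 3 (prover): s = r + c*x in Z_q."""
    return (r + c * x) % psi.q


def verify(psi: Homomorphism, y: int, t: int, c: int, s: int) -> bool:
    """Verifier: psi(s) == t * y^c, which holds exactly because psi is a homomorphism."""
    return psi.apply(s) == psi.mul(t, psi.power(y, c))


def interactive_proof(psi: Homomorphism, x: int, challenge_bits: int = 8) -> bool:
    """Honest prover (knows x with y = psi(x)) talking to an honest verifier."""
    y = psi.apply(x)
    r, t = commit(psi)
    c = secrets.randbits(challenge_bits)       # Move 2 (verifier): random challenge
    s = respond(psi, x, r, c)
    return verify(psi, y, t, c, s)


def and_proof(psi: Homomorphism, witnesses, challenge_bits: int = 8) -> bool:
    """AND-composition: one shared challenge, one (t_i, s_i) pair per statement.
    witnesses is a list of (x_i, y_i) with y_i = psi(x_i)."""
    commitments = [commit(psi) for _ in witnesses]
    c = secrets.randbits(challenge_bits)
    return all(
        verify(psi, y, t, c, respond(psi, x, r, c))
        for (x, y), (r, t) in zip(witnesses, commitments)
    )


def fiat_shamir_challenge(psi: Homomorphism, y: int, t: int, bits: int = 64) -> int:
    """Replace the verifier's coin flips by a hash of the statement and the commitment."""
    h = hashlib.sha256(f"{psi.p}|{psi.base}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def fs_prove(psi: Homomorphism, x: int):
    """Non-interactive proof of knowledge of x for y = psi(x)."""
    y = psi.apply(x)
    r, t = commit(psi)
    c = fiat_shamir_challenge(psi, y, t)
    return y, (t, respond(psi, x, r, c))


def fs_verify(psi: Homomorphism, y: int, proof) -> bool:
    t, s = proof
    return verify(psi, y, t, fiat_shamir_challenge(psi, y, t), s)


if __name__ == "__main__":
    print("interactive:", interactive_proof(TOY, 123))
    y, proof = fs_prove(TOY, 123)
    print("fiat-shamir:", fs_verify(TOY, y, proof))
```

Only `verify` depends on the homomorphic property, which is why a compiler can emit the same three moves for any object satisfying the `Homomorphism` interface; the interactive variant is honest-verifier zero-knowledge because a simulator can pick s and c first and set t = ψ(s) · y^(-c), whereas the Fiat-Shamir variant removes the verifier's choice of c altogether.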

References

[DF02] I. Damgård and E. Fujisaki: A statistically-hiding integer commitment scheme based on groups with hidden order. In Proc. of ASIACRYPT 2002, volume 2501 of LNCS, pages 125–142. Springer, 2002.

[B04] Thomas Briner: Compiler for Zero-Knowledge Proof-of-Knowledge Protocols. Diploma Thesis, Eidgenössische Technische Hochschule Zürich, 2004.

[BCC04] Ernie Brickell, Jan Camenisch and Liqun Chen: Direct Anonymous Attestation. In Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 132–145. ACM Press, 2004.

[Cr97] Ronald Cramer: Modular Design of Secure yet Practical Cryptographic Protocols. PhD thesis, Universiteit van Amsterdam, January 1997.

⁸ A mapping ψ : G → H with (G, +) and (H, ·) and the property ψ(g + g′) = ψ(g) · ψ(g′) for all g, g′ ∈ G, such that computing the inverse ψ⁻¹ is computationally infeasible.

⁹ The setting of the commitment scheme by Damgård and Fujisaki [DF02] and their special definition of a proof of knowledge resulting from their setup procedure require the verifier to know the order of the group forming the co-domain of the applied homomorphism. A Σ⁺-protocol, however, turns out to be a proof of knowledge regardless of whether the verifier knows the group’s order or not [BCM05].

¹⁰ For example, assume that the user intends to prove that a certain preimage is greater than or equal to zero. This can be achieved by taking advantage of a number-theoretic result by Lagrange that every non-negative integer can be represented as a sum of four squares. Hence, the compiler is supposed to construct such a four-square decomposition of the preimage automatically and to augment the protocol description by the corresponding additional commitments and subproofs.
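The decomposition step such a macro has to perform, as an added example (not part of the Sokrates tool): a four-square decomposition of a non-negative integer and the arithmetic check that the verifier ultimately relies on. The search is brute force for clarity and fine for small inputs; a real compiler would use a randomized polynomial-time algorithm such as Rabin-Shallit. The inputs in the usage are constructed for the example.

```python
"""Added example (not from the paper): the four-square decomposition a compiler
macro would produce before proving that a committed integer is non-negative.
Brute force, adequate for small inputs only."""
from math import isqrt


def four_squares(n: int):
    """Return (a, b, c, d) with a*a + b*b + c*c + d*d == n and a >= b >= c >= d >= 0.
    Lagrange's four-square theorem guarantees a solution for every n >= 0, so the
    nested search below always terminates with a result."""
    if n < 0:
        raise ValueError("only non-negative integers are sums of four squares")
    for a in range(isqrt(n), -1, -1):
        rest_a = n - a * a
        for b in range(min(a, isqrt(rest_a)), -1, -1):
            rest_b = rest_a - b * b
            for c in range(min(b, isqrt(rest_b)), -1, -1):
                rest_c = rest_b - c * c
                d = isqrt(rest_c)
                if d * d == rest_c and d <= c:
                    return a, b, c, d
    raise AssertionError("unreachable by Lagrange's four-square theorem")


def is_four_square_decomposition(n: int, squares) -> bool:
    """The relation the verifier checks (over commitments in the real protocol):
    n equals the sum of the four committed squares."""
    return (
        len(squares) == 4
        and all(v >= 0 for v in squares)
        and sum(v * v for v in squares) == n
    )


if __name__ == "__main__":
    for n in (0, 7, 2005):   # constructed sample inputs
        print(n, four_squares(n))
```

Exhibiting a decomposition proves n ≥ 0 because a sum of squares of integers is never negative; that is what lets the compiler replace a range statement by commitments to a, b, c, d and a subproof of the linear relation between them and n.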

125


[BCM05] Endre Bangerter, Jan Camenisch and Ueli Maurer: Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order. In Proc. of PKC 2005, volume 3386 of LNCS, pages 154–171. Springer-Verlag, 2005.

[MOR03] Philip MacKenzie, Alina Oprea, and Michael K. Reiter: Automatic generation of two-party computations. In Proc. of CCS 2003, pages 210–219. ACM, October 2003.

[FS86] Amos Fiat and Adi Shamir: How to prove yourself: Practical solutions to identification and signature problems. In Proceedings of CRYPTO ’86, pages 186–194.

[D00] Ivan Bjerre Damgård: Efficient concurrent zero-knowledge in the auxiliary string model. In Proceedings of Eurocrypt 2000, pages 418–430. Springer.

Modelling e-business security using business processes

S. Nachtigal, C.J. Mitchell

ISG, Royal Holloway, University of London

[email protected]@rhul.ac.uk

Abstract. Organisations (enterprises, businesses, government institutions, etc.) have changed their means of doing business from traditional means to E-Business processes. That change makes the perimeter security approach no longer appropriate for such new types of organisations. The well-known and widely used security mechanisms, including cryptography-based tools and techniques, cannot provide a sufficient level of security when used alone, without being part of a comprehensive organisational approach or philosophy. The approach has to differ from the currently ruling approach, namely perimeter security, by focusing on the organisational components. Here we suggest a process security approach.

Keywords. perimeter security, E-Business (E-Biz), information security, cryptography, information flows,business process

1 Introduction

Corporate information systems security has been dominated by ‘traditional’ security considerations for many years. According to the traditional information security model, security is achieved by providing a security perimeter, which is designed to protect the company’s boundaries from the external world. The goal is to prevent malicious or non-authorised users and applications from accessing the company and its various business functions.

A wide variety of tools and mechanisms have been (and are still being) developed to support corporate security based on this perimeter security approach. In this approach, information systems security is provided on the basis of a trust hierarchy, by which the internal users (i.e., the company’s employees) are automatically assigned a maximal level of trust, while everyone trying to enter the business from the external world is assigned a minimal level of trust, if any. This approach has a number of shortcomings, including the basic assumption that employees can be trusted (according to CSI’s statistics, about 75% of all security incidents are due to employee actions performed either deliberately or by error), and the concept of closed borders, which does not fit Internet-based business operations. New threats and problems arise while using Internet technology in general, and especially when a company adopts the E-Business (E-Biz) format of doing

126


business. The uniqueness, and the danger, in running E-Biz lies in its ‘openness’ to the environment, and in the various connections and communication channels with the external world. The traditional business models for information systems security are no longer appropriate and fit neither the new organisational environment nor the new organisational security needs. E-Biz involves performing business interactions (in other words, transmitting documents, i.e. data flows) between organisation portals by means of Internet technology.

The objective of this paper is to introduce a new approach, namely a business-process oriented security model for E-Business enterprise security, based on the E-Biz core characteristic of performing business functions by means of electronic data and information flows.

2 The business process

A process, as commonly defined, is a conversion or transformation of a certain entity (tangible or intangible) from one form to another while undergoing a series of certain actions. A business process can be defined as a certain sequence of activities that transforms inputs from different suppliers into outputs to selected customers.

Smith and Fingar [SF04] distinguish three different characteristics related to business processes:

• state - the value of calculations performed and the amount of information collected and generated during the execution of the process

• capability - the activities and relationships of communications established between the participants at any time during the process

• design - the intentional characteristics of the process that have been put in place during the design of the process.

Smith and Fingar [SF04] use these process characteristics to link business management and business technology. Dynamics is a significant characteristic of a modern business: not just the process itself, but also the relationships between the processes and even the channels for executing the processes.

A business process, as defined above, in practice occurs by transferring documents between the stations involved in a specific series of actions in order to complete a specific mission. Documents contain the data essential to perform each one of the procedural stages of a specific process. In other words, we use documents as a convenient way of carrying data.

3 Modelling security using the business process

There are two universal macro-level modules which comprise any organisation in the world, namely operations and management, of which the operations module is the basic one: without operations (i.e. processes) there is no management, and without both there is actually no organisation. No kind of organisation will be able to function as a viable active unit without properly performing its processes.

Following the discussion in the previous section, a process can be described by mapping all the documents carrying the data relevant to the process. An E-Biz process is completely based on a set of information/data flows that actually enable its existence. In practice, it is the only way to perform an E-Biz process: to transmit documents over different types of electronic channels, according to the specific technologies used as an infrastructure to enable that business communication. The whole existence of an E-Biz company depends on the functionality of those electronic channels (e.g. the functionality of the Internet-related technologies) and the information they carry, while the quality and functionality of the information is becoming a critical factor for all E-Biz companies. Major parts of the documents (if not all of them) include sensitive information; in any case, in order to assure that the business functions according to plan, all business data and information (both transmitted and stored) should be protected. All this leads us to the conclusion that for an E-Biz company to function properly (and to function at all) its business processes have to be secured. This paper will introduce a quite new approach to securing business information systems by focusing on business processes.

127


4 The security modelling process

The existing tools and mechanisms (developed on the basis of the traditional perimeter security concept), based on hardware and software products, including cryptography, are not sufficient since they do not relate to the specific parameters that characterise a business process. As said above, a process is associated with documents transmitted between the different stations of the process. That is why the best way to present a process is by presenting the information involved (i.e. produced, transmitted and stored) in the process. The business processes can be identified by describing the business functions of which they are a part.

As said before, an E-Biz firm runs its business in a different way compared to a traditional firm. Its business processes are an integration of sequences and sets of information flows. (The concept of analysing information flows has been used by McCumber in his McCumber Cube approach [McC03], which deals with mapping information flow states and introduces the concept of three states of information existence.) This paper introduces a different direction of information flow analysis. In order to define the E-Biz functions and processes, a detailed description of the well-known and well-analysed traditional business functions and processes is performed. Any process is viewed as being comprised of a set (and a very complex one) of specific information flows. All the processes of the organisation and the relevant information flows associated with them are described, and the results are summarised by means of an IbPT (Information by Processes Table).

In order to secure a business process, not only the constituent information flows should be secured, but also all the data storage that serves those information flows. In order to operate properly, an E-Biz must rely on and use a vast variety of data to support the organisation’s activities.
For example, in order for a customer to make a purchase, an E-Biz company must hold a catalogue of goods for sale (catalogue data), the data associated with processing orders (tax and shipping data), and the inventory to fulfil the request (inventory and fulfilment data). The following list illustrates just a few of the types of database assets of a typical E-Biz: prices, catalogues, site information, business policies, members, payment, inventory, taxes, customer profiles, campaigns, discounts, etc.

Besides all these business data and information storages, there are also storages (packages) of specific computer system data, needed for the system’s execution or produced by the system. All the processes, together with the associated information flows, databases and a set of various business (operational and management) parameters which characterise the processes, will be evaluated and the final model will be formulated. The actual relations between the model’s components will be defined following the test phase of the research.

5 Using the security model

Organisations are constantly investing in their information technologies in general, and in business information systems security in particular, and those security expenditures have been constantly increasing for the last few years. The expenditures are mostly for widely used tools such as firewalls, antivirus software, VPNs, encrypted channels, etc. Although the tools are effective to a certain extent, there are objective shortcomings related to all existing security tools and mechanisms:

1. they solve just the technical side of the security problem

2. the acquisition of those tools and mechanisms is not based on any analytical model, since management is not supported by such an analytical model in their decisions

According to the traditional perimeter security approach, security tools are used in order to protect organisations by preventing certain types of activities, which results in a hard-to-operate business environment for the employees. That security arms race is a never-ending process, since the threats and risks are constantly growing and the organisational management never knows how much security is enough to prevent unauthorised access into the business; the result, again, is operational limitations for employees. The new approach, and the model which comes with it, suggested here aims to enable business instead

128


of preventing business, by abandoning the concept of borders (which is no longer relevant for an E-Biz company) and providing decision makers with security measures based on business process specifications. That is a rational and, therefore, useful tool, since the most important thing for the organisation is that its business processes are performed properly. The model will make it possible to plan both the business security measures and the security management process.

6 Testing the model

Due to the nature of the discipline under research (information systems security) and the research target, it was decided to apply a heuristic case study method in this research. There will be four different case studies, for the following reasons. Any E-Business firm has to decide upon its business model, which is a different and new model compared to traditional types of business. All the e-business models can be grouped and classified into two categories [A01]; the classification is made on the basis of a separation between two kinds of companies:

• Digital businesses - firms that are built and launched on the Internet

• Businesses that provide the platform upon which digital businesses are managed and operated.

Gloor [G02] gives a more detailed classification of models suggested by Professor Tom Malone. Professor Malone distinguishes four fundamentally different types of models for E-Biz:

• Creators - producers of goods (physical or information) such as General Electric, Cisco, Dell, Microsoft, and on-line versions of newspapers.

• Distributors - companies that distribute and/or supply goods, such as electronic shops for books or music (the most representative example is Amazon).

• Brokers - companies that act as intermediaries, such as on-line auctioneers and travel agencies (eBay, Netaction, Olsale, Thelastminute and the90minute are examples of this type of E-Biz).

• Extractors - companies that exist only on the Internet, operate as portals, and whose business model is based on advertising revenue. Typical examples are Yahoo and Google.

That classification seems to be generic enough and indeed includes all kinds of organisations acting as an E-Biz. Based on the discussions in the previous sections, the next phases of this research with regard to the development methodology will include:

1. To choose four different E-Biz firms, one for each of the following types of E-Biz models:

   a) creator
   b) distributor
   c) broker
   d) extractor

   Each of these chosen companies will be used as a case study.

2. To perform a systems analysis in each one of the case studies, covering the:

• background
• full processes description
• full information flows description
• relevant databases
• security analysis
• business issues (strategies, policies, etc.)

(all these are performed by means of a questionnaire and personal interviews with middle and high level management)

129


3. The data will be analysed (the structured data will also be processed) and discussed.

4. Based on the case study findings, a ‘process security’ model will be developed and formulated.

5. The model (or models) will be implemented in the case-study firms.

7 Conclusions

The findings of this research might be very useful for organisations which practise full or partial E-Business activity, as discussed above. Additional benefits will come in the form of the rich information acquired during the research phases of testing the models, i.e. the data collected from the case studies. These will lead to additional possible research projects, first of all a follow-up on the case-study organisations in order to analyse the impact of the suggested model in the middle and long term. Also, a map of business processes with the associated information flows, which will be one of this research’s by-products, can be a useful basis for analysing the actual strength of cryptography needed by a specific business process.

References

[A01] Applegate, Lynda M. ‘E-Business Handbook’. Harvard Business School Working Knowledge publications, Jul 8, 2002.

[G02] Gloor, P. ‘Making the e-Business Transformation’. Springer, 2000.

[McC03] McCumber, J. ‘Assessing and Managing Security Risk in IT Systems’. Auerbach Publications, 2005.

[SF04] Smith, H. and Fingar, P. ‘Business Process Management: The Third Wave’. Meghan-Kiffer Press, 2003.

130


The Idea and the Architecture of a Cryptographic Compiler

Stefan Lucks, Nico Schmoigl, Emin Islam Tatlı

University of Mannheim
http://th.informatik.uni-mannheim.de

{lucks,tatli}@th.informatik.uni-mannheim.de,[email protected]

Abstract. Flawed implementation of security protocols is a major source of real-world security problems. Typically, such protocols are specified in some “high-level” way and may even be formally proven secure. Implementing them in practical (and comparatively “low-level”) source code has turned out to be error-prone. This paper introduces an experimental language for high-level protocol specifications and describes a tool to automatically compile source code from these specifications.

Keywords. Compiler, cryptographic protocol, protocol language, protocol specification

1 Motivation

In practice, the designers of cryptographic security protocols should fear their friend, the implementor of their cryptosystem, as much as their foe, the cryptanalyst. A huge number of security flaws in applications is due to implementation flaws rather than successful attacks against the specified scheme. Implementors often miss some subtle issues of the protocol, perhaps when committing last-minute changes or quickly fixing bugs discovered before. Sometimes, the implementor may even deliberately deviate from the specification. Even if the implemented protocol still passes all functional tests and runs perfectly well in a non-adversarial environment, the difference between specification and implementation may still be exploitable by adversaries.

This paper gives a snapshot of our research in progress. At the time of writing, our specification language for security protocols is still in flux, and the compiler is still a prototype, though already able to compile some protocol specifications. The current prototype is still restricted to one target language, namely Java.

2 The Idea of the Cryptographic Compiler

As we pointed out in the motivation, bridging the semantic gap from an abstract specification of a protocol to a concrete implementation in some programming language is dangerous and error-prone. Thus, we would like to have a tool which takes some more-or-less abstract specification of a security protocol as its input and produces an implementation of the protocol in some programming language. In a nutshell, this is what our cryptographic compiler will do. Of course, finding a proper input language is a precondition for implementing the compiler. The major requirements for compiler and language are:

High Abstraction Level. The semantic gap between the specification of the protocol in some verification language (if it is proven secure by means of automated reasoning) or in the context of some theorem (if proven secure manually) must be minimized.

Flexibility and protocol constraints. Language and compiler shall support flexible protocols. E.g., when specifying protocols employing a cryptographic hash function, the designers shall be allowed to leave the concrete choice of the hash function open. On the other hand, the designers shall be able to impose constraints, e.g., on the minimum length of a hash value.

Avoid Dependence on a Programming Language. The compiler shall be able to generate source code in different programming languages. Additionally, the designer should have to create only one protocol definition, from which both verification and source code generation are possible without having to adjust the input file(s).

131


Message-based ↔ Role-Based. Typically, protocols are specified in a message-based way, like, e.g.: first, a message is sent from A to B; second, a message is sent from B to C; third, another message is sent from C to A; ... On the other hand, protocol implementations typically are role-based, with different program fragments (threads, methods, ...) for each party, e.g.: A sends a message to B and then waits for a message from C ... See also Figure 1.

Figure 1: Message- and role-based view of a joint three-party computation of Result := XA+XB+XC (layout reconstructed from the extracted figure text).

Message-based view:

    A -> B: XA + Rand  -> FromA
    B -> C: XB + FromA -> FromB
    C -> A: XC + FromB -> FromC
    A:      Result := FromC - Rand

Role of party A:

    in: XA, Rand
    local: FromC
    send(to -> B, XA+Rand)
    receive(FromC)
    Result := FromC-Rand
    out: Result

Role of party B:

    in: XB
    local: FromA
    receive(FromA)
    send(to -> C, XB+FromA)

Role of party C:

    in: XC
    local: FromB
    receive(FromB)
    send(to -> A, XC+FromB)
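Figure 1 carried out in code, as an added example that is not part of the paper or its compiler: the message-based view is recorded as a transcript of the three messages, while the role-based view is one thread per party that only sends and receives on its channels, which is the shape a compiler must emit. The modulus 2^32 is an assumption of this example (the page fixes none); it is what makes A's random value Rand mask XA uniformly, so that B and C only ever see masked partial sums. The `Channel` class and all names below are constructions of this example.

```python
"""Added example (not from the paper): Figure 1's three-party computation of
Result := XA + XB + XC, with the message-based transcript recorded while the
role-based code (one thread per party) runs. Arithmetic mod 2^32 is an
assumption of this example so that Rand masks XA uniformly.
"""
import secrets
import threading
from queue import Queue

MOD = 2**32


class Channel:
    """One unidirectional channel per arrow of the message-based view. It also
    records the transcript so both views can be compared afterwards."""

    def __init__(self, sender, receiver, transcript):
        self.sender, self.receiver, self.transcript = sender, receiver, transcript
        self._q = Queue()

    def send(self, value):
        self.transcript.append((self.sender, self.receiver, value))
        self._q.put(value)

    def receive(self):
        return self._q.get()


def role_a(xa, rand, to_b, from_c, out):
    # in: XA, Rand; local: FromC; out: Result
    to_b.send((xa + rand) % MOD)               # A -> B: XA + Rand  -> FromA
    from_c_val = from_c.receive()              # receive(FromC)
    out["Result"] = (from_c_val - rand) % MOD  # Result := FromC - Rand


def role_b(xb, from_a, to_c):
    # in: XB; local: FromA
    from_a_val = from_a.receive()              # receive(FromA)
    to_c.send((xb + from_a_val) % MOD)         # B -> C: XB + FromA -> FromB


def role_c(xc, from_b, to_a):
    # in: XC; local: FromB
    from_b_val = from_b.receive()              # receive(FromB)
    to_a.send((xc + from_b_val) % MOD)         # C -> A: XC + FromB -> FromC


def run_protocol(xa, xb, xc, rand=None):
    """Start the three roles concurrently; return (Result, message-based transcript)."""
    rand = secrets.randbelow(MOD) if rand is None else rand
    transcript = []
    ab = Channel("A", "B", transcript)
    bc = Channel("B", "C", transcript)
    ca = Channel("C", "A", transcript)
    out = {}
    threads = [
        threading.Thread(target=role_a, args=(xa, rand, ab, ca, out)),
        threading.Thread(target=role_b, args=(xb, ab, bc)),
        threading.Thread(target=role_c, args=(xc, bc, ca)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return out["Result"], transcript


if __name__ == "__main__":
    result, transcript = run_protocol(5, 7, 11)   # constructed sample inputs
    for sender, receiver, value in transcript:
        print(f"{sender} -> {receiver}: {value}")
    print("Result:", result)
```

The transcript always comes out in the order A→B, B→C, C→A because each role blocks in `receive` until the previous message arrives; that data dependency is exactly what a compiler has to recover when it turns the message-based narrative into three independent programs.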

2.1 Example Application: a Mobile Business Project

Developing a compiler should never be an end in itself, so we aim to use it for the implementation of secure applications in the context of a mobile business (m-business) project at the University of Mannheim [MBP]. The project’s goal is to develop a generic framework to enable context-aware mobile services. Handling security issues diligently is of vital importance for the project’s success.

The need to integrate the compiler’s output (i.e., the security logic) into the remaining parts of the applications (the application logic)¹¹ has been a major source of inspiration for our design decisions. In fact, some of our major requirements mentioned above are inspired by the necessities of the m-business project. For example, the requirement for flexibility corresponds to dynamically supporting different security policies in the m-business project.

3 Previous Work: Specification Languages and Issues

At the beginning of this research, we considered using one of the existing languages for specifying security protocols. In general, these languages have been developed with automatic protocol analysis and protocol verification in mind, rather than for automatically generating implementations. Specifically, we considered [CAPSL], [HLPSL], [CASPER] and [EVA].

For the instance of CAPSL, Millen and Muller (MM) even documented their approach to implementing a Java-targeted cryptographic compiler in [MM01]. At first glance, their work seems to provide all requested properties, but our further investigations revealed that this is not the case. The biggest problem arises from the fact that the MM compiler is restricted to generating Java output only. Besides other points of criticism, the output requires some common information storage, which Millen and Muller named “environment server”. We therefore rejected this approach. Nevertheless, the MM compiler was a source of inspiration for us: understanding both its achievements and its limitations turned out to be quite useful for making our own design decisions.

¹¹ Defining the interface between application logic and security logic can be quite tricky. Even when the application just needs to send a signed or encrypted message to some communication partner, the application context determines which keys to use for signing/encrypting.


Another interesting attempt is based on the extension of a given specification language. Didelot uses an enriched variant of CASPER as input language for his compiler called COSPJ (documented in [COSPJ, Section 3.2]). At first glance, this approach seems to implement an easy way of producing source code from a given protocol specification written for analysis. Currently, however, Didelot does not provide any tool or automated way to retrieve a CASPER style input file from a file of his extended language. If a protocol specification in CASPER is changed, the annotations have to be updated manually, which hinders flexibility.

Based on this approach we checked theoretically whether protocol languages suitable for protocol analysis would satisfy our requirements. It turned out that the two aims do not contradict each other, but often compete with each other regarding flexibility and readability. Even worse, none of the protocol languages we investigated provides any means of stopping the execution flow of the protocol by issuing an error or failure message.

4 The Compiler Architecture

Instead of modifying and extending an existing protocol specification language to suit our needs, we decided to define our own. The major task therefore was to find a language definition which is both suitable for cryptographic protocol analysis and for its immediate translation into plain, non-interpreted source code. As we demanded in Section 2, the abstract protocol definition must be target language independent. Thus, if we change the target language, we have (of course) to modify the compiler, but we do not want to additionally have to change any protocol definition. It seems natural to separate the compiler into two parts (see [UAS99, pp. 24-25]):

• The front end generates tokens from the abstract definition, parses them into a parse tree and stores this information in an external XML file. Almost all of the handling of user errors will be done by the front end – the back end is largely relieved from error handling.

• The back end takes the parse tree and forms the language dependent output. We split up the back end into the "Connector" and the "Target Translator" (often referred to as "Translator"). When choosing another target language, only the Translator needs to be adapted.

This is illustrated in Figure 2.

Figure 2: The information flow of our cryptographic compiler

[Figure 2 (diagram not reproduced): the front end turns the high-level definition into a parse tree stored as XML; the back end consists of the connector and the target translator, which reads an optional template file and emits source code in the target language.]

4.1 The Template File

The abstract protocol specification does not need to specify concrete instances of block ciphers, hash functions, asymmetric schemes and similar cryptographic building blocks. However, the compiler needs to replace, say, some abstract "block cipher" by a concrete one (AES, triple-DES, . . . ). The template file defines these matchings. Hence, the template mechanism allows the protocol designer to delegate the choice of cryptographic primitives to "security architects", who then are responsible for selecting good primitives. Additional assertions can provide some guidelines for the architects – and even prevent them from generating "apparently insecure" protocol instantiations. E.g., a 64-bit block cipher, such as triple-DES, may be considered secure in the context of one protocol, but, simply due to its small block size, harmful for another protocol.


Accordingly, the designer can assert, e.g., "the block size of block cipher E is at least 128 bit". Violating such a constraint results in an error message without generating any source code. Such assertions are expressed by special keywords in the local type definition within the input language.

4.2 Protocol’s interface

A core issue of many cryptographic protocol implementations is the clean specification of the interface between the protocol itself and the surrounding application logic. Motivated by the programming-by-contract paradigm, we introduced "Parameters", a sort of external variables. They can be found both on the inbound side, typically used for providing security parameters or public keys, and on the outbound side, mostly used for returning values like common session keys. By using the constraint mechanism described in the previous section, one can be sure that the assertions on the validity of the input are checked automatically.

As part of the answering side of the interface specification, we created the keyword "fail", which can be used at any meaningful position during the message declaration¹². By providing a mandatory integer parameter to this keyword, the Target Translator is able to supply a way to inform the underlying application logic that a particular protocol error has occurred.

5 Verification languages

As discussed in Section 3, there exist quite a few similar languages. But all of them have been developed to support automatic analysis and protocol verification. On the other hand, our language has been developed to be automatically compiled into a practical programming language, and the design of our language reflects this.

However, we are not at all willing to sacrifice the option of automatic protocol analysis! It is possible to implement analysis tools for our language¹³. But doing so would duplicate the effort done for other specification languages. Our compiler architecture provides another option: Recall that it is rather simple to adapt the compiler back end to another target language. Instead of a practical programming language, the target language can be another specification language – which then allows us to use existing analysis tools for other specification languages. As part of the current research, we are writing a compiler back end for CAPSL.

Thus, we will be able to specify protocols, verify their correctness by automatic analysis techniques and automatically generate implementations. If an abstract protocol is proven secure, the implementation might still be insecure – our compiler could be buggy. We take great care to ensure correct compilation, but proving correctness is beyond our current capabilities and can only be the goal of a long-term research project. In the meantime, we recommend reviewing the source code generated by the compiler for security problems – as the code generated by a human programmer should be. But note that the compiler cannot deliberately deviate from the specifications, cannot "misunderstand" protocol descriptions, and never behaves hectically, not even under the pressure of close deadlines.

6 Conclusion

Working in an m-business project, we have to both verify and implement the security protocols in our framework. Implementing security protocols manually is a very slow and error-prone process, and therefore automatic code generation tools are something to aim for. Unfortunately, existing verification tools either do not offer the possibility of automatic code generation or their code generation mechanism does not satisfy our requirements. We therefore have aimed to build an automatic code generation framework which can enable both fast development and error-free code.

¹² Please note that by using "fail" inaccurately, one could introduce a vulnerability to a variant of the Bleichenbacher attack [B98]!

¹³ This implies a syntactic element to specify the security goals of the protocol, which is not shown in our examples because the information is not needed for code generation.


In this paper, we explained the proposed cryptographic compiler that can generate source code in different programming languages from our experimental high-level specification language for security protocols. In addition, with suitable connectors to verification tools, our compiler can bridge the gap between source code generating languages and automatic protocol verification.

In our framework, one can so far specify security protocols and generate source code in Java. Generating source code for other languages like C++ and Ada and implementing Translators to verification tools are among our further goals.

References

[MBP] The mobile business research group. URL: http://www.m-business.uni-mannheim.de.

[CAPSL] J. Millen. CAPSL: Common Authentication Protocol Specification Language. URL: http://www.csl.sri.com/users/millen/capsl, 1997.

[HLPSL] Chevalier et al. A high level protocol specification language for industrial security-sensitive protocols. In Proceedings of the Workshop on Specification and Automated Processing of Security Requirements (SAPS 2004), 2004.

[CASPER] Gavin Lowe. Casper: A compiler for the analysis of security protocols. URL: http://web.comlab.ox.ac.uk/oucl/work/gavin.lowe/Security/Casper/casper.ps, July 1998.

[EVA] Florent Jacquemard and Daniel Le Metayer. Language de specification de protocoles cryptographiques de EVA : syntaxe concrete. URL: http://www-eva.imag.fr/bib/EVA-TR1.pdf, November 2001.

[MM01] Jonathan Millen and Frederic Muller. Cryptographic Protocol Generation from CAPSL. SRI Technical Report, SRI-CSL-01-07, December 2001.

[UAS99] A. Aho, R. Sethi, J. Ullman. Compilerbau Teil 1 (Compilers: Principles, Techniques and Tools), 1999.

[COSPJ] Xavier Didelot. COSP-J: A compiler for security protocols. URL: http://web.comlab.ox.ac.uk/oucl/work/gavin.lowe/Security/Casper/COSPJ/secu.pdf.

[B98] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In Advances in Cryptology – CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, pages 1–12. Lucent Technologies, 1998.


The Subset Sum Problem and (Universal) One-Way Functions based on it

Luis Carlos Coronado García

FB 20, Technische Universität Darmstadt, Hochschulstr. 10, D-64289 Darmstadt, Germany.

http://www.cdc.informatik.tu-darmstadt.de/mitarbeiter/[email protected]

Abstract. We present an equivalence between the subset sum problem and its modular version. We prove that a certain family of functions is (universal) one-way if the underlying subset sum problem is hard.

Keywords. Hash function, Subset Sum Problem.

1 Introduction

Coster et al. [CLOS91] presented an algorithm to solve in polynomial time the Subset Sum Problem (SSP) whose density is lower than $0.9408\ldots$ with only one call to an oracle which solves the short vector problem (SVP). Ajtai [Ajt96] showed that the modular SSP is hard to solve if $O(n^c)$-uSVP is also hard. Regev [Reg03] presented modular-SSP functions as collision resistant hash functions, if the $O(n^{1.5})$-uSVP is hard to solve, where $m = O(n^2)$ and $M = 2^{O(n^2)}$. In both cases $n$ is the dimension of the lattice. Hash functions built from the SSP whose security rests on one of these SVP assumptions need impractical values of $m$ and $M$. We are interested in using one-way and hash functions from the modular SSP whose density $d$ satisfies $c < d \le c + \frac{c}{s-1}$, where $c = 1, 2$ and $s \ge 160$. We give an equivalence between the SSP and its modular version. We also prove that a certain family of functions is (universal) one-way if the modular SSP is difficult to solve.

2 Subset Sum Problem and modular Subset Sum Problem

In this section we describe the subset sum problem and its modular version. We provide a relation between these two versions under some assumptions.

Definition 2.1 (SSP) Let $a_1, \ldots, a_m \in \mathbb{Z}$ be randomly chosen integers and let $t \in \mathbb{Z}$. The Subset-Sum Problem (SSP) consists in finding $e_1, \ldots, e_m \in \{0, 1\}$ such that $t = \sum_{i=1}^m a_i e_i$.

It is known that the subset sum Problem is NP-hard [GJ79].

Definition 2.2 The density of a set $\{a_1, \ldots, a_m\}$ is defined as $d = \dfrac{m}{\log_2 \max_{1 \le i \le m} a_i}$.

Definition 2.3 (modular SSP) Let $M \in \mathbb{Z}$, $a_1, \ldots, a_m \in_R \mathbb{Z}_M$ and $\tau \in \mathbb{Z}$. The modular Subset-Sum Problem consists in finding $\varepsilon_1, \ldots, \varepsilon_m \in \{0, 1\}$ such that $\tau = \sum_{i=1}^m a_i \varepsilon_i \bmod M$.

2.1 Equivalence between SSP and modular SSP under some assumptions

Theorem 2.4 Let $s, m \in \mathbb{N}$ such that $m \le \mathrm{poly}(s)$. Let $a_1, \ldots, a_m \in \mathbb{Z}$ be randomly chosen integers such that $s - 1 \le \log_2 \max_{1 \le i \le m} a_i < s$. If there exists an oracle which solves the SSP in polynomial time in $m$ for fixed $a_1, \ldots, a_m$ and any $t \in \mathbb{Z}$, then $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$ can be solved in polynomial time in $s$ for $\tau \in \mathbb{Z}_{2^s}$.

Proof. Because $\sum_{i=1}^m a_i < m 2^s$, we call the oracle with $a_1, \ldots, a_m, t_q \in \mathbb{Z}$, where $t_q = \tau + q 2^s$ and $0 \le q < m$.


Theorem 2.5 Let $s, m \in \mathbb{Z}$ and $a_1, \ldots, a_m, \tau \in_R \mathbb{Z}_{2^s}$ such that $m \le \mathrm{poly}(s)$. If there exists an oracle which answers the decision modular SSP in polynomial time in $s$ for any $A \subset \{a_1, \ldots, a_m\}$ and any $\tau' \in \mathbb{Z}_{2^s}$, then we can obtain all the solutions $e = (e_1, \ldots, e_m)$ for $\tau = \sum_{i=1}^m a_i e_i \bmod 2^s$ with only $Q$ queries to the oracle, where $Q$ is $\mathrm{poly}(s)$ times the number of all solutions of $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$.

Proof. All sets are represented as a non-decreasing sequence. For the sake of simplicity we assume without loss of generality that $a_i \ne a_j$ if $i \ne j$. Let $\mathcal{O}$ be the oracle and $A = \{a_1, \ldots, a_m\}$.

To find the solutions with only one summand and to prepare for solutions with at least two summands: For each $a \in A$ we verify if $a \equiv \tau \bmod 2^s$. When that happens, $a$ is a solution. We define the set $A_0 \subset A$ by $a \in A_0 \Leftrightarrow \mathcal{O}(A \setminus \{a\},\, \tau - a \bmod 2^s)$ answers "yes". If $A_0 = \emptyset$, there is no solution with at least two summands. Otherwise we have $A_0 = \{\alpha_1, \ldots, \alpha_{m_0}\}$.

To find solutions with only two summands and to prepare for solutions with at least three summands: We define $\tau_{\alpha_i} = \tau - \alpha_i \bmod 2^s$ and for each $a \in A_0 \setminus \{\alpha_1, \ldots, \alpha_i\}$ we verify if $a \equiv \tau_{\alpha_i} \bmod 2^s$. When that happens, $\alpha_i + a$ is a solution. We define the set $A_{\alpha_i} \subset A_0$ by $a \in A_{\alpha_i} \Leftrightarrow \mathcal{O}(A_0 \setminus \{a, \alpha_1, \ldots, \alpha_i\},\, \tau_{\alpha_i} - a \bmod 2^s)$ answers "yes". If $A_{\alpha_i} = \emptyset$, there is no solution which starts with $\alpha_i$ and has at least 3 summands. We have $A_{\alpha_i} = \{\beta_{\alpha_i,1}, \ldots, \beta_{\alpha_i,m_{\alpha_i}}\}$.

To find solutions with only three summands and to prepare for solutions with at least four summands: We define $\tau_{\alpha_i\beta_j} = \tau_{\alpha_i} - \beta_{\alpha_i,j} \bmod 2^s$ and for each $a \in A_{\alpha_i} \setminus \{\beta_{\alpha_i,1}, \ldots, \beta_{\alpha_i,j}\}$ we verify if $a \equiv \tau_{\alpha_i\beta_j} \bmod 2^s$. When that happens, $\alpha_i + \beta_j + a$ is a solution. We define the set $A_{\alpha_i\beta_j} \subset A_{\alpha_i}$ by $a \in A_{\alpha_i\beta_j} \Leftrightarrow \mathcal{O}(A_{\alpha_i} \setminus \{a, \beta_{\alpha_i,1}, \ldots, \beta_{\alpha_i,j}\},\, \tau_{\alpha_i\beta_j} - a \bmod 2^s)$ answers "yes". If $A_{\alpha_i\beta_j} = \emptyset$, there is no solution which starts with $\alpha_i + \beta_j$ and has at least four summands. We have $A_{\alpha_i\beta_j} = \{\gamma_{\alpha_i\beta_j,1}, \ldots, \gamma_{\alpha_i\beta_j,m_{\alpha_i\beta_j}}\}$.

To find solutions with only $l$ ($l < m_0$) summands and to prepare for solutions with at least $l + 1$ summands: We define $\tau_{\alpha_i\cdots\delta_d\kappa_k} = \tau_{\alpha_i\cdots\delta_d} - \kappa_{\alpha_i\cdots\delta_d,k} \bmod 2^s$ and for each $a \in A_{\alpha_i\cdots\delta_d} \setminus \{\kappa_{\alpha_i\cdots\delta_d,1}, \ldots, \kappa_{\alpha_i\cdots\delta_d,k}\}$ we verify if $a \equiv \tau_{\alpha_i\cdots\delta_d\kappa_k} \bmod 2^s$. When that happens, $\alpha_i + \cdots + \delta_d + \kappa_k + a$ is a solution. We define the set $A_{\alpha_i\cdots\delta_d\kappa_k} \subset A_{\alpha_i\cdots\delta_d}$ by $a \in A_{\alpha_i\cdots\delta_d\kappa_k} \Leftrightarrow \mathcal{O}(A_{\alpha_i\cdots\delta_d} \setminus \{a, \kappa_{\alpha_i\cdots\delta_d,1}, \ldots, \kappa_{\alpha_i\cdots\delta_d,k}\},\, \tau_{\alpha_i\cdots\delta_d\kappa_k} - a \bmod 2^s)$ answers "yes". If $A_{\alpha_i\cdots\delta_d\kappa_k} = \emptyset$, there is no solution which starts with $\alpha_i + \beta_j + \ldots + \kappa_k$ and has at least $l + 1$ summands. We have $A_{\alpha_i\cdots\delta_d\kappa_k} = \{\iota_{\alpha_i\cdots\delta_d\kappa_k,1}, \ldots, \iota_{\alpha_i\cdots\delta_d\kappa_k,m_{\alpha_i\cdots\delta_d\kappa_k}}\}$.

We have that $0 \le |A_{\alpha_i\cdots\delta_d\kappa_k}| < |A_{\alpha_i\cdots\delta_d}| < \cdots < |A_{\alpha_i\beta_j}| < |A_{\alpha_i}| < |A_0| \le |A| = m$ for all $i, j, \ldots, d, k$.

If $e_1 + \ldots + e_l$ is a solution, then we have that: The number of calls to the oracle in the phase for solutions starting with $e_1$ and having at least two summands is at most $m_0 - 1$. The number of calls to the oracle in the phase for solutions starting with $e_1 + e_2$ and having at least three summands is at most $m_0 - 2$. The number of calls to the oracle in the phase for solutions starting with $e_1 + \cdots + e_{l-2}$ and having at least $l - 1$ summands is at most $m_0 - l + 2$. The number of calls to the oracle in the phase for solutions starting with $e_1 + \cdots + e_{l-1}$ and having at least $l$ summands is at most $m_0 - l + 1$.

Therefore, for each solution $e_1 + \ldots + e_l$ the oracle must be called no more than $\sum_{i=1}^{l-1} (m_0 - i) \le \frac{m_0(m_0 - 1)}{2}$ times. If $Q$ is the number of solutions of $\tau \equiv \sum_{i=1}^m a_i x_i$, we must call the oracle less than $m + Q\frac{m(m-1)}{2} \le Q\frac{m(m+1)}{2}$ times.

We give a pseudo-code implementation (Algorithm 3.1 in the Appendix) for obtaining the solutions of the modular SSP as described in the proof of Theorem 2.5.

Theorem 2.6 Let $s, m \in \mathbb{Z}$ and $a_1, \ldots, a_m \in_R \mathbb{Z}_{2^s}$ such that $m \le \mathrm{poly}(s)$. If there exists an oracle which solves the modular Subset Sum Problem in polynomial time in $s$ for $A \subset \{a_1, \ldots, a_m\}$ and any $\tau \in \mathbb{Z}_{2^s}$, then we can solve $t = \sum_{i=1}^m a_i e_i$ for $t \in \mathbb{Z}$ with up to $Q$ queries to the oracle, where $Q$ is $\mathrm{poly}(s)$ times the number of all solutions of $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$.

Proof. Let $\mathcal{O}$ be the oracle and let $\tau$ be such that $\tau \equiv t \bmod 2^s$. We proceed as in the proof of Theorem 2.5. This time, for each found solution of $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$, we verify if $t = \sum_{i=1}^m a_i e_i$. □


Conjecture 2.7 Let $s, m \in \mathbb{Z}$ such that $m \le \mathrm{poly}(s)$. Then there exists a polynomial $P = p(s)$ such that for randomly chosen $a_1, \ldots, a_m \in \mathbb{Z}_{2^s}$, the number of all solutions of $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$ for each $\tau \in \mathbb{Z}_{2^s}$ is bounded by $P$.

Theorem 2.8 Let $s, m \in \mathbb{Z}$ and $a_1, \ldots, a_m \in_R \mathbb{Z}_{2^s}$ such that $m \le \mathrm{poly}(s)$. Under the assumption of Conjecture 2.7 and of the existence of an oracle which solves the modular Subset Sum Problem in polynomial time in $s$ for $A \subset \{a_1, \ldots, a_m\}$ and any $\tau \in \mathbb{Z}_{2^s}$, $t = \sum_{i=1}^m a_i e_i$ can be solved in polynomial time in $s$ for $t \in \mathbb{Z}$.

3 Functions based on the modular SSP

Let $s_0 \in \mathbb{N}$. Let $F = \{F_s\}_{s \ge s_0}$ be the family of functions defined by $F_s = \{ f_{\vec{a}} : \{0,1\}^{m(s)} \to \{0,1\}^s \mid \vec{a} \in (\mathbb{Z}/2^s\mathbb{Z})^m \text{ and } f_{\vec{a}}(x) = \sum_{i=1}^m a_i x_i \bmod 2^s \}$. We say that $F_s$ is $(t, \varepsilon)$ hard if for every algorithm $\mathcal{A}$ which runs within time $t$, $\mathrm{Adv}(\mathcal{A}) = \Pr[\tau = f_{\vec{a}}(x) \mid x \leftarrow \mathcal{A}(\tau, \vec{a});\ \exists\,\mathrm{sol}] - \Pr[x \ne \lambda \mid x \leftarrow \mathcal{A}(\tau, \vec{a});\ \nexists\,\mathrm{sol}] < \varepsilon$, where $\lambda$ is the null string, $\tau \in_R \mathbb{Z}/2^s\mathbb{Z}$ and $\vec{a} \in_R (\mathbb{Z}/2^s\mathbb{Z})^m$. In this section we prove that $F_s$ is a (universal) one-way family of functions.

Definition 3.1 Let $H : \mathcal{K} \times \{0,1\}^m \to \{0,1\}^s$ be a family of functions. $H$ is $(t, \varepsilon)$ one-way if for every $\mathcal{A}$ which runs within time $t$, $\mathrm{Adv}(\mathcal{A}) = \Pr[H_K(M') = H_K(M) \mid M' \leftarrow \mathcal{A}(K, H_K(M));\ M \in_R \{0,1\}^m;\ K \in_R \mathcal{K}] < \varepsilon$. $H$ is $(t, \varepsilon)$ universal one-way if for every $\mathcal{A}$ which runs within time $t$, $\mathrm{Adv}(\mathcal{A}) = \Pr[(H_K(M') = H_K(M)) \wedge (M \ne M') \mid M' \leftarrow \mathcal{A}(K);\ K \in_R \mathcal{K}] < \varepsilon$, where $M \leftarrow \mathcal{A}$ is an initial value provided by the adversary. Here, $\mathcal{A}$ is an adversary modeled by a probabilistic algorithm.

Theorem 3.2 If $F_s$ is $(t, \varepsilon)$ hard, then $F_s$ is $(t, \varepsilon)$ one-way and, if $m\varepsilon \le 1$, $F_s$ is $(t, \varepsilon_{uow})$ universal one-way, where $\varepsilon_{uow} = m\varepsilon$.

Proof. If $F_s$ is not $(t, \varepsilon)$ one-way, then there exists an adversary $\mathcal{A}$ which runs within time $t$ and $\Pr[f_{\vec{a}}(x) = f_{\vec{a}}(y) \mid y \leftarrow \mathcal{A}(\vec{a}, f_{\vec{a}}(x));\ x \in_R \{0,1\}^m;\ \vec{a} \in_R (\mathbb{Z}/2^s\mathbb{Z})^m] \ge \varepsilon$. We construct an algorithm $\mathcal{B}$ for solving the modular SSP within time $t$ with $\mathrm{Adv}(\mathcal{B}) \ge \varepsilon$. On input $\tau$ and $\vec{a}$, $\mathcal{B}$ calls $\mathcal{A}(\vec{a}, \tau)$. If the time $t$ is over, $\mathcal{B}$ outputs $\lambda$. If $y \leftarrow \mathcal{A}(\vec{a}, \tau)$ within time $t$, $\mathcal{B}$ outputs $y$ if $f_{\vec{a}}(y) = \tau$ and outputs $\lambda$ otherwise.

Note that if there exists $x \in \{0,1\}^m$ such that $f_{\vec{a}}(x) = \tau$, $\mathcal{A}$ returns $y$ within time $t$ with $\mathrm{Adv}(\mathcal{A}) \ge \varepsilon$. Hence, $\Pr[\tau = f_{\vec{a}}(x) \mid x \leftarrow \mathcal{B}(\tau, \vec{a});\ \exists\,\mathrm{sol}] = \mathrm{Adv}(\mathcal{A})$. If $f_{\vec{a}}(x) \ne \tau$ for all $x \in \{0,1\}^m$, then $\mathcal{A}$ could not end within time $t$ or its output $y$ satisfies $f_{\vec{a}}(y) \ne \tau$. In this case, $\mathcal{B}$ outputs $\lambda$ and then $\Pr[x \ne \lambda \mid x \leftarrow \mathcal{B}(\tau, \vec{a});\ \nexists\,\mathrm{sol}] = 0$. Therefore, $\mathrm{Adv}(\mathcal{B}) = \mathrm{Adv}(\mathcal{A}) - 0 \ge \varepsilon$, which contradicts that $F_s$ is $(t, \varepsilon)$ hard.

If $F_s$ is not $(t, \varepsilon_{uow})$ universal one-way, then there exists an adversary $\mathcal{A}$ which runs within time $t$ and $\Pr[(f_{\vec{a}}(x) = f_{\vec{a}}(y)) \wedge (x \ne y) \mid y \leftarrow \mathcal{A}(\vec{a});\ \vec{a} \in_R (\mathbb{Z}/2^s\mathbb{Z})^m] \ge \varepsilon_{uow}$, where $x \in \{0,1\}^m$ is an initial value provided by $\mathcal{A}$. We construct an algorithm $\mathcal{B}$ for solving the modular SSP within time $t$ with $\mathrm{Adv}(\mathcal{B}) \ge \varepsilon$. On input $\tau$ and $\vec{a}$, $\mathcal{B}$ obtains the initial value $x$ from $\mathcal{A}$. $\mathcal{B}$ chooses a random $1 \le i_0 \le m$. $\mathcal{B}$ sets $w \leftarrow f_{\vec{a}}(x)$. $\mathcal{B}$ defines $\vec{a}'$ by $a'_i = a_i$ for all $i \ne i_0$ and $a'_{i_0} = a_{i_0} + (-1)^{x_{i_0}} (w - \tau) \bmod 2^s$. $\mathcal{B}$ calls $\mathcal{A}(\vec{a}')$. $\mathcal{B}$ returns $\lambda$ if time $t$ is over or the output $y$ of $\mathcal{A}$ satisfies $f_{\vec{a}}(y) \ne \tau$. $\mathcal{B}$ returns $y$ otherwise.

If $f_{\vec{a}}(x) \ne \tau$ for all $x \in \{0,1\}^m$, then $\mathcal{A}$ could not end within time $t$ or its output $y$ satisfies $f_{\vec{a}}(y) \ne \tau$. In this case, $\mathcal{B}$ outputs $\lambda$ and we have that $\Pr[y \ne \lambda \mid y \leftarrow \mathcal{B}(\tau, \vec{a});\ \nexists\,\mathrm{sol}] = 0$.

Note that $a'_{i_0} = a_{i_0} + C \bmod 2^s$, where $C$ is a constant and $a_{i_0}$ is random, so $a'_{i_0}$ is uniformly distributed on $\{0,1\}^s$. If $y$ is obtained from $\mathcal{A}(\vec{a}')$, there exists $1 \le j \le m$ such that $y_j \ne x_j$. Because of the choice of $i_0$, the probability that $i_0 = j$ is at least $\frac{1}{m}$. If $x_{i_0} = 1$ and $y_{i_0} = 0$, we obtain that $\tau = f_{\vec{a}'}(x) = f_{\vec{a}'}(y) = f_{\vec{a}}(y)$. If $x_{i_0} = 0$ and $y_{i_0} = 1$, then $w = f_{\vec{a}}(x) = f_{\vec{a}'}(x) = f_{\vec{a}'}(y) = f_{\vec{a}}(y) - \tau + w$, which implies $\tau = f_{\vec{a}}(y)$. Hence, $\Pr[\tau = f_{\vec{a}}(y) \mid y \leftarrow \mathcal{B}(\tau, \vec{a});\ \exists\,\mathrm{sol}] = \Pr[j = i_0 \mid i_0 \in_R [1, m];\ x_j \ne y_j;\ y \leftarrow \mathcal{A}(\vec{a}')] \cdot \mathrm{Adv}(\mathcal{A})$. Therefore, $\mathrm{Adv}(\mathcal{B}) = \frac{\mathrm{Adv}(\mathcal{A})}{m} - 0 \ge \varepsilon$, which contradicts that $F_s$ is $(t, \varepsilon)$ hard. □


A Pseudo code for solving SSP

Algorithm 3.1 (solve the modular SSP with an oracle $\mathcal{O}$). Assumption: the oracle answers the decision modular SSP for the fixed $s$, $m$ and any subset of the fixed $a_1, \ldots, a_m$.
Input: $\tau$.
Output: all solutions $(e_1, \ldots, e_m)$ such that $\tau \equiv \sum_{i=1}^m a_i e_i \bmod 2^s$.

Procedure:
  /* Sets are kept as non-decreasing sequences: X[1] is the first element of X,
     X << 1 drops X[1] (i.e. X[i] ← X[i+1] for 1 ≤ i < X.card, then X.card ← X.card − 1). */
  E ← ∅; level ← −1; τ′ ← τ; AL ← 0;
  A_level ← {a_1, ..., a_m};            /* A_{−1}; B[i] = a_i and B.card = m below */
  B ← A_level;
  while (true) {
    level++;
    A_level ← ∅;
    for each b in B (in order) {         /* B is the candidate set of this level */
      if (τ′ ≡ b mod 2^s) {
        AL++;
        output E ∪ {b} as a solution;
      }
      /* The oracle sees the whole candidate set without b, as in the proof of Theorem 2.5. */
      if (O(B \ {b}, τ′ − b mod 2^s) == there is a solution)
        A_level ← A_level ∪ {b};         /* a longer solution continues with b */
    }
    while (A_level == ∅) {               /* backtrack */
      if (level == 0) {
        if (AL == 0) output "there is not any solution";
        exit();
      } else {
        level--;
        τ′ ← τ′ + A_level[1];            /* undo the summand chosen at this level ... */
        E ← E \ {A_level[1]};
        A_level ← A_level << 1;          /* ... and move on to its next candidate */
      }
    }
    E ← E ∪ {A_level[1]};                /* choose the next summand; it stays at A_level[1] until backtracking */
    τ′ ← τ′ − A_level[1];
    B ← A_level << 1;                    /* candidates for the next level: those after the chosen one */
  }
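As an added example (not the paper's code), the following Python runs the search of Theorem 2.5 recursively instead of with the explicit level counter of Algorithm 3.1, and the reduction of Theorem 2.4, both against brute-force stand-ins for the oracles on a constructed instance with s = 5 (arithmetic mod 32). The oracle is handed A_level \ {a} as in the proof, and a query counter lets the bound m + Q·m(m−1)/2 be checked.

```python
"""Added example, not the paper's code: the oracle-driven search of
Theorem 2.5 / Algorithm 3.1 and the reduction of Theorem 2.4, run against
brute-force stand-ins for the oracles on a constructed small instance."""
from itertools import combinations


def subset_solutions(a, target, modulus=None):
    """Brute force over all non-empty index sets of a: those whose sum is
    exactly `target` (modulus=None) or congruent to it mod `modulus`.
    Reference answer for the checks and body of the two oracle stand-ins."""
    found = []
    for r in range(1, len(a) + 1):
        for idx in combinations(range(len(a)), r):
            total = sum(a[i] for i in idx)
            if modulus is not None:
                total %= modulus
            if total == target:
                found.append(idx)
    return found


class DecisionOracle:
    """O(A', tau') of Theorem 2.5: does some non-empty subset of A' sum to
    tau' mod 2^s?  Counts its queries so the bound in the proof can be checked."""

    def __init__(self, s):
        self.modulus = 1 << s
        self.queries = 0

    def __call__(self, values, tau):
        self.queries += 1
        return bool(subset_solutions(values, tau % self.modulus, self.modulus))


def all_modular_solutions(a, tau, s, oracle):
    """Theorem 2.5 as a recursive search.  `cands` holds the current level's
    candidate set (A_0, A_{alpha_i}, ...) as increasing indices into a,
    `prefix` the summands chosen so far and `residual` tau minus them."""
    modulus = 1 << s
    solutions = []

    def search(cands, prefix, residual):
        next_level = []
        for i in cands:
            if a[i] % modulus == residual:
                solutions.append(prefix + (i,))       # one more summand closes a solution
            rest = [a[j] for j in cands if j != i]   # A_level \ {a}, as in the proof
            if oracle(rest, residual - a[i]):
                next_level.append(i)                 # a longer solution continues with a[i]
        for k, i in enumerate(next_level):
            # Solutions are listed in increasing index order, so the next
            # level only sees candidates after the chosen element.
            search(next_level[k + 1:], prefix + (i,), (residual - a[i]) % modulus)

    search(list(range(len(a))), (), tau % modulus)
    return solutions


def exact_ssp_oracle(a, t):
    """Stand-in for the SSP oracle of Theorem 2.4: an index set whose sum is
    exactly the integer t, or None."""
    found = subset_solutions(a, t)
    return found[0] if found else None


def modular_via_exact_oracle(a, tau, s, ssp_oracle=exact_ssp_oracle):
    """Theorem 2.4: with all a_i < 2^s the subset sums lie below m * 2^s, so a
    subset congruent to tau mod 2^s sums to one of t_q = tau + q * 2^s with
    0 <= q < m.  Returns (solution or None, number of oracle calls)."""
    modulus = 1 << s
    assert max(a) < modulus and 0 <= tau < modulus
    for q in range(len(a)):
        sol = ssp_oracle(a, tau + q * modulus)
        if sol is not None:
            return sol, q + 1
    return None, len(a)


if __name__ == "__main__":
    # Constructed instance: s = 5, i.e. arithmetic mod 32, m = 5.
    A = [3, 7, 12, 20, 25]
    oracle = DecisionOracle(5)
    sols = all_modular_solutions(A, 3, 5, oracle)
    print("solutions of 3 = sum a_i e_i mod 32:", sols)
    print("oracle queries:", oracle.queries,
          "bound:", len(A) + len(sols) * len(A) * (len(A) - 1) // 2)
    print("Theorem 2.4 on tau = 0:", modular_via_exact_oracle(A, 0, 5))
```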

References

[Ajt96] M. Ajtai. Generating hard instances of lattice problems. In 28th Annual ACM Symposium on Theory of Computing, pages 99–108, 1996.

[CLOS91] M. J. Coster, B. A. LaMacchia, A. M. Odlyzko, and C. P. Schnorr. An improved low-density subset sum algorithm. 1991.


[GJ79] Michael R. Garey and David S. Johnson. Computers and intractability: a guide to the theory of NP-completeness. W. H. Freeman and Company, 1979.

[Reg03] O. Regev. New lattice based cryptographic constructions. In Proc. 35th ACM Symp. on Theory of Computing (STOC), pages 407–416, 2003.

Collisions for simplified variants of SHA-256

Krystian Matusiewicz and Josef Pieprzyk

Department of Computing, Macquarie University, NSW 2106 Australia

[email protected] [email protected]

Abstract. In this paper we investigate the applicability of the disturbance-corrections strategy to SHA-256. Using this technique, we present a method of finding collisions for two simplified variants of SHA-256: a fully ADD-linear version of SHA-256 and a variant without the functions σ0, σ1, Σ0, Σ1.

Keywords. hash functions, SHA-256 variants, collisions, disturbance-corrections strategy

1 Introduction

Recent results on the practical cryptanalysis of many hash functions from the MD family, including MD4, MD5 [WL+05, WY05] and SHA-0 [BC+05], as well as the announcement of a successful attack on full SHA-1 [WYY05], drew much attention to the security of hash functions and raised some questions about the security of the latest function in this family, namely SHA-256. In our paper we investigate the limits of applying the disturbance-correction strategy, first proposed to cryptanalyse SHA-0 [CJ98], and prove the importance of the S-boxes introduced in SHA-256.

SHA-256 [NIS02] is an iterated cryptographic hash function based on a compression function that updates the state of eight 32-bit chaining variables $A, \ldots, H$ according to the value of 16 32-bit words $M_0, \ldots, M_{15}$ of the message. The compression function consists of 64 identical steps presented in Fig. 1. The step transformation employs the bitwise Boolean functions $\mathrm{Maj}(A,B,C) = (A \wedge B) \vee (A \wedge C) \vee (B \wedge C)$ and $\mathrm{Ch}(E,F,G) = (E \wedge F) \vee (\neg E \wedge G)$ and two S-boxes $\Sigma_0(x) = \mathrm{ROTR}^{2}(x) \oplus \mathrm{ROTR}^{13}(x) \oplus \mathrm{ROTR}^{22}(x)$ and $\Sigma_1(x) = \mathrm{ROTR}^{6}(x) \oplus \mathrm{ROTR}^{11}(x) \oplus \mathrm{ROTR}^{25}(x)$ built from right word rotations (ROTR). The $i$-th step uses a fixed constant $K_i$ and a word $W_i$ which is generated from the initial message $M$ according to the formula

$$W_i = \begin{cases} M_i & \text{for } 0 \le i < 16, \\ \sigma_1(W_{i-2}) + W_{i-7} + \sigma_0(W_{i-15}) + W_{i-16} & \text{for } 16 \le i < 64. \end{cases} \qquad (9)$$

The functions $\sigma_0(x) = \mathrm{ROTR}^{2}(x) \oplus \mathrm{ROTR}^{18}(x) \oplus \mathrm{SHR}^{3}(x)$ and $\sigma_1(x) = \mathrm{ROTR}^{17}(x) \oplus \mathrm{ROTR}^{19}(x) \oplus \mathrm{SHR}^{10}(x)$ are S-boxes using right word rotations (ROTR) and shifts (SHR).

2 Computing Collisions for Linear Version of SHA-256

In order to analyse the usefulness of a disturbance-corrections strategy applied to the SHA-2 architecture, we investigated a fully linear variant of SHA-256, where the S-boxes were replaced with the identity function,

$$\sigma_0 = \sigma_1 = \Sigma_0 = \Sigma_1 = \mathrm{id}, \qquad (10)$$


Figure 1: One step of SHA-256 compression function

[Figure 1 (diagram not reproduced): the registers Ai, Bi, Ci, Di, Ei, Fi, Gi, Hi together with the constant Ki and the word Wi pass through Σ0, Maj, Σ1 and Ch to produce Ai+1, Ei+1 and Hi+1 of the next step.]

Table 1: Correcting a single disturbance ∆i introduced in step i in the linearised version of SHA-256

step s   ∆As    ∆Bs    ∆Cs    ∆Ds    ∆Es     ∆Fs     ∆Gs     ∆Hs     ∆Ws
i        0      0      0      0      0       0       0       0       ∆i
i + 1    ∆i     0      0      0      ∆i      0       0       0       −4∆i
i + 2    0      ∆i     0      0      −2∆i    ∆i      0       0       2∆i
i + 3    0      0      ∆i     0      −∆i     −2∆i    ∆i      0       2∆i
i + 4    0      0      0      ∆i     −∆i     −∆i     −2∆i    ∆i      4∆i
i + 5    0      0      0      0      ∆i      −∆i     −∆i     −2∆i    2∆i
i + 6    0      0      0      0      0       ∆i      −∆i     −∆i     ∆i
i + 7    0      0      0      0      0       0       ∆i      −∆i     0
i + 8    0      0      0      0      0       0       0       ∆i      −∆i
i + 9    0      0      0      0      0       0       0       0

and the Boolean functions were substituted with additions modulo $2^{32}$,

$$\mathrm{Maj}(x, y, z) = \mathrm{Ch}(x, y, z) = x + y + z . \qquad (11)$$

Now the whole function consists solely of linear operations with respect to modular addition. If we introduce a difference $\Delta_i = W'_i - W_i$, we can cancel this disturbance by introducing in the next 8 steps $i+1, \ldots, i+8$ the following corrections

$$-4\Delta_i,\ 2\Delta_i,\ 2\Delta_i,\ 4\Delta_i,\ 2\Delta_i,\ \Delta_i,\ 0,\ -\Delta_i . \qquad (12)$$

The whole process of correcting a single disturbance is presented in Table 1. In the first 4 steps we use corrections which keep differences from influencing register A, and later, from step i+4, we successively cancel the differences in register H.

The next step is to find a disturbance pattern $\Delta$ that follows the expansion process and can give rise to a corrective pattern. We will use reasoning similar to the one used for finding disturbance patterns for SHA-1 [MP05, RO05]. If we denote the expanded message as a vector $W \in \mathbb{Z}_{2^{32}}^{64}$ then a difference $\Delta = W' - W$ is a valid disturbance pattern if

C1. the last 8 words of $\Delta$ are zero,

C2. $\Delta$ with a prepended block of 8 zeros must also be a result of the expansion process.

Condition C1 is necessary to allow enough time to correct the last difference before the end of the function, as 8 steps are needed to correct each disturbance. Condition C2 is necessary for constructing a corrective pattern as a linear combination of $\Delta$ and the "delayed" disturbance vectors

$$[0, \Delta_0, \ldots, \Delta_{62}]^T,\ [0, 0, \Delta_0, \ldots, \Delta_{61}]^T,\ \ldots,\ [0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \ldots, \Delta_{55}]^T . \qquad (13)$$


If all eight vectors (13) are results of the expansion and $\Delta$ ends with 8 zeros, then their linear combination with the coefficients defined by (12) is a complete expanded differential pattern $C$,

$$C = \Delta - 4 \cdot [0, \Delta_0, \ldots, \Delta_{62}]^T + 2 \cdot [0, 0, \Delta_0, \ldots, \Delta_{61}]^T + \cdots - [0, 0, 0, 0, 0, 0, 0, 0, \Delta_0, \ldots, \Delta_{55}]^T . \qquad (14)$$

Indeed, it is easy to see that for each disturbance word $\Delta_i$ there is a corresponding set of corrections of the form (12), and as all vectors (13) are results of the expansion process, so is their linear combination $C$.

The message expansion process can be seen as a $\mathbb{Z}_{2^{32}}$-linear transformation $E : \mathbb{Z}_{2^{32}}^{16} \to \mathbb{Z}_{2^{32}}^{64}$. This means that $E$ can be written as a $64 \times 16$ matrix

$$E = \begin{pmatrix} I_{16} \\ A \\ A^2 \\ A^3 \end{pmatrix}, \qquad (15)$$

where $I_{16}$ stands for the identity matrix and $A$ denotes the matrix of the linear transformation producing 16 new words out of 16 old ones according to the recurrence relation (9). Now we are looking for such message differences $\Delta M = M' - M$ that the expanded differences $\Delta = E(\Delta M)$ satisfy conditions C1 and C2. They can be written as

$$0 = A^3[8::16] \cdot \Delta M \qquad \text{(the last 8 elements of } \Delta \text{ are zero)} \qquad (16)$$

$$0 = A^{-1}[8::16] \cdot \Delta M \qquad \text{(8 prepended elements of } \Delta \text{ would be zero)} \qquad (17)$$

where $M[a::b]$ means a matrix consisting of the rows of matrix $M$ from the $a$-th row to the $b$-th row, inclusive. Equation (17) ensures that all the delayed vectors of the form (13) will be results of the expansion. After obtaining explicit forms of the matrices $A^3$ and $A^{-1}$ (this is possible since $A$ is a bijection) we solved the system (16–17) over $\mathbb{Z}_{2^{32}}$ and obtained the result

∆M = [0x10000000, 0xa0000000, 0xc0000000, 0xa0000000, 0xe0000000, 0x20000000, 0x40000000, 0x40000000, 0x80000000, 0xd0000000, 0x10000000, 0x60000000, 0x50000000, 0x40000000, 0x70000000, 0x30000000]^T . (18)

This shows that the solution space is just one-dimensional. Any multiple of $\Delta M$ is also a solution, but since in all words only the four most significant bits can be non-zero, there are only 16 distinct disturbance patterns. Using any of them results in a collision for linearised SHA-256.

3 Incorporating Boolean Functions

Now let us consider a variant of SHA-256 still without S-boxes, but with both Boolean functions $\mathrm{Maj}(A,B,C) = (A \wedge B) \vee (A \wedge C) \vee (B \wedge C)$ and $\mathrm{Ch}(E,F,G) = (E \wedge F) \vee (\neg E \wedge G)$ in place. If we multiply the basic pattern (18) by 8 (i.e. shift it left by 3 bits), we get a disturbance pattern $\Delta^* = E(8\Delta M)$ that has non-zero bits at the most significant bit positions only. The most significant bits of $\Delta^*$ are as follows

1000000001101011 1011100110100110 0000011100101111 1011100000000000 . (19)

$\Delta^*$ is a disturbance pattern that not only follows the message expansion but can also be treated as a binary pattern with a relatively low weight of 27.

We can approximate both Boolean functions with probability at least 1/2 by a "function" that produces an output difference each time the input difference is non-zero. This approximation is shown in Table 2. It influences the way of composing the corrective pattern out of the differential pattern, as now a single bit disturbance $\Delta^*_i$ in step $i$ is corrected by the following sequence of steps

$$0,\ 0,\ \Delta_i,\ \Delta_i,\ 0,\ 0,\ 0,\ \Delta_i . \qquad (20)$$

A complete differential pattern is obtained the same way as in the previous case, by adding the delayed disturbance pattern multiplied by the corresponding coefficients.
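As an added check (not the authors' code), the following Python reproduces the linear model of Sections 2 and 3 by direct computation: it runs the fully ADD-linear step function on two copies that differ by a disturbance plus the corrections (12), giving the rows of Table 1; it expands the printed ∆M of (18) with σ = id to confirm condition C1; and it reads off the most significant bits of E(8∆M) to check the pattern (19) and its weight 27. The round constants and the starting state are constructed values (they cancel in every difference); condition C2 and the full collision are not checked here.

```python
"""Added example (not the authors' code): checks the linearised SHA-256
analysis of Sections 2 and 3 by direct computation.  All arithmetic is
modulo 2^32 as in the paper."""
import random

MASK = 0xFFFFFFFF
# Constructed stand-ins for the constants K_i: they cancel in every difference.
K = [(0x9E3779B9 * (i + 1)) & MASK for i in range(64)]

# Message difference (18) from the paper.
DELTA_M = [0x10000000, 0xa0000000, 0xc0000000, 0xa0000000,
           0xe0000000, 0x20000000, 0x40000000, 0x40000000,
           0x80000000, 0xd0000000, 0x10000000, 0x60000000,
           0x50000000, 0x40000000, 0x70000000, 0x30000000]

# Correction sequence (12) for steps i+1 ... i+8 after a disturbance in step i.
CORRECTIONS = [-4, 2, 2, 4, 2, 1, 0, -1]


def expand_linear(m16):
    """Message expansion (9) with sigma0 = sigma1 = id, see (10)."""
    w = list(m16)
    for i in range(16, 64):
        w.append((w[i - 2] + w[i - 7] + w[i - 15] + w[i - 16]) & MASK)
    return w


def step_linear(state, k, w):
    """One step of the fully ADD-linear variant: Sigma0 = Sigma1 = id and
    Maj(x, y, z) = Ch(x, y, z) = x + y + z, see (10) and (11)."""
    a, b, c, d, e, f, g, h = state
    t1 = (h + e + (e + f + g) + k + w) & MASK
    t2 = (a + (a + b + c)) & MASK
    return ((t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g)


def state_diff(s1, s2):
    """Modular difference s2 - s1 of two eight-word states."""
    return tuple((y - x) & MASK for x, y in zip(s1, s2))


def single_disturbance_trace(delta, steps=10, seed=1):
    """Runs two copies of the linear step function from a constructed random
    state and random words; the second copy gets disturbance `delta` in W_0
    and the corrections (12) in W_1 .. W_8.  Returns the state differences
    at the start of steps 0 .. steps, i.e. the rows of Table 1 with i = 0."""
    rng = random.Random(seed)
    state = tuple(rng.getrandbits(32) for _ in range(8))
    words = [rng.getrandbits(32) for _ in range(steps)]
    adjust = [delta] + [(c * delta) & MASK for c in CORRECTIONS]
    adjust += [0] * (steps - len(adjust))
    s1, s2, rows = state, state, [state_diff(state, state)]
    for i in range(steps):
        s1 = step_linear(s1, K[i], words[i])
        s2 = step_linear(s2, K[i], (words[i] + adjust[i]) & MASK)
        rows.append(state_diff(s1, s2))
    return rows


def disturbance_pattern(delta_m=DELTA_M):
    """Expanded disturbance pattern Delta = E(Delta_M)."""
    return expand_linear(delta_m)


def satisfies_c1(delta):
    """Condition C1: the last 8 expanded words are zero."""
    return all(x == 0 for x in delta[56:])


def msb_pattern(delta):
    """Most significant bit of each expanded word, as in (19), and its weight."""
    bits = "".join(str(x >> 31) for x in delta)
    return bits, bits.count("1")


if __name__ == "__main__":
    rows = single_disturbance_trace(0x00000001)
    print("Table 1 row i+4:", [hex(x) for x in rows[4]])
    print("difference after 9 steps:", rows[9])
    print("C1 holds for (18):", satisfies_c1(disturbance_pattern()))
    star = expand_linear([(8 * x) & MASK for x in DELTA_M])
    print("MSB pattern of E(8*Delta_M) and weight:", msb_pattern(star))
```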


Table 2: Probabilities of non-zero output differences for the Boolean functions Ch and Maj

input difference   Ch function               Maj function
(δx, δy, δz)       conditions       Prob     conditions     Prob
(1,0,0)            y + z = 1        1/2      y + z = 1      1/2
(0,1,0)            x = 1            1/2      x + z = 1      1/2
(0,0,1)            x = 0            1/2      x + y = 1      1/2
(1,1,0)            x + y + z = 0    1/2      x + y = 0      1/2
(1,0,1)            x + y = 0        1/2      x + z = 0      1/2
(0,1,1)            –                1        y + z = 0      1/2
(1,1,1)            y + z = 0        1/2      –              1

This time, however, the correction process is probabilistic, as each active Boolean function almost always (except for the input differences (0, 1, 1) for Ch and (1, 1, 1) for Maj) introduces a factor of 1/2. A detailed analysis of these probabilities is presented in Table 3. After multiplying all the factors we obtain a probability of successful correction equal to 2^{-84}. Further optimizations are also possible, as we can choose messages in such a way that the conditions for successful correction are always satisfied for the first 16 rounds, which could increase the probability to around 2^{-64}. This shows that the use of the substitution boxes σ0, σ1 and Σ0, Σ1 is vital for the security of SHA-256.

Table 3: Negative exponents e of the probabilities introduced in step s by the Boolean functions Maj and Ch. Columns Maj and Ch show the input differences to the Boolean functions; 2^{-e} is the probability factor introduced by each step.

 s  Maj Ch  e |  s  Maj Ch  e |  s  Maj Ch  e |  s  Maj Ch  e
 0  000 000 0 | 16  110 010 2 | 32  011 100 2 | 48  111 110 1
 1  100 100 2 | 17  111 101 1 | 33  001 010 2 | 49  111 011 0
 2  010 010 2 | 18  011 010 2 | 34  000 001 1 | 50  011 101 2
 3  001 101 2 | 19  101 001 2 | 35  000 100 1 | 51  101 010 2
 4  000 110 1 | 20  110 100 2 | 36  000 010 1 | 52  110 101 2
 5  000 111 1 | 21  111 110 1 | 37  000 001 1 | 53  111 110 1
 6  000 011 0 | 22  011 011 1 | 38  100 100 2 | 54  011 011 1
 7  000 001 1 | 23  001 101 2 | 39  110 110 2 | 55  001 101 2
 8  000 000 0 | 24  100 110 2 | 40  111 011 0 | 56  000 010 1
 9  000 000 0 | 25  110 011 1 | 41  011 001 2 | 57  000 101 1
10  100 100 2 | 26  011 101 2 | 42  001 100 2 | 58  000 010 1
11  110 110 2 | 27  101 110 2 | 43  100 110 2 | 59  000 001 1
12  011 111 2 | 28  010 011 1 | 44  010 111 2 | 60  000 000 0
13  101 111 2 | 29  001 001 2 | 45  101 011 1 | 61  000 000 0
14  010 011 1 | 30  100 000 1 | 46  110 001 2 | 62  000 000 0
15  101 101 2 | 31  110 000 1 | 47  111 100 1 | 63  000 000 0
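The probabilities in Table 2 and the per-step exponents in Table 3 can be checked by exhaustive enumeration, since each Boolean function acts on only three bits. The Python below is an added example and is not code from the paper: ch and maj are the bit-level SHA-256 functions, and the helper names (nonzero_output_diff, table2, step_exponent) are ours.

```python
from fractions import Fraction
from itertools import product

# Added example, not from the paper: enumerate the output-difference
# behaviour of the SHA-256 Boolean functions on single bits.

def ch(x, y, z):
    """SHA-256 choice function on single bits: y if x else z."""
    return (x & y) | ((x ^ 1) & z)

def maj(x, y, z):
    """SHA-256 majority function on single bits."""
    return (x & y) | (x & z) | (y & z)

def nonzero_output_diff(func, delta):
    """Probability (over the 8 uniformly distributed inputs) that `func`
    has a non-zero output difference for input difference delta = (dx, dy, dz),
    together with the inputs (x, y, z) for which that happens (the
    'conditions' columns of Table 2)."""
    dx, dy, dz = delta
    hits = [(x, y, z) for x, y, z in product((0, 1), repeat=3)
            if func(x, y, z) != func(x ^ dx, y ^ dy, z ^ dz)]
    return Fraction(len(hits), 8), hits

def table2():
    """The Prob columns of Table 2: {delta: (P_Ch, P_Maj)} for every
    non-zero input difference."""
    return {d: (nonzero_output_diff(ch, d)[0], nonzero_output_diff(maj, d)[0])
            for d in product((0, 1), repeat=3) if d != (0, 0, 0)}

def step_exponent(maj_delta, ch_delta):
    """Exponent e of one step as in Table 3: each Boolean function with a
    non-zero input difference costs a factor 1/2 (e += 1) unless its output
    difference is non-zero with certainty ((1,1,1) for Maj, (0,1,1) for Ch).
    Differences are written as in Table 3, e.g. "110" for (1, 1, 0)."""
    e = 0
    for func, text in ((maj, maj_delta), (ch, ch_delta)):
        delta = tuple(int(c) for c in text)
        if delta != (0, 0, 0):
            prob, _ = nonzero_output_diff(func, delta)
            if prob == Fraction(1, 2):
                e += 1
    return e

if __name__ == "__main__":
    for delta, (p_ch, p_maj) in sorted(table2().items()):
        print(delta, "Ch:", p_ch, "Maj:", p_maj)
    # a few rows of Table 3: (step, Maj input difference, Ch input difference)
    for s, m, c in ((1, "100", "100"), (6, "000", "011"),
                    (17, "111", "101"), (40, "111", "011")):
        print("step", s, "e =", step_exponent(m, c))
```

Running it prints the seven rows of Table 2 and reproduces e = 2, 0, 1, 0 for steps 1, 6, 17 and 40 of Table 3; summing step_exponent over all 64 rows of Table 3 gives the 84 behind the 2^{-84} estimate.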

4 The Role of S-Boxes

The substitution boxes Σ0 and Σ1 constitute the essential part of the hash function and fulfil two tasks: they add bit diffusion and break the ADD-linearity of the function. There are modular differentials for Σ0 and Σ1 that hold for a one-bit input difference e with probability 2^{-3} (necessary for the S-boxes used in steps i + 1 and i + 5) and with probability around 2^{-10} for an input difference equal to Σ0(e) (used for Σ1 in step i + 2).


Using the approach of modular differentials it is possible to obtain a corrective pattern for the complete round structure with probability around 2^{-42}, but a better result of 2^{-39} was obtained by P. Hawkes et al. [HPR04] by explicit computation of the modular differences for Σ0 and Σ1, rather than approximating them with a constant differential.

The S-boxes σ0 and σ1 play a similar role: they provide nonlinearity and better diffusion for the message expansion process. These two properties of the message expansion process constitute the foundation of the security of full SHA-256, as in order to apply corrective patterns one would need at least 37 expanded words equal to zero (because at most three corrective patterns can be applied), and this seems unlikely.

5 Conclusions and future work

In this paper we presented methods for finding collisions for two simplified variants of SHA-256. These results show that the presence of S-Boxes is essential for the security of SHA-256 and that a better understanding of the properties of recurrence sequences of the form (9) is the next step in the cryptanalysis of SHA-256.

References

[BC+05] E. Biham, R. Chen, A. Joux, P. Carribault, C. Lemuet, and W. Jalby. Collisions of SHA-0 and reduced SHA-1. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT’05, vol. 3494 of LNCS, pp. 36–57. Springer-Verlag, 2005.

[CJ98] F. Chabaud and A. Joux. Differential collisions in SHA-0. In H. Krawczyk, editor, Advances in Cryptology – CRYPTO’98, vol. 1462 of LNCS, pp. 56–71. Springer-Verlag, 1998.

[HPR04] P. Hawkes, M. Paddon, and G. G. Rose. On corrective patterns for the SHA-2 family. Cryptology ePrint Archive, Report 2004/207, August 2004. http://eprint.iacr.org/.

[MP05] K. Matusiewicz and J. Pieprzyk. Finding good differential patterns for attacks on SHA-1. In Proc. International Workshop on Coding and Cryptography, WCC’2005, LNCS, 2005. To appear.

[NIS02] National Institute of Standards and Technology. Secure hash standard (SHS). FIPS 180-2, August 2002.

[RO05] V. Rijmen and E. Oswald. Update on SHA-1. In A. Menezes, editor, Topics in Cryptology – CT-RSA 2005, vol. 3376 of LNCS, pp. 58–71. Springer-Verlag, Feb 2005.

[WL+05] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu. Cryptanalysis of the hash functions MD4 and RIPEMD. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT’05, vol. 3494 of LNCS, pp. 1–18. Springer-Verlag, 2005.

[WYY05] X. Wang, Y. L. Yin, and H. Yu. Collision search attacks on SHA-1. http://theory.csail.mit.edu/~yiqun/shanote.pdf, 13 Feb 2005.

[WY05] X. Wang and H. Yu. How to break MD5 and other hash functions. In R. Cramer, editor, Advances in Cryptology – EUROCRYPT’05, vol. 3494 of LNCS, pp. 19–35. Springer-Verlag, 2005.


Preliminary Analysis of the SHA-256 Message Expansion

Norbert Pramstaller and Christian Rechberger and Vincent Rijmen

Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, A–8010 Graz

www.iaik.tugraz.at/research/krypto/

{norbert.pramstaller,christian.rechberger,vincent.rijmen}@iaik.tugraz.at

Abstract. Recently, results on popular hash functions like MD5 and SHA-1 have been announced. In this article we analyze the message expansion of the newer SHA-2 family of hash functions. Upper bounds on the minimal weight of different versions of the message expansion of SHA-256 are given. Using these results, we expect to find collision-producing differences which in turn allow finding collisions of step-reduced variants of SHA-256 faster than by brute-force search.

Keywords. SHA-256, Message Expansion, low weight words, collision search attack

1 Introduction

After recent advances in the analysis of popular and widely used hash functions like MD5 [WY05] and SHA-1 [WYY05], the analysis of the SHA-2 family of hash functions becomes an increasingly interesting topic. Throughout this article, we consider SHA-256. Having an output size of 256 bits, the expected effort to find a pair of colliding inputs is in the order of 2^{128} hash function executions.

Previous Results. The SHA-2 family was standardized by NIST in 2000 [Nat02]; the first published independent analysis of its members was done by Gilbert and Handschuh [GH04]. They show that there exists a 9-step local collision with probability 2^{-66}. Later on, the result was improved by Hawkes, Paddon and Rose [HPR04]. By considering modular differences, they increased the probability to 2^{-39}.

Our contribution. The local collisions shown so far serve as an important tool to assess the security of members of the SHA-2 family against collision search attacks. However, a crucial thing is missing so far: in order to be able to produce a collision, an attacker has to produce as few local collisions as possible when applying a non-zero difference at the input of the hash function. For SHA-0 and SHA-1 it was shown [CJ98, RO05, BCJ+05] that differences between input blocks exist which produce a number of local collisions that is small enough to allow faster-than-brute-force collision search attacks on the full version (as in the case of SHA-0) or on step-reduced versions (as in the case of SHA-1).

To the best of our knowledge there is so far no non-trivial analysis of the message expansion of any of the members of the SHA-2 family. In this article we analyze the message expansion of SHA-256. We derive some non-trivial upper bounds for the weight of a difference between two expanded messages. Additionally, we consider simplified versions of the message expansion to allow for a comparison at the level of building blocks. We expect to find collision-producing differences without truncated collisions which can be used to perform collision-search attacks faster than by brute-force search for step-reduced variants of SHA-256 having a linearized message expansion but the original state update. However, at this point no conclusions on the resistance of SHA-256 against recent attacks on SHA-1 can be given.

Outline of the article. In Section 2 we give a short description of the SHA-256 message expansion. In Section 3 we derive some upper bounds for the minimum weight of the linearized message expansion. In Section 4 we give some basic observations on the building blocks used. We conclude in Section 5.

2 Description of the SHA-256 message expansion

In this section we shortly describe the message expansion of SHA-256. For a full description of SHA-256 or other members of the SHA-2 family, refer to [Nat02]. In the remainder of this article we use the notation given in Table 1.


Table 1: Used notation

Notation    Meaning
A ⊕ B       exclusive or of two bit-strings A and B
A + B       addition of A and B modulo 2^32
Mt          input message word t (32 bits), index t starts with 0
Wt          expanded input message word t (32 bits), index t starts with 0
A ≫ n       bit-rotation of A by n positions to the right
A >> n      bit-shift of A by n positions to the right
N           number of steps of a variable-step compression function

The input message is split into 512-bit message blocks (after padding). A single message block is denoted by a row vector m. The message is also represented by 16 32-bit words, denoted by Mt, with 0 ≤ t ≤ 15. In the message expansion, this input is expanded into 64 32-bit words Wt, also denoted as the 2048-bit expanded message row-vector w. The words Wt are defined as follows:

σ0(x) = (x ≫ 7) ⊕ (x ≫ 18) ⊕ (x >> 3)
σ1(x) = (x ≫ 17) ⊕ (x ≫ 19) ⊕ (x >> 10)

Wt = Mt,                                      0 ≤ t ≤ 15
Wt = σ1(Wt−2) + Wt−7 + σ0(Wt−15) + Wt−16,     16 ≤ t ≤ 63

Note that the message expansions of members of the SHA-2 family are the first which use modular additions.

3 Finding low-weight codewords in the code describing the linearized SHA-256 message expansion

In a first attempt to get an idea about the effect of all the changes between the SHA-1 message expansion and the SHA-256 message expansion, we consider single bit differences. Table 2 illustrates this comparison. We consider versions reduced to 40 steps as well as full versions (80 steps for SHA-1 variations and 64 steps for SHA-256 variations).

Table 2: Comparison of the effect of a single bit difference for various message expansions

                 orig. SHA-1   mod. SHA-1   mod. SHA-256   orig. SHA-256
min (40 steps)   18            18           110            137
max (40 steps)   30            41           297            307
min (full)       107           247          467            507
max (full)       174           354          694            709

By the modified SHA-1 message expansion we refer to a version where every XOR is replaced by an addition modulo 2^32. By the modified SHA-256 message expansion, we refer to a version where every addition is replaced by an XOR. We observe that both the introduction of modular additions and the replacement of a single bit-shift by a structure using σ0 and σ1 heavily increase the number of affected bits in the expanded message.

When talking about the SHA-1 message expansion, it was already observed in [MP05, RO05] that weights much smaller than 107 (as given in Table 2) can be achieved. Both give 44 as the minimal weight found for the message expansion of SHA-1.
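To make the two SHA-256 variants compared in Table 2 concrete, here is an added Python example (not the authors' code or search tooling). It implements σ0, σ1 and the message expansion of Section 2, the XOR-linearized "modified SHA-256" rule, and the single-bit-difference weight measurement behind Table 2. Function names are ours; the padded block for the message "abc" used in the demo is the worked example input from FIPS 180-2.

```python
# Added example, not from the paper: SHA-256 message expansion, its
# XOR-linearized variant, and single-bit difference weights.

MASK = 0xFFFFFFFF

def rotr(x, n):
    """32-bit rotation to the right (A >>> n in Table 1)."""
    return ((x >> n) | (x << (32 - n))) & MASK

def sigma0(x):
    return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)

def sigma1(x):
    return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)

def expand(m, steps=64, linear=False):
    """Expand the 16 message words of `m` to `steps` words W_t.
    linear=False: the original rule with additions modulo 2^32.
    linear=True:  the "modified SHA-256" rule, every addition replaced by XOR."""
    if len(m) != 16 or not 16 <= steps <= 64:
        raise ValueError("need 16 input words and 16 <= steps <= 64")
    w = list(m)
    for t in range(16, steps):
        terms = (sigma1(w[t - 2]), w[t - 7], sigma0(w[t - 15]), w[t - 16])
        w.append(terms[0] ^ terms[1] ^ terms[2] ^ terms[3] if linear
                 else sum(terms) & MASK)
    return w

def xor_words(u, v):
    """Word-wise XOR of two equally long word sequences (the difference)."""
    return [a ^ b for a, b in zip(u, v)]

def weight(words):
    """Hamming weight of a sequence of 32-bit words."""
    return sum(bin(x).count("1") for x in words)

def single_bit_difference_weights(steps, linear=True, base=None):
    """(min, max) Hamming weight of the expanded difference over all 16*32
    single-bit input differences, the measurement behind Table 2.  For the
    linear rule the result does not depend on the message; for the modular
    rule it does, so the difference is taken relative to `base`
    (default: the all-zero message)."""
    base = list(base) if base is not None else [0] * 16
    w_base = expand(base, steps, linear)
    weights = []
    for t in range(16):
        for j in range(32):
            m = list(base)
            m[t] ^= 1 << j
            weights.append(weight(xor_words(expand(m, steps, linear), w_base)))
    return min(weights), max(weights)

# FIPS 180-2 example block for the message "abc" (after padding).
ABC_BLOCK = [0x61626380] + [0] * 14 + [0x00000018]

if __name__ == "__main__":
    w = expand(ABC_BLOCK)
    print("W16..W19 for 'abc':", [f"{x:08x}" for x in w[16:20]])
    for steps in (40, 64):
        print(steps, "steps, XOR-linearized, single-bit weights (min, max):",
              single_bit_difference_weights(steps, linear=True))
        print(steps, "steps, modular, single-bit weights relative to the zero message:",
              single_bit_difference_weights(steps, linear=False))
```

The XOR-linearized weights are a property of the linear code alone, which is why Section 3 can search it with coding-theoretic algorithms; the modular weights vary with the base message, so the figures printed for the all-zero base are one sample, not the min and max over all messages that Table 2 reports.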


Table 3: Low-weight expanded message for the linearized 40-step message expansion of SHA-256

00000001 00040088 00000000 00000000
00000000 00000001 00000000 00000000
00000000 15522028 00000000 00000000
00000000 000A0400 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00004050 00000000
00000000 00000000 00000000 00000000
00000000 00040088 00000001 00000000
00000000 00000001 00000000 00000000
00000001 00000000 00000000 00000000

Due to the non-linear behavior of the modular addition, no linear code can describe the SHA-256 message expansion. If the modular addition is however replaced by XOR, a linear code can be constructed. This code can be represented by a 512 × 32N generator matrix E. The following equation holds: w = mE.

Due to the linearization, every possible difference of two expanded words is also a valid word in this code. Therefore efficient probabilistic algorithms from coding theory [Leo88, Ste89] can be used to find low-weight differences for the linearized SHA-256 message expansion. Some results of this codeword search are depicted in Figure 1.

[Figure 1 (plot): x-axis: number of steps N, from 20 to 60; y-axis: weight, from 0 to 700. Solid line: lowest weights found by the probabilistic algorithm; dashed line: weights of the expanded 40-step low-weight word.]

Figure 1: Low weight words found for step-reduced versions of the SHA-256 message expansion

All lowest weights found for versions of the message expansion up to the full 64 steps are shown. Up to the 40-step version, our algorithms found reasonably low weights. This is depicted by the solid line. For versions with more than 40 steps, the running time of our algorithms is currently too high to return reasonably low weights. The sudden jump after step 40 is not an intrinsic property of the SHA-256 message expansion, but due to the limited running time of our algorithm.

To show that there indeed are low-weight words for N > 40, we proceed as follows. A straightforward application of the recursive expansion rule on a given low-weight word leads to the weight depicted by the dashed line. A 40-step word of weight 25 is used there as a starting point. Expanding to 64 steps gives us a weight of 356, which is considerably lower than the minimal weight given for a single bit difference in Table 2 (467). However, there is room for improvements. Considering the 40-step variant, the weight of 25 is low compared to the minimal weight of 110 for single-bit differences given in Table 2. The 40-word expanded message is given in Table 3.

In contrast to the words we find for the SHA-1 message expansion, there are no zero-bands anymore. Note that the expanded message given is not necessarily a valid difference in the case of the real message expansion since we approximated the modular addition by an XOR. Also note that the given vector cannot directly be used as a collision-producing perturbation pattern as originally described by Chabaud and Joux in their original attack on SHA-0 [CJ98]. The reason is that there are truncated collisions due to non-zero words in the backwards expansion. However, we expect to find words for reduced versions of the message expansion that can be used to build a collision-producing difference.

A number of conditions on chaining variables need to be fulfilled in order to ensure that the concatenation of local collisions (which hold with probability 2^{-39}) results in a collision at the output of the compression function. If we do not assume any pre-fulfilled conditions, the maximal weight we allow for this perturbation pattern is 3 (since 2^{-39·4} < 2^{-128}). Considering the weights in Figure 1, this would mean a maximum of 24 steps. However, all recent collision search attacks use the fact that conditions on chaining variables in the first steps of the compression are easy to pre-fulfill. Therefore, even vectors with considerably higher weights (if they do not have any truncated collisions) can still be used to mount collision-search attacks faster than 2^{128} elementary operations.

4 Observations on used building blocks

In this section, we list some observations we made on the SHA-256 message expansion.

• σ0 and σ1 both have the property of increasing the Hamming weight of low-weight inputs. This increase is upper bounded by a factor of 3. The average increase of Hamming weight for low-weight inputs is even higher if three rotations are used instead of two rotations and one bit-shift. However, a reason for this bit-shift is given by the next observation.

• If we consider inputs of high Hamming weight, the bit-shift inside σ0 and σ1 helps to reduce the weight of the output. An example is given below. Eq. 21 gives the recurrence relation for the reverse message expansion of SHA-256

Wi = Wi+16 − σ1(Wi+14) − Wi+9 − σ0(Wi+1) (21)

Now it is easy to construct examples where we first calculate 0 − 1 = FFFF. Some steps later this result is input to σ0 or σ1, which leads to the described behavior.

• In contrast to all members of the MD4 family including SHA-1, rotating expanded message words to get new expanded message words is not possible anymore (even in the linearized case). This is again due to the bit-shift used in σ0 and σ1.

5 Conclusions and future work

Our results naturally apply to the message expansion of SHA-224, since the message expansion is exactly the same there. In the case of SHA-384 and SHA-512, slightly changed recurrence relations for the message expansion are used. Additionally, 80 instead of 64 steps are computed. Therefore the results will be different; the basic observations are however expected to hold. We expect to find collision-producing differences without truncated collisions. For step-reduced versions of SHA-256 having a linearized message expansion but the original state update, they could be used to perform collision-search attacks faster than by brute-force search.

Acknowledgements

The work described in this paper has been supported by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT.

Disclaimer

The information in this document reflects only the author’s views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.


References

[BCJ+05] Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet, and William Jalby. Collisions of SHA-0 and Reduced SHA-1. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings, volume 3494 of Lecture Notes in Computer Science, pages 36–57. Springer, 2005.

[CJ98] Florent Chabaud and Antoine Joux. Differential Collisions in SHA-0. In Hugo Krawczyk, editor, Advances in Cryptology – CRYPTO ’98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23-27, 1998, Proceedings, volume 1462, pages 56–71. Springer, 1998.

[GH04] Henri Gilbert and Helena Handschuh. Security Analysis of SHA-256 and Sisters. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography, 10th Annual International Workshop, SAC 2003, Ottawa, Canada, August 14-15, 2003, Revised Papers, volume 3006 of Lecture Notes in Computer Science, pages 175–193. Springer, 2004.

[HPR04] Philip Hawkes, Michael Paddon, and Gregory G. Rose. On Corrective Patterns for the SHA-2 Family. Cryptology ePrint Archive, Report 2004/207, 2004. http://eprint.iacr.org/.

[Leo88] Jeffrey S. Leon. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory, 34(5):1354–1359, 1988.

[MP05] Krystian Matusiewicz and Josef Pieprzyk. Finding good differential pattern for attacks on SHA-1. In International Workshop on Coding and Cryptography – WCC 2005, Bergen, Norway, March 14-18, Proceedings to appear, Lecture Notes in Computer Science. Springer, 2005.

[Nat02] National Institute of Standards and Technology (NIST). FIPS-180-2: Secure Hash Standard, August 2002. Available online at http://www.itl.nist.gov/fipspubs/.

[RO05] Vincent Rijmen and Elisabeth Oswald. Update on SHA-1. In Alfred Menezes, editor, Proceedings of CT-RSA 2005, volume 3376 of LNCS, pages 58–71. Springer, 2005.

[Ste89] Jacques Stern. A method for finding codewords of small weight. In G. Cohen and J. Wolfmann, editors, Coding Theory and Applications, 3rd International Colloquium, Toulon, France, November 1988, Proceedings, volume 388 of Lecture Notes in Computer Science, pages 106–113. Springer, 1989.

[WY05] Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005. Proceedings, volume 3494 of Lecture Notes in Computer Science, pages 19–35. Springer, 2005.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Collisions Search Attacks on SHA1, 2005. Research summary, available at http://theory.csail.mit.edu/~yiqun/shanote.pdf.


An overview of the security weaknesses in Bluetooth

Dave Singelee, Bart Preneel

ESAT-COSIC, K.U. Leuven, Belgium
http://www.esat.kuleuven.ac.be/cosic/
[email protected]

Abstract. In this paper, we give a short overview of the security flaws in the Bluetooth standard. Most of these problems can be exploited by an attacker and are not only important from a theoretical point of view. Some of these security problems were only discovered recently.

Keywords. Bluetooth, Network security, Stream ciphers

1 Security weaknesses

There are a lot of security weaknesses in the Bluetooth standard [JW01]. Some of these problems can very easily be exploited by an attacker; other security weaknesses are rather theoretical. A brief overview of the most important problems will now be given. We will not focus on implementation flaws.

Security depends on security of PIN: The initialization key is a function of a random number, a shared PIN and the length of the PIN. The random number is known by an attacker that is present during the initialization phase. This means that if an attacker obtains the PIN, (s)he knows the initialization key. All the other keys are derived from this initialization key. Note that it is always possible to verify a PIN. The reason is that a mutual authentication protocol is executed after the generation of the initialization key. If an attacker observes this protocol, he obtains a challenge and the corresponding response and can use this to verify guesses of the PIN. The shorter the PIN, the faster this brute force attack can be executed.

Encryption algorithm: Bluetooth uses the encryption algorithm E0. This stream cipher has some security flaws. A lot of attacks on E0 are published, but most of these attacks do not work on the algorithm which implements E0 in Bluetooth. There are however exceptions. Golic [BGM02] has found an attack on the Bluetooth stream cipher which can be implemented for E0. The attack reconstructs the 128-bit secret key with complexity about 2^{70} from about 45 initializations. In the precomputation stage, a database of about 2^{80} 103-bit words has to be sorted out. The attack uses a general linear iterative cryptanalysis method for solving binary systems of approximate linear equations.

Unit key: The unit key is used if one of the Bluetooth devices does not have enough memory to store session keys. This key is stored in non-volatile memory and almost never changed. The unit key is sent encrypted (with the initialization key) to the other device. This opens the door for an impersonation attack. It is recommended to avoid the use of unit keys.

Location Privacy: When two or more Bluetooth devices are communicating, the transmitted packets always contain the Bluetooth addresses of the sender and the receiver. When an attacker eavesdrops on the transmitted data, (s)he can keep track of the place and the time the two devices were communicating.

Denial of Service attacks: Mobile networks are vulnerable to Denial of Service attacks. They consist of mobile devices and these devices are often battery fed. The exhaustion of the battery power (e.g., by sending dummy traffic) is called the sleep deprivation attack. There are also some Denial of Service attacks caused by implementation decisions. A nice example is the black list which is used during the mutual authentication protocol. To avoid that a device would start the authentication protocol over and over again, each device has a black list of the Bluetooth addresses of the devices which failed to authenticate themselves correctly. These devices cannot start an authentication protocol during some period. This mechanism can be exploited in several Denial of Service attacks [C00].


References

[BGM02] V. Bagini, J. Golic, and G. Morgari. Linear Cryptanalysis of Bluetooth Stream Cipher. Advances in Cryptology – EUROCRYPT 2002, Lecture Notes in Computer Science, LNCS 2332, pages 238–255. Springer-Verlag, 2002.

[C00] C. Candolin. Security issues for wearable computing and bluetooth technology. http://www.tml.hut.fi/~candolin/Publications/BT/, 2000.

[JW01] M. Jakobsson and S. Wetzel. Security Weaknesses in Bluetooth. Proceedings of the Cryptographer’s Track at the RSA Conference (CT–RSA ’01), Lecture Notes in Computer Science, LNCS 2020, pages 176–191. Springer-Verlag, 2001.

A pseudo-random function family with a group structure, and an application to multiparty computations

Kristian Gjøsteen

Dept. of telematics, NTNU, Norway
http://www.item.ntnu.no/

[email protected]

Abstract. We describe a pseudo-random function family with a group structure. We show that in the random oracle model, distinguishing the family from a random family is equivalent to the Decision Diffie-Hellman problem.

As an example where such a family is useful, we show how to do many multiparty multiplications with fewer communications than just repeating the standard protocol many times.

Keywords. Pseudo-random function, multiparty computation, random-oracle

1 Introduction

There are very simple algorithms available that allow several parties to jointly compute a product without revealing their inputs. When they want to compute several products, they can obviously just run the same protocol for each product. It is, however, an interesting question whether better solutions can be found with respect to communication complexity.

Franklin and Yung [FY92] investigated how parallelizing the computation can decrease the communication complexity, but their goal is information-theoretic security. Our interest is only in computational security. We shall show how to produce a protocol in the random-oracle model that has computational security, and where the asymptotic communication complexity is in a certain sense optimal.

2 The pseudo-random function

Let S1 and S2 be sets, and denote by Map(S1, S2) the set of functions from S1 to S2. Let F be a subset of Map(S1, S2). A distinguisher for F is an algorithm that is allowed to see the values of a function at points of its choice, and then decide if the function was sampled from F or from Map(S1, S2). If E is the event that a distinguisher A making q queries guesses correctly where the function was sampled from, the advantage of A is

Adv^{F,q}_A = 2 |Pr[E] − 1/2|.


A random-input distinguisher for F is an algorithm that is allowed to see the values of a function at q points sampled uniformly (i.e. not by the distinguisher) from S1. Alternatively, a random-input distinguisher for F is an algorithm that takes as input w0, . . . , wq−1 ∈ S1, z0, . . . , zq−1 ∈ S2, and outputs 0 or 1.

Let z0, z1, . . . , zq−1 be sampled uniformly at random from S1. Let w0, w1, . . . , wq−1 ∈ S2 either be determined by wi = f(zi), or sampled uniformly at random from S2. Let E0 be the event that the distinguisher outputs 0 when its input satisfies wi = f(zi), 0 ≤ i < q, for some f ∈ F, and let E1 be the event that the distinguisher outputs 0 when w0, w1, . . . , wq−1 was sampled uniformly from S2. It is easy to show that

Adv^{F,q}_A = |Pr[E0] − Pr[E1]|. (22)

Let G be a finite cyclic group of prime order m, written multiplicatively, and fix x ∈ G. For any y ∈ G, the pair (x, y) generates a cyclic subgroup Hy of G × G.

Definition 2.1 The DDH problem for G is, given y sampled uniformly at random from G, to decide if (z, w) ∈ G × G was sampled uniformly at random from Hy or from G × G. Let A be an algorithm taking (x, y, z, w) as input and outputting 0 or 1. Let E0, respectively E1, be the event that A outputs 0 when (z, w) is sampled uniformly from Hy, respectively from G × G. The advantage of A is

Adv^{DDH}_A = |Pr[E0] − Pr[E1]|. (23)

We remark that the DDH problem is random self-reducible, since given (z, w) and a, b sampled uniformly at random from {0, 1, . . . , m − 1}, the element (x^a z^b, y^a w^b) is uniformly distributed in Hy if (z, w) ∈ Hy, and otherwise uniformly distributed in G × G.

Theorem 2.2 Let F be the exponentiation maps on G, {ζ ↦ ζ^a | 0 ≤ a < m}. Let A be a random-input distinguisher for F on q queries with advantage ε. Then there exists an adversary A′ against the DDH problem with advantage ε, using the same time as A plus time for 4q group exponentiations.

Proof. We employ the random self-reducibility of the DDH problem. Our distinguisher takes (x, y, z, w) as input. It samples the sequences a0, a1, . . . , aq−1 and b0, b1, . . . , bq−1 uniformly at random from {0, 1, . . . , m − 1}, and sets z_i = x^{a_i} z^{b_i}, w_i = y^{a_i} w^{b_i}. It runs A, and outputs the output of A.

We claim that if (z, w) ∈ Hy, then for some integer a, w_i = z_i^a for 0 ≤ i < q − 1. Otherwise, the sequence (z_i, w_i) is uniformly and independently distributed in G × G.

Let a ∈ {0, 1, . . . , m − 1} be the unique integer such that y = x^a. Set v = w z^{−a}. We have that

w_i = y^{a_i} w^{b_i} = x^{a a_i} (v z^a)^{b_i} = (x^{a_i} z^{b_i})^a v^{b_i} = z_i^a v^{b_i}.

If (z, w) ∈ Hy, then v = 1 and w_i = z_i^a. Otherwise v is a generator for G, and every w_i is uniformly and independently distributed. From (22) and (23), we get that Adv^{DDH}_{A′} = Adv^{F,q}_A. □
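The re-randomisation at the heart of this proof can be exercised in a toy group. The Python below is an added example, not the paper's code. It uses constructed parameters p = 1019 = 2·509 + 1, with G the order-509 subgroup of quadratic residues modulo p generated by x = 4, and takes the coins (a_i, b_i) as an explicit argument so that the behaviour on pairs inside and outside H_y can be checked deterministically; sample_pair, rerandomize and all_in_relation are our names.

```python
import secrets

# Added example, not from the paper.  Toy parameters (constructed): p = 2m + 1
# with p = 1019 and m = 509 both prime; G = quadratic residues mod p, a group
# of prime order m generated by X = 4.  Real deployments use groups whose
# order is around 2^256; the arithmetic below is the same.
P, M = 1019, 509
X = 4

def make_pair(y, a, b, c=0):
    """Return (z, w) = (X^b, z^a * X^c).  With c = 0 the pair lies in
    H_y = <(X, y)> (since y = X^a); with 0 < c < m it lies in G x G \ H_y."""
    z = pow(X, b, P)
    return z, pow(z, a, P) * pow(X, c, P) % P

def sample_pair(y, a, in_subgroup):
    """Uniform (z, w) from H_y if in_subgroup, else uniform from G x G \ H_y.
    `a` is only used to place the pair provably outside H_y."""
    b = secrets.randbelow(M)
    c = 0 if in_subgroup else 1 + secrets.randbelow(M - 1)
    return make_pair(y, a, b, c)

def random_coins(q):
    """q pairs (a_i, b_i) uniform in {0, ..., m-1}, as in the proof."""
    return [(secrets.randbelow(M), secrets.randbelow(M)) for _ in range(q)]

def rerandomize(x, y, z, w, coins):
    """The self-reduction of Theorem 2.2: for every (a_i, b_i) in coins
    output (z_i, w_i) = (x^{a_i} z^{b_i}, y^{a_i} w^{b_i})."""
    return [(pow(x, a, P) * pow(z, b, P) % P,
             pow(y, a, P) * pow(w, b, P) % P) for a, b in coins]

def all_in_relation(pairs, a):
    """True iff every (z_i, w_i) satisfies w_i = z_i^a, i.e. lies in H_y."""
    return all(w == pow(z, a, P) for z, w in pairs)

if __name__ == "__main__":
    a = 123                      # the hidden exponent, y = X^a
    y = pow(X, a, P)
    for in_subgroup in (True, False):
        z, w = sample_pair(y, a, in_subgroup)
        pairs = rerandomize(X, y, z, w, random_coins(8))
        print("input pair in H_y:", in_subgroup,
              "-> all re-randomised pairs in H_y:", all_in_relation(pairs, a))
```

When (z, w) is in H_y every re-randomised pair satisfies w_i = z_i^a, matching v = 1 in the proof; when it is not, v = w z^{-a} is a non-trivial element of the prime-order group G, so w_i = z_i^a v^{b_i} misses the relation for every coin with b_i ≠ 0.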

The next element of the construction is to choose a function h : {0, 1, . . . , q − 1} → G uniformly at random (we are working in the random oracle model). Our pseudo-random family of functions is then

F = {i ↦ h(i)^a | 0 ≤ a < m} ⊆ Map({0, 1, . . . , q − 1}, G).

Note that this family has a group structure isomorphic to Z_m under addition, where f ∗ f′ is the function (f ∗ f′)(i) = f(i) f′(i).

Corollary 2.3 Let A be a random-oracle model distinguisher for F making q distinct queries to the random oracle or the function, and with advantage ε. Then there exists an adversary against the DDH problem with advantage ε, using the same time as A plus time for 4q group exponentiations.

Proof. This follows from the previous theorem, plus the fact that we can simulate the random oracle. Note that whether the adversary queries the random oracle or the function does not matter, but we need to count the total number of distinct queries, not just the function queries. □


3 Shared computation of multiple products

Let $G$ be a finite cyclic group of prime order $m$. Let $F$ be the pseudo-random function family described in the previous section. For a number $0 \le x < m$, denote by $f_x$ the function $i \mapsto h(i)^x$ from $F$.

Suppose three players, Alice, Bob and Carol, have sequences of group elements $(a_i)$, $(b_i)$, and $(c_i)$, and want to compute the product sequence $(a_i b_i c_i)$ without revealing the respective sequences.

The protocol has a setup phase and a computation phase. In the setup phase, Alice samples uniformly at random a number $A$ from $\{0, 1, \ldots, m-1\}$, Bob a number $B$ and Carol a number $C$. Using an information-theoretically secure multiparty protocol, they compute the sum $S \equiv A + B + C \pmod m$ without revealing $A$, $B$ or $C$ to each other; $S$ is the exponent of the product $f_A * f_B * f_C = f_S$ in $F$. That completes the description of the setup phase.

The computation phase proceeds in rounds, computing in the $i$th round the product $a_i b_i c_i$. To do this, Alice broadcasts $f_A(i) a_i$, Bob $f_B(i) b_i$, and Carol $f_C(i) c_i$. Each then computes the product of the broadcasts, which is

$$f_A(i) a_i \cdot f_B(i) b_i \cdot f_C(i) c_i = a_i b_i c_i \, (f_A * f_B * f_C)(i) = a_i b_i c_i \, f_S(i).$$

Since everyone knows $f_S$, everyone can recover the product $a_i b_i c_i$.

Suppose Carol wants to know $a_i$ and $b_i$. She knows $S$ and $C$, hence $A + B \equiv S - C \pmod m$ and the function $f_{A+B}$, and can obviously find the product $a_i b_i$. Can she learn more than that from $f_A(i) a_i$ and $f_B(i) b_i$? It is quite clear that if $f_A$ really is a random function, and $f_B(i) = f_{A+B}(i) / f_A(i)$, she learns nothing beyond $a_i b_i$: the pair $(f_A(i) a_i, f_B(i) b_i)$ is then a uniformly random pair of group elements with the known product $f_{A+B}(i) a_i b_i$. Therefore, if she is able to learn something, we obtain a distinguisher for $f_A$. As we established in the previous section, a random-oracle distinguisher for $f_A$ leads to a distinguisher for the DDH problem. Note that this argument relies on each index $i$ being used in one round only: a player who masked two different elements with the same $f_A(i)$ would reveal their ratio.

Note that the setup phase will typically require each player to send two broadcast messages, while each round of the computation phase only requires a single broadcast message per player. This is clearly asymptotically optimal when the communication primitive is the broadcast message.
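The setup and computation phases above, as an added example in Python that is not part of the paper. It assumes a toy prime-order group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$), instantiates the random oracle $h$ by hashing the round index with SHA-256 and squaring modulo $p$, and instantiates the setup phase's information-theoretically secure computation of $S$ by additive secret sharing among honest-but-curious players; all three are assumptions, since the paper fixes none of them. Besides the honest run it shows Carol's view of a round (she recovers $a_i b_i$ and, under DDH, nothing else) and the failure mode of reusing a round index, which cancels the mask and leaks the ratio of the two masked elements.

```python
import hashlib
import random

# Toy prime-order group: the order-M subgroup of Z_P^*, P = 2M + 1 a safe prime.
# Illustration only (assumption); a deployment uses a standard curve or MODP group.
P, M, G = 2039, 1019, 4
assert P == 2 * M + 1 and G != 1 and pow(G, M, P) == 1


def h(i):
    """Stand-in for the random oracle h : {0, ..., q-1} -> G (assumption: the
    paper only requires h to be random).  Squaring a SHA-256 digest mod P lands
    in the order-M subgroup; the counter skips the unusable values 0 and 1."""
    ctr = 0
    while True:
        d = hashlib.sha256(f"{i}:{ctr}".encode()).digest()
        e = pow(int.from_bytes(d, "big") % P, 2, P)
        if e not in (0, 1):
            return e
        ctr += 1


def f(x, i):
    """f_x(i) = h(i)^x, a member of the family F of Section 2."""
    return pow(h(i), x, P)


def secure_sum(secrets, rng):
    """Setup phase: S = sum of the players' exponents mod M by additive secret
    sharing among honest-but-curious players (an assumed instantiation of the
    information-theoretically secure step).  Player j splits its secret into n
    shares and gives share k to player k; each player then broadcasts the sum of
    the shares it received, and the sum of the broadcasts is S."""
    n = len(secrets)
    shares = []
    for s in secrets:
        row = [rng.randrange(M) for _ in range(n - 1)]
        row.append((s - sum(row)) % M)
        shares.append(row)
    broadcasts = [sum(shares[j][k] for j in range(n)) % M for k in range(n)]
    return sum(broadcasts) % M


def broadcast(x, i, value):
    """Round i: the player holding exponent x publishes f_x(i) * value."""
    return f(x, i) * value % P


def recover_product(broadcasts, S, i):
    """Everyone multiplies the broadcasts and divides out the known f_S(i)."""
    prod = 1
    for b in broadcasts:
        prod = prod * b % P
    return prod * pow(f(S, i), -1, P) % P


def carol_view(bcast_a, bcast_b, S, C, i):
    """What Carol learns about Alice and Bob in round i: from S and C she knows
    f_{A+B}(i) = f_S(i) / f_C(i), hence a_i b_i, and under DDH nothing more."""
    f_ab = f(S, i) * pow(f(C, i), -1, P) % P
    return bcast_a * bcast_b % P * pow(f_ab, -1, P) % P


def ratio_leak(bcast_1, bcast_2):
    """Failure mode: two elements of one player masked with the same f_x(i)
    reveal their ratio, because the mask cancels."""
    return bcast_2 * pow(bcast_1, -1, P) % P


def run_round(A, B, C, S, i, a_i, b_i, c_i):
    """One round of the computation phase: (recovered product, Carol's a_i b_i)."""
    msgs = [broadcast(A, i, a_i), broadcast(B, i, b_i), broadcast(C, i, c_i)]
    return recover_product(msgs, S, i), carol_view(msgs[0], msgs[1], S, C, i)


def demo(seed, rounds=3):
    """Setup, `rounds` rounds on constructed sample inputs, then one deliberate
    index reuse.  Returns (products correct, Carol sees a_i b_i, ratio leaked)."""
    rng = random.Random(seed)
    A, B, C = (rng.randrange(M) for _ in range(3))
    S = secure_sum([A, B, C], rng)
    elem = lambda: pow(G, rng.randrange(M), P)      # constructed group elements
    ok_products = ok_carol = True
    for i in range(rounds):
        a_i, b_i, c_i = elem(), elem(), elem()
        prod, ab = run_round(A, B, C, S, i, a_i, b_i, c_i)
        ok_products = ok_products and prod == a_i * b_i * c_i % P
        ok_carol = ok_carol and ab == a_i * b_i % P
    a1, a2 = elem(), elem()
    leaked = ratio_leak(broadcast(A, 0, a1), broadcast(A, 0, a2))
    return ok_products, ok_carol, leaked == a2 * pow(a1, -1, P) % P


if __name__ == "__main__":
    print(demo(2005))  # (True, True, True)
```

The last return value is the practitioner's check on the argument above: the security reduction treats each index as a single random-oracle query, so a deployment must tie the index to the round (a counter nobody rewinds) and never mask two elements under the same $f_x(i)$.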

4 Concluding remarks

We have described a useful pseudo-random function family along with an application to multiparty computation. The main drawback of this method is that unless the Decision Diffie-Hellman assumption holds for the group in question, the protocol is not secure.

Acknowledgements

Thanks to Susanna tom Raad for posing the problem in Section 3, and to David Wagner for helpful discussions.



Index

Adams, C., 13
Agreste, Santa, 20
Alsaid, Adil, 65
Andaloro, Guido, 20
Armknecht, Frederik, 42

Bangerter, Endre, 105
Bate, Julia C., 109
Benenson, Zinaida, 92
Bojanic, Slobodan, 117
Braeken, An, 89

Camenisch, Jan, 124
Choi, Su-Jeong, 119

Elmufti, Kalid, 90

Freiling, Felix C., 92
Fujita, Takaaki, 18
Fujiwara, Akira, 83
Fujiwara, Toru, 18, 83

Gajparia, Anand S., 74
García, Luis Carlos Coronado, 136
Gastaud, Nicolas, 58
Gjøsteen, Kristian, 151
Gomi, Takeshi, 30

Hong, Seokhie, 81
Hu, Shenglan, 122
Hufschmitt, Emeline, 8

Imai, Hideki, 30, 32, 38, 45, 85

Kesdogan, Dogan, 92
Kim, Jongsung, 81
Kobara, Kazukuni, 30, 45, 85

Lacourt, Pierre-Ambroise, 58
Larger, Laurent, 58
Lee, Changhoon, 81
Lefranc, David, 8
Leung, Adrian, 34
Lucks, Stefan, 131

Matusiewicz, Krystian, 140
Minier, Marine, 98
Miri, A., 13
Mitchell, Chris J., 34, 65, 70, 90, 111, 122, 126
Mohammed, Anish, 70
Montreuil, Audrey, 26
Morillo, Paz, 22

Ní Fhloinn, Eabhnat, 107
Nachtigal, S., 126
Nakano, Toshihisa, 30
Nakayama, Satoshi, 83
Nali, D., 13
Nonaka, Masao, 30

Okamoto, Kunihiro, 18
Okamura, Shingo, 83

Pantelic, Goran, 117
Patarin, Jacques, 26
Pieprzyk, Josef, 140
Poinsot, Stephane, 58
Pramstaller, Norbert, 61, 145
Preneel, Bart, 150
Prestipino, Daniela, 20
Puccio, Luigia, 20
Purser, Michael, 107

Rafols, Carla, 22
Rechberger, Christian, 61, 145
Rijmen, Vincent, 61, 145
Rohe, Markus, 124
Ruiz, Alexandre, 120
Rupp, Andy, 105

Sadeghi, Ahmad-Reza, 105, 124
Schmoigl, Nico, 131
Schoenmakers, Berry, 79
Shigetomi, Rie, 32, 38
Shin, SeongHan, 45, 85
Shin, SeonHo, 109
Sibert, Herve, 8
Sidorenko, Andrey, 79
Singelee, Dave, 150
Stoyanov, Borislav, 103
Sung, Jaechul, 81

Tabet, Abdelilah, 85
Tang, Qiang, 111
Tatlı, Emin Islam, 131
Tuyls, Pim, 55

Udaltsov, Vladimir, 58

Videau, Marion, 87
Villar, Jorge, 120
Virat, Marie, 50

Wolf, Christopher, 40


Xenitellis, Simos, 115

Yoshida, Maki, 18, 83
Yoshida, Masanori, 32
Yoshimoto, Haruhiro, 38

Zhang, Qing, 36
