Publications catalogue - books
Security and Cryptography for Networks: 5th International Conference, SCN 2006, Maiori, Italy, September 6-8, 2006, Proceedings
Roberto De Prisco; Moti Yung (eds.)
Conference: 5th International Conference on Security and Cryptography for Networks (SCN). Maiori, Italy. September 6, 2006 - September 8, 2006
Abstract/Description – provided by the publisher
Not available.
Keywords – provided by the publisher
Data Encryption; Computer Communication Networks; Operating Systems; Management of Computing and Information Systems; Algorithm Analysis and Problem Complexity; Computers and Society
Availability
Detected institution | Year of publication | Browse | Download | Request
---|---|---|---|---
Not detected | 2006 | SpringerLink | | 
Information
Resource type:
books
Print ISBN
978-3-540-38080-1
Electronic ISBN
978-3-540-38081-8
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2006
Publication rights information
© Springer-Verlag Berlin Heidelberg 2006
Subject coverage
Table of contents
doi: 10.1007/11832072_11
About the Security of MTI/C0 and MQV
Sébastien Kunz-Jacques; David Pointcheval
The main application of cryptography is the establishment of secure channels. The most classical way to achieve this goal is definitely the use of variants of the signed Diffie-Hellman protocol. It applies a signature algorithm on the flows of the basic Diffie-Hellman key exchange in order to achieve authentication. However, signature-less authenticated key exchange protocols have numerous advantages, notably from the efficiency point of view. They are thus well-suited for some constrained environments. On the other hand, this efficiency comes at the cost of some uncertainty about the actual security.
This paper focuses on the two most famous signature-less authenticated key exchange protocols, MTI/C0 and MQV. While the formal security of MTI/C0 has never been studied, results for the plain MQV protocol are still debated. We point out algorithmic assumptions on which some security proofs can be built in the random oracle model. The stress is put on implementation aspects that must be properly dealt with in order to obtain the expected security.
Some formalizations about authenticated key exchange, and the generic model, are of independent interest.
- Public Key Encryption and Key Exchange | Pp. 156-172
doi: 10.1007/11832072_12
Chosen-Ciphertext Secure Threshold Identity-Based Key Encapsulation Without Random Oracles
David Galindo; Eike Kiltz
We describe the first identity-based key encapsulation mechanism with threshold key delegation and decapsulation that is secure in the standard model against chosen-ciphertext (CCA2) attacks. Our scheme is unconditionally consistent and proved secure under the Bilinear Decisional Diffie-Hellman assumption.
- Public Key Encryption and Key Exchange | Pp. 173-185
doi: 10.1007/11832072_13
A New Key Exchange Protocol Based on MQV Assuming Public Computations
Sébastien Kunz-Jacques; David Pointcheval
Designing authenticated key exchange algorithms is a problem well understood in cryptography: there are established security models, and proposals proved secure in these models. However, models currently used assume that an honest entity involved in a key exchange is trusted as a whole. In many practical contexts, the entity is divided in an storing a private key and having low computing power, and a , that performs part of the computations required by protocol runs. The computing device might be a PC connected to the Internet, and the authenticating device a smart card. In that case, as well as in many others, a compromise of the computing device is to be expected. We therefore propose a variant of the MQV and HMQV key exchange protocols that is secure in that context, unlike the original protocols. The security claim is supported by a proof in a model derived from the Canetti-Krawczyk one, which takes into account more general rogue behaviours of the computing device.
- Public Key Encryption and Key Exchange | Pp. 186-200
doi: 10.1007/11832072_14
Ideal Secret Sharing Schemes Whose Minimal Qualified Subsets Have at Most Three Participants
Jaume Martí-Farré; Carles Padró
One of the main open problems in secret sharing is the characterization of the access structures of ideal secret sharing schemes. As a consequence of the results by Brickell and Davenport, every one of those access structures is related in a certain way to a unique matroid. We study this open problem for access structures with rank three, that is, structures whose minimal qualified subsets have at most three participants. We prove that all access structures with rank three that are related to matroids with rank greater than three are ideal. After the results in this paper, the only open problem in the characterization of the ideal access structures with rank three is to characterize the matroids with rank three that can be represented by an ideal secret sharing scheme.
- Secret Sharing | Pp. 201-215
doi: 10.1007/11832072_15
Cheating Immune (2,)-Threshold Visual Secret Sharing
Roberto De Prisco; Alfredo De Santis
Cheating in secret sharing has been considered in several papers. Recently, cheating in visual cryptography has been considered in [10], where (2,)-threshold visual cryptography schemes are provided. In this paper we provide new (2,)-threshold visual cryptography schemes. Our model is different from the one considered in [10]; in particular, we aim at constructing cheating immune schemes without the use of extra information, like additional shares or images as done in [10]. We have provided a formal definition of cheating which requires that a group of cheaters be able to deterministically force an honest participant to reconstruct a wrong secret. The (2,)-threshold schemes that we provide do not allow such cheating, regardless of the number of cheaters.
- Secret Sharing | Pp. 216-228
doi: 10.1007/11832072_16
Rational Secret Sharing, Revisited
S. Dov Gordon; Jonathan Katz
We consider the problem of secret sharing among rational players. This problem was introduced by Halpern and Teague (STOC 2004), who claim that a solution is for =2 but show a solution for the case ≥3. Contrary to their claim, we show a protocol for rational secret sharing among =2 players; our protocol extends to the case ≥3, where it is simpler than the Halpern-Teague solution and also offers a number of other advantages. We also show how to avoid the continual involvement of the dealer, in either our own protocol or that of Halpern and Teague.
Our techniques extend to the case of rational players trying to securely compute an arbitrary function, under certain assumptions on the utilities of the players.
- Secret Sharing | Pp. 229-241
doi: 10.1007/11832072_17
On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 (Extended Abstract)
Jongsung Kim; Alex Biryukov; Bart Preneel; Seokhie Hong
HMAC is a widely used message authentication code and a pseudorandom function generator based on cryptographic hash functions such as MD5 and SHA-1. It has been standardized by ANSI, IETF, ISO and NIST. HMAC is proved to be secure as long as the compression function of the underlying hash function is a pseudorandom function. In this paper we devise two new distinguishers of the structure of HMAC, called and , and use them to discuss the security of HMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1. We show how to distinguish HMAC with reduced or full versions of these cryptographic hash functions from a random function or from HMAC with a random function. We also show how to use our differential distinguisher to devise a forgery attack on HMAC. Our distinguishing and forgery attacks can also be mounted on NMAC based on HAVAL, MD4, MD5, SHA-0 and SHA-1.
- Symmetric Key Cryptanalysis and Randomness | Pp. 242-256
doi: 10.1007/11832072_18
Distinguishing Stream Ciphers with Convolutional Filters
Joan Daemen; Gilles Van Assche
This paper presents a new type of distinguisher for the shrinking generator and the alternating-step generator with known feedback polynomial and for the multiplexor generator. For the former the distinguisher is more efficient than existing ones and for the latter it results in a complete breakdown of security. The distinguisher is conceptually very simple and lends itself to theoretical analysis leading to reliable predictions of its probability of success.
- Symmetric Key Cryptanalysis and Randomness | Pp. 257-270
doi: 10.1007/11832072_19
On Statistical Testing of Random Numbers Generators
F. El Haje; Y. Golubev; P. -Y. Liardet; Y. Teglia
Maurer’s test is nowadays a basic statistical tool for testing physical random number generators in cryptographic applications. Based on a statistical analysis of this test we propose simple and effective methods for its improvement. These methods are related to the – spacing technique common in goodness-of-fit problems and the – leave out method used for a noise reduction in the final Maurer test statistic. We also show that the spacing distribution test represents a serious competitor for Maurer’s test in the case when the random number generator is governed by a Markov chain with a long memory.
- Symmetric Key Cryptanalysis and Randomness | Pp. 271-287
doi: 10.1007/11832072_20
Lightweight Email Signatures (Extended Abstract)
Ben Adida; David Chau; Susan Hohenberger; Ronald L. Rivest
We present Lightweight Email Signatures (LES), a simple cryptographic architecture for authenticating email. LES is an extension of DKIM, the recent IETF effort to standardize domain-based email signatures. LES shares DKIM’s ease of deployment: they both use the DNS to distribute a single public key for each domain. Importantly, LES supports common uses of email that DKIM jeopardizes: multiple email personalities, firewalled ISPs, incoming-only email forwarding services, and other common uses that often require sending email via a third-party SMTP server. In addition, LES does not require DKIM’s implied intra-domain mechanism for authenticating users when they send email.
LES provides these features using identity-based signatures. Each domain authority generates a master keypair, publishes the public component in the DNS, and stores the private component securely. Using this private component, the authority delivers to each of its users, via email, an individual secret key whose identity string corresponds to the user’s email address. A sender then signs messages using this individual secret key. A recipient verifies such a signature by querying the appropriate master public key from the DNS, computing the sender’s public key, and verifying the signature accordingly. As an added bonus, the widespread availability of user-level public keys enables deniable authentication, such as ring signatures. Thus, LES provides email authentication with optional repudiability.
We built a LES prototype to determine its practicality. Basic user tests show that the system is relatively easy to use, and that cryptographic performance, even when using deniable authentication, is well within acceptable range.
- Applied Authentication | Pp. 288-302