Catálogo de publicaciones - libros

Motivated by the proactive security problem, we study the question of maintaining secrecy against a mobile eavesdropper that can eavesdrop to a bounded number of in each round of the protocol. We characterize the networks in which secrecy can be maintained against an adversary that can eavesdrop to channels in each round. Using this characterization, we analyze the number of eavesdropped channels that complete graphs can withhold while maintaining secrecy.

Simultaneous Broadcast protocols allow different parties to broadcast values in parallel while guaranteeing mutual independence of the broadcast values. The problem of simultaneous broadcast was suggested by Chor et al. (FOCS 1985) who proposed a linear-round solution, and later improved by Chor and Rabin (PODC 1987) and Gennaro (IEEE Trans. on Parallel and Distributed Systems 2000). The most efficient solution, in terms of round complexity, is the one due to Gennaro, which is in the common random string model. This construction has constant round complexity but is not very practical, as it requires generic zero-knowledge proofs, non-interactive zero-knowledge proofs of knowledge, and commitment schemes. All the mentioned solutions were proven secure under security definitions with weak or no composition guarantees – only sequential composition for the initial construction by Chor et al.

In this work, we explore the problem of Simultaneous Broadcast under Universally Composable (UC) security (Canetti 2001). We give a definition of Simultaneous Broadcast in this framework, which is shown to imply all past definitions. We also show this notion can be achieved by a computationally efficient, constant-round construction (building on the verifiable secret sharing scheme of Cramer et al. at Eurocrypt 1999), which is secure under an honest majority. Our results rely on (and benefit from) capturing synchronous communication as a functionality within the UC model, as suggested by Canetti (IACR eprint 2005). Indeed, we show that this approach of modeling synchronous communication can lead to better understanding of where synchronicity is needed, and also simpler constructions and proofs.

In this paper, we conduct a thorough study among various notions of security of undeniable signature schemes and establish some relationships among them. We focus on two adversarial goals which are unforgeability and invisibility and two attacks which are chosen message attack and full attack. In particular,we show that unforgeability against chosen message attack is equivalent to unforgeability against full attack, and invisibility against chosen message attack is equivalent to invisibility against full attack. We also present an undeniable signature scheme whose unforgeability is based on the factoring assumption and whose invisibility is based on the composite decision Diffie-Hellman assumption.

We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocal commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier’s DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto ’97 using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a “public-tagging” mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.

Universal designated verifier signatures (UDVS) were introduced in 2003 by Steinfeld to allow signature holders to monitor the verification of a given signature in the sense that any plain signature can be publicly turned into a signature which is only verifiable by some specific designated verifier. Privacy issues, like non-dissemination of digital certificates, are the main motivations to study such primitives. In this paper, we propose two fairly efficient UDVS schemes which are secure (in terms of unforgeability and anonymity) in the (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more than assumptions involved in the two only known UDVS schemes in standard model to date. The latter schemes, put forth by Zhang in 2005 and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the strange-looking (KEA). Our schemes are obtained from Waters’s signature and they do not need the KEA assumption. They are also the first random oracle-free constructions with the anonymity property.

In this paper we study the probability of differentials and characteristics over 2 rounds of the AES with the objective to understand how the components of the AES round transformation interact in this respect. We extend and correct the analysis of the differential properties of the multiplicative inverse in GF(2) given in [9]. We study the number of characteristics with EDP >0 whose probability adds up to the probability of a differential and derive formulas that allow to produce a close estimate of this number for any differential. We use the properties discovered in our study to explain the differentials with the maximum EDP values and describe the impact of the linear transformation in the AES S-box in this respect.

Cobra-F64a and Cobra-F64b, designed for firmware-oriented applications, are 64-bit Data-dependent Permutation based block ciphers with 128 key bits, which consist of 16 and 20 rounds, respectively. In this paper, we investigate their security against related-key attacks. Our investigation shows that the full 16-round Cobra-F64a can be broken by our related-key rectangle attack and that the full 20-round Cobra-F64b can be broken by our related-key differential attack.

-times anonymous authentication (-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic -TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space complexity, existing dynamic -TAA schemes are of complexities O(), where is the allowed number of authentication. In this paper, we construct a dynamic -TAA scheme with space and time complexities of (log()). We also outline how to construct dynamic -TAA scheme with a constant proving effort. Public key size of this variant, however, is ().

We then construct an ordinary -TAA scheme from the dynamic scheme. We also describe a trade-off between efficiency and setup freeness of AP, in which AP does not need to hold any secret while maintaining control over their clients.

To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the -SDH assumption.

Finally, we show that our dynamic -TAA scheme, constructed from bilinear pairing, is secure in the random oracle model.

We present specifications and provably-secure protocol, for fully automated resolution of disputes between a provider of digital goods and services, and its customers. Disputes may involve the timely receipt of orders and goods, due to communication failures and malicious faults, as well as disputes on the fitness of the goods to the order. Our design is a part of a layered architecture for secure e-commerce applications [1], with precise yet general-purpose interfaces, agreements and validation functions (e.g. automatically resolving disputes on quality or fitness of goods). The modular design of the protocol and specifications, allows usage as an underlying service to different e-commerce, e-banking and other distributed systems. Our protocol operates efficiently, reliably and securely under realistic failure and delay conditions.

In an electronic cash (e-cash) system, a user can withdraw coins from the bank, and then spend each coin anonymously and unlinkably. For some applications, it is desirable to set a limit on the dollar amounts of anonymous transactions. For example, governments require that large transactions be reported for tax purposes. In this work, we present the first e-cash system that makes this possible without a trusted party. In our system, a user’s anonymity is guaranteed so long as she does not: (1) double-spend a coin, or (2) exceed the publicly-known spending limit with any merchant. The spending limit may vary with the merchant. Violation of either condition can be detected, and can (optionally) lead to identification of the user and discovery of her other activities. While it is possible to balance accountability and privacy this way using e-cash, this is impossible to do using regular cash.

Our scheme is based on our recent compact e-cash system. It is secure under the same complexity assumptions in the random-oracle model. We inherit its efficiency: 2 coins can be stored in (ℓ+) bits and the complexity of the withdrawal and spend protocols is (ℓ+), where is the security parameter.