RIPPFS: an RFID Identification, Privacy Preserving protocol with Forward Secrecy.
Cited by 13 (5 self)
Abstract
This paper presents a new RFID identification protocol: RIPPFS. The proposed protocol is based on hash chains and it enforces privacy and forward secrecy. Further, unlike other protocols based on hash chains, our proposal is resilient to a specific DoS attack, in which the attacker attempts to exhaust the hash chain the tag is programmed to spend. The computations required on the tag side are very limited, just three hash functions; on the reader side RIPPFS allows leveraging precomputations, in such a way that tag identification resolves to a lookup in precomputed tables, speeding up the identification process. To the best of our knowledge this is the first protocol providing all these features at once.
Efficient and Privacy-Preserving Data Aggregation in Mobile Sensing
Cited by 11 (7 self)
Abstract
The proliferation and ever-increasing capabilities of mobile devices such as smart phones give rise to a variety of mobile sensing applications. This paper studies how an untrusted aggregator in mobile sensing can periodically obtain desired statistics over the data contributed by multiple mobile users, without compromising the privacy of each user. Although there are some existing works in this area, they either require bidirectional communications between the aggregator and mobile users in every aggregation period, or have high computation overhead and cannot support large plaintext spaces. Also, they do not consider the Min aggregate, which is quite useful in mobile sensing. To address these problems, we propose an efficient protocol to obtain the Sum aggregate, which employs an additive homomorphic encryption and a novel key management technique to support large plaintext space. We also extend the sum aggregation protocol to obtain the Min aggregate of time-series data. Evaluations show that our protocols are orders of magnitude faster than existing solutions.
Instantiating Random Oracles via UCEs
2013
Cited by 9 (3 self)
Abstract
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hardcore functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Provable-security analysis of authenticated encryption
Cited by 9 (0 self)
Abstract
Kerberos is a widely-deployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol’s evolution. Several recent results present successful formal-methods-based verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to be meaningful, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither the encryption schemes currently deployed as part of Kerberos nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos’ encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modification that we suggest. Our results complement the formal-methods-based analysis of Kerberos that justifies its current design.
Message Authentication, Revisited
2012
Cited by 8 (2 self)
Abstract
Traditionally, symmetric-key message authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRF-based MACs, where each message has a unique valid tag, we give a number of probabilistic MAC constructions from various other primitives/assumptions. Our main results are summarized as follows: • We show several new probabilistic MAC constructions from a variety of general assumptions, including CCA-secure encryption, Hash Proof Systems and key-homomorphic weak PRFs. By instantiating these frameworks under concrete number theoretic assumptions, we get several schemes which are more efficient than just using a state-of-the-art PRF instantiation under the corresponding assumption. For example, we obtain elegant DDH-based MACs with much shorter keys than the quadratic-sized key of the Naor-Reingold PRF. We also show that several natural (probabilistic) digital signature schemes, such as those by Boneh-Boyen and Waters, can be significantly optimized when “downgraded” into a MAC, both in
Tracker: security and privacy for RFID-based supply chains
In NDSS’11, 18th Annual Network and Distributed System Security Symposium, 6-9 February 2011
Cited by 7 (1 self)
Abstract
The counterfeiting of pharmaceutics or luxury objects is a major threat to supply chains today. As different facilities of a supply chain are distributed and difficult to monitor, malicious adversaries can inject fake objects into the supply chain. This paper presents TRACKER, a protocol for object genuineness verification in RFID-based supply chains. More precisely, TRACKER allows securely identifying which (legitimate) path an object/tag has taken through a supply chain. TRACKER provides privacy: an adversary can neither learn details about an object’s path, nor can it trace and link objects in the supply chain. TRACKER’s security and privacy are based on an extension of polynomial signature techniques for runtime fault detection using homomorphic encryption. Contrary to related work, RFID tags in this paper are not required to perform any computation, but only feature a few bytes of storage such as ordinary EPC Class 1 Gen 2 tags.
Provable Security Support for the Skein Hash Family. http://www.skein-hash.info/sites/default/files/skein-proofs.pdf Draft
2009
A new mode of operation for block ciphers and length-preserving MACs
Lecture Notes in Computer Science
2008
Cited by 6 (2 self)
Abstract
We propose a new mode of operation, enciphered CBC, for domain extension of length-preserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice slower than CBC, but has many (property-preserving) properties not enjoyed by CBC and other known modes. Most notably, it yields the first constant-rate Variable Input Length (VIL) MAC from any length-preserving Fixed Input Length (FIL) MAC. This answers the question of Dodis and Puniya from Eurocrypt 2007. Further, our mode is a secure domain extender for PRFs (with basically the same security as encrypted CBC). This provides a hedge against the security of the block cipher: if the block cipher is pseudorandom, one gets a VIL-PRF, while if it is “only” unpredictable, one “at least” gets a VIL-MAC. Additionally, our mode yields a VIL random oracle (and, hence, a collision-resistant hash function) when instantiated with length-preserving random functions, or even random permutations (which can be queried from both sides). This means that one does not have to re-key the block cipher during the computation, which was critically used in most previous constructions (analyzed in the ideal cipher model).
Analysis of Multivariate Hash Functions
Cited by 6 (1 self)
Abstract
We analyse the security of new hash functions whose compression function is explicitly defined as a sequence of multivariate equations. First we prove non-universality of certain proposals with sparse equations, and deduce trivial collisions holding with high probability. Then we introduce a method inspired from coding theory for solving underdefined systems with a low density of nonlinear monomials, and apply it to find collisions in certain functions. We also study the security of the message authentication codes HMAC and NMAC built on multivariate hash functions, and demonstrate that families of low-degree functions over GF(2) are neither pseudorandom nor unpredictable.