Results 1 to 10 of 46
Curve25519: new Diffie-Hellman speed records
In Public Key Cryptography (PKC), Springer-Verlag LNCS 3958, 2006
Cited by 58 (20 self)
Abstract. This paper explains the design and implementation of a high-security elliptic-curve Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors' results at the same conjectured security level (with or without the side benefits).
Another Look at HMQV
IACR ePrint archive, 2005
Cited by 17 (1 self)
Abstract. The HMQV protocols are 'hashed variants' of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, patched versions of the HMQV protocols that resist our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.
Errors in Computational Complexity Proofs for Protocols
2005
Cited by 15 (9 self)
Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provably-secure protocols. In this work, we examine several protocols with claimed proofs of security by Boyd & González Nieto (2003), Jakobsson & Pointcheval (2001), and Wong & Chan (2001), and an authenticator by Bellare, Canetti, & Krawczyk (1998). Using these protocols as case studies, we reveal previously unpublished flaws in these protocols and their proofs. We hope our analysis will enable similar mistakes to be avoided in the future.
Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir without Random Oracles
2007
Cited by 14 (1 self)
We show how the Fiat-Shamir transform can be used to convert three-move identification protocols into two-tier signature schemes (a primitive we define) with a proof of security that makes a standard assumption on the hash function rather than modeling it as a random oracle. The result requires security of the starting protocol against concurrent attacks. We can show that numerous protocols have the required properties and so obtain numerous efficient two-tier schemes. Our first application is an efficient transform of any unforgeable signature scheme into a strongly unforgeable one, which uses as a tool any two-tier scheme. (This extends work of Boneh, Shen and Waters, whose transform only applies to a limited class of schemes.) The second application is new one-time signature schemes that, compared to one-way-function-based ones of the same computational cost, have smaller key and signature sizes.
How Risky is the Random-Oracle Model?
Cited by 11 (0 self)
Abstract. RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2^30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
Another look at generic groups
Advances in Mathematics of Communications, 2006
Cited by 9 (3 self)
(Communicated by Andreas Stein) Abstract. Starting with Shoup's seminal paper [24], the generic group model has been an important tool in reductionist security arguments. After an informal explanation of this model and Shoup's theorem, we discuss the danger of flaws in proofs. We next describe an ontological difference between the generic group assumption and the random oracle model for hash functions. We then examine some criticisms that have been leveled at the generic group model and raise some questions of our own.
On Security Models and Compilers for Group Key Exchange Protocols
In Proceedings of the 2nd International Workshop on Security (IWSEC 2007), 2007
Cited by 9 (5 self)
Abstract. Group key exchange (GKE) protocols can be used to guarantee confidentiality and group authentication formalization (security model) that considers the environment of the protocol and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE- and MA-security have since become standard. In this paper we analyze the BCPQ model and some of its later modifications and identify several security risks resulting from the technical construction of this model, the notion of partnering. Consequently, we propose a revised model with extended definitions for AKE- and MA-security capturing, in addition, attacks of malicious protocol participants. Further, we analyze some well-known generic solutions (compilers) for AKE- and MA-security of GKE protocols proposed based on the definitions of the BCPQ model and its variants and identify several limitations resulting from the underlying assumptions. In order to remove these limitations and at the same time to show that our revised security model is in fact practical enough for the construction of reductionist security proofs, we describe a modified compiler which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions. Key words: Group key exchange, extended security model, malicious participants, compiler for AKE and
Elliptic curve cryptography: The serpentine course of a paradigm shift
J. Number Theory, 2008
Cited by 8 (4 self)
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.
A Protocol for Secure Public Instant Messaging
Proceedings of Financial Cryptography and Data Security 2006 (FC'06), 2006
Cited by 7 (1 self)
Although Instant Messaging (IM) services are now relatively long-standing and very popular as an instant way of communication over the Internet, they have received little attention from the security research community. Despite important differences distinguishing IM from other Internet applications, very few protocols have been designed to address the unique security issues of IM. In light of threats to existing IM networks, we present the Instant Messaging Key Exchange (IMKE) protocol as a step towards secure IM. A discussion of IM threat model assumptions and an analysis of IMKE relative to these using BAN-like logic is also provided. Based on our implementation of IMKE using the Jabber protocol, we provide insights on how IMKE may be integrated with popular IM protocols.
Analysis of QUAD
Proceedings of Fast Software Encryption, 2007
Cited by 6 (1 self)
... introduced QUAD, a parametrized family of stream ciphers. Speed reports were presented for QUAD instances with 160-bit state and output block over the fields GF(2), GF(16), and GF(256). A security reduction was seemingly implied provable for all fields, but "for simplicity" a proof was given for GF(2) only. This reduction deduces the infeasibility of attacks on QUAD from the hypothesized infeasibility (with an extra looseness factor) of attacks on the well-known hard problem of solving systems of multivariate quadratic equations over finite fields. This paper discusses both theoretical and practical aspects of attacking QUAD and of attacking the underlying hard problem. For example, this paper shows how to use XL-Wiedemann to break the GF(256) instance QUAD(256, 20, 20) in approximately 2^66 Opteron cycles, and to break the underlying hard problem in approximately 2^45 cycles. The analysis shows, for each of the QUAD parameters mentioned in the paper or the talk (as implementation reports), the implications and limitations of the security proofs, pointing out which QUAD instances are not, and which ones will never be, proven secure. Empirical data backs up the theoretical conclusions; in particular, the 2^45-cycle attack was carried out successfully.