CryptoDB
Marc Fischlin
Publications
Year
Venue
Title
2022
ASIACRYPT
Nostradamus goes Quantum
📺
Abstract
In the Nostradamus attack, introduced by Kelsey and Kohno (Eurocrypt 2006), the adversary has to commit to a hash value y of an iterated hash function H such that, when later given a message prefix P, the adversary is able to find a suitable "suffix explanation" S with H(P||S)=y. Kelsey and Kohno show a herding attack with $2^{2n/3}$ evaluations of the compression function of H (with n bits output and state), locating the attack between preimage attacks and collision search in terms of complexity. Here we investigate the security of Nostradamus attacks for quantum adversaries. We present a quantum herding algorithm for the Nostradamus problem making approximately $\sqrt[3]{n}\cdot 2^{3n/7}$ compression function evaluations, significantly improving over the classical bound. We also prove that quantum herding attacks cannot do better than $2^{3n/7}$ evaluations for random compression functions, showing that our algorithm is (essentially) optimal. We also discuss a slightly less tight bound of roughly $2^{3n/7-s}$ for general Nostradamus attacks against random compression functions, where s is the maximal block length of the adversarially chosen suffix S.
2021
PKC
Single-to-Multi-Theorem Transformations for Non-Interactive Statistical Zero-Knowledge
📺
Abstract
Non-interactive zero-knowledge proofs or arguments allow a prover to show validity of a statement without further interaction. For non-trivial statements such protocols require a setup assumption in form of a common random or reference string (CRS). Generally, the CRS can only be used for one statement (single-theorem zero-knowledge) such that a fresh CRS would need to be generated for each proof. Fortunately, Feige, Lapidot and Shamir (FOCS 1990) presented a transformation for any non-interactive zero-knowledge proof system that allows the CRS to be reused any polynomial number of times (multi-theorem zero-knowledge). This FLS transformation, however, is only known to work for either computational zero-knowledge or requires a structured, non-uniform common reference string.
In this paper we present FLS-like transformations that work for non-interactive statistical zero-knowledge arguments in the common random string model. They allow to go from single-theorem to multi-theorem zero-knowledge and also preserve soundness, for both properties in the adaptive and non-adaptive case. Our first transformation is based on the general assumption that one-way permutations exist, while our second transformation uses lattice-based assumptions. Additionally, we define different possible soundness notions for non-interactive arguments and discuss their relationships.
2021
ASIACRYPT
Cryptographic Analysis of the Bluetooth Secure Connection Protocol Suite
📺
Abstract
We give a cryptographic analysis of the Bluetooth Secure Connection Protocol Suite. Bluetooth supports several subprotocols such as numeric comparison, passkey entrance, and just works, in order to match the devices' different input/output capabilities. Previous analyses (e.g., Lindell, CT-RSA'09, or Troncoso and Hale, NDSS'21) often considered (and confirmed) the security of single subprotocols only. Recent practically verified attacks, however, such as the Method Confusion Attack (von Tschirschnitz et al., S&P 21) against Bluetooth's authentication and key secrecy property often exploit the bad interplay of different subprotocols. Even worse, some of these attacks show that one cannot show the Bluetooth protocol suite to be a secure authenticated key exchange protocol. We therefore aim at the best we can hope for, and show that the protocol still matches the common key secrecy requirements of a key-exchange protocol if one assumes a trust-on-first-use relationship. This means that the adversary needs to mount an active attack during the first connection, otherwise the subsequent reconnections remain secure.
Investigating the cryptographic strength of the Bluetooth protocol we also look into the privacy mechanism of address randomization in Bluetooth (which is only available in the Low Energy version). We show that the cryptography indeed provides a decent level of address privacy, although this does not rule out identification of devices via other means, such as physical characteristics.
2021
JOFC
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol
Abstract
We analyze the handshake protocol of the Transport Layer Security (TLS) protocol, version 1.3. We address both the full TLS 1.3 handshake (the one round-trip time mode, with signatures for authentication and (elliptic curve) Diffie–Hellman ephemeral ((EC)DHE) key exchange), and the abbreviated resumption/“PSK” mode which uses a pre-shared key for authentication (with optional (EC)DHE key exchange and zero round-trip time key establishment). Our analysis in the reductionist security framework uses a multi-stage key exchange security model, where each of the many session keys derived in a single TLS 1.3 handshake is tagged with various properties (such as unauthenticated versus unilaterally authenticated versus mutually authenticated, whether it is intended to provide forward security, how it is used in the protocol, and whether the key is protected against replay attacks). We show that these TLS 1.3 handshake protocol modes establish session keys with their desired security properties under standard cryptographic assumptions.
2020
EUROCRYPT
Signatures from Sequential-OR Proofs
📺
Abstract
OR-proofs enable a prover to show that it knows the witness for one of many statements, or that one out of many statements is true. OR-proofs are a remarkably versatile tool, used to strengthen security properties, design group and ring signature schemes, and achieve tight security. The common technique to build OR-proofs is based on an approach introduced by Cramer, Damgaard, and Schoenmakers (CRYPTO'94), where the prover splits the verifier's challenge into random shares and computes proofs for each statement in parallel.
In this work we study a different, less investigated OR-proof technique, highlighted by Abe, Ohkubo, and Suzuki (ASIACRYPT'02). The difference is that the prover now computes the individual proofs sequentially. We show that such sequential OR-proofs yield signature schemes which can be proved secure in the non-programmable random oracle model. We complement this positive result with a black-box impossibility proof, showing that the same is unlikely to be the case for signatures derived from traditional OR-proofs. We finally argue that sequential-OR signature schemes can be proved secure in the quantum random oracle model, albeit with very loose bounds and by programming the random oracle.
2020
ASIACRYPT
Security Reductions for White-Box Key-Storage in Mobile Payments
📺
Abstract
The goal of white-box cryptography is to provide security even when the cryptographic implementation is executed in adversarially controlled environments. White-box implementations nowadays appear in commercial products such as mobile payment applications, e.g., those certified by Mastercard. Interestingly, there, white-box cryptography is championed as a tool for secure storage of payment tokens, and importantly, the white-boxed storage functionality is bound to a hardware functionality to prevent code-lifting attacks.
In this paper, we show that the approach of using hardware-binding and obfuscation for secure storage is conceptually sound. Following security specifications by Mastercard and also EMVCo, we first define security for a white-box key derivation functions (WKDF) that is bound to a hardware functionality. WKDFs with hardware-binding model a secure storage functionality, as the WKDFs in turn can be used to derive encryption keys for secure storage. We then provide a proof-of-concept construction of WKDFs based on pseudorandom functions (PRF) and obfuscation. To show that our use of cryptographic primitives is sound, we perform a cryptographic analysis and reduce the security of our WKDF to the cryptographic assumptions of indistinguishability obfuscation and PRF-security. The hardware-functionality that our WKDF is bound to is a PRF-like functionality. Obfuscation helps us to hide the secret key used for the verification, essentially emulating a signature functionality as is provided by the Android key store.
We rigorously define the required security properties of a hardware-bound white-box payment application (WPAY) for generating and encrypting valid payment requests. We construct a WPAY, which uses a WKDF as a secure building block. We thereby show that a WKDF can be securely combined with any secure symmetric encryption scheme, including those based on standard ciphers such as AES.
2018
ASIACRYPT
Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove
Abstract
Ever since the foundational work of Goldwasser and Micali, simulation has proven to be a powerful and versatile construct for formulating security in various areas of cryptography. However security definitions based on simulation are generally harder to work with than game based definitions, often resulting in more complicated proofs. In this work we challenge this viewpoint by proposing new simulation-based security definitions for secure channels that in many cases lead to simpler proofs of security. We are particularly interested in definitions of secure channels which reflect real-world requirements, such as, protecting against the replay and reordering of ciphertexts, accounting for leakage from the decryption of invalid ciphertexts, and retaining security in the presence of ciphertext fragmentation. Furthermore we show that our proposed notion of channel simulatability implies a secure channel functionality that is universally composable. To the best of our knowledge, we are the first to study universally composable secure channels supporting these extended security goals. We conclude, by showing that the Dropbear implementation of SSH-CTR is channel simulatable in the presence of ciphertext fragmentation, and therefore also realises a universally composable secure channel. This is intended, in part, to highlight the merits of our approach over prior ones in admitting simpler security proofs in comparable settings.
2011
ASIACRYPT
2008
CRYPTO
1999
EUROCRYPT
Program Committees
- Asiacrypt 2022
- Crypto 2022
- Eurocrypt 2021
- PKC 2020
- TCC 2019
- Crypto 2018
- TCC 2018
- Eurocrypt 2016 (Program chair)
- Eurocrypt 2015 (Program chair)
- Asiacrypt 2014
- TCC 2014
- PKC 2013
- Eurocrypt 2012
- Asiacrypt 2012
- Crypto 2012
- PKC 2012 (Program chair)
- PKC 2011
- Asiacrypt 2010
- PKC 2010
- TCC 2009
- Eurocrypt 2009
- Crypto 2009
- TCC 2008
- Eurocrypt 2007
- Eurocrypt 2005
- PKC 2004
- PKC 2002
Coauthors
- Paul Baecher (3)
- Mihir Bellare (2)
- Barbara Jiabao Benedikt (1)
- David Bernhard (2)
- Estuardo Alpirez Bock (1)
- Alexandra Boldyreva (4)
- Dan Boneh (1)
- Jacqueline Brendel (1)
- Chris Brzuska (5)
- Ran Canetti (1)
- David Cash (1)
- Özgür Dagdelen (2)
- Jean Paul Degabriele (1)
- Alexander W. Dent (1)
- Benjamin Dowling (1)
- Pooya Farshim (1)
- Roger Fischlin (3)
- Nils Fleischhacker (1)
- Tobias Freudenreich (1)
- Tommaso Gagliardoni (1)
- Shafi Goldwasser (1)
- Felix Günther (3)
- Patrick Harasser (1)
- Amir Herzberg (1)
- Moritz Huppert (1)
- Christian Janson (3)
- Stefan Katzenbeisser (1)
- Anja Lehmann (8)
- Benoît Libert (1)
- Mark Manulis (2)
- Giorgia Azzurra Marson (1)
- Silvio Micali (1)
- Wil Michiels (1)
- Hod Bin Noon (1)
- Adam O'Neill (1)
- Marcus Page (1)
- Adriana Palacio (1)
- Kenneth G. Paterson (1)
- Krzysztof Pietrzak (1)
- Thomas Ristenpart (2)
- Felix Rohrbach (1)
- Olga Sanina (1)
- Christian Schaffner (1)
- Jakob Schelbert (1)
- Heike Schröder (1)
- Dominique Schröder (5)
- Thomas Shrimpton (1)
- Haya Shulman (1)
- Martijn Stam (3)
- Douglas Stebila (1)
- Stefano Tessaro (1)
- Florian Volk (1)
- Bogdan Warinschi (4)
- Mark Zhandry (1)