## CryptoDB

### Feng Hao

#### Publications

| Year | Venue | Title |
|------|-------|-------|
| 2015 | EPRINT | |
| 2015 | EPRINT | |
| 2014 | EPRINT | |
| 2014 | EPRINT | |
| 2010 | EPRINT | |
This paper discusses public-key authenticated key agreement protocols. First, we critically analyze several authenticated key agreement protocols and uncover various theoretical and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized by IEEE P1363. The first attack presents a counterexample that invalidates the basic authentication in HMQV. The second attack is applicable to almost all past schemes, even though many of them have formal security proofs. These attacks highlight the difficulty of designing a cryptographic protocol correctly and the caution one should always take. We further point out that many of the design errors are caused by sidestepping an important engineering principle, namely "Do not assume that a message you receive has a particular form (such as $g^{r}$ for known $r$) unless you can check this". Constructions in the past generally resisted this principle on the grounds of efficiency: checking knowledge of the exponent is commonly seen as too expensive. In a concrete example, we demonstrate how to effectively integrate the zero-knowledge proof primitive into the protocol design while still achieving good efficiency. Our new key agreement protocol, YAK, has computational efficiency comparable to the MQV and HMQV protocols, with clear advantages in security. Among all the related techniques, our protocol appears to be the simplest so far. We believe simplicity is also an important engineering principle.
2010, EPRINT
The small subgroup confinement attack works by confining cryptographic operations within a small subgroup, in which exhaustive search is feasible. This attack is overt and hence can be easily thwarted by adding public-key validation: verifying that the received group element has the proper order. In this paper, we present a different aspect of the small subgroup attack. Sometimes, the fact that an operation does not fall into the small subgroup confinement may provide an oracle to an attacker, leaking partial information about the long-term secrets. This attack is subtle and reflects a structural weakness of a protocol; whether the protocol has public-key validation is completely irrelevant. As a concrete example, we show how this attack works on the Secure Remote Password (SRP-6) protocol.
2010, EPRINT
Password Authenticated Key Exchange (PAKE) is one of the important topics in cryptography. It aims to address a practical security problem: how to establish secure communication between two parties based solely on a shared password, without requiring a Public Key Infrastructure (PKI). After more than a decade of extensive research in this field, several PAKE protocols are available. The EKE and SPEKE schemes are perhaps the two most notable examples. Both techniques are, however, patented. In this paper, we review these techniques in detail and summarize various theoretical and practical weaknesses. In addition, we present a new PAKE solution called J-PAKE. Our strategy is to depend on well-established primitives such as the Zero-Knowledge Proof (ZKP). So far, almost all past solutions have avoided using ZKP out of concern for efficiency. We demonstrate how to effectively integrate the ZKP into the protocol design while still achieving good efficiency. Our protocol has computational efficiency comparable to the EKE and SPEKE schemes, with clear advantages in security.
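As an added illustration (not code from any of the papers listed), the two receiver-side checks these abstracts revolve around: public-key validation of a received element's order, which defeats the overt small subgroup confinement attack, and a Schnorr-style zero-knowledge proof that the sender knows the exponent behind $g^{x}$, the ZKP primitive on which YAK and J-PAKE build. The group parameters are constructed toy values, and binding the proof to a session id is an assumption of this example.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a
# safe prime and g = 4 generates the prime-order-q subgroup of squares mod p.
P, Q, G = 2039, 1019, 4


def validate_element(y: int) -> bool:
    """Public-key validation: accept only elements of the order-q subgroup.
    This rejects 0, 1 and the order-2 element p-1 that confinement relies on."""
    return 1 < y < P and pow(y, Q, P) == 1


def confined_secret(x: int) -> int:
    """What a Diffie-Hellman step yields if the unvalidated element p-1 is
    accepted: the 'secret' collapses to 1 or p-1, revealing the parity of x."""
    return pow(P - 1, x, P)


def _challenge(y: int, t: int, sid: bytes) -> int:
    """Fiat-Shamir challenge bound to the public value and a session id (assumed)."""
    data = b"|".join(str(v).encode() for v in (G, y, t)) + b"|" + sid
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_prove(x: int, sid: bytes, v=None):
    """Schnorr proof of knowledge of x for y = g^x; v is the prover's nonce
    (random unless a value is injected for deterministic testing)."""
    y = pow(G, x, P)
    v = secrets.randbelow(Q - 1) + 1 if v is None else v
    t = pow(G, v, P)
    c = _challenge(y, t, sid)
    r = (v - c * x) % Q
    return y, (t, r)


def schnorr_verify(y: int, proof, sid: bytes) -> bool:
    """The receiver's check: y is a well-formed group element AND the sender
    demonstrated knowledge of its exponent (g^r * y^c == t)."""
    t, r = proof
    if not (validate_element(y) and validate_element(t) and 0 <= r < Q):
        return False
    c = _challenge(y, t, sid)
    return (pow(G, r, P) * pow(y, c, P)) % P == t


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    y, proof = schnorr_prove(x, b"session-42")
    print("element valid:", validate_element(y), "proof ok:", schnorr_verify(y, proof, b"session-42"))
    print("confined peer leaks parity of x:", confined_secret(x) == 1, "x even:", x % 2 == 0)
```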
2010, EPRINT
The Direct Recording Electronic (DRE) system commonly uses touch-screen technology to directly record votes. It can provide several benefits in large-scale electronic voting, including usability, accessibility and efficiency. Unfortunately, a lack of tallying integrity in many existing products has largely discredited the entire approach along with its merits. To address this problem, we propose a cryptographic protocol called DRE-i, where i stands for integrity. We take a broad interpretation of the DRE, which includes not only touch-screen machines, as deployed at polling stations, but also remote voting systems conducted over the Internet or mobile phones. In all cases, the system records electronic votes directly, although the implementations are different. Our DRE-i protocol provides a drop-in solution to add integrity assurance to any DRE voting system without altering the voter's intuitive voting experience. It preserves election tallying integrity even if the DRE machine is completely corrupted, although in that case vote secrecy will be compromised. The protocol requires a medium (e.g., an attached printer, email, or SMS) to which the DRE machine can write the commitment data. In addition, it requires a public bulletin board that everyone can read. Whilst past electronic voting protocols generally assume trusted computing or rely on trustees (i.e., tallying authorities), our proposal depends on neither. The protocol is self-tallying -- that is, anyone can tally the votes, without involving tallying authorities at all.

PKC 2019