
    Post-Quantum Account Recovery for Passwordless Authentication

    WebAuthn is a passwordless authentication protocol which allows users to authenticate to online services using public-key cryptography. Users prove their identity based on possession of a private key, which is stored on a device such as a cell phone or a USB security token. This approach avoids many of the common security problems with password-based authentication. The reliance on possession as opposed to knowledge leads to a usability issue, however: a user who loses access to their authenticator device either loses access to their accounts or is required to fall back on a weaker authentication mechanism for recovery. Yubico has proposed a protocol which allows a user to link two tokens in such a way that one (the primary authenticator) can generate public keys on behalf of the other (the backup authenticator). This allows users to use WebAuthn with a single token, only using their backup token if necessary for account recovery. However, Yubico's protocol relies on the hardness of the discrete log problem for its security and hence is vulnerable to an attacker with a powerful enough quantum computer. We present a WebAuthn backup protocol which can be instantiated with quantum-safe primitives. We also critique the security model used in previous analysis of Yubico's protocol, proposing a new framework which we use to evaluate the security of both the group-based and the post-quantum protocol. This leads us to uncover a weakness in Yubico's proposal which escaped detection in prior work but was revealed by our model. In our security analysis, we find that a number of novel security properties of the cryptographic primitives underlying the protocols are required; we formalize these and prove that well-known algorithms satisfy the properties required for the analysis of our post-quantum protocol. For the group-based protocol, we require a novel Diffie–Hellman-like assumption; we leave further evaluation of this property to future work.

    A Novel Blind Signature Scheme Based On Discrete Logarithm Problem With Un-traceability

    Blind signatures are a special type of digital signature with two distinctive properties, blindness and untraceability, which matter for real-world applications that require authentication, integrity, security, anonymity and privacy. David Chaum [2] was the first to propose the concept of blind signatures; the security of his scheme rests on the difficulty of the factoring problem [3, 4]. The two properties a blind signature scheme needs in order to be usable in modern applications are blindness and untraceability [2, 5, 6]. Blindness means that the signer cannot learn the contents of the message while signing it, which is achieved by disguising (blinding) the message through various methods. Untraceability means that the signer cannot link a blinded message it signed to the unblinded message-signature pair it may later be asked to verify. Blind signatures based on the discrete logarithm problem are still an area with much scope for research. We propose a novel blind signature scheme with untraceability, based on the discrete logarithm problem.
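The two properties the abstract defines, blindness and untraceability, are easiest to see in a concrete protocol. The following is an added example and not code from the paper above (whose own scheme is not reproduced on this page): a textbook blind Schnorr signature over a prime-order subgroup of Z_p*. The toy parameters P, Q, G are an assumption chosen so the example runs instantly, and the `explains` check demonstrates untraceability by showing that every transcript the signer saw is consistent with every signature that came out, so the signer cannot tell which session produced which signature.

```python
"""Blind Schnorr signature over a prime-order subgroup (added example, not the paper's code)."""
import hashlib
import secrets

# Toy parameters (assumption for a self-contained demo): P = 2Q + 1 is a safe prime
# and G = 4 is a quadratic residue mod P, so it generates the order-Q subgroup.
# A real deployment uses a 2048-bit-or-larger group or an elliptic curve.
P, Q, G = 2039, 1019, 4
_WIDTH = (P.bit_length() + 7) // 8


def challenge(R: int, y: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || y || msg) reduced into Z_Q."""
    data = R.to_bytes(_WIDTH, "big") + y.to_bytes(_WIDTH, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Signer key pair (x, y = G^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def signer_commit():
    """Step 1 (signer): fresh nonce k and commitment R = G^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def user_blind(R, y, msg):
    """Step 2 (user): blind R with alpha, beta and send the blinded challenge e.
    Blindness: e = e_ + beta is uniform in Z_Q, so it reveals nothing about msg or e_."""
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_ = R * pow(G, alpha, P) * pow(y, beta, P) % P   # the R the verifier will see
    e_ = challenge(R_, y, msg)                        # the challenge the verifier recomputes
    e = (e_ + beta) % Q                               # what the signer actually signs
    return e, (alpha, R_)


def signer_respond(x, k, e):
    """Step 3 (signer): s = k + x*e mod Q. The signer never sees msg or R_."""
    return (k + x * e) % Q


def user_unblind(s, state):
    """Step 4 (user): s_ = s + alpha; the final signature is (R_, s_)."""
    alpha, R_ = state
    return R_, (s + alpha) % Q


def verify(y, msg, sig):
    """Standard Schnorr check G^s_ == R_ * y^H(R_, y, msg)."""
    R_, s_ = sig
    return pow(G, s_, P) == R_ * pow(y, challenge(R_, y, msg), P) % P


def run_session(x, y, msg):
    """Full exchange; returns the signer's view (R, e, s) and the final signature."""
    k, R = signer_commit()
    e, state = user_blind(R, y, msg)
    s = signer_respond(x, k, e)
    return (R, e, s), user_unblind(s, state)


def explains(view, y, msg, sig):
    """Untraceability check: does the signer's view (R, e, s) fit signature (R_, s_)
    on msg for some blinding pair? The only candidates are alpha = s_ - s and
    beta = e - e_, so recompute R_ from them and compare."""
    R, e, s = view
    R_, s_ = sig
    alpha = (s_ - s) % Q
    beta = (e - challenge(R_, y, msg)) % Q
    return R * pow(G, alpha, P) * pow(y, beta, P) % P == R_


def untraceability_demo():
    """Two sessions on two messages: every view explains every signature (all True)."""
    x, y = keygen()
    msgs = [b"coin #1", b"coin #2"]                    # constructed sample messages
    runs = [run_session(x, y, m) for m in msgs]
    assert all(verify(y, m, sig) for m, (_, sig) in zip(msgs, runs))
    return [[explains(view, y, m, sig) for m, (_, sig) in zip(msgs, runs)]
            for view, _ in runs]
```

Because `explains` returns True for every (view, signature) pair, the signer's transcripts carry no information about which signature they produced, which is exactly the untraceability property. A practitioner caveat that the abstract's property list does not cover: this plain blind Schnorr construction is only safe when signing sessions are run one at a time; with many concurrent sessions it is forgeable via the ROS attack (Benhamouda et al., EUROCRYPT 2021), so a deployment must serialize sessions or use a scheme designed for concurrency.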

    Security Analysis of Signature Schemes with Key Blinding

    Digital signatures are fundamental components of public key cryptography. They allow a signer to generate verifiable and unforgeable proofs---signatures---over arbitrary messages with a private key, and allow recipients to verify the proofs against the corresponding and expected public key. These properties are used in practice for a variety of use cases, ranging from identity or data authenticity to non-repudiation. Unsurprisingly, signature schemes are widely used in security protocols deployed on the Internet today. In recent years, some protocols have extended the basic syntax of signature schemes to support key blinding, a.k.a. key randomization. Roughly speaking, key blinding is the process by which a private signing key or public verification key is blinded (randomized) to hide information about the key pair. This is generally done for privacy reasons and has found applications in Tor and Privacy Pass. Recently, Denis, Eaton, Lepoint, and Wood proposed a technical specification for signature schemes with key blinding in an IETF draft. In this work, we analyze the constructions in this emerging specification. We demonstrate that the constructions provided satisfy the desired security properties for signature schemes with key blinding. We experimentally evaluate the constructions and find that they introduce a very reasonable 2-3x performance overhead compared to the base signature scheme. Our results complement the ongoing standardization efforts for this primitive.

    Inductive analysis of security protocols in Isabelle/HOL with applications to electronic voting

    Security protocols are predefined sequences of message exchanges. Their use over computer networks aims to provide certain guarantees to protocol participants. The sensitive nature of many applications resting on protocols encourages the use of formal methods to provide rigorous correctness proofs. This dissertation presents extensions to the Inductive Method for protocol verification in the Isabelle/HOL interactive theorem prover. The current state of the Inductive Method and of other protocol analysis techniques is reviewed. Protocol composition modelling in the Inductive Method is introduced and put into practice by holistically verifying the composition of a certification protocol with an authentication protocol. Unlike some existing approaches, we are not constrained by independence requirements or search space limitations. A special kind of identity-based signatures, auditable ones, is specified in the Inductive Method and integrated into an analysis of a recent ISO/IEC 9798-3 protocol. A side-by-side verification features both a version of the protocol with auditable identity-based signatures and a version with plain ones. The largest part of the thesis presents extensions for the verification of electronic voting protocols. Innovative specification and verification strategies are described. The crucial property of voter privacy, being the impossibility of knowing how a specific voter voted, is modelled as an unlinkability property between pieces of information. Unlinkability is then specified in the Inductive Method using novel message operators. An electronic voting protocol by Fujioka, Okamoto and Ohta is modelled in the Inductive Method. Its classic confidentiality properties are verified, followed by voter privacy. The approach is shown to be generic enough to be re-usable on other protocols while maintaining a coherent line of reasoning. We compare our work with the widespread process equivalence model and examine their respective strengths.

    PrivDRM : a privacy-preserving secure Digital Right Management system

    Digital Rights Management (DRM) is a technology developed to prevent illegal reproduction and distribution of digital content. It protects the rights of content owners by allowing only authorised consumers to legitimately access the associated digital content. DRM systems typically use a consumer's identity for authentication, and some also collect consumers' preferences in order to issue a content license. DRM systems thus disadvantage content consumers by neglecting their privacy while focusing on securing the content, i.e. they are biased towards content owners. This paper proposes the Privacy-Preserving Digital Rights Management System (PrivDRM), which allows a consumer to acquire digital content together with its license without disclosing complete personal information and without using any third parties. To evaluate the performance of the proposed solution, a prototype of the PrivDRM system has been developed and investigated. A security analysis of attacks and threats shows that PrivDRM provides countermeasures against well-known attacks and achieves the privacy requirements. In addition, a comparison with some well-known proposals shows that PrivDRM outperforms them in terms of processing overhead.

    SoK: Signatures With Randomizable Keys

    Digital signature schemes with specific properties have recently seen various real-world applications with a strong emphasis on privacy-enhancing technologies. They have been extensively used to develop anonymous credential schemes and to achieve an even more comprehensive range of functionalities in the decentralized web. Substantial work has been done to formalize different types of signatures where an allowable set of transformations can be applied to message-signature pairs to obtain new related pairs. Most of the previous work focused on transformations with respect to the message being signed, but little has been done to study what happens when transformations apply to the signing keys. A first attempt to thoroughly formalize such aspects was carried out by Derler and Slamanig (ePrint '16, Designs, Codes and Cryptography '19), followed by the more recent efforts by Backes et al. (ASIACRYPT '18) and Eaton et al. (ePrint '23). However, the literature on the topic is vast and different terminology is used across contributions, which makes it difficult to compare related works and understand the range of applications covered by a given construction. In this work, we present a unified view of signatures with randomizable keys and revisit their security properties. We focus on state-of-the-art constructions and related applications, identifying existing challenges. Our systematization allows us to highlight gaps, open questions and directions for future research on signatures with randomizable keys.
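Both the key-blinding analysis above ("Security Analysis of Signature Schemes with Key Blinding") and this SoK talk about randomizing a signing key and its verification key together. The following added example, which is not code from either paper or from the IETF draft, shows the mechanism for Ed25519 in pure Python: a minimal RFC 8032 implementation plus a multiplicative blind, where the signer multiplies its secret scalar by a blind b and anyone holding the public key and the blinding key derives b*pk. The derivation of b from the blinding key, the domain-separation string and the blinded nonce prefix are assumptions and are simplified relative to the draft's exact hashing; the demonstrated property is that the blinded signature verifies only against the blinded key and that the blinded key is deterministic given the blinding key.

```python
"""Ed25519 with multiplicative key blinding. Added example in pure Python, not the
papers' or the IETF draft's code; lines marked 'assumption' simplify the draft's hashing."""
import hashlib

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = -121665 * pow(121666, P - 2, P) % P               # curve constant d
I = pow(2, (P - 1) // 4, P)                           # sqrt(-1), used in x recovery


def _inv(x): return pow(x, P - 2, P)


def _xrecover(y):
    """Solve -x^2 + y^2 = 1 + d*x^2*y^2 for the even root x."""
    xx = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * I % P
    return P - x if x & 1 else x


_BY = 4 * _inv(5) % P
B = (_xrecover(_BY), _BY)                             # base point


def _add(p1, p2):
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % P)


def _mul(p, e):
    r = (0, 1)                                        # neutral element
    while e:
        if e & 1:
            r = _add(r, p)
        p = _add(p, p)
        e >>= 1
    return r


def _enc(p):
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _dec(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != sign:
        x = P - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % P:
        raise ValueError("point not on curve")
    return x, y


def _hint(m): return int.from_bytes(hashlib.sha512(m).digest(), "little")


def _expand(seed):
    """RFC 8032 key expansion: clamped scalar a and the 32-byte nonce prefix."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]


def _sign_with(a, prefix, msg):
    pk = _enc(_mul(B, a))
    r = _hint(prefix + msg) % L
    R = _enc(_mul(B, r))
    s = (r + _hint(R + pk + msg) * a) % L
    return R + s.to_bytes(32, "little")


def public_key(seed): return _enc(_mul(B, _expand(seed)[0]))


def sign(seed, msg): return _sign_with(*_expand(seed), msg)


def verify(pk, msg, sig):
    if len(sig) != 64:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= L:
        return False
    return _mul(B, s) == _add(R, _mul(A, _hint(sig[:32] + pk + msg) % L))


def _blind_scalar(bk, ctx):
    # Assumption: simplified derivation of the blind b in [1, L); the draft fixes its own inputs.
    return _hint(b"ed25519-key-blind" + bk + ctx) % (L - 1) + 1


def blind_public_key(pk, bk, ctx=b""):
    """Derive the blinded verification key b*pk from pk and the blinding key bk alone."""
    return _enc(_mul(_dec(pk), _blind_scalar(bk, ctx)))


def blind_sign(seed, bk, msg, ctx=b""):
    """Sign under a*b mod L; the result verifies only against blind_public_key(pk, bk)."""
    a, prefix = _expand(seed)
    prefix_b = hashlib.sha512(prefix + bk + ctx).digest()   # nonce prefix bound to bk (assumption)
    return _sign_with(a * _blind_scalar(bk, ctx) % L, prefix_b, msg)
```

The check worth keeping in mind when deploying this: the blinded key a*b is no longer a clamped Ed25519 scalar, and the nonce prefix must change with the blind, otherwise two signatures on the same message under different blinds would reuse r with different secret scalars. The design here re-derives the prefix from bk for that reason; a real implementation should follow the draft's derivation rather than this stand-in.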

    Bitcoin Protocol Main Threats

    In this paper we explain the basics of the Bitcoin protocol and the state of the art of the main attacks on it. We first present an overview of digital currencies, showing what they are and the social need they aim to satisfy. We then focus on the main digital currency to date, Bitcoin. We cover the basics of the protocol, showing what addresses and transactions are and how they are used in a distributed consensus protocol to build the blockchain. After that, the main part of this paper presents the state of the art of the three main attacks on the protocol: fraudulent mining techniques, double spending attempts and deanonymization attacks.

    Cryptography for Bitcoin and friends

    Numerous cryptographic extensions to Bitcoin have been proposed since Satoshi Nakamoto introduced the revolutionary design in 2008. However, only a few proposals have been adopted in Bitcoin and other prevalent cryptocurrencies, whose resistance to fundamental changes has proven to grow with their success. In this dissertation, we introduce four cryptographic techniques that advance the functionality and privacy provided by Bitcoin and similar cryptocurrencies without requiring fundamental changes in their design. First, we realize smart contracts that disincentivize parties in distributed systems from making contradicting statements by penalizing such behavior with the loss of funds in a cryptocurrency. Second, we propose CoinShuffle++, a coin mixing protocol which improves the anonymity of cryptocurrency users by combining their transactions and thereby making it harder for observers to trace those transactions. The core of CoinShuffle++ is DiceMix, a novel and efficient protocol for broadcasting messages anonymously without the help of any trusted third-party anonymity proxies and in the presence of malicious participants. Third, we combine coin mixing with the existing idea of hiding payment values in homomorphic commitments to obtain the ValueShuffle protocol, which enables us to overcome major obstacles to the practical deployment of coin mixing protocols. Fourth, we show how to prepare the aforementioned homomorphic commitments for a safe transition to post-quantum cryptography.