Adversarial Wiretap Channel with Public Discussion

Wyner's elegant model of wiretap channel exploits noise in the communication channel to provide perfect secrecy against a computationally unlimited eavesdropper without requiring a shared key. We consider an adversarial model of wiretap channel proposed in [18,19] where the adversary is active: it selects a fraction $\rho_r$ of the transmitted codeword to eavesdrop and a fraction $\rho_w$ of the codeword to corrupt by "adding" adversarial error. It was shown that this model also captures network adversaries in the setting of 1-round Secure Message Transmission [8]. It was proved that secure communication (1-round) is possible if and only if $\rho_r + \rho_w <1$. In this paper we show that by allowing communicants to have access to a public discussion channel (authentic communication without secrecy) secure communication becomes possible even if $\rho_r + \rho_w >1$. We formalize the model of \awtppd protocol and for two efficiency measures, {\em information rate } and {\em message round complexity} derive tight bounds. We also construct a rate optimal protocol family with minimum number of message rounds. We show application of these results to Secure Message Transmission with Public Discussion (SMT-PD), and in particular show a new lower bound on transmission rate of these protocols together with a new construction of an optimal SMT-PD protocol

Special Soundness in the Random Oracle Model

We generalize the knowledge extractor for constant-round special sound protocols presented by Wikström (2018) to a knowledge extractor for the corresponding non-interactive Fiat-Shamir proofs in the random oracle model and give an exact analysis of the extraction error and running time. Relative the interactive case the extraction error is increased by a factor $\ell$ and the running time is increased by a factor $O(\ell)$, where $\ell$ is the number of oracle queries made by the prover. Through carefully chosen notation and concepts, and a technical lemma, we effectively recast the extraction problem of the notoriously complex non-interactive case to the interactive case. Thus, our approach may be of independent interest

How to Explain Modern Security Concepts to your Children

International audienceAt the main cryptography conference CRYPTO in 1989, Quisquater et al. published a paper showing how to explain the complex notion of zero-knowledge proof in a simpler way that children can understand. In the same line of work, we present simple and intuitive explanations of various modern security concepts and technologies, including symmetric encryption, public key encryption, homomorphic encryption, intruder models (CPA, CCA1, CCA2) and security properties (OW, IND, NM). The explanations given in this paper may also serve in demystifying such complex security notions for non-expert adults

Fast Privacy-Preserving Punch Cards

Loyalty programs in the form of punch cards that can be redeemed for benefits have long been a ubiquitous element of the consumer landscape. However, their increasingly popular digital equivalents, while providing more convenience and better bookkeeping, pose a considerable privacy risk. This paper introduces a privacy-preserving punch card protocol that allows firms to digitize their loyalty programs without forcing customers to submit to corporate surveillance. We also present a number of extensions that allow our scheme to provide other privacy-preserving customer loyalty features. Compared to the best prior work, we achieve a $14\times$ reduction in the computation and a $11\times$ reduction in the communication required to perform a "hole punch," a $55\times$ reduction in the communication required to redeem a punch card, and a $128\times$ reduction in the computation time required to redeem a card. Much of our performance improvement can be attributed to removing the reliance on pairings or range proofs present in prior work, which has only addressed this problem in the context of more general loyalty systems. By tailoring our scheme to punch cards and related loyalty systems, we demonstrate that we can reduce communication and computation costs by orders of magnitude

Weakly Extractable One-Way Functions

A family of one-way functions is extractable if given a random function in the family, an efficient adversary can only output an element in the image of the function if it knows a corresponding preimage. This knowledge extraction guarantee is particularly powerful since it does not require interaction. However, extractable one-way functions (EFs) are subject to a strong barrier: assuming indistinguishability obfuscation, no EF can have a knowledge extractor that works against all polynomial-size non-uniform adversaries. This holds even for non-black-box extractors that use the adversary’s code. Accordingly, the literature considers either EFs based on non-falsifiable knowledge assumptions, where the extractor is not explicitly given, but it is only assumed to exist, or EFs against a restricted class of adversaries with a bounded non-uniform advice. This falls short of cryptography’s gold standard of security that requires an explicit reduction against non-uniform adversaries of arbitrary polynomial size. Motivated by this gap, we put forward a new notion of weakly extractable one-way functions (WEFs) that circumvents the known barrier. We then prove that WEFs are inextricably connected to the long standing question of three-message zero knowledge protocols. We show that different flavors of WEFs are sufficient and necessary for three-message zero knowledge to exist. The exact flavor depends on whether the protocol is computational or statistical zero knowledge and whether it is publicly or privately verifiable. Combined with recent progress on constructing three message zero-knowledge, we derive a new connection between keyless multi-collision resistance and the notion of incompressibility and the feasibility of non-interactive knowledge extraction. Another interesting corollary of our result is that in order to construct three-message zero knowledge arguments, it suffices to construct such arguments where the honest prover strategy is unbounded

Witness-Indistinguishable Arguments with Σ\Sigma-Protocols for Bundled Witness Spaces and its Application to Global Identities

We propose a generic construction of a $\Sigma$-protocol of commit-and-prove type, which is an AND-composition of $\Sigma$-protocols on statements that include a common commitment. Our protocol enables a prover to convince a verifier that the prover knows a bundle of witnesses that have a common component which we call a base witness point. When the component $\Sigma$-protocols are of witness-indistinguishable argument systems, our $\Sigma$-protocol is also a witness-indistinguishable argument system as a whole. As an application, we propose a decentralized multi-authority anonymous authentication scheme. We first give a syntax and security definitions of the scheme. Then we give a generic construction of the scheme. There a witness is a bundle of witnesses each of which decomposes into a common global identity string and a digital signature on it. We mention an instantiation in the setting of bilinear groups

Security Analysis and Improvements of Session Key Establishment for Clustered Sensor Networks

WSN (wireless sensor network) is one of the main technologies in IoT (Internet of Things) applications or services. To date, several schemes have been proposed to establish a pair-wise key between two nodes in WSN, and most of them are designed to establish long-term keys used throughout the network lifetime. However, in the near future, if WSN will be used for information infrastructures in various fields such as manufacturing, distribution, or public facilities management and its life cycle can be as long as that of other common networks, it will definitely be advantageous in terms of security to encrypt messages using session keys instead of long-term keys. In this paper, we propose a session key establishment scheme for clustered sensor networks that is based on elliptic curve Diffie-Hellman (ECDH) key exchange and hash chain. The proposed scheme eliminates vulnerabilities of existing schemes for WSN and has improved security. The proposed scheme is efficient in terms of energy costs compared to related schemes