Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Efficient signature verification and key revocation using identity based cryptography

Cryptography deals with the development and evaluation of procedures for securing digital information. It is essential whenever multiple entities want to communicate safely. One task of cryptography concerns digital signatures and the verification of a signer’s legitimacy requires trustworthy authentication and authorization. This is achieved by deploying cryptographic keys. When dynamic membership behavior and identity theft come into play, revocation of keys has to be addressed. Additionally, in use cases with limited networking, computational, or storage resources, efficiency is a key requirement for any solution. In this work we present a solution for signature verification and key revocation in constraned environments, e.g., in the Internet of Things (IoT). Where other mechanisms generate expensive overheads, we achieve revocation through a single multicast message without significant computational or storage overhead. Exploiting Identity Based Cryptography (IBC) complements the approach with efficient creation and verification of signatures. Our solution offers a framework for transforming a suitable signature scheme to a so-called Key Updatable Signature Scheme (KUSS) in three steps. Each step defines mathematical conditions for transformation and precise security notions. Thereby, the framework allows a novel combination of efficient Identity Based Signature (IBS) schemes with revocation mechanisms originally designed for confidentiality in group communications. Practical applicability of our framework is demonstrated by transforming four well-established IBS schemes based on Elliptic Curve Cryptography (ECC). The security of the resulting group Identity Based Signature (gIBS) schemes is carefully analyzed with techniques of Provable Security. We design and implement a testbed for evaluating these kind of cryptographic schemes on different computing- and networking hardware, typical for constrained environments. Measurements on this testbed provide evidence that the transformations are practicable and efficient. The revocation complexity in turn is significantly reduced compared to existing solutions. Some of our new schemes even outperform the signing process of the widely used Elliptic Curve Digital Signature Algorithm (ECDSA). The presented transformations allow future application on schemes beyond IBS or ECC. This includes use cases dealing with Post-Quantum Cryptography, where the revocation efficiency is similarly relevant. Our work provides the basis for such solutions currently under investigation.Die Kryptographie ist ein Instrument der Informationssicherheit und beschäftigt sich mit der Entwicklung und Evaluierung von Algorithmen zur Sicherung digitaler Werte. Sie ist für die sichere Kommunikation zwischen mehreren Entitäten unerlässlich. Ein Bestandteil sind digitale Signaturen, für deren Erstellung man kryptographische Schlüssel benötigt. Bei der Verifikation muss zusätzlich die Authentizität und die Autorisierung des Unterzeichners gewährleistet werden. Dafür müssen Schlüssel vertrauensvoll verteilt und verwaltet werden. Wenn sie in Kommunikationssystemen mit häufig wechselnden Teilnehmern zum Einsatz kommen, müssen die Schlüssel auch widerruflich sein. In Anwendungsfällen mit eingeschränkter Netz-, Rechen- und Speicherkapazität ist die Effizienz ein wichtiges Kriterium. Diese Arbeit liefert ein Rahmenwerk, mit dem Schlüssel effizient widerrufen und Signaturen effizient verifiziert werden können. Dabei fokussieren wir uns auf Szenarien aus dem Bereich des Internets der Dinge (IoT, Internet of Things). Im Gegensatz zu anderen Lösungen ermöglicht unser Ansatz den Widerruf von Schlüsseln mit einer einzelnen Nachricht innerhalb einer Kommunikationsgruppe. Dabei fällt nur geringer zusätzlicher Rechen- oder Speicheraufwand an. Ferner vervollständigt die Verwendung von Identitätsbasierter Kryptographie (IBC, Identity Based Cryptography) unsere Lösung mit effizienter Erstellung und Verifikation der Signaturen. Hierfür liefert die Arbeit eine dreistufige mathematische Transformation von geeigneten Signaturverfahren zu sogenannten Key Updatable Signature Schemes (KUSS). Neben einer präzisen Definition der Sicherheitsziele werden für jeden Schritt mathematische Vorbedingungen zur Transformation festgelegt. Dies ermöglicht die innovative Kombination von Identitätsbasierten Signaturen (IBS, Identity Based Signature) mit effizienten und sicheren Mechanismen zum Schlüsselaustausch, die ursprünglich für vertrauliche Gruppenkommunikation entwickelt wurden. Wir zeigen die erfolgreiche Anwendung der Transformationen auf vier etablierten IBSVerfahren. Die ausschließliche Verwendung von Verfahren auf Basis der Elliptic Curve Cryptography (ECC) erlaubt es, den geringen Kapazitäten der Zielgeräte gerecht zu werden. Eine Analyse aller vier sogenannten group Identity Based Signature (gIBS) Verfahren mit Techniken aus dem Forschungsgebiet der Beweisbaren Sicherheit zeigt, dass die zuvor definierten Sicherheitsziele erreicht werden. Zur praktischen Evaluierung unserer und ähnlicher kryptographischer Verfahren wird in dieser Arbeit eine Testumgebung entwickelt und mit IoT-typischen Rechen- und Netzmodulen bestückt. Hierdurch zeigt sich sowohl die praktische Anwendbarkeit der Transformationen als auch eine deutliche Reduktion der Komplexität gegenüber anderen Lösungsansätzen. Einige der von uns vorgeschlagenen Verfahren unterbieten gar die Laufzeiten des meistgenutzten Elliptic Curve Digital Signature Algorithm (ECDSA) bei der Erstellung der Signaturen. Die Systematik der Lösung erlaubt prinzipiell auch die Transformation von Verfahren jenseits von IBS und ECC. Dadurch können auch Anwendungsfälle aus dem Bereich der Post-Quanten-Kryptographie von unseren Ergebnissen profitieren. Die vorliegende Arbeit liefert die nötigen Grundlagen für solche Erweiterungen, die aktuell diskutiert und entwickelt werden

ID-Based Key Agreement for WANETs

2013 - 2014The increasing interest about wireless ad hoc networks (WANETs) is due to some key features not owned by traditional networks such as nodes mobility, network self-organization and the ability to rely on infrastructure-less setup. WANETs can be used in many application scenarios such as health care, environmental monitoring, military and many others commercial applications. Unfortunately, the open nature of the communication channel exposes WANETs to a great number of security threats (e.g. jamming, eavesdropping, node replication, unfairness, wormhole, packet injection). The security of WANETs hinges on node authentication, which by mean of Cryptography can be obtained through key distribution mechanisms. Moreover, WANET applications often require the establishment of session keys, that will be used for encryption, message authentication and others cryptographic purposes. In this thesis we present a cryptographic framework for WANETs, named JIKA (Java framework for ID-based key agreement) which simulates a key generation center (KGC) and offers an ID-based key distribution service for signature schemes and key agreement protocols. Moreover, JIKA makes use of elliptic curve cryptography (ECC) which allows fast computations, small key size and short signatures of messages. It includes two new ID-based signature schemes (IBS-1 and IBS-2) which get shorter signatures, an ID-based two-party key agreement protocol (eFG) and two new group key agreement protocols (GKA v1 and GKA v2). GKA protocols are full-contributory and offer implicit key authentication through the ID-based signature schemes described above, at the cost of just two rounds... [edited by Author]XIII n.s

Revisiting an Efficient Elliptic Curve Key Agreement Protocol

A recent paper by Wang \emph{et al.} has revealed a vulnerability in the ECKE-1 key agreement protocol. In particular, contrary to the author\u27s claims, protocol ECKE-1 is shown to be susceptible to a key-compromise impersonation attack. This attack was also independently pointed out by the author in another recent paper published in the EURASIP Journal on Embedded Systems. Here we present a revised version of the protocol, ECKE-1R, that is key-compromise impersonation resilient at the expense of a higher computational workload and communication complexity with respect to the original protocol ECKE-1

Still Wrong Use of Pairings in Cryptography

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too ine cient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/e ciency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings

Lightweight Public Key Encryption in Post-Quantum Computing Era

Confidentiality in our digital world is based on the security of cryptographic algorithms. These are usually executed transparently in the background, with people often relying on them without further knowledge. In the course of technological progress with quantum computers, the protective function of common encryption algorithms is threatened. This particularly affects public-key methods such as RSA and DH based on discrete logarithms and prime factorization. Our concept describes the transformation of a classical asymmetric encryption method to a modern complexity class. Thereby the approach of Cramer-Shoup is put on the new basis of elliptic curves. The system is provable cryptographically strong, especially against adaptive chosen-ciphertext attacks. In addition, the new method features small key lengths, making it suitable for Internet-of-Things. It represents an intermediate step towards an encryption scheme based on isogeny elliptic curves. This approach shows a way to a secure encryption scheme for the post-quantum computing era

Secure and Lightweight Authentication Protocols for Devices in Internet of Things

The Internet of Things (IoT) has become an intriguing trend worldwide as it allows any smart device with an IP address to participate in a highly immersive and connected environment that integrates physical, digital and social aspects of the user’s lives. The perpetual growth of IoT devices is resulting in less attention on the security side allowing attackers to find easy ways to exploit the devices. Hence, security is one of the important and challenging research areas in IoT. Furthermore, the resource-constrained nature of these devices results in poor performance when the traditional security protocols are used. In this thesis, we propose secure and lightweight authentication protocols for devices in IoT. A centralized network model is considered where the devices in the perception layer are mutually authenticated with the gateway of the system. A mutual authentication mechanism which uses symmetric key negotiation using Elliptic Curve Diffie-Hellman(ECDH) in the registration part of the protocol to protect the credentials of the devices and at the same time it minimizes the computation cost on the devices. At the end of the authentication, key agreement based on the symmetric key cryptography is established between the sensor devices and the gateway. Further, Elliptic Curve Integrated Encryption Scheme (ECIES) method is used to avoid the possibility of man-in-the-middle attack(MITM) in the registration phase of the previous protocol. An informal security verification of the protocols is presented which proves that they are resilient against perception layer attacks. The performance evaluation based on the metrics such as execution time, communication cost, computation cost of the protocol has been performed after the protocol is simulated in the Cooja simulator under Contiki OS environment. Further, the comparison results with the existing protocols show that the proposed system is lightweight as it provides low computation cost and better execution time

Security Analysis of CPace

In response to standardization requests regarding password-authenticated key exchange (PAKE) protocols, the IRTF working group CFRG has setup a PAKE selection process in 2019, which led to the selection of the CPace protocol in the balanced setting, in which parties share a common password. In subsequent standardization efforts, the CPace protocol further developed, yielding a protocol family whose actual security guarantees in practical settings are not well understood. In this paper, we provide a comprehensive security analysis of CPace in the universal composability framework. Our analysis is realistic in the sense that it captures adaptive corruptions and refrains from modeling CPace's Map2Pt function that maps field elements to curve points as an idealized function. In order to extend our proofs to different CPace variants optimized for specific elliptic-curve ecosystems, we employ a new approach which represents the assumptions required by the proof as libraries accessed by a simulator. By allowing for the modular replacement of assumptions used in the proof, this new approach avoids a repeated analysis of unchanged protocol parts and lets us efficiently analyze the security guarantees of all the different CPace variants. As a result of our analysis, all of the investigated practical CPace variants enjoy adaptive UC security

Group Key Agreement for Ad Hoc Networks

Over the last 30 years the study of group key agreement has stimulated much work. And as a result of the increased popularity of ad hoc networks, some approaches for the group key establishment in such networks are proposed. However, they are either only for static group or the memory, computation and communication costs are unacceptable for ad-hoc networks. In this thesis some protocol suites from the literature (2^d-cube, 2^d-octopus, Asokan-Ginzboorg, CLIQUES, STR and TGDH) shall be discussed. We have optimized STR and TGDH by reducing the memory, communication and computation costs. The optimized version are denoted by µSTR and µTGDH respectively. Based on the protocol suites µSTR and µTGDH we present a Tree-based group key agreement Framework for Ad-hoc Networks (TFAN). TFAN is especially suitable for ad-hoc networks with limited bandwidth and devices with limited memory and computation capability. To simulate the protocols, we have implemented TFAN, µSTR and µTGDH with J2ME CDC. The TFAN API will be described in this thesis

Security in Key Agreement: Two-Party Certificateless Schemes

The main goal of cryptography is to enable secure communication over a public channel; often a secret shared among the communicating parties is used to achieve this. The process by which these parties agree on such a shared secret is called key agreement. In this thesis, we focus on two-party key agreement protocols in the public-key setting and study the various methods used to establish and validate public keys. We pay particular attention to certificateless key agreement schemes and attempt to formalize a relevant notion of security. To that end, we give a possible extension of the existing extended Canetti-Krawzcyk security model applicable to the certificateless setting. We observe that none of the certificateless protocols we have seen in the literature are secure in this model; it is an open question whether such schemes exist. We analyze several published certificateless key agreement protocols, demonstrating the existence of key compromise impersonation attacks and even a man-in-the-middle attack in one case, contrary to the claims of the authors. We also briefly describe weaknesses exhibited by these protocols in the context of our suggested security model