Security Proofs for Identity-Based Identification and Signature Schemes

This paper provides either security proofs or attacks for a large number of identity-based identification and signature schemes defined either explicitly or implicitly in existing literature. Underlying these is a framework that on the one hand helps explain how these schemes are derived, and on the other hand enables modular security analyses, thereby helping to understand, simplify and unify previous work. We also analyze a generic folklore construction that in particular yields identity-based identification and signature schemes without random oracles

A Pairing-free Provable Secure and Efficient Identity-based Identification Scheme with Anonymity

In this paper, we propose a Blind Identity-Based Identification (Blind IBI) scheme based on the Guillou-Quisquater (GQ) scheme. Our proposed scheme combines the benefits of traditional Identity-Based Identification (IBI) schemes that can authenticate a user’s identity without rely ing on a trusted third party with the Blind Signature (BS) scheme that provides anonymity. As a result, the proposed scheme assures absolute user privacy during the authentication process. It does not rely on a third party, yet the verifier can still be assured of the user’s identity with out the user actually revealing it. In our work, we show that the proposed scheme is provably secure under the random oracle model, with the assumption that the one-more-RSA-inversion problem is difficult. Furthermore, we demonstrate that the proposed scheme is secure against passive, active, and concurrent impersonation attacks. In conclusion, the proposed scheme is able to achieve the desired blindness property without compromising the security of the GQ-IBI scheme it is based upon

Trapdoor commitment schemes and their applications

Informally, commitment schemes can be described by lockable steely boxes. In the commitment phase, the sender puts a message into the box, locks the box and hands it over to the receiver. On one hand, the receiver does not learn anything about the message. On the other hand, the sender cannot change the message in the box anymore. In the decommitment phase the sender gives the receiver the key, and the receiver then opens the box and retrieves the message. One application of such schemes are digital auctions where each participant places his secret bid into a box and submits it to the auctioneer. In this thesis we investigate trapdoor commitment schemes. Following the abstract viewpoint of lockable boxes, a trapdoor commitment is a box with a tiny secret door. If someone knows the secret door, then this person is still able to change the committed message in the box, even after the commitment phase. Such trapdoors turn out to be very useful for the design of secure cryptographic protocols involving commitment schemes. In the first part of the thesis, we formally introduce trapdoor commitments and extend the notion to identity-based trapdoors, where trapdoors can only be used in connection with certain identities. We then recall the most popular constructions of ordinary trapdoor protocols and present new solutions for identity-based trapdoors. In the second part of the thesis, we show the usefulness of trapdoors in commitment schemes. Deploying trapdoors we construct efficient non-malleable commitment schemes which basically guarantee indepency of commitments. Furthermore, applying (identity-based) trapdoor commitments we secure well-known identification protocols against a new kind of attack. And finally, by means of trapdoors, we show how to construct composable commitment schemes that can be securely executed as subprotocols within complex protocols

Quantum Cryptography Beyond Quantum Key Distribution

Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries---including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference

Attribute-based Anonymous Credential: Optimization for Single-Use and Multi-Use

User attributes can be authenticated by an attribute-based anonymous credential while keeping the anonymity of the user. Most attribute-based anonymous credential schemes are designed specifically for either multi-use or single-use. In this paper, we propose a unified attribute-based anonymous credential system, in which users always obtain the same format of credential from the issuer. The user can choose to use it for an efficient multi-use or single-use show proof. It is a more user-centric approach than the existing schemes. Technically, we propose an interactive approach to the credential issuance protocol using a two-party computation with an additive homomorphic encryption. At the same time, it keeps the security property of impersonation resilience, anonymity, and unlinkability. Apart from the interactive protocol, we further design the show proofs for efficient single-use credentials which maintain the user anonymity

Cryptographic Protocols, Sensor Network Key Management, and RFID Authentication

This thesis includes my research on efficient cryptographic protocols, sensor network key management, and radio frequency identification (RFID) authentication protocols. Key exchange, identification, and public key encryption are among the fundamental protocols studied in cryptography. There are two important requirements for these protocols: efficiency and security. Efficiency is evaluated using the computational overhead to execute a protocol. In modern cryptography, one way to ensure the security of a protocol is by means of provable security. Provable security consists of a security model that specifies the capabilities and the goals of an adversary against the protocol, one or more cryptographic assumptions, and a reduction showing that breaking the protocol within the security model leads to breaking the assumptions. Often, efficiency and provable security are not easy to achieve simultaneously. The design of efficient protocols in a strict security model with a tight reduction is challenging. Security requirements raised by emerging applications bring up new research challenges in cryptography. One such application is pervasive communication and computation systems, including sensor networks and radio frequency identification (RFID) systems. Specifically, sensor network key management and RFID authentication protocols have drawn much attention in recent years. In the cryptographic protocol part, we study identification protocols, key exchange protocols, and ElGamal encryption and its variant. A formal security model for challenge-response identification protocols is proposed, and a simple identification protocol is proposed and proved secure in this model. Two authenticated key exchange (AKE) protocols are proposed and proved secure in the extended Canetti-Krawczyk (eCK) model. The proposed AKE protocols achieve tight security reduction and efficient computation. We also study the security of ElGamal encryption and its variant, Damgard’s ElGamal encryption (DEG). Key management is the cornerstone of the security of sensor networks. A commonly recommended key establishment mechanism is based on key predistribution schemes (KPS). Several KPSs have been proposed in the literature. A KPS installs pre-assigned keys to sensor nodes so that two nodes can communicate securely if they share a key. Multi-path key establishment (MPKE) is one component of KPS which enables two nodes without a shared key to establish a key via multiple node-disjoint paths in the network. In this thesis, methods to compute the k-connectivity property of several representative key predistribution schemes are developed. A security model for MPKE and efficient and secure MPKE schemes are proposed. Scalable, privacy-preserving, and efficient authentication protocols are essential for the success of RFID systems. Two such protocols are proposed in this thesis. One protocol uses finite field polynomial operations to solve the scalability challenge. Its security is based on the hardness of the polynomial reconstruction problem. The other protocol improves a randomized Rabin encryption based RFID authentication protocol. It reduces the hardware cost of an RFID tag by using a residue number system in the computation, and it provides provable security by using secure padding schemes

From Identification to Signatures, Tightly: A Framework and Generic Transforms

This paper provides a framework to treat the problem of building signature schemes from identification schemes in a unified and systematic way. The outcomes are (1) Alternatives to the Fiat-Shamir transform that, applied to trapdoor identification schemes, yield signature schemes with tight security reductions to standard assumptions (2) An understanding and characterization of existing transforms in the literature. One of our transforms has the added advantage of producing signatures shorter than produced by the Fiat-Shamir transform. Reduction tightness is important because it allows the implemented scheme to use small parameters (thereby being as efficient as possible) while retaining provable security

Towards secure communication and authentication: Provable security analysis and new constructions

Secure communication and authentication are some of the most important and practical topics studied in modern cryptography. Plenty of cryptographic protocols have been proposed to accommodate all sorts of requirements in different settings and some of those have been widely deployed and utilized in our daily lives. It is a crucial goal to provide formal security guarantees for such protocols. In this thesis, we apply the provable security approach, a standard method used in cryptography to formally analyze the security of cryptographic protocols, to three problems related to secure communication and authentication. First, we focus on the case where a user and a server share a secret and try to authenticate each other and establish a session key for secure communication, for which we propose the first user authentication and key exchange protocols that can tolerate strong corruptions on the client-side. Next, we consider the setting where a public-key infrastructure (PKI) is available and propose models to thoroughly compare the security and availability properties of the most important low-latency secure channel establishment protocols. Finally, we perform the first provable security analysis of the new FIDO2 protocols, the promising proposed standard for passwordless user authentication from the Fast IDentity Online (FIDO) Alliance to replace the world's over-reliance on passwords to authenticate users, and design new constructions to achieve stronger security.Ph.D

Identity-based cryptography from paillier cryptosystem.

Au Man Ho Allen.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 60-68).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- Introduction --- p.1Chapter 2 --- Preliminaries --- p.5Chapter 2.1 --- Complexity Theory --- p.5Chapter 2.2 --- Algebra and Number Theory --- p.7Chapter 2.2.1 --- Groups --- p.7Chapter 2.2.2 --- Additive Group Zn and Multiplicative Group Z*n --- p.8Chapter 2.2.3 --- The Integer Factorization Problem --- p.9Chapter 2.2.4 --- Quadratic Residuosity Problem --- p.11Chapter 2.2.5 --- Computing e-th Roots (The RSA Problem) --- p.13Chapter 2.2.6 --- Discrete Logarithm and Related Problems --- p.13Chapter 2.3 --- Public key Cryptography --- p.16Chapter 2.3.1 --- Encryption --- p.17Chapter 2.3.2 --- Digital Signature --- p.20Chapter 2.3.3 --- Identification Protocol --- p.22Chapter 2.3.4 --- Hash Function --- p.24Chapter 3 --- Paillier Cryptosystems --- p.26Chapter 3.1 --- Introduction --- p.26Chapter 3.2 --- The Paillier Cryptosystem --- p.27Chapter 4 --- Identity-based Cryptography --- p.30Chapter 4.1 --- Introduction --- p.31Chapter 4.2 --- Identity-based Encryption --- p.32Chapter 4.2.1 --- Notions of Security --- p.32Chapter 4.2.2 --- Related Results --- p.35Chapter 4.3 --- Identity-based Identification --- p.36Chapter 4.3.1 --- Security notions --- p.37Chapter 4.4 --- Identity-based Signature --- p.38Chapter 4.4.1 --- Security notions --- p.39Chapter 5 --- Identity-Based Cryptography from Paillier System --- p.41Chapter 5.1 --- Identity-based Identification schemes in Paillier setting --- p.42Chapter 5.1.1 --- Paillier-IBI --- p.42Chapter 5.1.2 --- CGGN-IBI --- p.43Chapter 5.1.3 --- GMMV-IBI --- p.44Chapter 5.1.4 --- KT-IBI --- p.45Chapter 5.1.5 --- Choice of g for Paillier-IBI --- p.46Chapter 5.2 --- Identity-based signatures from Paillier system . . --- p.47Chapter 5.3 --- Cocks ID-based Encryption in Paillier Setting . . --- p.48Chapter 6 --- Concluding Remarks --- p.51A Proof of Theorems --- p.53Chapter A.1 --- "Proof of Theorems 5.1, 5.2" --- p.53Chapter A.2 --- Proof Sketch of Remaining Theorems --- p.58Bibliography --- p.6