Relating two standard notions of secrecy

Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of the situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for digital signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.Comment: 29 pages, published in LMC

New Insights on cryptographic hierarchical access control: models, schemes and analysis

2014 - 2015Nowadays the current network-centric world has given rise to several security concerns regarding the access control management, which en- sures that only authorized users are given access to certain resources or tasks. In particular, according to their respective roles and respon- sibilities, users are typically organized into hierarchies composed of several disjoint classes (security classes). A hierarchy is characterized by the fact that some users may have more access rights than others, according to a top-down inclusion paradigm following speci c hier- archical dependencies. A user with access rights for a given class is granted access to objects stored in that class, as well as to all the de- scendant ones in the hierarchy. The problem of key management for such hierarchies consists in assigning a key to each class of the hierar- chy, so that the keys for descendant classes can be e ciently obtained from users belonging to classes at a higher level in the hierarchy. In this thesis we analyze the security of hierarchical key assignment schemes according to di erent notions: security with respect to key indistinguishability and against key recovery [4], as well as the two recently proposed notions of security with respect to strong key in- distinguishability and against strong key recovery [42]. More precisely, we rst explore the relations between all security notions and, in par- ticular, we prove that security with respect to strong key indistin- guishability is not stronger than the one with respect to key indistin- guishability. Afterwards, we propose a general construction yielding a hierarchical key assignment scheme that ensures security against strong key recovery, given any hierarchical key assignment scheme which guarantees security against key recovery. Moreover, we de ne the concept of hierarchical key assignment schemes supporting dynamic updates, formalizing the relative secu- rity model. In particular, we provide the notions of security with respect to key indistinguishability and key recovery, by taking into ac- count the dynamic changes to the hierarchy. Furthermore, we show how to construct a hierarchical key assignment scheme supporting dy- namic updates, by using as a building block a symmetric encryption scheme. The proposed construction is provably secure with respect to key indistinguishability, provides e cient key derivation and updat- ing procedures, while requiring each user to store only a single private key. Finally, we propose a novel model that generalizes the conventional hierarchical access control paradigm, by extending it to certain addi- tional sets of quali ed users. Afterwards, we propose two construc- tions for hierarchical key assignment schemes in this new model, which are provably secure with respect to key indistinguishability. In par- ticular, the former construction relies on both symmetric encryption and perfect secret sharing, whereas, the latter is based on public-key threshold broadcast encryption. [edited by author]XIV n.s

Privacy-preserving scheme for mobile ad hoc networks.

This paper proposes a decentralized trust establishment protocol for mobile ad hoc networks (MANETs), where nodes establish security associations. In order to achieve privacy and security, we use homomorphic encryption and polynomial intersection so as to find the intersection of two sets. The first set represents a list of recommenders of the initiator and the second set is a list of trusted recommenders of the responder. The intersection of the sets represents a list of nodes that recommend the first node and their recommendations are trusted by the second node. In our experimental results we show that our scheme is effective even if there are 30 trusted nodes

Unforgeable Quantum Encryption

We study the problem of encrypting and authenticating quantum data in the presence of adversaries making adaptive chosen plaintext and chosen ciphertext queries. Classically, security games use string copying and comparison to detect adversarial cheating in such scenarios. Quantumly, this approach would violate no-cloning. We develop new techniques to overcome this problem: we use entanglement to detect cheating, and rely on recent results for characterizing quantum encryption schemes. We give definitions for (i.) ciphertext unforgeability , (ii.) indistinguishability under adaptive chosen-ciphertext attack, and (iii.) authenticated encryption. The restriction of each definition to the classical setting is at least as strong as the corresponding classical notion: (i) implies INT-CTXT, (ii) implies IND-CCA2, and (iii) implies AE. All of our new notions also imply QIND-CPA privacy. Combining one-time authentication and classical pseudorandomness, we construct schemes for each of these new quantum security notions, and provide several separation examples. Along the way, we also give a new definition of one-time quantum authentication which, unlike all previous approaches, authenticates ciphertexts rather than plaintexts.Comment: 22+2 pages, 1 figure. v3: error in the definition of QIND-CCA2 fixed, some proofs related to QIND-CCA2 clarifie