717 research outputs found
One-Round Deniable Key Exchange with Perfect Forward Security
In response to the need for secure one-round authenticated key exchange protocols providing both perfect forward secrecy and full deniability, we put forward a new paradigm for constructing protocols from a Diffie-Hellman type protocol plus a non-interactive designated verifier proof of knowledge (DV-PoK) scheme. We define the notion of DV-PoK which is a variant of non-interactive zero-knowledge proof of knowledge, and provide an efficient DV-PoK scheme as a central technical building block of our protocol. The DV-PoK scheme possesses nice properties such as unforgeability and symmetry which help our protocol to achieve perfect forward secrecy and full deniability respectively. Moreover, the security properties are formally proved in the Canetti-Krawczyk model under the Gap Diffie-Hellman assumption. In sum, our protocol offers a remarkable combination of salient security properties and efficiency, and the notion of DV-PoK is of independent interests
Revisiting Deniability in Quantum Key Exchange via Covert Communication and Entanglement Distillation
We revisit the notion of deniability in quantum key exchange (QKE), a topic
that remains largely unexplored. In the only work on this subject by Donald
Beaver, it is argued that QKE is not necessarily deniable due to an
eavesdropping attack that limits key equivocation. We provide more insight into
the nature of this attack and how it extends to other constructions such as QKE
obtained from uncloneable encryption. We then adopt the framework for quantum
authenticated key exchange, developed by Mosca et al., and extend it to
introduce the notion of coercer-deniable QKE, formalized in terms of the
indistinguishability of real and fake coercer views. Next, we apply results
from a recent work by Arrazola and Scarani on covert quantum communication to
establish a connection between covert QKE and deniability. We propose DC-QKE, a
simple deniable covert QKE protocol, and prove its deniability via a reduction
to the security of covert QKE. Finally, we consider how entanglement
distillation can be used to enable information-theoretically deniable protocols
for QKE and tasks beyond key exchange.Comment: 16 pages, published in the proceedings of NordSec 201
Deniable Key Establishment Resistance against eKCI Attacks
In extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols the adversary impersonates one party, having the long term key and the ephemeral key of the other peer party. Such an attack can be mounted against variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (BonehâLynnâShacham) signatures, for strengthening HMQV was proposed in literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages
Unilaterally-Authenticated Key Exchange
Key Exchange (KE), which enables two parties (e.g., a client and a server) to securely establish a common private key while communicating over an insecure channel, is one of the most fundamental cryptographic primitives. In this work, we address the setting of unilaterally-authenticated key exchange (UAKE), where an unauthenticated (unkeyed) client establishes a key with an authenticated (keyed) server. This setting is highly motivated by many practical uses of KE on the Internet, but received relatively little attention so far.
Unlike the prior work, defining UAKE by downgrading a relatively complex definition of mutually authenticated key exchange (MAKE), our definition follows the opposite approach of upgrading existing definitions of public key encryption (PKE) and signatures towards UAKE. As a result, our new definition is short and easy to understand. Nevertheless, we show that it is equivalent to the UAKE definition of Bellare-Rogaway (when downgraded from MAKE), and thus captures a very strong and widely adopted security notion, while looking very similar to the simple ``one-oracle\u27\u27 definition of traditional PKE/signature schemes. As a benefit of our intuitive framework, we show two exactly-as-you-expect (i.e., having no caveats so abundant in the KE literature!) UAKE protocols from (possibly interactive) signature and encryption. By plugging various one- or two-round signature and encryption schemes, we derive provably-secure variants of various well-known UAKE protocols (such as a unilateral variant of SKEME with and without perfect forward secrecy, and Shoup\u27s A-DHKE-1), as well as new protocols, such as the first -round UAKE protocol which is both (passively) forward deniable and forward-secure.
To further clarify the intuitive connections between PKE/Signatures and UAKE, we define and construct stronger forms of (necessarily interactive) PKE/Signature schemes, called confirmed encryption and confidential authentication, which, respectively, allow the sender to obtain confirmation that the (keyed) receiver output the correct message, or to hide the content of the message being authenticated from anybody but the participating (unkeyed) receiver. Using confirmed PKE/confidential authentication, we obtain two concise UAKE protocols of the form: ``send confirmed encryption/confidential authentication of a random key .\u27\u2
DABKE: Secure deniable attribute-based key exchange framework
National Research Foundation (NRF) Singapor
The art of post-truth in quantum cryptography
LâĂ©tablissement de clĂ© quantique (abrĂ©gĂ© QKD en anglais) permet Ă deux participants distants, Alice et Bob, dâĂ©tablir une clĂ© secrĂšte commune (mais alĂ©atoire) qui est connue uniquement de ces deux personnes (câest-Ă -dire inconnue dâĂve et de tout autre tiers parti). La clĂ© secrĂšte partagĂ©e est inconditionnellement privĂ©e et peut ĂȘtre plus tard utilisĂ©e, par Alice et Bob, pour transmettre des messages en toute confidentialitĂ©, par exemple sous la forme dâun masque jetable. Le protocole dâĂ©tablissement de clĂ© quantique garantit la confidentialitĂ© inconditionnelle du message en prĂ©sence dâun adversaire (Ăve) limitĂ© uniquement par les lois de la mĂ©canique quantique, et qui ne peut agir sur lâinformation que se partagent Alice et Bob que lors de son transit Ă travers des canaux classiques et quantiques. Mais que se passe-t-il lorsque Ăve a le pouvoir supplĂ©mentaire de contraindre Alice et/ou Bob Ă rĂ©vĂ©ler toute information, jusquâalors gardĂ©e secrĂšte, gĂ©nĂ©rĂ©e lors de lâexĂ©cution (rĂ©ussie) du protocole dâĂ©tablissement de clĂ© quantique (Ă©ventuellement suite Ă la transmission entre Alice et Bob dâun ou plusieurs messages chiffrĂ©s classique Ă lâaide de cette clĂ©), de maniĂšre Ă ce quâĂve puisse reproduire lâentiĂšretĂ© du protocole et retrouver la clĂ© (et donc aussi le message quâelle a chiffrĂ©) ? Alice et Bob peuvent-ils nier la crĂ©ation de la clĂ© de maniĂšre plausible en rĂ©vĂ©lant des informations mensongĂšres pour quâĂve aboutisse sur une fausse clĂ© ? Les protocoles dâĂ©tablissement de clĂ© quantiques peuvent-ils tels quels garantir la possibilitĂ© du doute raisonnable ? Dans cette thĂšse, câest sur cette Ă©nigme que nous nous penchons.
Dans le reste de ce document, nous empruntons le point de vue de la thĂ©orie de lâinformation pour analyser la possibilitĂ© du doute raisonnable lors de lâapplication de protocoles dâĂ©tablissement de clĂ© quantiques. Nous formalisons rigoureusement diffĂ©rents types et degrĂ©s de doute raisonnable en fonction de quel participant est contraint de rĂ©vĂ©ler la clĂ©, de ce que lâadversaire peut demander, de la taille de lâensemble de fausses clĂ©s quâAlice et Bob peuvent prĂ©tendre Ă©tablir, de quand les parties doivent dĂ©cider de la ou des clĂ©s fictives, de quelle est la tolĂ©rance dâĂve aux Ă©vĂ©nements moins probables, et du recours ou non Ă des hypothĂšses de calcul.
Nous dĂ©finissons ensuite rigoureusement une classe gĂ©nĂ©rale de protocoles dâĂ©tablissement de clĂ© quantiques, basĂ©e sur un canal quantique presque parfait, et prouvons que tout protocole dâĂ©tablissement de clĂ© quantique appartenant Ă cette classe satisfait la dĂ©finition la plus gĂ©nĂ©rale de doute raisonnable : Ă savoir, le doute raisonnable universel. Nous en fournissons quelques exemples. Ensuite, nous proposons un protocole hybride selon lequel tout protocole
QKD peut ĂȘtre au plus existentiellement dĂ©niable. De plus, nous dĂ©finissons une vaste classe de protocoles dâĂ©tablissement de clĂ© quantiques, que nous appelons prĂ©paration et mesure, et prouvons lâimpossibilitĂ© dâinstiller lors de ceux-ci tout degrĂ© de doute raisonnable.
Ensuite, nous proposons une variante du protocole, que nous appelons prĂ©paration et mesure floues qui offre un certain niveau de doute raisonnable lorsque Ăve est juste. Par la suite, nous proposons un protocole hybride en vertu duquel tout protocole dâĂ©tablissement de clĂ© quantique ne peut offrir au mieux que lâoption de doute raisonnable existentiel. Finalement, nous proposons une variante du protocole, que nous appelons mono-dĂ©niable qui est seulement Alice dĂ©niable ou Bob dĂ©niable (mais pas les deux).Quantum Key Establishment (QKD) enables two distant parties Alice and Bob to establish a common random secret key known only to the two of them (i.e., unknown to Eve and anyone else). The common secret key is information-theoretically secure. Later, Alice and Bob may use this key to transmit messages securely, for example as a one-time pad. The QKD protocol guarantees the confidentiality of the key from an information-theoretic perspective against an adversary Eve who is only limited by the laws of quantum theory and can act only on the signals as they pass through the classical and quantum channels. But what if Eve has the extra power to coerce Alice and/or Bob after the successful execution of the QKD protocol forcing either both or only one of them to reveal all their private information (possibly also after one or several (classical) ciphertexts encrypted with that key have been transmitted between Alice and Bob) then Eve could go through the protocol and obtain the key (hence also the message)? Can Alice and Bob deny establishment of the key plausibly by revealing fake private information and hence also a fake key? Do QKD protocols guarantee deniability for free in this case? In this Thesis, we investigate this conundrum.
In the rest of this document, we take an information-theoretic perspective on deniability in quantum key establishment protocols. We rigorously formalize different levels and flavours of deniability depending on which party is coerced, what the adversary may ask, what is the size of the fake set that surreptitious parties can pretend to be established, when the parties should decide on the fake key(s), and what is the coercerâs tolerance to less likely events and possibly also computational assumptions.
We then rigorously define a general class of QKD protocols, based on an almost-perfect quantum channel, and prove that any QKD protocol that belongs to this class satisfies the most general flavour of deniability, i.e.,universal deniability. Moreover, we define a broad class of QKD protocols, which we call prepare-and-measure, and prove that these protocols are not deniable in any level or flavour.
Moreover, we define a class of QKD protocols, which we refer to as fuzzy prepare-andmeasure, that provides a certain level of deniability conditioned on Eve being fair. Furthermore, we propose a hybrid protocol under which any QKD protocol can be at most existentially deniable. Finally, we define a class of QKD protocols, which we refer to as mono-deniable, which is either Alice or Bob (but not both) deniable
Authentication and Key Management Automation in Decentralized Secure Email and Messaging via Low-Entropy Secrets
We revisit the problem of entity authentication in decentralized end-to-end encrypted email and secure messaging to propose a practical and self-sustaining cryptographic solution based on
password-authenticated key exchange (PAKE). This not only allows users to authenticate each other via shared low-entropy secrets, e.g., memorable words, without a public key infrastructure or a trusted third party, but it also paves the way for automation and a series of cryptographic enhancements; improves security by minimizing the impact of human error and potentially improves usability. First, we study a few vulnerabilities in voice-based out-of-band authentication, in particular a combinatorial attack against lazy users, which we analyze in the context of a secure email solution. Next, we propose solving the problem of secure equality test using PAKE to achieve entity authentication and to establish a shared high-entropy secret key. Our solution lends itself to offline settings, compatible with the inherently asynchronous nature of email and modern messaging systems. The suggested approach enables enhancements in key management such as automated key renewal and future key pair authentications, multi-device synchronization, secure secret storage and retrieval, and the possibility of post-quantum security as well as facilitating forward secrecy and deniability in a primarily symmetric-key setting. We also discuss the use of auditable PAKEs for mitigating a class of online guess and abort attacks in authentication protocols
Hecate: abuse reporting in secure messengers with sealed sender
End-to-end encryption provides strong privacy protections to billions of people, but it also complicates efforts to moderate content that can seriously harm people. To address this concern, Tyagi et al. [CRYPTO 2019] introduced the concept of asymmetric message franking (AMF), which allows people to report abusive content to a moderator, while otherwise retaining end-to-end privacy by default and even compatibility with anonymous communication systems like Signalâs sealed sender.
In this work, we provide a new construction for asymmetric message franking called Hecate that is faster, more secure, and introduces additional functionality compared to Tyagi et al. First, our construction uses fewer invocations of standardized crypto primitives and operates in the plain model. Second, on top of AMFâs accountability and deniability requirements, we also add forward and backward secrecy. Third, we combine AMF with source tracing, another approach to content moderation that has previously been considered only in the setting of non-anonymous networks. Source tracing allows for messages to be forwarded, and a report only identifies the original source who created a message. To provide anonymity for senders and forwarders, we introduce a model of "AMF with preprocessing" whereby every client authenticates with the moderator out-of-band to receive a token that they later consume when sending a message anonymously.CNS-1718135 - National Science Foundation; CNS-1801564 - National Science Foundation; OAC-1739000 - National Science Foundation; CNS-1931714 - National Science Foundation; CNS-1915763 - National Science Foundation; HR00112020021 - Department of Defense/DARPA; 000000000000000000000000000000000000000000000000000000037211 - SRI Internationalhttps://www.usenix.org/system/files/sec22-issa.pdfPublished versio
Deniable-Based Privacy-Preserving Authentication Against Location Leakage in Edge Computing
This is the author accepted manuscript. The final version is available from IEEE via the DOI in this recordEdge computing provides cloud services at the edge of the network for Internet of Things (IoT) devices. It aims to address low latency of the network and alleviates data processing of the cloud. This âcloud-edge-deviceâ paradigm brings convenience as well as challenges for location-privacy protection of the IoT. In the edge computing environment, the fixed edge equipment supplies computing services for adjacent IoT devices. Therefore, edge computing suffers location leakage as the connection and authentication records imply the location of IoT devices. This article focuses on the location awareness in the edge computing environment. We adopt the âdeniabilityâ of authentication to prevent location leakage when IoT devices connect to the edge nodes. In our solution, an efficient deniable authentication based on a two-user ring signature is constructed. The robustness of authentication makes the fixed edge equipment accept the legal end devices. Besides, the deniability of authentication cannot convince any third party that the fact of this authentication occurred as communication transcript is no longer an evidence for this connection. Therefore, it handles the inherent location risk in edge computing. Compared to efficient deniable authentications, our protocol saves 10.728% and 14.696% computational cost, respectively.Ministry of EducationSichuan Science and Technology ProgramNational Natural Science Foundation of ChinaEuropean Union Horizon 202
- âŠ