Post-Quantum Security of Authenticated Key Establishment Protocols

We present a security model for authenticated key establishment that allows for quantum interactions between the adversary and quantum oracles that emulate classical parties, resulting in a truly post-quantum security definition. We then give a generic construction for a secure protocol in the quantum random oracle model by combining a signature scheme which is existentially unforgeable under adaptive quantum chosen message attack in the quantum random oracle model (EUF-qCMA-QRO secure) with an unauthenticated key establishment protocol which is secure against a passive adversary. This construction allows us to give an explicit example of a secure protocol whose security is based on a variant of the Diffie-Hellman problem for isogenies of supersingular elliptic curves; in particular, generic security-strengthening transformations allow us to take a signature scheme which is EUF-CMA-RO secure against a quantum adversary and transform it into an EUF-qCMA-QRO signature scheme, which we combine with a standard secure unauthenticated key establishment protocol to achieve the desired result

Security of two-way quantum cryptography against asymmetric Gaussian attacks

Recently, we have shown the advantages of two-way quantum communications in continuous variable quantum cryptography. Thanks to this new approach, two honest users can achieve a non-trivial security enhancement as long as the Gaussian interactions of an eavesdropper are independent and identical. In this work, we consider asymmetric strategies where the Gaussian interactions can be different and classically correlated. For several attacks of this kind, we prove that the enhancement of security still holds when the two-way protocols are used in direct reconciliation.Comment: Proceeding of the SPIE Conference "Quantum Communications and Quantum Imaging VI" - San Diego 2008. This paper is connected with arXiv:quant-ph/0611167 (for the last version see: Nature Physics 4, 726 (2008)

Concurrently Non-Malleable Zero Knowledge in the Authenticated Public-Key Model

We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model, which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm are required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from \cite{CGGM,MR}, and a weaker variation of the registered public-key model used in \cite{BCNP}. We then define and study man-in-the-middle attacks in the APK model. Our main result is a constant-round concurrent non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to a language in $\mathcal{NP}$), under the (minimal) assumption of the existence of a one-way function family. Furthermore,We show time-efficient instantiations of our protocol based on known number-theoretic assumptions. We also note a negative result with respect to further reducing the setup assumptions of our protocol to those in the (unauthenticated) BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the BPK model are only possible for trivial languages

Pairing-based identification schemes

We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme

Security of discrete log cryptosystems in the random oracle and the generic model

We introduce novel security proofs that use combinatorial counting arguments rather than reductions to the discrete logarithm or to the Diffie-Hellman problem. Our security results are sharp and clean with no polynomial reduction times involved. We consider a combination of the random oracle model and the generic model. This corresponds to assuming an ideal hash function H given by an oracle and an ideal group of prime order q, where the binary encoding of the group elements is useless for cryptographic attacks In this model, we first show that Schnorr signatures are secure against the one-more signature forgery : A generic adversary performing t generic steps including l sequential interactions with the signer cannot produce l+1 signatures with a better probability than (t 2)/q. We also characterize the different power of sequential and of parallel attacks. Secondly, we prove signed ElGamal encryption is secure against the adaptive chosen ciphertext attack, in which an attacker can arbitrarily use a decryption oracle except for the challenge ciphertext. Moreover, signed ElGamal encryption is secure against the one-more decryption attack: A generic adversary performing t generic steps including l interactions with the decryption oracle cannot distinguish the plaintexts of l + 1 ciphertexts from random strings with a probability exceeding (t 2)/q

Formal Computational Unlinkability Proofs of RFID Protocols

We set up a framework for the formal proofs of RFID protocols in the computational model. We rely on the so-called computationally complete symbolic attacker model. Our contributions are: i) To design (and prove sound) axioms reflecting the properties of hash functions (Collision-Resistance, PRF); ii) To formalize computational unlinkability in the model; iii) To illustrate the method, providing the first formal proofs of unlinkability of RFID protocols, in the computational model