Group key establishment protocols: Pairing cryptography and verifiable secret sharing scheme

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2013Includes bibliographical references (leaves: 97-103)Text in English; Abstract: Turkish and Englishx, 154 leavesThe aim of this study is to establish a common secret key over an open network for a group of user to be used then symmetrical secure communication between them. There are two methods of GKE protocol which are key agreement and key distribution. Key agreement is a mechanism whereby the parties jointly establish a common secret. As to key distribution, it is a mechanism whereby one of the parties creates or obtains a secret value and then securely distributes it to other parties. In this study, both methods is applied and analyzed in two different GKE protocols. Desirable properties of a GKE are security and efficiency. Security is attributed in terms of preventing attacks against passive and active adversary. Efficiency is quantified in terms of computation, communication and round complexity. When constructing a GKE, the challenge is to provide security and efficiency according to attributed and quantified terms. Two main cryptographic tools are selected in order to handle the defined challenge. One of them is bilinear pairing which is based on elliptic curve cryptography and another is verifiable secret sharing which is based on multiparty computation. In this thesis, constructions of these two GKE protocols are studied along with their communication models, security and efficiency analysis. Also, an implementation of four-user group size is developed utilizing PBC, GMP and OpenSSL Libraries for both two protocols

Towards an auditable cryptographic access control to high-value sensitive data

We discuss the challenge of achieving an auditable key management for cryptographic access control to high-value sensitive data. In such settings it is important to be able to audit the key management process - and in particular to be able to provide verifiable proofs of key generation. The auditable key management has several possible use cases in both civilian and military world. In particular, the new regulations for protection of sensitive personal data, such as GDPR, introduce strict requirements for handling of personal data and apply a very restrictive definition of what can be considered a personal data. Cryptographic access control for personal data has a potential to become extremely important for preserving industrial ability to innovate, while protecting subject's privacy, especially in the context of widely deployed modern monitoring, tracking and profiling capabilities, that are used by both governmental institutions and high-tech companies. However, in general, an encrypted data is still considered as personal under GDPR and therefore cannot be, e.g., stored or processed in a public cloud or distributed ledger. In our work we propose an identity-based cryptographic framework that ensures confidentiality, availability, integrity of data while potentially remaining compliant with the GDPR framework

Aggregatable Distributed Key Generation

In this paper, we introduce a distributed key generation (DKG) protocol with aggregatable and publicly-verifiable transcripts. Compared with prior publicly-verifiable approaches, our DKG reduces the size of the final transcript and the time to verify it from O(n2) to O(nlogn) , where n denotes the number of parties. As compared with prior non-publicly-verifiable approaches, our DKG leverages gossip rather than all-to-all communication to reduce verification and communication complexity. We also revisit existing DKG security definitions, which are quite strong, and propose new and natural relaxations. As a result, we can prove the security of our aggregatable DKG as well as that of several existing DKGs, including the popular Pedersen variant. We show that, under these new definitions, these existing DKGs can be used to yield secure threshold variants of popular cryptosystems such as El-Gamal encryption and BLS signatures. We also prove that our DKG can be securely combined with a new efficient verifiable unpredictable function (VUF), whose security we prove in the random oracle model. Finally, we experimentally evaluate our DKG and show that the per-party overheads scale linearly and are practical. For 64 parties, it takes 71 ms to share and 359 ms to verify the overall transcript, while for 8192 parties, it takes 8 s and 42.2 s respectively

Finding Safety in Numbers with Secure Allegation Escrows

For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or ones own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third-party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached. An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: No less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.Comment: To appear in NDSS 2020. New version includes improvements to writing and proof. The protocol is unchange

A Practical (Non-interactive) Publicly Verifiable Secret Sharing Scheme

A publicly verifiable secret sharing (PVSS) scheme, proposed by Stadler in \cite{DBLP:conf/eurocrypt/Stadler96}, is a VSS scheme in which anyone, not only the shareholders, can verify that the secret shares are correctly distributed. PVSS can play essential roles in the systems using VSS. Achieving simultaneously the following two features for PVSS is a challenging job: \begin{itemize} \item Efficient non-interactive public verification. \item Proving security for the public verifiability in the standard model. \end{itemize} In this paper we propose a $(t, n)$-threshold PVSS scheme which satisfies both of these properties. Efficiency of the non-interactive public verification step of the proposed scheme is optimal (in terms of computations of bilinear maps (pairing)) while comparing with the earlier solution by \cite{DBLP:conf/sacrypt/HeidarvandV08}. In public verification step of \cite{DBLP:conf/sacrypt/HeidarvandV08}, one needs to compute $2n$ many pairings, where $n$ is the number of shareholders, whereas in our scheme the number of pairing computations is $4$ only. This count is irrespective of the number of shareholders. We also provide a formal proof for the semantic security (IND) of our scheme based on the hardness of a problem that we call the $(n,t)$-multi-sequence of exponents Diffie-Hellman problem (MSE-DDH). This problem falls under the general Diffie-Hellman exponent problem framework \cite{DBLP:conf/eurocrypt/BonehBG05}

Contributions to secret sharing and other distributed cryptosystems

The present thesis deals with primitives related to the eld of distributed cryptography. First, we study signcryption schemes, which provide at the same time the functionalities of encryption and signature, where the unsigncryption operation is distributed. We consider this primitive from a theoretical point of view and set a security framework for it. Then, we present two signcryption schemes with threshold unsigncryption, with di erent properties. Furthermore, we use their authenticity property to apply them in the development of a di erent primitive: digital signatures with distributed veri cation. The second block of the thesis deals with the primitive of multi-secret sharing schemes. After stating some e ciency limitations of multi-secret sharing schemes in an information-theoretic scenario, we present several multi-secret sharing schemes with provable computational security. Finally, we use the results in multi-secret sharing schemes to generalize the traditional framework of distributed cryptography (with a single policy of authorized subsets) into a multipolicy setting, and we present both a multi-policy distributed decryption scheme and a multi-policy distributed signature scheme. Additionally, we give a short outlook on how to apply the presented multi-secret sharing schemes in the design of other multi-policy cryptosystems, like the signcryption schemes considered in this thesis. For all the schemes proposed throughout the thesis, we follow the same formal structure. After de ning the protocols of the primitive and the corresponding security model, we propose the new scheme and formally prove its security, by showing a reduction to some computationally hard mathematical problem.Avui en dia les persones estan implicades cada dia més en diferents activitats digitals tant en la seva vida professional com en el seu temps lliure. Molts articles de paper, com diners i tiquets, estan sent reemplaçats més i més per objectes digitals. La criptografia juga un paper crucial en aquesta transformació, perquè proporciona seguretat en la comunicació entre els diferents participants que utilitzen un canal digital. Depenent de la situació específica, alguns requisits de seguretat en la comunicació poden incloure privacitat (o confidencialitat), autenticitat, integritat o no-repudi. En algunes situacions, repartir l'operació secreta entre un grup de participants fa el procés més segur i fiable que quan la informació secreta està centralitzada en un únic participant; la criptografia distribuïda és l’àrea de la criptografia que estudia aquestes situacions. Aquesta tesi tracta de primitives relacionades amb el camp de la criptografia distribuïda. Primer, estudiem esquemes “signcryption”, que ofereixen a la vegada les funcionalitats de xifrat i signatura, on l'operació de “unsigncryption” està distribuïda. Considerem aquesta primitiva des d’un punt de vista teòric i establim un marc de seguretat per ella. Llavors, presentem dos esquemes “signcryption” amb operació de “unsigncryption” determinada per una estructura llindar, cada un amb diferents propietats. A més, utilitzem la seva propietat d’autenticitat per desenvolupar una nova primitiva: signatures digitals amb verificació distribuïda. El segon bloc de la tesi tracta la primitiva dels esquemes de compartició de multi-secrets. Després de demostrar algunes limitacions en l’eficiència dels esquemes de compartició de multi-secrets en un escenari de teoria de la informació, presentem diversos esquemes de compartició de multi-secrets amb seguretat computacional demostrable. Finalment, utilitzem els resultats obtinguts en els esquemes de compartició de multi-secrets per generalitzar el paradigma tradicional de la criptografia distribuïda (amb una única política de subconjunts autoritzats) a un marc multi-política, i presentem un esquema de desxifrat distribuït amb multi-política i un esquema de signatura distribuïda amb multi-política. A més, donem indicacions de com es poden aplicar els nostres esquemes de compartició de multi-secrets en el disseny d’altres criptosistemes amb multi-política, com per exemple els esquemes “signcryption” considerats en aquesta tesi. Per tots els esquemes proposats al llarg d’aquesta tesi, seguim la mateixa estructura formal. Després de definir els protocols de la primitiva primitius i el model de seguretat corresponent, proposem el nou esquema i demostrem formalment la seva seguretat, mitjançant una reducció a algun problema matemàtic computacionalment difícil

Mitte-interaktiivsed nullteadmusprotokollid nõrgemate usalduseeldustega

Väitekirja elektrooniline versioon ei sisalda publikatsiooneTäieliku koosluskindlusega (TK) kinnitusskeemid ja nullteadmustõestused on ühed põhilisemad krüptograafilised primitiivid, millel on hulgaliselt päriselulisi rakendusi. (TK) Kinnitusskeem võimaldab osapoolel arvutada salajasest sõnumist kinnituse ja hiljem see verifitseeritaval viisil avada. Täieliku koosluskindlusega protokolle saab vabalt kombineerida teiste täieliku koosluskindlusega protokollidega ilma, et see mõjutaks nende turvalisust. Nullteadmustõestus on protokoll tõestaja ja verifitseerija vahel, mis võimaldab tõestajal veenda verifitseerijat mingi väite paikapidavuses ilma rohkema informatsiooni lekitamiseta. Nullteadmustõestused pakuvad suurt huvi ka praktilistes rakendustes, siinkohal on olulisemateks näideteks krüptorahad ja hajusandmebaasid üldisemalt. Siin on eriti asjakohased just lühidad mitteinteraktiivsed nullteadmustõestused (SNARKid) ning kvaasiadaptiivsed mitteinteraktiivsed nullteadmustõestused (QA-NIZKid). Mitteinteraktiivsetel nullteadmustõestustel juures on kaks suuremat praktilist nõrkust. Esiteks on tarvis usaldatud seadistusfaasi osapoolte ühisstringi genereerimiseks ja teiseks on tarvis täielikku koosluskindlust. Käesolevas doktoritöös me uurime neid probleeme ja pakume välja konkreetseid konstruktsioone nende leevendamiseks. Esmalt uurime me õõnestuskindlaid SNARKe juhu jaoks, kus seadistusfaasi ühisstring on õõnestatud. Me konstrueerime õõnestuskindla versiooni seni kõige tõhusamast SNARKist. Samuti uurime me QA-NIZKide õõnestuskindlust ja konstrueerime kõige efektiivsemate QA-NIZKide õõnestuskindla versiooni. Mis puutub teise uurimissuunda, nimelt täielikku koosluskindlusesse, siis sel suunal kasutame me pidevaid projektiivseid räsifunktsioone. Me pakume välja uue primitiivi, kus eelmainitud räsifunktsioonid on avalikult verifitseeritavad. Nende abil me konstrueerime seni kõige tõhusama mitteinteraktiivse koosluskindla kinnitusskeemi. Lõpetuseks me töötame välja uue võtte koosluskindlate kinnitusskeemide jaoks, mis võimaldab ühisarvutuse abil luua nullteadmustõestuste ühisstringe.Quite central primitives in cryptographic protocols are (Universally composable (UC)) commitment schemes and zero-knowledge proofs that getting frequently employed in real-world applications. A (UC) commitment scheme enables a committer to compute a commitment to a secret message, and later open it in a verifiable manner (UC protocols can seamlessly be combined with other UC protocols and primitives while the entire protocol remains secure). A zero-knowledge proof is a protocol usually between a prover and a verifier that allows the prover to convince the verifier of the legality of a statement without disclosing any more information. Zero-knowledge proofs and in particular Succinct non-interactive zero-knowledge proofs (SNARKs) and quasi adaptive NIZK (QA-NIZK) are of particular interest in the real-world applications, with cryptocurrencies or more generally distributed ledger technologies being the prime examples. The two serious issues and the main drawbacks of the practical usage of NIZKs are (i) the demand for a trusted setup for generating the common reference string (CRS) and (ii) providing the UC security. In this thesis, we essentially investigate the aforementioned issues and propose concrete constructions for them. We first investigate subversion SNARKs (Sub zk-SNARKs) when the CRS is subverted. In particular, we build a subversion of the most efficient SNARKs. Then we initiate the study of subversion QA-NIZK (Sub-QA-NIZK) and construct subversion of the most efficient QA-NIZKs. For the second issue, providing UC-security, we first using hash proof systems or smooth projective hash functions (SPHFs), we introduce a new cryptographic primitive called publicly computable SPHFs (PC-SPHFs) and construct the currently most efficient non-interactive UC-secure commitment. Finally, we develop a new technique for constructing UC-secure commitments schemes that enables one to generate CRS of NIZKs by using MPC in a UC-secure mannerhttps://www.ester.ee/record=b535926