Soundness of Symbolic Equivalence for Modular Exponentiation
In this paper, we study the Dynamic Decisional Diffie-Hellman (3DH) problem, a powerful generalization of the Decisional Diffie-Hellman (DDH) problem. Our main result is that DDH implies 3DH. This result leads to significantly simpler proofs for protocols by relying directly on the more general problem. Our second contribution is a computationally sound symbolic technique for reasoning about protocols that use symmetric encryption and modular exponentiation. We show how to apply our results in the case of the Burmester & Desmedt protocol.
Group theory in cryptography
This paper is a guide for the pure mathematician who would like to know more
about cryptography based on group theory. The paper gives a brief overview of
the subject, and provides pointers to good textbooks, key research papers and
recent survey papers in the area.
Comment: 25 pages. References updated, and a few extra references added. Minor
typographical changes. To appear in Proceedings of Groups St Andrews 2009 in
Bath, U
Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman
Diffie-Hellman groups are a widely used component in cryptographic protocols in which a
shared secret is needed. These protocols are typically proven to be secure under the assumption they
are implemented with prime order Diffie-Hellman groups. However, in practice, many implementations
either choose to use non-prime order groups for reasons of efficiency, or can be manipulated into
operating in non-prime order groups. This leaves a gap between the proofs of protocol security, which
assume prime order groups, and the real world implementations. This is not merely a theoretical
possibility: many attacks exploiting small subgroups or invalid curve points have been found in the
real world.
While many advances have been made in automated protocol analysis, modern tools such as Tamarin
and ProVerif represent DH groups using an abstraction of prime order groups. This means they, like
many cryptographic proofs, may miss practical attacks on real world protocols.
In this work we develop a novel extension of the symbolic model of Diffie-Hellman groups. By more
accurately modelling internal group structure, our approach captures many more differences between
prime order groups and their actual implementations. The additional behaviours that our models
capture are surprisingly diverse, and include not only attacks using small subgroups and invalid curve
points, but also a range of proposed mitigation techniques, such as excluding low order elements,
single coordinate ladders, and checking the elliptic curve equation. Our models thereby capture a
large family of attacks that were previously outside the symbolic model.
We implement our improved models in the Tamarin prover. We find a new attack on the Secure
Scuttlebutt Gossip protocol, independently discover a recent attack on Tendermint’s secure handshake,
and evaluate the effectiveness of the proposed mitigations for recent Bluetooth attacks.
Public key exchange using semidirect product of (semi)groups
In this paper, we describe a brand new key exchange protocol based on a
semidirect product of (semi)groups (more specifically, on extension of a
(semi)group by automorphisms), and then focus on practical instances of this
general idea. Our protocol can be based on any group, in particular on any
non-commutative group. One of its special cases is the standard Diffie-Hellman
protocol, which is based on a cyclic group. However, when our protocol is used
with a non-commutative (semi)group, it acquires several useful features that
make it compare favorably to the Diffie-Hellman protocol. Here we also suggest
a particular non-commutative semigroup (of matrices) as the platform and show
that security of the relevant protocol is based on a quite different assumption
compared to that of the standard Diffie-Hellman protocol.
Comment: 12 page
Hierarchical combination of intruder theories
Recently, automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be improved, for finding more subtle weaknesses, by a more accurate modelling of the operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for non-disjoint intruder theories and to show decidability results for the deduction problem in these theories. We have also shown that under natural hypotheses hierarchical intruder constraints can be decided. This result applies to an exponentiation theory that appears to be more general than the one considered before.
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E_{std} and E_{ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis.