    Identification and Privacy: Zero-Knowledge is not Enough

    At first glance, privacy and zero-knowledgeness seem to be similar properties. A scheme is private when no information about the prover is revealed, and in a zero-knowledge scheme, communications should not leak the prover's secrets. Until recently, privacy threats were only partially formalized, and some zero-knowledge (ZK) schemes have been proposed to ensure privacy. We here explain why the intended goal is not reached. Following the privacy model proposed by Vaudenay at Asiacrypt 2007, we then reconsider the analysis of these schemes and thereafter introduce a general framework to modify identification schemes, leading to different levels of privacy. Our new protocols can be useful, for instance, for identity documents, where privacy is a major issue. Furthermore, we propose efficient implementations of zero-knowledge and private identification schemes based on modifications of the GPS scheme. The security and the privacy are based on a new problem: the Short Exponent Strong Diffie-Hellman (SESDH) problem. The hardness of this problem is related to the hardness of the Strong Diffie-Hellman (SDH) problem and to the hardness of the Discrete Logarithm with Short Exponent (DLSE) problem. The security and privacy of these new schemes are proved in the random oracle model.

    Password Based Key Exchange with Hidden Elliptic Curve Public Parameters

    We here describe a new Password-based Authenticated Key Exchange (PAKE) protocol based on elliptic curve cryptography. We prove it secure in the Bellare-Pointcheval-Rogaway (BPR) model. Our proposal is conceived in such a way that the elliptic curve public parameters remain private. This is important in the context of contactless ID devices, since in that setting it is easy to link these parameters with the nationality of the ID document owners.

    Supplemental Access Control (PACE v2): Security Analysis of PACE Integrated Mapping

    We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Sécurité. PACE v2 IM enjoys the following properties: patent-freeness (to the best of current knowledge in the field); full resistance to dictionary attacks, secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group; optimal performance. The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol, proposed by the German Federal Office for Information Security (BSI). In this document, we provide a description of PACE v2 IM, a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications, and a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.

    Efficient Indifferentiable Hashing into Ordinary Elliptic Curves

    We provide the first construction of a hash function into ordinary elliptic curves that is indifferentiable from a random oracle, based on Icart's deterministic encoding from Crypto 2009. While almost as efficient as Icart's encoding, this hash function can be plugged into any cryptosystem that requires hashing into elliptic curves without compromising proofs of security in the random oracle model. We also describe a more general (but less efficient) construction that works for a large class of encodings into elliptic curves, for example the Shallue-Woestijne-Ulas (SWU) algorithm. Finally, we describe the first deterministic encoding algorithm into elliptic curves in characteristic 3.
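    As an added worked example (my own code, not the paper's), the construction the abstract above refers to: Icart's encoding f into y² = x³ + ax + b over F_p with p ≡ 2 (mod 3), where one cube root replaces the square root that makes try-and-increment non-deterministic, and the hash H(m) = f(h1(m)) + f(h2(m)) that the paper proves indifferentiable from a random oracle. The field and curve constants are those of NIST P-384 as I know them (its prime is 2 mod 3, unlike P-256's); h1 and h2 are instantiated here as domain-separated SHA-512 reduced mod p, which is my assumption, as are the tag strings and the message bytes. The last function counts, on the constructed toy curve y² = x³ + x + 1 over F_1019, how much of E(F_p) f alone covers, which is why f(h(m)) with a single hash is not enough.

```python
"""Icart's encoding f: F_p -> E(F_p) for p = 2 (mod 3) and the indifferentiable hash
H(m) = f(h1(m)) + f(h2(m)).  Added example; not the paper's code."""
import hashlib

# NIST P-384 parameters.  Its prime is 2 mod 3, so Icart's map applies (P-256's is 1 mod 3).
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1
P384_A = P384_P - 3
P384_B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef

INF = None  # point at infinity


def inv(z, p):
    return pow(z % p, p - 2, p)


def cube_root(z, p):
    """For p = 2 (mod 3) cubing is a bijection of F_p; its inverse is z^((2p-1)/3)."""
    assert p % 3 == 2
    return pow(z % p, (2 * p - 1) // 3, p)


def on_curve(pt, p, a, b):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - a * x - b) % p == 0


def icart(u, p, a, b):
    """Icart's deterministic encoding (Crypto 2009).  Substituting y = u*x + v with
    v = (3a - u^4)/(6u) turns the curve equation into (x - u^2/3)^3 = v^2 - b - u^6/27,
    which one cube root solves.  f(0) = O by definition."""
    u %= p
    if u == 0:
        return INF
    v = (3 * a - pow(u, 4, p)) * inv(6 * u, p) % p
    x = (cube_root(v * v - b - pow(u, 6, p) * inv(27, p), p) + u * u * inv(3, p)) % p
    y = (u * x + v) % p
    return (x, y)


def add(P, Q, p, a):
    """Affine short-Weierstrass addition, all cases (not constant-time; illustration only)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def hash_to_field(msg, tag, p):
    """h_i(m): a 512-bit digest reduced mod the 384-bit p keeps the bias below 2^-128.
    The domain-separation tag scheme is an assumption of this example."""
    return int.from_bytes(hashlib.sha512(tag + msg).digest(), "big") % p


def hash_to_curve(msg, p=P384_P, a=P384_A, b=P384_B):
    """H(m) = f(h1(m)) + f(h2(m)): the paper's indifferentiable construction."""
    p1 = icart(hash_to_field(msg, b"icart-h1:", p), p, a, b)
    p2 = icart(hash_to_field(msg, b"icart-h2:", p), p, a, b)
    return add(p1, p2, p, a)


def image_size(p, a, b):
    """(|f(F_p)|, |E(F_p)|) on a toy curve: f alone reaches only about 5/8 of the points,
    so f(h(m)) with a single hash h is visibly non-uniform over E(F_p)."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    n_points = 1 + sum(squares.get((x**3 + a * x + b) % p, 0) for x in range(p))
    image = {icart(u, p, a, b) for u in range(p)}
    assert all(on_curve(pt, p, a, b) for pt in image)
    return len(image), n_points


if __name__ == "__main__":
    Q = hash_to_curve(b"constructed test message")
    print(on_curve(Q, P384_P, P384_A, P384_B), image_size(1019, 1, 1))
```

    The on-curve check does not depend on which b is used, only on p ≡ 2 (mod 3); the two-hash sum is what buys uniformity, since the image of f alone is a constant fraction of the curve and a single f(h(m)) would let a distinguisher tell H from a random oracle. The arithmetic here leaks through timing and is for reading, not deployment.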

    Antiplatelet therapy with aspirin, clopidogrel, and dipyridamole versus clopidogrel alone or aspirin and dipyridamole in patients with acute cerebral ischaemia (TARDIS): a randomised, open-label, phase 3 superiority trial

    Background: Intensive antiplatelet therapy with three agents might be more effective than guideline treatment for preventing recurrent events in patients with acute cerebral ischaemia. We aimed to compare the safety and efficacy of intensive antiplatelet therapy (combined aspirin, clopidogrel, and dipyridamole) with that of guideline-based antiplatelet therapy. Methods: We did an international, prospective, randomised, open-label, blinded-endpoint trial in adult participants with ischaemic stroke or transient ischaemic attack (TIA) within 48 h of onset. Participants were assigned in a 1:1 ratio using computer randomisation to receive loading doses and then 30 days of intensive antiplatelet therapy (combined aspirin 75 mg, clopidogrel 75 mg, and dipyridamole 200 mg twice daily) or guideline-based therapy (comprising either clopidogrel alone or combined aspirin and dipyridamole). Randomisation was stratified by country and index event, and minimised with prognostic baseline factors, medication use, time to randomisation, stroke-related factors, and thrombolysis. The ordinal primary outcome was the combined incidence and severity of any recurrent stroke (ischaemic or haemorrhagic; assessed using the modified Rankin Scale) or TIA within 90 days, as assessed by central telephone follow-up with masking to treatment assignment, and analysed by intention to treat. This trial is registered with the ISRCTN registry, number ISRCTN47823388. Findings: 3096 participants (1556 in the intensive antiplatelet therapy group, 1540 in the guideline antiplatelet therapy group) were recruited from 106 hospitals in four countries between April 7, 2009, and March 18, 2016. The trial was stopped early on the recommendation of the data monitoring committee. The incidence and severity of recurrent stroke or TIA did not differ between intensive and guideline therapy (93 [6%] participants vs 105 [7%]; adjusted common odds ratio [cOR] 0·90, 95% CI 0·67–1·20, p=0·47). By contrast, intensive antiplatelet therapy was associated with more, and more severe, bleeding (adjusted cOR 2·54, 95% CI 2·05–3·16, p<0·0001). Interpretation: Among patients with recent cerebral ischaemia, intensive antiplatelet therapy did not reduce the incidence and severity of recurrent stroke or TIA, but did significantly increase the risk of major bleeding. Triple antiplatelet therapy should not be used in routine clinical practice.

    Algorithms mapping into elliptic curves and applications

    Efficient Scalar Multiplication by Isogeny Decompositions

    On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication-by-ℓ map [ℓ] has degree ℓ², therefore the complexity of directly evaluating [ℓ](P) is O(ℓ²). For a small prime ℓ (ℓ = 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of applying scalar multiplication. If an elliptic curve admits an isogeny ϕ of degree ℓ, then the cost of computing ϕ(P) should in contrast be O(ℓ) field operations. Since we then have a product expression [ℓ] = ϕ̂ϕ, the existence of an ℓ-isogeny ϕ on an elliptic curve yields a theoretical improvement from O(ℓ²) to O(ℓ) operations for the evaluation of [ℓ](P) by naïve application of the defining polynomials. In this work we investigate actual improvements for small ℓ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition [ℓ] = ϕ̂ϕ, and provide explicit examples of such a family of curves with a simple decomposition for [3]. Finally, we derive a new tripling algorithm to obtain complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation with non-adjacent forms for ℓ-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.