48 research outputs found

    Towards Practical Security of Pseudonymous Signature on the BSI eIDAS Token

    In this paper we present an extension of the Pseudonymous Signature introduced by the German Federal Office for Information Security (BSI) as part of its technical recommendations for electronic identity documents. Without switching to pairing-friendly groups we enhance the scheme so that: (a) the issuer does not know the private keys of the citizen (so it cannot impersonate the citizen); (b) even a powerful adversary that breaks any number of ID cards created by the Issuer cannot forge new cards that would pass as genuine, i.e. forged cards can be proven fake; (c) deanonymization of the pseudonyms used by a citizen is a multi-party protocol in which the consent of every authority is necessary to reveal the identity of a user; (d) we propose extended features covering fully anonymous signatures and a pragmatic revocation approach; (e) we present an argument for unlinkability (cross-domain anonymity) of the presented schemes. In this way we make a step forward towards overcoming the substantial weaknesses of the Pseudonymous Signature scheme. Moreover, the extension sits on top of the original scheme with a relatively small number of changes, following the strategy of reusing the previous schemes and thereby reducing the cost of a potential technology update.

    Anonymous Deniable Identification in Ephemeral Setup & Leakage Scenarios

    In this paper we consider anonymous identification, where the verifier can check that the user belongs to a given group of users (just as with ring signatures), but a transcript of a session executed between a user and a verifier is deniable. That is, neither the verifier nor the prover can convince a third party that a given user has been involved in a session, and neither can even prove that any user at all has interacted with the verifier. Thereby one can achieve high standards for protecting personal data according to the General Data Protection Regulation: the fact that an interaction took place may itself be sensitive data from an information security perspective. We show a simple realization of this idea based on the Schnorr identification scheme arranged as for ring signatures. We show that with minor modifications one can create a version immune to leakage of ephemeral keys. We extend the above scenario to the k-out-of-n case, where the prover must use at least k private keys corresponding to the set of n public keys. With the most likely setting of k = 2 or 3, this is the practical case of multi-factor authentication that might be necessary for applications with a higher security level.
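A concrete instance of the Schnorr-based ring identification sketched in the abstract above, added here as an illustration and not code from the paper: a 1-out-of-n OR-proof in which the prover answers the verifier's challenge for every public key in the ring while knowing only one private key. The simulator shows the deniability property (an accepting transcript for any challenge can be produced with no key at all), and the last function shows the ephemeral-key leakage that the paper's modified version is meant to resist. The 64-bit safe-prime Schnorr group, the generator choice and all function names are this example's own assumptions; the paper's leakage-immune and k-out-of-n variants are not implemented.

```python
"""1-out-of-n Schnorr ring identification (CDS-style OR-proof), interactive 3-move form.
Toy 64-bit safe-prime group generated on the fly: far too small for real use; the
group, sizes and function names are this example's assumptions, not the paper's."""
import secrets

# Deterministic Miller-Rabin bases: exact for all n < 3.3e24, so fine for 64-bit p.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64):
    """(p, q, g) with p = 2q + 1 a safe prime; g = 4 = 2^2 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def keygen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1          # private key in [1, q-1]
    return x, pow(g, x, p)                     # (x, y = g^x)


class RingProver:
    """Knows the private key x of pubkeys[j]; the other n-1 sub-proofs are simulated."""

    def __init__(self, group, pubkeys, j, x):
        self.p, self.q, self.g = group
        self.ys, self.j, self.x = pubkeys, j, x

    def commit(self):
        p, q, g = self.p, self.q, self.g
        n = len(self.ys)
        self.cs, self.ss, a = [None] * n, [None] * n, [None] * n
        for i, y in enumerate(self.ys):
            if i == self.j:                    # real Schnorr commitment g^r
                self.r = secrets.randbelow(q)
                a[i] = pow(g, self.r, p)
            else:                              # simulated: choose (c_i, s_i), derive a_i
                self.cs[i] = secrets.randbelow(q)
                self.ss[i] = secrets.randbelow(q)
                a[i] = pow(g, self.ss[i], p) * pow(y, q - self.cs[i], p) % p
        return a

    def respond(self, c):
        q = self.q
        cj = (c - sum(ci for i, ci in enumerate(self.cs) if i != self.j)) % q
        self.cs[self.j] = cj                   # forced by the rule sum(c_i) = c
        self.ss[self.j] = (self.r + cj * self.x) % q
        return list(self.cs), list(self.ss)


def verify(group, pubkeys, a, c, cs, ss):
    p, q, g = group
    if not (len(a) == len(cs) == len(ss) == len(pubkeys)) or sum(cs) % q != c % q:
        return False
    return all(pow(g, s, p) == ai * pow(y, ci, p) % p
               for ai, y, ci, s in zip(a, pubkeys, cs, ss))


def run_session(group, pubkeys, j, x):
    """Honest three-move exchange; returns the transcript plus the prover's ephemeral r."""
    prover = RingProver(group, pubkeys, j, x)
    a = prover.commit()                        # move 1: commitments a_1..a_n
    c = secrets.randbelow(group[1])            # move 2: verifier's challenge
    cs, ss = prover.respond(c)                 # move 3: response (c_1..c_n, s_1..s_n)
    return {"a": a, "c": c, "cs": cs, "ss": ss, "r": prover.r}


def simulate(group, pubkeys, c):
    """Deniability: an accepting transcript for any challenge c, produced with no key at all."""
    p, q, g = group
    cs = [secrets.randbelow(q) for _ in pubkeys[1:]]
    cs.append((c - sum(cs)) % q)
    ss = [secrets.randbelow(q) for _ in pubkeys]
    a = [pow(g, s, p) * pow(y, q - ci, p) % p for y, ci, s in zip(pubkeys, cs, ss)]
    return a, cs, ss


def key_from_leaked_ephemeral(q, r, cj, sj):
    """Why the paper needs a leakage-immune variant: leaking r gives x_j = (s_j - r)/c_j mod q."""
    return None if cj == 0 else (sj - r) * pow(cj, -1, q) % q
```

Because the challenge is the verifier's only contribution, the verifier's own record of a session is exactly as forgeable (via `simulate`) as anyone else's, which is what makes the transcript deniable; a third party learns nothing from it beyond what the public keys already reveal.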

    Multihead one-way finite automata

    Abstract. We consider one-way non-sensing multihead finite automata. Let $P_m = \{1^{a_1} * 1^{a_2} * \dots * 1^{a_m} \# 1^{a_m} * 1^{a_{m-1}} * \dots * 1^{a_1} : a_1, \dots, a_m \in \mathbb{N}\}$. We show that no $k$-head automaton can recognize the language $P_m$ if $m > 12k^3$. This partially confirms the conjecture of Rosenberg. It also shows that the languages $P_m$ and the languages $L_m$, where $L_m = \{W_1 * W_2 * \dots * W_m \# W_m * W_{m-1} * \dots * W_1 : W_1, \dots, W_m \in \{0,1\}^*\}$, are of similar complexity for one-way multihead finite automata. We present a technique which can be used in some cases to estimate the computational complexity of languages with respect to multihead automata.

    COMPUTATIONAL POWER OF ONE-WAY MULTIHEAD FINITE AUTOMATA

    No full text
    In this paper we sketch our results concerning one-way multihead finite automata (1-MFA). The full version with complete proofs can be found in a series of papers ([3],[4],[5],[6]). 1-MFA belong to the weakest models of computational devices. Despite that, they recognize many interesting and important languages. They work in linear time, so the algorithms running on 1-MFA are in some sense practical. Unfortunately, many important questions concerning 1-MFA have turned out to be hard to answer, despite the simplicity of the computational model. We obtain results that answer some of these open questions. Before we proceed, we briefly recall the definition of a 1-MFA. A 1-MFA consists of an input tape, some number of read-only heads and a control unit with finitely many internal states (see figure 1). Input words are placed on the input tape, each symbol occupying one cell. Initially all heads are placed on the leftmost input symbol. During a computation the heads move independently on the tape (no moves to the left are allowed) and read different symbols of the input word. The computation consists of several steps, during which the internal state can change and the heads can move to the right. These actions are determined at each step by
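As an added illustration of the model just described (example code, not from either of the two automata papers above): a small simulator for a one-way k-head automaton, driven by a transition function that maps the current state and the k symbols under the heads to a next state and a choice of which heads advance, together with a two-head automaton for the simplest of the $L_m$ languages, $L_1 = \{W \# W : W \in \{0,1\}^*\}$. The right end-marker, the reject-on-undefined-transition convention, the state names and the step bound are assumptions of this example.

```python
"""Simulator for a one-way k-head finite automaton (1-MFA), following the model in the
abstract: read-only heads start on the leftmost symbol and move only to the right, and a
finite control picks (next state, which heads advance) from the state and the k symbols
read. The end-marker, the state names and the reject-on-undefined-transition rule are
assumptions of this example, as is the two-head automaton for { W # W : W in {0,1}* }."""

END = "$"   # assumed right end-marker appended to every input word


def run_1mfa(delta, start, word, heads):
    """delta(state, symbols) -> (next_state, moves) or None (= reject).
    moves is a tuple of 0/1 flags, one per head. Returns True iff 'accept' is reached."""
    tape = list(word) + [END]
    pos = [0] * heads
    state = start
    # One-way heads: every productive step advances some head, so at most
    # heads * len(tape) steps can happen; beyond that the run is stuck in place.
    for _ in range(heads * len(tape) + 1):
        if state == "accept":
            return True
        step = delta(state, tuple(tape[p] for p in pos))
        if step is None:
            return False
        state, moves = step
        for h, mv in enumerate(moves):
            if mv:
                if pos[h] == len(tape) - 1:    # a head cannot move past the end-marker
                    return False
                pos[h] += 1
    return state == "accept"


def delta_ww(state, syms):
    """Two heads decide { W # W }: head 2 skips to just past '#', then both heads walk in
    lockstep comparing symbols until head 1 reads '#' while head 2 reads the end-marker."""
    s1, s2 = syms
    if state == "seek":
        if s2 == "#":
            return "cmp", (0, 1)
        if s2 in "01":
            return "seek", (0, 1)
    elif state == "cmp":
        if s1 == "#" and s2 == END:
            return "accept", (0, 0)
        if s1 in "01" and s1 == s2:
            return "cmp", (1, 1)
    return None                                # undefined transition: reject


def accepts_ww(word):
    """True iff word is W#W for some W over {0,1}."""
    return run_1mfa(delta_ww, "seek", word, heads=2)
```

The heads never move left and never sense each other, so the comparison has to be arranged so that head 1 lags exactly one block behind head 2; a one-head automaton cannot do this, which is the kind of head-count lower bound the papers above study.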

    Computing average value in ad hoc networks

    No full text
    Abstract. We consider a single-hop sensor network with n = Θ(N) stations using R independent communication channels. Communication between the stations can fail at random or be scrambled by an adversary so that it cannot be distinguished from random noise. Assume that each station S_i holds an integer value T_i. The problem we consider is to replace the values T_i by their average (rounded to an integer). A typical situation is a local sensor network that needs to make a decision based on the values read by its sensors, by computing the average value or by some kind of voting. We design a protocol that solves this problem in O(N/R · log N) steps. The protocol is robust: a constant random fraction of messages can be lost (through communication channel failure, adversarial action or synchronization problems). Also, a constant fraction of stations may go down (or be destroyed by an adversary) without serious consequences for the rest. The algorithm is well suited for dynamic systems in which the values T_i may change: once started, the protocol runs forever.