We provide a formal model for identification schemes. Under this model, we give strong definitions for security and privacy. Our model captures the notion of a powerful adversary who can monitor all communications, trace tags within a limited period of time, corrupt tags, and get side channel information on the reader output. Adversaries who do not have access to this side channel are called narrow adversaries. Depending on restrictions on corruption, adversaries are called strong, destructive, forward, or weak adversaries. We derive some separation results: strong privacy is impossible. Narrow-strong privacy implies key agreement. We also prove some constructions: narrow-strong and forward privacy based on a public-key cryptosystem, narrow-destructive privacy based on a random oracle, and weak privacy based on a pseudorandom function.
Abstract. Linear cryptanalysis, introduced last year by Matsui, will most certainly open up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis. This paper exhibits new relations between linear and differential cryptanalysis and presents new classes of functions which are optimally resistant to these attacks. In particular, we prove that linear-resistant functions, which generally present bent properties, are differential-resistant as well and thus present perfect nonlinear properties.
Abstract. Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.

Keywords: Block ciphers, linear cryptanalysis, statistical cryptanalysis.

A Decade of Linear Cryptanalysis

Linear cryptanalysis is a known-plaintext attack proposed in 1993 by Matsui [21,22] to break DES [26], exploiting specific correlations between the input and the output of a block cipher. Namely, the attack traces the statistical correlation between one bit of information about the plaintext and one bit of information about the ciphertext, both obtained linearly with respect to GF(2)^L (where L is the block size of the cipher), by means of probabilistic linear expressions, a concept previously introduced by Tardy-Corfdir and Gilbert [30].

Soon after, several attempts to generalize linear cryptanalysis were published: Kaliski and Robshaw [13] demonstrate how it is possible to combine several independent linear correlations depending on the same key bits. In [31], Vaudenay defines another kind of attack on DES, called the χ²-attack, and shows that one can obtain an attack slightly less powerful than a linear cryptanalysis, but without the need to know precisely what happens in the block cipher.
Harpes, Kramer, and Massey [7] replace the linear expressions with so-called I/O sums, i.e., balanced binary-valued functions; they prove the potential effectiveness of such a generalization by exhibiting a block cipher secure against conventional linear cryptanalysis but vulnerable to their generalization. Practical examples are the attack of Knudsen and Robshaw [15] against LOKI91 and the one of Shimoyama and Kaneko [28] against DES, which both use non-linear approximations.

In [8], Harpes and Massey generalize the results of [7] by considering pairs of partitions of the input and output spaces. Let X = {X_1, X_2, ..., X_n} and P
Abstract. We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoration of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.

On Building Secure Communications

One of the key issues of modern cryptography is the problem of establishing a secure peer-to-peer communication over an insecure channel. Assuming that we can establish a private and authenticated key, standard tunneling techniques can achieve it. In the seminal work of Merkle [32] and Diffie and Hellman [18], the private and authenticated key establishment problem was reduced to establishing a communication in which messages are authenticated. Public key cryptosystems such as RSA [39] further reduce it to the establishment of an authenticated public key.
Note that the seed authentication is also a limiting factor for quantum cryptography [10].

Another major step was the notion of password-based authenticated key agreement, which was first proposed by Bellovin and Merritt [8,9] and whose security was proven by Bellare, Pointcheval, and Rogaway [5] in the random oracle model. Another protocol, provably secure in the standard model, was proposed by Katz, Ostrovsky, and Yung [29]. Here, we assume that a private and authenticated short password was set up prior to the protocol. The key agreement protocol is such that no offline dictionary attack is feasible against the password, so that the threat model restricts to online password-guessing attacks, which are easily detectable.¹ When compared to the above approach, we thus reduce the size of the initial key, but we require its confidentiality again.

¹ See Chapter 7 of [12] for a survey on password-based authenticated key agreement.
In RFID protocols, tags identify and authenticate themselves to readers. At Asiacrypt 2007, Vaudenay studied security and privacy models for these protocols. We extend this model to protocols which offer reader authentication to tags. Whenever corruption is allowed, we prove that secure protocols cannot protect privacy unless we assume tags have a temporary memory which vanishes by itself. Under this assumption, we study several protocols. We enrich a few basic protocols to get secure mutual authentication RFID protocols which achieve weak privacy based on pseudorandom functions only, narrow-destructive privacy based on random oracles, and narrow-strong and forward privacy based on public-key cryptography.