Most recent issue published online for the International Journal of Applied Cryptography.

Session-StateReveal is stronger than eCKs EphemeralKeyReveal: using automatic analysis to attack the NAXOS protocol

Cas J.F. Cremers — 2011-01-28T23:20:50-05:00

Session-StateReveal is stronger than eCKs EphemeralKeyReveal: using automatic analysis to attack the NAXOS protocol
Cas J.F. Cremers
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 83 - 99
In the paper, 'stronger security of authenticated key exchange' (LaMacchia et al., 2006, 2007), a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols, such as the CK model (Canetti and Krawczyk, 2001; Krawczyk, 2005). The model includes a new notion of an EphemeralKeyReveal adversary query, which is claimed in e.g., LaMacchia et al. (2006), Okamoto (2007), and Ustaoglu (2008), to be at least as strong as the Session-StateReveal query. We investigate the relation between the two models by focusing on the difference in adversary queries. We formally model the NAXOS protocol and a variant of the eCK model, called eCK', in which the EphemeralKeyReveal query is replaced by the Session-StateReveal query. Using Scyther, a formal protocol analysis tool, we automatically find attacks on the protocol, showing that the protocol is insecure in the eCK' model. Our attacks prove that the Session-StateReveal query is stronger than the EphemeralKeyReveal query and that the eCK security model is incomparable to the CK model, disproving several claims made in the literature.

On message recognition protocols: recoverability and explicit confirmation

Ian Goldberg — 2011-01-28T23:20:50-05:00

On message recognition protocols: recoverability and explicit confirmation
Ian Goldberg, Atefeh Mashatan, Douglas R. Stinson
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 100 - 120
We look at message recognition protocols (MRPs) and prove that there is a one-to-one correspondence between stateless non-interactive MRPs and digital signature schemes. Next, we examine the Jane Doe protocol and note its inability to recover in case of a certain adversarial disruption. We propose a variant of this protocol which is equipped with a resynchronisation technique that allows users to resynchronise whenever they wish. Moreover, we propose another protocol which self-recovers in case of an intrusion. This protocol incorporates the resynchronisation technique within itself. Further, we enumerate all possible attacks against this protocol and show that none of the attacks can occur. Finally, we prove the security of the new protocol and its ability to self-recover once the disruption has stopped. Finally, we propose an MRP which provides explicit confirmation to the sender on whether or not the message was accepted by the receiver.

Theoretical and practical aspects of mutual information-based side channel analysis

E. Prouff — 2011-01-28T23:20:50-05:00

Theoretical and practical aspects of mutual information-based side channel analysis
E. Prouff, M. Rivain
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 121 - 138
A large variety of side channel analyses performed on embedded devices involve the linear correlation coefficient as wrong-key distinguisher. This coefficient is actually a sound statistical tool to quantify linear dependencies between univariate variables. At CHES 2008, Gierlichs et al. proposed to use the mutual information measure as an alternative to the correlation coefficient since it detects any kind of statistical dependency. Substituting it for the correlation coefficient may indeed be considered as a natural extension of the existing attacks. Nevertheless, the first published applications have raised several open issues. In this paper, we conduct a theoretical analysis of MIA in the Gaussian leakage model to explore the reasons why and when it is a sound key recovery attack. Also, we generalise MIA to higher-orders (i.e., against masked implementations). Secondly, we address the main practical issue of MIA: the mutual information estimation which itself relies on the estimation of statistical distributions. We describe three classical estimation methods and we apply them in the context of MIA. Eventually, we present various attack simulations and practical attack experiments that allow us to check the efficiency of MIA in practice and to compare it to classical correlation-based attacks.

Fair threshold decryption with semi-trusted third parties

Jeongdae Hong — 2011-01-28T23:20:50-05:00

Fair threshold decryption with semi-trusted third parties
Jeongdae Hong, Jinil Kim, Jihye Kim, Matthew K. Franklin, Kunsoo Park
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 139 - 153
A threshold decryption scheme is a multi-party public key cryptosystem that allows any sufficiently large subset of participants to decrypt a ciphertext, but disallows the decryption otherwise. Many threshold cryptographic schemes have been proposed so far, but fairness is not generally considered in this earlier work. In this paper, we present fair threshold decryption schemes, where either all of the participants can decrypt or none of them can. Our solutions employ semi-trusted third parties (STTP) and offline semi-trusted third parties (OTTP) previously used for fair exchange. We consider a number of variants of our schemes to address realistic alternative trust scenarios. Although we describe our schemes using a simple hashed version of ElGamal encryption, our methods generalise to other threshold decryption schemes and threshold signature schemes as well.

On reusing ephemeral keys in Diffie-Hellman key agreement protocols

Alfred Menezes — 2011-01-28T23:20:50-05:00

On reusing ephemeral keys in Diffie-Hellman key agreement protocols
Alfred Menezes, Berkant Ustaoglu
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 154 - 158
A party may choose to reuse ephemeral public keys in a Diffie-Hellman key agreement protocol in order to reduce its computational workload or to mitigate against denial-of-service attacks. In this note, we show that small-subgroup attacks can be successfully launched on some Diffie-Hellman protocols that reuse ephemeral keys if domain parameters are not appropriately selected or if public keys are not appropriately validated.

Unconditionally reliable and secure message transmission in undirected synchronous networks: possibility, feasibility and optimality

Arpita Patra — 2011-01-28T23:20:50-05:00

Unconditionally reliable and secure message transmission in undirected synchronous networks: possibility, feasibility and optimality
Arpita Patra, Ashish Choudhury, C. Pandu Rangan, Kannan Srinathan
International Journal of Applied Cryptography, Vol. 2, No. 2 (2010) pp. 159 - 197
We study the interplay of network connectivity and the issues related to the 'possibility', 'feasibility' and 'optimality' for unconditionally reliable message transmission (URMT) and unconditionally secure message transmission (USMT) in an undirected synchronous network, under the influence of an adaptive mixed adversary having unbounded computing power, who can corrupt some of the nodes in the network in Byzantine, omission, fail-stop and passive fashion respectively. We consider two types of adversary, namely threshold and non-threshold. One of the important conclusions we arrive at from our study is that allowing a negligible error probability significantly helps in the 'possibility', 'feasibility' and 'optimality' of both reliable and secure message transmission protocols. To design our protocols, we propose several new techniques which are of independent interest.