Papers by Bogdan Warinschi

Computing the Hermite Normal Form of an n×n matrix using the best current algorithms typically requires O(n^3 log M) space, where M is a bound on the length of the columns of the input matrix. Although polynomial in the input size (which is O(n^2 log M)), this space blow-up can easily become a serious issue in practice when working on big integer matrices. In this paper we present a new algorithm for computing the Hermite Normal Form which uses only O(n^2 log M) space (i.e., essentially the same as the input size). When implemented using standard integer arithmetic, our algorithm has the same time complexity as the asymptotically fastest (but space inefficient) algorithms. We also suggest simple heuristics that, when incorporated in our algorithm, result in essentially the same asymptotic running time as the theoretically fastest solutions, while keeping our algorithm extremely practical.
Lecture Notes in Computer Science, 2008
We study the security of the widely deployed Secure Sockets Layer/Transport Layer Security (SSL/TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.
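The pre-master to master to application-key layering that the abstract refers to, shown as an added example (not code from the paper): the TLS 1.2 key derivation of RFC 5246 with its SHA-256-based PRF. The client/server randoms and the pre-master secret are constructed test inputs, and the default MAC/key/IV lengths assume AES-128-CBC with HMAC-SHA256; TLS 1.3 replaced this PRF with HKDF, so the layering is the same but the functions differ.

```python
import hashlib
import hmac

# Added example: TLS 1.2 key hierarchy (RFC 5246 sections 5, 6.3 and 8.1),
# not code from the paper. pre-master secret -> master secret -> key block.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 1: the interactively agreed pre-master secret yields the 48-byte master secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int, key_len: int, iv_len: int) -> dict:
    """Step 2: the record-layer (application) keys depend on the master secret only.
    Note the reversed order of the randoms compared with the master secret derivation."""
    sizes = [("client_write_MAC_key", mac_len), ("server_write_MAC_key", mac_len),
             ("client_write_key", key_len), ("server_write_key", key_len),
             ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    block = prf(master, b"key expansion", server_random + client_random,
                sum(n for _, n in sizes))
    keys, off = {}, 0
    for name, n in sizes:
        keys[name] = block[off:off + n]
        off += n
    return keys


def handshake_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                   mac_len: int = 32, key_len: int = 16, iv_len: int = 16):
    """Whole hierarchy: returns (master_secret, record keys). The default lengths
    assume AES-128-CBC with HMAC-SHA256 (an assumption of this example)."""
    master = derive_master_secret(pre_master, client_random, server_random)
    return master, derive_key_block(master, client_random, server_random,
                                    mac_len, key_len, iv_len)


if __name__ == "__main__":
    # constructed test inputs, not captured traffic
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    pm = b"\x03\x03" + bytes(46)   # RSA-style pre-master: version || 46 "random" bytes
    master, keys = handshake_keys(pm, cr, sr)
    print("master secret:", master.hex())
    for name, k in keys.items():
        print(f"{name}: {k.hex()}")
```

Because the record keys are a function of the master secret alone, a proof about the record layer only needs the master secret to be indistinguishable from random, which is the split the abstract's modular analysis exploits.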
Lecture Notes in Computer Science, 2005
The only known blind signature scheme that is secure in the standard model (20) is based on general results about multi-party computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is

Lecture Notes in Computer Science, 2009
Computational puzzles are mildly difficult computational problems that require resources (processor cycles, memory, or both) to solve. Puzzles have found a variety of uses in security. In this paper we are concerned with client puzzles: a type of puzzle used as a defense against Denial of Service (DoS) attacks. Before engaging in a resource consuming protocol with a client, a server demands that the client solve a freshly generated client puzzle. Despite their widespread use, the lack of formal models for the security of client puzzles prevents a full analysis of proposed puzzles and, more importantly, prevents rigorous proofs of the effectiveness of puzzles as a DoS defense. The main contribution of this paper is a formal model for the security of client puzzles as a stepping stone towards solving the above problems. We clarify the interface that client puzzles should offer and give two security notions for puzzles. Both functionality and security are inspired by, and tailored to, the use of puzzles as a defense against DoS attacks. The first notion, puzzle unforgeability, requires that an adversary is unable to produce valid-looking puzzles on its own. The second notion, puzzle difficulty, requires that an adversary spends at least an appropriate amount of resources solving puzzles. Our definitions fill an important gap: breaking either of the two properties immediately leads to successful DoS attacks. We illustrate this point with an attack against a previously proposed puzzle construction. We show that a subtle flaw renders the construction forgeable and we explain how to exploit this flaw to mount a DoS attack on certain protocols that use this puzzle. We also provide a generic construction of a client puzzle. Our construction uses a pseudorandom function family to provide unforgeability and a one-way function for the difficulty.
We prove our generic construction meets our definitions of unforgeability and difficulty for client puzzles. Finally, we discuss and analyze (in the random oracle model) a practical instantiation of our construction based on hash functions.
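An added illustration of the two properties, not the paper's construction or code: a hash-based client puzzle in the spirit of the generic construction described above, with HMAC-SHA256 under a server-held key playing the pseudorandom function (unforgeability) and a partial preimage search on SHA-256 as the difficulty. The puzzle layout, the expiry field and the difficulty parameter k are assumptions of this example.

```python
import hashlib
import hmac
import itertools
import os
import secrets
import time

# Added example in the spirit of the generic construction described above; not
# the paper's scheme. Unforgeability: HMAC-SHA256 under a server key (the PRF).
# Difficulty: find x with SHA256(tag || x) starting with k zero bits (~2^k hashes).


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def check_solution(tag: bytes, solution: bytes, k: int) -> bool:
    """Difficulty predicate: the solver has no shortcut beyond ~2^k SHA-256 calls."""
    return leading_zero_bits(hashlib.sha256(tag + solution).digest()) >= k


def solve(puzzle: tuple, k: int) -> bytes:
    """Client side: brute-force an 8-byte counter until the predicate holds."""
    tag = puzzle[3]
    for i in itertools.count():
        candidate = i.to_bytes(8, "big")
        if check_solution(tag, candidate, k):
            return candidate


class PuzzleServer:
    """Stateless server: a puzzle is (client_id, expiry, nonce, tag) with
    tag = PRF_key(client_id, expiry, nonce); the key never leaves the server,
    so nobody else can mint puzzles the server will accept."""

    def __init__(self, k: int, lifetime_s: int = 30):
        self.key = secrets.token_bytes(32)
        self.k = k
        self.lifetime_s = lifetime_s

    def _tag(self, client_id: bytes, expiry: int, nonce: bytes) -> bytes:
        msg = b"%s|%d|%s" % (client_id, expiry, nonce)
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def new_puzzle(self, client_id: bytes, nonce: bytes = None) -> tuple:
        nonce = os.urandom(16) if nonce is None else nonce
        expiry = int(time.time()) + self.lifetime_s
        return (client_id, expiry, nonce, self._tag(client_id, expiry, nonce))

    def verify(self, puzzle: tuple, solution: bytes) -> bool:
        client_id, expiry, nonce, tag = puzzle
        if time.time() > expiry:
            return False                                   # stale puzzle
        if not hmac.compare_digest(tag, self._tag(client_id, expiry, nonce)):
            return False                                   # forged or tampered puzzle
        return check_solution(tag, solution, self.k)       # difficulty check


if __name__ == "__main__":
    server = PuzzleServer(k=12)
    puzzle = server.new_puzzle(b"client-1")
    print("accepted:", server.verify(puzzle, solve(puzzle, server.k)))
    # A puzzle the server never issued: its solution satisfies the predicate,
    # but the tag check rejects it.
    forged = puzzle[:3] + (hashlib.sha256(b"attacker").digest(),)
    print("forged accepted:", server.verify(forged, solve(forged, server.k)))
```

The example checks expiry but not replay: a deployment would also remember accepted nonces until they expire, otherwise one solved puzzle buys unlimited connections within the lifetime window. Tuning k moves the cost between the two failure modes the abstract names: too low and the difficulty notion is empty, while a forgeable tag would let an attacker skip the work entirely.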

Lecture Notes in Computer Science, 2006
The indistinguishability of two pieces of data (or two lists of pieces of data) can be represented formally in terms of a relation called static equivalence. Static equivalence depends on an underlying equational theory. The choice of an inappropriate equational theory can lead to overly pessimistic or overly optimistic notions of indistinguishability, and in turn to security criteria that require protection against impossible attacks or, worse yet, that ignore feasible ones. In this paper, we define and justify an equational theory for standard, fundamental cryptographic operations. This equational theory yields a notion of static equivalence that implies computational indistinguishability. Static equivalence remains liberal enough for use in applications. In particular, we develop and analyze a principled formal account of guessing attacks in terms of static equivalence.
Lecture Notes in Computer Science, 2003
This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereby unifying and simplifying the requirements for this primitive. Finally we prove the existence of a construct meeting our definitions based only on the assumption that trapdoor permutations exist.

Lecture Notes in Computer Science, 2010
The Fiat-Shamir (FS) transform is a popular tool to produce particularly efficient digital signature schemes out of identification protocols. It is known that the resulting signature scheme is secure (in the random oracle model) if and only if the identification protocol is secure against passive impersonators. A similar result holds for constructing ID-based signature schemes out of ID-based identification protocols. The transformation has also been applied to identification protocols with additional privacy properties. So, via the FS transform, ad-hoc group identification schemes yield ring signatures and identity escrow schemes yield group signature schemes. Unfortunately, results akin to those above are not known to hold for these latter settings: the security of the schemes obtained this way does not clearly follow from that of the base identification protocol and needs to be proved from scratch, or worse, some papers seem to simply assume that the transformation works without proof. In this paper we provide the missing foundations for the use of the FS transform in these more complex settings. We start with defining a formal security model for identity escrow schemes (a concept proposed earlier but never rigorously formalized). Our main result consists of necessary and sufficient conditions for an identity escrow scheme to yield (via the FS transform) a secure group signature scheme. In addition, we discuss several variants of this result that account for constructions of group signatures that fulfill weaker notions of security. Finally, using the similarity between group and ring signature schemes, we give analogous results for the latter primitive.

Lecture Notes in Computer Science, 2012
The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs. This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems when zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election. On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs. This level of security was assumed in previous works on Helios, and our results are therefore necessary for those analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.
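The weak/strong distinction, as an added example (not the paper's code): a Schnorr proof of knowledge of a discrete logarithm, with the challenge computed over the commitment alone (weak) or over the statement and the commitment (strong), and the adaptive forgery the weak variant admits, in which the prover fixes the commitment and response first and then solves for the statement. The group (a 60-bit safe prime found in the block) and the hash-to-challenge function are constructed for this example; in a voting system the statement would be the public key or ciphertext the proof is attached to.

```python
import hashlib
import secrets

# Added example, not the paper's code: Schnorr proof of knowledge of x = log_G(y)
# under the weak (hash the commitment only) and strong (hash statement and
# commitment) Fiat-Shamir transforms, plus the adaptive forgery against weak FS.


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int):
    """Smallest safe prime p = 2q + 1 with q >= 2^bits; g = 4 generates the order-q subgroup."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group(60)   # toy parameters; real systems use 256-bit q or curves


def challenge(*parts: int) -> int:
    """Hash-to-challenge: everything passed in parts is bound into c."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove(x: int, y: int, strong: bool):
    """Honest prover: commitment a = g^r, challenge c, response z = r + c*x."""
    r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)
    c = challenge(y, a) if strong else challenge(a)   # the only difference
    return a, (r + c * x) % Q


def verify(y: int, proof, strong: bool) -> bool:
    a, z = proof
    c = challenge(y, a) if strong else challenge(a)
    return pow(G, z, P) == a * pow(y, c, P) % P


def forge_weak():
    """Adaptive forgery against weak FS: pick the commitment a and the response z
    first, then choose the statement y so that g^z = a * y^c. The forger never
    learns log_G(y) (a is a random square, so even log_G(a) is unknown to it)."""
    while True:
        a = pow(secrets.randbelow(P - 3) + 2, 2, P)   # random element of the order-q subgroup
        c = challenge(a)                               # fixed before y exists
        if c:
            break
    z = secrets.randbelow(Q)
    base = pow(G, z, P) * pow(a, -1, P) % P           # g^z * a^-1, an element of <g>
    y = pow(base, pow(c, -1, Q), P)                    # y = base^(1/c mod q), so y^c = base
    return y, (a, z)


if __name__ == "__main__":
    x, y = keygen()
    print("honest strong proof verifies:", verify(y, prove(x, y, True), True))
    fy, fproof = forge_weak()
    print("forged statement, weak FS:   ", verify(fy, fproof, False))   # True
    print("same forgery, strong FS:     ", verify(fy, fproof, True))    # False
```

Under strong FS the challenge already depends on y, so the forger cannot solve for y after committing; under weak FS the proof says nothing about the prover's knowledge of the secret, which is what a voting system relies on when it accepts a proof of correct key generation or of a well-formed ballot.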

Lecture Notes in Computer Science, 2004
We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows one to express security properties and carry out proofs using a simple logic-based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.
Lecture Notes in Computer Science, 2009
A number of previous papers explored the notion of identity-based group signature. We present a generic construction of identity-based group signatures. Our construction is based on the Naor transformation of an identity-based signature out of an identity-based encryption scheme, adjusted to hierarchical identity-based encryption. We identify sufficient conditions on the underlying HIBE so that the scheme that results from our transformation meets our security definitions. Finally, we suggest a couple of extensions enabled by our construction, one of which is to hierarchical identity-based group signatures.
Proceedings of the 2001 international symposium on Symbolic and algebraic computation - ISSAC '01, 2001
Computing the Hermite Normal Form of an n×n integer matrix using the best current algorithms typically requires O(n^3 log M) space, where M is a bound on the entries of the input matrix. Although polynomial in the input size (which is O(n^2 log M)), this space blow-up ...

Since their introduction in 2008, the non-interactive zero-knowledge (NIZK) and non-interactive witness indistinguishable (NIWI) proofs designed by Groth and Sahai have been used in numerous applications. In this paper we offer two contributions to the study of these proof systems. First, we identify and correct some errors, present in the original online manuscript, that occur in two of the three instantiations of the Groth-Sahai NIWI proofs, for which the equation checked by the verifier is not valid for honest executions of the protocol. (In particular, implementations of these proofs would not work correctly.) We explain why, perhaps surprisingly, the NIZK proofs that are built from these NIWI proofs do not suffer from a similar problem. Second, we study the efficiency of existing instantiations and note that only one of the three instantiations has the potential of being practical. We therefore propose a natural extension of an existing assumption from symmetric pairings to asymmetric ones, which in turn enables Groth-Sahai proofs based on new classes of efficient pairings.
In this paper, we study the Dynamic Decisional Diffie-Hellman (3DH) problem, a powerful generalization of the Decisional Diffie-Hellman (DDH) problem. Our main result is that DDH implies 3DH. This result leads to significantly simpler proofs for protocols by relying directly on the more general problem. Our second contribution is a computationally sound symbolic technique for reasoning about protocols that use symmetric encryption and modular exponentiation. We show how to apply our results in the case of the Burmester & Desmedt protocol.

Lecture Notes in Computer Science, 2009
Showing that a circuit is satisfiable without revealing information is a key problem in modern cryptography. The related (and more general) problem of showing that a circuit evaluates to a particular value if executed on the input contained in a public commitment has potentially multiple practical applications. Although numerous solutions for the problem have been proposed, their practical applicability is poorly understood. In this paper, we take an important step towards moving existing solutions to practice. We implement and evaluate four solutions for the problem. We investigate solutions both in the common reference string model and the random oracle model. In particular, in the CRS model we use the recent techniques of Groth–Sahai for proofs that use bilinear groups in the asymmetric pairings environment. We provide various optimizations to the different solutions we investigate. We present timing results for two circuits, the larger of which is an implementation of AES that uses about 30000 gates.

Lecture Notes in Computer Science, 2007
Some cryptographic tasks, such as contract signing and other related tasks, need to ensure complex, branching time security properties. When defining such properties one needs to deal with subtle problems regarding the scheduling of non-deterministic decisions, the delivery of messages sent on resilient (non-adversarially controlled) channels, fair executions (executions where no party, honest or dishonest, is unreasonably precluded from performing its actions), and defining strategies of adversaries against all possible non-deterministic choices of parties and arbitrary delivery of messages via resilient channels. These problems are typically not addressed in cryptographic models, and these models therefore do not suffice to formalize branching time properties, such as those required of contract signing protocols. In this paper, we develop a cryptographic model that deals with all of the above problems. One central feature of our model is a general definition of fair scheduling which not only formalizes fair scheduling of resilient channels but also fair scheduling of actions of honest and dishonest principals. Based on this model and the notion of fair scheduling, we provide a definition of a prominent branching time property of contract signing protocols, namely balance, and give the first cryptographic proof that the Asokan-Shoup-Waidner two-party contract signing protocol is balanced.

... a signed contract from A (no matter how A, the TTP, and the resilient channels behave) and ii) a (possibly different) strategy to prevent A from obtaining a signed contract from B (no matter how A, the TTP, and the resilient channels behave).
Since, when following one of these strategies, the adversary, i.e., B, has to achieve his goal (obtaining a signed contract or preventing A from obtaining a signed contract) against the behavior of other entities that he cannot control or foresee (non-deterministic choices of A and delivery of messages on resilient channels), in a computational model it is necessary to determine the behavior of these entities by a scheduler which is independent of the adversary and, in fact, may work against the adversary. Moreover, for the balance property to make sense, the scheduler should not stop the run of a system if one of the entities in the system (A, the TTP, the resilient channels, the adversary) "can still take an action". In other words, the scheduling should be fair for all entities (both honest and dishonest). For example, if at some point A could still contact the TTP, then the scheduler should not stop the run of the system at this point but should eventually schedule A: contacting the TTP might enable A to get the contract. Stopping the system before scheduling A would be unfair and unrealistic, since no one stops A from contacting the TTP in a real protocol run. Note that a scheduler is just an imaginary entity that is only needed to model how things are potentially scheduled in a real protocol run. Conversely, if B (the adversary) wants to send a message to the TTP, the scheduler should not stop the run of the system but eventually schedule B: sending a message to the TTP might enable B to obtain a signed contract which he otherwise might not be able to get. Again, stopping the system before scheduling B would be unfair and unrealistic, since no one stops B from contacting the TTP in a real protocol run. Note that B is an arbitrary adversary (machine), and hence a general notion of fair scheduling is needed to capture whether "B can still take an action" (e.g., send a message).
Lecture Notes in Computer Science, 2006
The standard symbolic, deducibility-based notions of secrecy are in general insufficient from a cryptographic point of view, especially in the presence of hash functions. In this paper we devise and motivate a more appropriate secrecy criterion which exactly captures a standard cryptographic notion of secrecy for protocols involving public-key encryption and hash functions: protocols that satisfy it are computationally secure, while any violation of our criterion directly leads to an attack. Furthermore, we prove that our criterion is decidable via an NP decision procedure. Our results hold for standard security notions for encryption and hash functions modeled as random oracles.