Adriana Suárez Corona

Group Key Establishment: Adding Perfect Forward Secrecy at the Cost of One Round

A compiler is presented which, in the random oracle model, allows to add perfect forward secrecy to any secure authenticated group key establishment protocol P which has at least one round. The compiler does not modify the session identifier and does not impose changes on the underlying public key infrastructure. Building on a secure unauthenticated 1-round 2-party key establishment Q with perfect forward secrecy as auxiliary input, P is transformed into an authenticated group key establishment protocol with perfect forward secrecy and with one more round than P.

The Roll of Dices in Cryptology

Probability plays a fundamental role in complexity theory, which in turn is one of the pillars of modern cryptology. However, security practitioners are not always familiar with probability theory, and thus fail to foresee the impact of (seemingly small) deviations from the theoretical description of a scheme at the implementation level. On the other hand, many cryptographic scenarios involve mutually distrusting parties, which need however to cooperate towards a joint goal. In order to attain assurance of the good behavior of one party, interactive validation methods (also known as interactive proof systems) are employed. Randomness is at the core of such methods, which most often will only provide relative assurance, in the sense that they will establish correctness in a probabilistic way. In this paper we will briefly discuss the role of probability theory within modern cryptology, reviewing probabilistic proof systems as a powerful tool towards efficient protocol design, and provable security, as an invaluable framework for deriving formal security proofs.

Group key exchange protocols withstanding ephemeral-key reveals

When a group key exchange protocol is executed, the session key is typically extracted from two types of secrets: long-term keys (for authentication) and freshly generated (often random) values. The leakage of this latter so-called ephemeral keys has been extensively analysed in the 2-party case, yet very few works are concerned with it in the group setting. The authors provide a generic group key exchange construction that is strongly secure, meaning that the attacker is allowed to learn both long-term and ephemeral keys (but not both from the same participant, as this would trivially disclose the session key). Their design can be seen as a compiler, in the sense that it builds on a 2-party key exchange protocol which is strongly secure and transforms it into a strongly secure group key exchange protocol by adding only one extra round of communication. When applied to an existing 2-party protocol from Bergsma et al., the result is a 2-round group key exchange protocol which is strongly secure in the standard model, thus yielding the first construction with this property.

Narrow Bandwidth Is Not Inherent in Reverse Public-Key Encryption

Reverse Public-Key Encryption (RPKE) is a mode of operation exploiting a weak form of key privacy to provide message privacy. In principle, RPKE offers a fallback mode, if the underlying encryption scheme’s message secrecy fails while a weak form of key privacy survives. To date, all published RPKE constructions suffer from a low bandwidth, and low bandwidth seems naturally inherent to reverse encryption. We show how reverse encryption can, in connection with and as a novel application of anonymous broadcast encryption, achieve high-bandwidth. We point out that by using traditional and reverse encryption simultaneously, a form of crypto-steganographic channel inside a cryptosystem can be provided.

Scalable attribute-based group key establishment: from passive to active and deniable

A protocol compiler is presented which transforms any unauthenticated (attribute-based) group key establishment protocol into an authenticated attribute-based group key establishment. If the protocol to which the compiler is applied does not make use of long-term secrets, then the resulting protocol is, in addition, deniable. In particular, applying our compiler to an unauthenticated 2-round protocol going back to Burmester and Desmedt results in a 3-round solution for attribute-based group key establishment, offering both forward secrecy and deniability.