
Publications


Featured research published by Alejandro Hevia.


International Cryptology Conference | 2002

A Practice-Oriented Treatment of Pseudorandom Number Generators

Anand Desai; Alejandro Hevia; Yiqun Lisa Yin

We study Pseudorandom Number Generators (PRNGs) as used in practice. We first give a general security framework for PRNGs, incorporating the attacks that users are typically concerned about. We then analyze the most popular ones, including the ANSI X9.17 PRNG and the FIPS 186 PRNG. Our results also suggest ways in which these PRNGs can be made more efficient and more secure.


ACM Transactions on Information and System Security | 1999

Strength of two data encryption standard implementations under timing attacks

Alejandro Hevia; Marcos A. Kiwi

We study the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack. A timing attack is a method, recently proposed by Paul Kocher, that is designed to break cryptographic systems. It exploits the engineering aspects involved in the implementation of cryptosystems and might succeed even against cryptosystems that remain impervious to sophisticated cryptanalytic techniques. A timing attack is, essentially, a way of obtaining a user's private information by carefully measuring the time it takes the user to carry out cryptographic operations. In this work, we analyze two implementations of DES. We show that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. We also show that all the design characteristics of the target system necessary to carry out the timing attack can be inferred from timing measurements.


Privacy Enhancing Technologies | 2008

An Indistinguishability-Based Characterization of Anonymous Channels

Alejandro Hevia; Daniele Micciancio

We revisit the problem of anonymous communication, in which users wish to send messages to each other without revealing their identities. We propose a novel framework to organize and compare anonymity definitions. In this framework, we present simple and practical definitions for anonymous channels in the context of computational indistinguishability. The notions seem to capture the intuitive properties of several types of anonymous channels (Pfitzmann and Köhntopp 2001), e.g., sender anonymity and unlinkability. We justify these notions by showing they naturally capture practical scenarios where information is unavoidably leaked in the system. Then, we compare the notions and show that they form a natural hierarchy for which we exhibit non-trivial implications. In particular, we show how to implement stronger notions from weaker ones using cryptography and dummy traffic, in a provably optimal way. With these tools, we revisit the security of previous anonymous channel protocols, in particular constructions based on broadcast networks (Blaze et al. 2003), anonymous broadcast (Chaum 1981), and mix networks (Groth 2003, Nguyen et al. 2004). Our results give generic, optimal constructions to transform known protocols into new ones that achieve the strongest notions of anonymity.


IEEE Journal on Selected Areas in Communications | 2005

End-to-end security in the presence of intelligent data adapting proxies: the case of authenticating transcoded streaming media

Craig Gentry; Alejandro Hevia; Ravi Jain; Toshiro Kawahara; Zulfikar Ramzan

We consider the problem of maintaining end-to-end security in the presence of intelligent proxies that may adaptively modify data being transmitted across a network. The video coding community considers this problem in the context of transcoding media streams, but their approaches either fail to address authentication or fail to provide meaningful security guarantees. We present two provably-secure schemes, LISSA and TRESSA, that allow an intelligent network intermediary to intercept a stream signed by a content provider and adapt it dynamically, while preserving the ultimate receiver's ability to securely verify the content provider's signature (and, hence, the authenticity and integrity of the data received). Our schemes allow the intermediary to selectively remove portions of the stream and thus permit common media transcoding techniques such as scalable compression and multiple file switching. Moreover, a content provider only has to encode and sign its entire data stream once, as opposed to non-dynamically encoding and signing different versions for each anticipated combination of device, network configuration, and channel condition. Our implementation results demonstrate efficiency.


Theoretical Computer Science | 2004

Electronic jury voting protocols

Alejandro Hevia; Marcos A. Kiwi

This work stresses the fact that all current proposals for electronic voting schemes disclose the final tally of the votes. In certain situations, like jury voting, this may be undesirable. We present a robust and universally verifiable membership testing scheme (MTS) that allows, among other things, a collection of voters to cast votes and determine whether their tally belongs to some pre-specified small set (e.g., exceeds a given threshold); our scheme discloses no more information than is implied by knowledge of such membership. We discuss several extensions of our basic MTS. All the constructions presented combine features of two parallel lines of research on electronic voting schemes: those based on MIX-networks and those based on homomorphic encryption.


Intelligence and Security Informatics | 2010

Latent semantic analysis and keyword extraction for phishing classification

Gaston L'Huillier; Alejandro Hevia; Richard Weber; Sebastián A. Ríos

Phishing email fraud has been considered one of the main cyber-threats in recent years. Its development has been closely related to social engineering techniques, where different fraud strategies are used to deceive a naïve email user. In this work, a latent semantic analysis and text mining methodology is proposed for the characterisation of such strategies, and for their further classification using supervised learning algorithms. The results obtained show that the feature set developed in this work is competitive against previous phishing feature extraction methodologies, achieving promising results over different benchmark machine learning classification techniques.


Archive | 2012

Progress in Cryptology – LATINCRYPT 2012

Alejandro Hevia; Gregory Neven

A number of recent works have considered the problem of constructing constant-time hash functions to various families of elliptic curves over finite fields. In the relevant literature, it has been occasionally asserted that constant-time hashing to certain special elliptic curves, in particular so-called BN elliptic curves, was an open problem. It turns out, however, that a suitably general encoding function was constructed by Shallue and van de Woestijne back in 2006. In this paper, we show that, by specializing the construction of Shallue and van de Woestijne to BN curves, one obtains an encoding function that can be implemented rather efficiently and securely, that reaches about 9/16ths of all points on the curve, and that is well-distributed in the sense of Farashahi et al., so that one can easily build from it a hash function that is indifferentiable from a random oracle.


The Cryptographers' Track at the RSA Conference | 2012

Short transitive signatures for directed trees

Philippe Camacho; Alejandro Hevia

A transitive signature scheme allows us to sign a graph in such a way that, given signatures on edges (a,b) and (b,c), it is possible to compute the signature on edge (a,c) without the signer's secret. Constructions for undirected graphs are known, but the case of directed graphs remains open. A first solution for the particular case of directed trees (DTTS) was given by Yi at CT-RSA 2007. In Yi's construction, the signature for an edge is $O(n \log(n \log n))$ bits long in the worst case, where n is the number of nodes. A year later, in Theoretical Computer Science 396, Neven proposed a simpler scheme where the signature size is reduced to $O(n \log n)$ bits. Although this construction is more efficient, $O(n \log n)$-bit signatures still remain impractical for large n. In this work, we propose a new DTTS scheme such that, for any value $\lambda \ge 1$ and security parameter $\kappa$: (a) edge signatures are only $O(\kappa\lambda)$ bits long, (b) signing or verifying an edge signature requires $O(\lambda)$ cryptographic operations, and (c) computing (without the secret key) an edge signature in the transitive closure of the tree requires $O(\lambda n^{1/\lambda})$ cryptographic operations. To the best of our knowledge this is the first construction with such a trade-off. Our construction relies on hashing with common-prefix proofs, a new variant of collision-resistant hashing. A family $\mathcal{H}$ provides hashing with common-prefix proofs if for any


International Conference on Information Security | 2008

Strong Accumulators from Collision-Resistant Hashing

Philippe Camacho; Alejandro Hevia; Marcos A. Kiwi; Roberto Opazo


International Conference on Progress in Cryptology | 2010

On the impossibility of batch update for cryptographic accumulators

Philippe Camacho; Alejandro Hevia

Collaboration

Top Co-Authors

Anand Desai, University of California