Publication


Featured research published by Aline Gouget.


arXiv: Cryptography and Security | 2008

Sosemanuk, a Fast Software-Oriented Stream Cipher

Côme Berbain; Olivier Billet; Anne Canteaut; Nicolas T. Courtois; Henri Gilbert; Louis Goubin; Aline Gouget; Louis Granboulan; Cédric Lauradoux; Marine Minier; Thomas Pornin; Hervé Sibert

Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits, and it accommodates a 128-bit initial value. Every key length is claimed to achieve 128-bit security. The Sosemanuk cipher combines basic design principles from the stream cipher SNOW 2.0 with transformations derived from the block cipher SERPENT. Sosemanuk aims at improving on SNOW 2.0 from both the security and the efficiency points of view. Most notably, it uses a faster IV-setup procedure. It also requires a reduced amount of static data, yielding better performance on several architectures.


international cryptology conference | 2007

Divisible E-Cash Systems Can Be Truly Anonymous

Sébastien Canard; Aline Gouget

This paper presents an off-line divisible e-cash scheme in which a user can withdraw a divisible coin of monetary value 2^L that can be split into parts and spent anonymously and unlinkably. We present the construction of a security tag that protects the anonymity of honest users and allows anonymity to be revoked only in case of cheating, for protocols based on a binary tree structure, without relying on a trusted third party. This is the first divisible e-cash scheme that provides both full unlinkability and anonymity without requiring a trusted third party.


hardware oriented security and trust | 2009

Fault analysis of GRAIN-128

Alexandre Berzati; Cecile Canovas; Guilhem Castagnos; Blandine Debraize; Louis Goubin; Aline Gouget; Pascal Paillier; Stéphanie Salgado

GRAIN-v1 is a stream cipher that was selected for the final portfolio of the eSTREAM project. GRAIN-128 is a variant of GRAIN-v1. At the time of writing, the best known mathematical attack against GRAIN-128 was brute-force key search. This paper introduces a fault attack on GRAIN-128 based on a realistic fault model and explores possible improvements of the attack. We also discuss countermeasures against our fault attack.


applied cryptography and network security | 2008

Anonymity in transferable e-cash

Sébastien Canard; Aline Gouget

Regular cash systems provide both the anonymity of users and the transferability of coins. In this paper, we study the anonymity properties of transferable e-cash. We define two natural additional levels of anonymity directly related to transferability and not reached by existing schemes, which we call full anonymity (FA) and perfect anonymity (PA). We show that the FA property can be reached, by providing a generic construction, and that the PA property cannot. Next, we define two restricted perfect anonymity properties and prove that it is possible to design a transferable e-cash scheme in which a bounded adversary not playing the bank cannot recognize a coin he has already owned.


financial cryptography | 2010

Multiple denominations in e-cash with compact transaction data

Sébastien Canard; Aline Gouget

We present a new construction of divisible e-cash that makes use of 1) a new method for generating the binary tree of keys and 2) a new way of using bounded accumulators. The transaction data sent to the merchant has a constant number of bits while spending a monetary value of 2^l. Moreover, the spending protocol does not require complex zero-knowledge proofs of knowledge such as proofs about double discrete logarithms. We thus propose the first strongly anonymous scheme with the standard unforgeability requirement and realistic generation parameters, while improving the efficiency of the spending phase.


financial cryptography | 2008

Improvement of Efficiency in (Unconditional) Anonymous Transferable E-Cash

Sébastien Canard; Aline Gouget; Jacques Traore

The practical advantage expected from transferable e-cash compared to non-transferable e-cash is a significant reduction in the number of interactions between the bank and the users. However, this property is not fulfilled by the anonymous transferable e-cash schemes of the state of the art. In this paper, we first present a transferable e-cash scheme with a reduced number of communications between the bank and the users that fulfils the computational anonymity property. Next, we present a transferable e-cash scheme with a reduced interaction number that fulfils unconditional anonymity. The latter scheme is, however, considerably less efficient.


the cryptographers track at the rsa conference | 2012

Plaintext-Checkable encryption

Sébastien Canard; Georg Fuchsbauer; Aline Gouget; Fabien Laguillaumie

We study the problem of searching on encrypted data, where the search is performed using a plaintext message or a keyword rather than a message-specific trapdoor as in state-of-the-art schemes. Use cases include delegating keyword search, e.g. to a cloud storage provider or to an email server, using a plaintext message. We define a new cryptographic primitive called plaintext-checkable encryption (PCE), which extends public-key encryption with the following functionality: given a plaintext, a ciphertext and a public key, anyone can check whether the ciphertext encrypts the plaintext under that key. We provide efficient generic random-oracle constructions for PCE based on any probabilistic or deterministic encryption scheme; we also give a practical construction in the standard model. As another application, we show how PCE can be used to improve the efficiency of group signatures with verifier-local revocation (VLR) and backward unlinkability. These group signatures provide efficient revocation of group members, which is a key issue in practical applications.
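To make the PCE functionality concrete, here is an added Python example (not code from the paper, and not the authors' construction) of the basic idea behind a random-oracle PCE: the coins of a probabilistic public-key encryption are derived by hashing the public key, the plaintext and a fresh nonce, and the nonce is shipped with the ciphertext, so that anyone holding the candidate plaintext can re-run the encryption and compare. It is built on textbook ElGamal over a toy 10-bit group (p = 1019, generator 2), which is an assumption made purely for readable arithmetic; a deployment would use a 2048-bit MODP group or an elliptic curve. The keyword ids, document names and the function names below are constructed for the example.

```python
"""Plaintext-checkable encryption (PCE) illustrated on textbook ElGamal.

Assumptions (illustration only, not the paper's scheme): toy group
parameters, SHA-256 as the random oracle, 16-byte nonces.
"""

import hashlib
import secrets

# Toy group (assumption): p = 1019 is a safe prime (p = 2*509 + 1) and 2 is
# a generator of Z_p^*.  Far too small for real use; chosen so that the
# arithmetic stays readable.
P = 1019
G = 2
NONCE_LEN = 16


def keygen():
    """ElGamal key pair: secret x in [1, p-2], public key y = g^x mod p."""
    x = 1 + secrets.randbelow(P - 2)
    return x, pow(G, x, P)


def derive_coins(pk, m, nonce):
    """Random-oracle step: coins k = H(pk || m || nonce) mapped into [1, p-2].
    The nonce is what keeps two encryptions of the same m unlinkable."""
    h = hashlib.sha256(b"PCE-coins" + pk.to_bytes(2, "big")
                       + m.to_bytes(2, "big") + nonce).digest()
    return 1 + int.from_bytes(h, "big") % (P - 2)


def elgamal_encrypt(pk, m, k):
    """Textbook ElGamal with explicit coins k: (g^k, m * y^k) mod p."""
    return pow(G, k, P), (m * pow(pk, k, P)) % P


def pce_encrypt(pk, m):
    """PCE encryption: fresh nonce r, coins from H(pk, m, r), output (c1, c2, r)."""
    if not 1 <= m <= P - 1:
        raise ValueError("plaintext must be a group element in [1, p-1]")
    r = secrets.token_bytes(NONCE_LEN)
    c1, c2 = elgamal_encrypt(pk, m, derive_coins(pk, m, r))
    return c1, c2, r


def pce_check(pk, m, ct):
    """Universal check: with only pk, a candidate plaintext m and the
    ciphertext, re-derive the coins and re-encrypt; equality means ct
    encrypts m under pk.  No secret key and no trapdoor are involved."""
    c1, c2, r = ct
    if not 1 <= m <= P - 1:
        return False
    return elgamal_encrypt(pk, m, derive_coins(pk, m, r)) == (c1, c2)


def pce_decrypt(sk, ct):
    """Standard ElGamal decryption: m = c2 * c1^(-x) mod p; the nonce is ignored."""
    c1, c2, _ = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P


def keyword_search(pk, keyword, index):
    """Delegated search (the abstract's use case): a server holding only pk
    and the encrypted index returns the documents whose encrypted keyword
    matches the plaintext keyword it was handed."""
    return [doc for doc, ct in index if pce_check(pk, keyword, ct)]


if __name__ == "__main__":
    sk, pk = keygen()
    # Constructed sample index: small integers stand in for keyword ids.
    index = [("report.pdf", pce_encrypt(pk, 42)),
             ("memo.txt", pce_encrypt(pk, 7)),
             ("notes.md", pce_encrypt(pk, 42))]
    print(keyword_search(pk, 42, index))   # documents tagged with keyword 42
    print(pce_decrypt(sk, index[0][1]))    # the owner recovers 42 with sk
```

Two points a practitioner should take from this. First, the two encryptions of keyword 42 in the index differ (fresh nonces), yet both pass the check; what the primitive offers is unlinkability of ciphertexts, not confidentiality against someone who can guess the plaintext. Second, because the check is universal, anyone holding the ciphertext can test candidate plaintexts, so PCE is inherently unsuitable for protecting low-entropy data such as common keywords against an adversary willing to enumerate them; that trade-off is the price of dropping the per-message trapdoor.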


international conference on progress in cryptology | 2011

Achieving optimal anonymity in transferable e-cash with a judge

Olivier Blazy; Sébastien Canard; Georg Fuchsbauer; Aline Gouget; Hervé Sibert; Jacques Traore

Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered desirable also in the context of e-cash. One such property is off-line transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a central authority. Among security properties, the anonymity of the payer in such transactions has been widely studied. This paper proposes the first efficient and secure transferable e-cash scheme with the strongest achievable anonymity properties, introduced by Canard and Gouget. In particular, it should not be possible for adversaries who receive a coin to decide whether they have owned that coin before. Our proposal is based on two recent cryptographic primitives: the proof system by Groth and Sahai, whose randomizability enables strong anonymity, and the commuting signatures by Fuchsbauer, which allow one to sign values that are only given as encryptions.


Cryptography and Security | 2012

Supplemental access control (PACE v2): security analysis of PACE integrated mapping

Jean-Sébastien Coron; Aline Gouget; Thomas Icart; Pascal Paillier

We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Sécurité. PACE v2 IM enjoys the following properties: patent-freeness (to the best of current knowledge in the field); full resistance to dictionary attacks; secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group; and optimal performance. The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol proposed by the German Federal Office for Information Security (BSI). In this document, we provide a description of PACE v2 IM, a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications, and a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.


international conference on information security | 2009

Fair E-Cash: Be Compact, Spend Faster

Sébastien Canard; Cécile Delerablée; Aline Gouget; Emeline Hufschmitt; Fabien Laguillaumie; Hervé Sibert; Jacques Traore; Damien Vergnaud

We present the first fair e-cash system with a compact wallet that enables users to spend efficiently k coins while only sending to the merchant
