Publication


Featured research published by Frédéric Lafitte.


Nordic Conference on Secure IT Systems | 2011

Mental voting booths

Jérôme Dossogne; Frédéric Lafitte

In this paper, we introduce the notion of mental voting booths, i.e., a building block for voting schemes that provides remote voters with similar protection as that offered by physical voting booths, essentially protecting them from over-the-shoulder coercion attacks (shoulder-surfing). We introduce a framework to model voting booths and formulate a property of the modelled booths that is sufficient to ensure over-the-shoulder coercion resistance. Next, we propose an example of mental booth that is simple enough to be used by any voter without prior training and show that an execution of the remote booth in the presence of the adversary is equivalent to that execution in his absence (e.g., inside a physical booth). The only cost lies in the use of an untappable channel in order to transmit a piece of information before the voting phase. Mental booths also allow for the voter to safely delegate his own voice to an untrusted person while still being able to verify that the untrusted person followed his instructions while voting.


Security of Information and Networks | 2013

SAT based analysis of LTE stream cipher ZUC

Frédéric Lafitte; Olivier Markowitch; Dirk Van Heule

Mobile security is of paramount importance. The security of LTE (long term evolution of radio networks), which is currently widely deployed as a long-term standard for mobile networks, relies upon three cryptographic primitives, among which the stream cipher ZUC. In this paper, we point out that the linear feedback shift register (LFSR) used in ZUC has about 2^25 encodings of the zero state (i.e. all LFSR variables are 0) due to the fact that operations are performed modulo 2^31 - 1 on 32-bit operands. We use SAT solvers to show that these states are reachable when 64 bits of ZUC's initial state can be chosen (i.e. R1, R2). That is, for each key there are many initial vectors that lead to a weak state after ZUC's initialization. We also use SAT-solvers to disprove the existence of such weak inputs when the initial values of R1, R2 are set to zero as required by the official specifications. Finally, we discuss how the redundancy introduced in ZUC's output function might help mounting SAT-solver based guess-and-determine attacks given a few keystream digits.
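
The counting argument behind the "about 2^25" figure can be checked directly. The following is an added example, not code from the paper and not a reproduction of its SAT models: it takes the public ZUC LFSR recurrence (sixteen 31-bit cells, arithmetic mod 2^31 - 1, with the specification's rule that a feedback value of 0 is stored as 2^31 - 1), lists the 32-bit words that reduce to zero, counts the register contents built from them, and clocks such registers to show they never leave the zero class, so the LFSR contributes nothing to the keystream in that state.

```python
"""32-bit encodings of the all-zero ZUC LFSR state (added illustration)."""
import math
import random

P = (1 << 31) - 1   # ZUC LFSR cells are reduced mod the Mersenne prime 2^31 - 1
CELLS = 16          # s0 .. s15


def zero_encodings(word_bits):
    """Values below 2^word_bits that are congruent to 0 mod P.

    These are the multiples k*P that fit in the word: with 31-bit cells only
    0 and P qualify; with 32-bit operands 2P = 2^32 - 2 fits as well.
    """
    limit = 1 << word_bits
    return [k * P for k in range(limit // P + 1) if k * P < limit]


def zero_state_count(word_bits):
    """Number of register contents whose sixteen cells all reduce to zero."""
    return len(zero_encodings(word_bits)) ** CELLS


def lfsr_feedback(s):
    """ZUC LFSR recurrence in exact modular arithmetic, returning the new cell.

    s16 = 2^15 s15 + 2^17 s13 + 2^21 s10 + 2^20 s4 + (1 + 2^8) s0  (mod 2^31 - 1)
    The specification stores a result of 0 as P, so P is the canonical zero.
    """
    f = ((1 << 15) * s[15] + (1 << 17) * s[13] + (1 << 21) * s[10]
         + (1 << 20) * s[4] + (1 + (1 << 8)) * s[0]) % P
    return f if f != 0 else P


def lfsr_step(s):
    """Clock the register once: drop s0, append the feedback value."""
    return s[1:] + [lfsr_feedback(s)]


def is_zero_state(s):
    return all(x % P == 0 for x in s)


def zero_class_is_closed(trials, steps=32, seed=1):
    """Clock random 32-bit encodings of the zero state (constructed samples)
    and report whether any of them ever leaves the zero class.  The LFSR is
    linear over GF(P), so the answer is True: a weak state stays weak."""
    rng = random.Random(seed)
    enc = zero_encodings(32)
    for _ in range(trials):
        s = [rng.choice(enc) for _ in range(CELLS)]
        for _ in range(steps):
            s = lfsr_step(s)
            if not is_zero_state(s):
                return False
    return True


if __name__ == "__main__":
    print("31-bit encodings of zero:", zero_encodings(31))
    print("32-bit encodings of zero:", zero_encodings(32))
    n32 = zero_state_count(32)
    print("zero states with 32-bit operands: 3^16 = %d ~ 2^%.2f" % (n32, math.log2(n32)))
    print("zero class closed under clocking:", zero_class_is_closed(100))
```

With 31-bit cells there are only 2^16 such encodings; the third representative 2^32 - 2 that 32-bit operands admit raises the count to 3^16, about 2^25.4, which is the figure the abstract quotes.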


Security of Information and Networks | 2013

Secure and practical threshold RSA

Jérôme Dossogne; Frédéric Lafitte; Dirk Van Heule

This article describes a scheme that outputs RSA signatures using a threshold mechanism in which each share has a bitlength close to the bitlength of the RSA modulus. The scheme is proven unforgeable under the standard RSA assumption against an honest but curious adversary that has static corruption capabilities. Previous practical and provably secure schemes require introducing a factor n! [33] and 2^(kt) [15] in the exponent when computing the partial signatures, where n is the RSA modulus, t + 1 the threshold and k a fixed parameter. Our scheme requires only t + 1 modular exponentiations and l + 1 modular multiplications, with t the threshold and l the number of participants.


International Conference on Communications | 2014

Safe cryptographic random number generation using untrusted generators

Helena Bruyninckx; Frédéric Lafitte; Dirk Van Heule

The security of many cryptographic applications relies heavily on the quality of the random numbers used. Therefore, random number generation is one of the most critical primitives for cryptography. This paper focuses on true random number generators (TRNGs) and the analysis of their security requirements. After illustrating issues associated with adversarial influences on TRNGs, we propose a simple method to obtain a secure TRNG based on n TRNGs originating from (potentially) untrusted vendors. The untrusted generators are combined such that as long as one out of the n vendors does not collude with the other vendors, the generator is secure, i.e., the output is unpredictable and uniformly distributed even in the presence of an active attacker. In order to achieve this, we review several choices of functions to be used as combiner. The advantage of our design is that only the (black-box) input-output behavior of the vendors' TRNGs needs to be evaluated. No overhead is introduced by the combiner. The resulting generator offers fault-resilience and ease of maintenance.
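
The following added example (not code from the paper) shows what "one honest vendor out of n" buys with the textbook combiner, bitwise XOR, and where that combiner falls short of the active-attacker requirement stated above. The paper reviews several combiner functions; XOR is used here only because its behaviour is easy to reason about. All generators are constructed simulations driven by seeded PRNGs, not hardware, and the entropy estimate is the empirical byte-distribution entropy.

```python
"""XOR combiner over untrusted TRNGs: passive collusion versus an adaptive vendor."""
import math
import random
from collections import Counter


def xor_combine(streams):
    """Bitwise XOR of n equally long byte strings, one per vendor."""
    length = len(streams[0])
    if any(len(s) != length for s in streams):
        raise ValueError("all generators must supply the same number of bytes")
    out = bytearray(length)
    for s in streams:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def entropy_bits_per_byte(data):
    """Empirical Shannon entropy of the byte histogram (8.0 for uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def honest_trng(nbytes, seed):
    """The one vendor that is not colluding: (simulated) uniform output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def biased_trng(nbytes, seed, p_zero=0.9):
    """A poor or subverted device: emits 0x00 most of the time."""
    rng = random.Random(seed)
    return bytes(0 if rng.random() < p_zero else rng.getrandbits(8)
                 for _ in range(nbytes))


def stuck_trng(nbytes, value=0x41):
    """A failed device that emits a constant."""
    return bytes([value]) * nbytes


def combined_entropy_independent(nbytes=50_000):
    """Passive collusion: the bad vendors produce their bytes without seeing
    the honest stream.  XOR with one independent uniform stream is uniform,
    whatever the other n-1 inputs are."""
    streams = [honest_trng(nbytes, 1), biased_trng(nbytes, 2), stuck_trng(nbytes)]
    return entropy_bits_per_byte(xor_combine(streams))


def combined_entropy_mirroring(nbytes=50_000):
    """Active attacker: a vendor that can read the honest output before
    committing its own (e.g. on a shared bus) simply copies it.  XOR then
    cancels the honest contribution and the combined output is constant."""
    honest = honest_trng(nbytes, 1)
    mirror = honest                       # adversary's "random" bytes
    return entropy_bits_per_byte(xor_combine([honest, mirror, stuck_trng(nbytes)]))


if __name__ == "__main__":
    print("independent vendors: %.3f bits/byte" % combined_entropy_independent())
    print("mirroring vendor:    %.3f bits/byte" % combined_entropy_mirroring())
```

The second scenario is the reason the abstract's requirement is stated against an active attacker: a linear combiner is only as good as the assumption that no vendor can adapt to the others' output before committing its own, so either that isolation has to be enforced physically or the combiner has to be chosen so that the argument survives adaptive inputs.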


International Conference on Information Security and Cryptology | 2013

A Note on a Signature Building Block and Relevant Security Reduction in the Green-Hohenberger OT Scheme

Zhengjun Cao; Frédéric Lafitte; Olivier Markowitch

In Asiacrypt’08, Green and Hohenberger presented an adaptive oblivious transfer (OT) scheme which makes use of a signature built from the Boneh-Boyen Identity Based Encryption. In this note, we show that the signature scheme is vulnerable to known-message attacks and the reduction used in the proof of Lemma A.6 is flawed. We also remark that the paradigm of “encryption and proof of knowledge” adopted in the OT scheme is unnecessary because the transferred message must be “recognizable” in practice, otherwise the receiver cannot decide which message to retrieve. However, we would like to stress that this work does not break the OT scheme itself.


Security of Information and Networks | 2013

Blinded additively homomorphic encryption schemes for self-tallying voting

Jérôme Dossogne; Frédéric Lafitte

In this paper, we propose a self-tallying election protocol based on public key homomorphic encryption. The additive homomorphism allows a set of participants (voters) to publish an encrypted value (ballot) and to compute the encrypted sum of all these values based on their ciphertexts. Our scheme has the particularity that anyone can decrypt the sum, but only once all participants have contributed to its computation. More precisely, the sum can be decrypted at all times, but remains blinded until all participants have contributed their vote, which contains a share of the unblinding key. Additionally, we propose an adaptation of Helios in order to provide self-tallying.


Security of Information and Networks | 2013

Authenticated key agreement in wireless networks with automated key management

Naïm Qachri; Frédéric Lafitte; Olivier Markowitch

Authenticated key agreement protocols provide wireless technologies with fundamental mechanisms such as session key generation and device authentication. Many of these protocols have been designed specifically for those technologies, but most of them do not integrate all the security requirements, and others have been attacked. Another important issue that arises in practice is related to key management, since the deployment and replacement of keying material is costly and may potentially lead to security vulnerabilities. For these reasons, we propose a generic authenticated key agreement protocol in which the long term secret is automatically and periodically renewed. The focus of this work is to formally assess the security offered by the protocol's key renewing in the case of a long term use of the system. The formal analysis is carried out using the automated tools ProVerif and AVISPA. The protocol is designed to rely only on symmetric key algorithms and is suitable for devices that have limited hardware capabilities.
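
As an added example of the design space the abstract describes (symmetric primitives only, long-term secret renewed automatically), the following is an illustrative three-message protocol written for this page; it is not the paper's protocol and was not checked with ProVerif or AVISPA. Both sides authenticate a nonce exchange with HMAC-SHA256 under the current epoch key, derive the session key from it, and then replace the epoch key by a KDF of the old key and the nonces. The practical hazard of renewal, the two sides drifting apart when the final message is lost, is handled by keeping the previous epoch key as a fallback. Identifiers, labels and message layout are assumptions made for this example.

```python
"""Symmetric-only AKA with automatic epoch-key renewal (added illustration)."""
import hashlib
import hmac
import os


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Party:
    """A device holding the shared long-term key.  keys = [current, previous]."""

    def __init__(self, ident, peer, ltk):
        self.id, self.peer = ident, peer
        self.keys = [ltk]
        self.session_key = None
        self.na = self.nb = None

    def _verify(self, tag, *parts):
        """Return the epoch key that validates tag, trying current then previous."""
        for k in self.keys:
            if hmac.compare_digest(tag, mac(k, *parts)):
                return k
        return None

    def _finish(self, k, na, nb):
        """Derive the session key and advance to the next epoch key."""
        self.session_key = mac(k, b"sess", na, nb)
        self.keys = [mac(k, b"renew", na, nb), k]

    # initiator,  A -> B : A, N_A
    def msg1(self):
        self.na = os.urandom(16)
        return self.id, self.na

    # responder,  B -> A : B, N_B, MAC_K("resp", A, B, N_A, N_B)
    def msg2(self, m1):
        peer_id, na = m1
        if peer_id != self.peer:
            raise ValueError("unknown initiator")
        self.na, self.nb = na, os.urandom(16)
        tag = mac(self.keys[0], b"resp", peer_id, self.id, na, self.nb)
        return self.id, self.nb, tag

    # initiator,  A -> B : MAC_K("conf", A, B, N_A, N_B)
    def msg3(self, m2):
        peer_id, nb, tag = m2
        k = self._verify(tag, b"resp", self.id, peer_id, self.na, nb)
        if peer_id != self.peer or k is None:
            raise ValueError("responder authentication failed")
        conf = mac(k, b"conf", self.id, peer_id, self.na, nb)
        self._finish(k, self.na, nb)
        return conf

    # responder accepts the confirmation and renews as well
    def accept(self, m3):
        k = self._verify(m3, b"conf", self.peer, self.id, self.na, self.nb)
        if k is None:
            raise ValueError("initiator authentication failed")
        self._finish(k, self.na, self.nb)


def run_handshake(a, b, drop_msg3=False):
    """Drive one handshake; True when both ends hold the same session key.
    drop_msg3 simulates the confirmation being lost: A has already renewed,
    B has not, and the next handshake must still succeed via the fallback."""
    m3 = a.msg3(b.msg2(a.msg1()))
    if drop_msg3:
        return False
    b.accept(m3)
    return a.session_key == b.session_key


if __name__ == "__main__":
    a, b = Party(b"A", b"B", b"\x01" * 32), Party(b"B", b"A", b"\x01" * 32)
    print("handshake 1:", run_handshake(a, b))
    print("handshake 2 (msg3 lost):", run_handshake(a, b, drop_msg3=True))
    print("handshake 3 resynchronises:", run_handshake(a, b), a.keys[0] == b.keys[0])
```

Binding each tag to a label, both identities and both nonces blocks replay and reflection; the fallback key widens the window in which a compromised previous epoch key is still accepted by one handshake, which is exactly the kind of long-run trade-off the abstract's formal analysis of key renewal is meant to settle.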


R Journal | 2011

Cryptographic Boolean Functions with R

Frédéric Lafitte; Dirk Van Heule; Julien Van hamme


Journal on Satisfiability, Boolean Modeling and Computation | 2014

Applications of SAT Solvers in Cryptanalysis: Finding Weak Keys and Preimages

Frédéric Lafitte; Jorge Nakahara; Dirk Van Heule


GI-Edition. Lecture Notes in Informatics | 2012

Coercion-Freeness in E-voting via Multi-party Designated Verifier Schemes

Jérôme Dossogne; Frédéric Lafitte; Olivier Markowitch

Collaboration

Top co-authors:

Jérôme Dossogne, Université libre de Bruxelles
Olivier Markowitch, Université libre de Bruxelles
Naïm Qachri, Université libre de Bruxelles
Jorge Nakahara, Université libre de Bruxelles