Hervé Sibert

Low-Cost cryptography for privacy in RFID systems

Massively deploying RFID systems while preserving peoples privacy and data integrity is a major security challenge of the coming years. Up to now, it was commonly believed that, due to the very limited computational resources of RFID tags, only ad hoc methods could be used to address this problem. Unfortunately, not only those methods generally provide a weak level of security and practicality, but they also require to revise the synopsis of communications between the tag and the reader. In this paper, we give evidence that highly secure solutions can be used in the RFID environment, without substantially impacting the current communication protocols, by adequately choosing and combining low-cost cryptographic algorithms. The main ingredients of our basic scheme are a probabilistic (symmetric or asymmetric) encryption function, e.g. AES, and a coupon-based signature function, e.g. GPS. We also propose a dedicated method allowing the tag to authenticate the reader, which is of independent interest. On the whole, this leads to a privacy-preserving protocol well suited for RFID tags, which is very flexible in the sense that each reader can read and process all and only all the data it is authorized to.

Entity authentication schemes using braid word reduction

Artins braid groups currently provide a promising background for cryptographical applications, since the first cryptosystems using braids were introduced in [I. Anshel, M. Anshel, D. Goldfeld, An algebraic method for public-key cryptography, Math. Res. Lett. 6 (1999) 287-291, I. Anshel, M. Anshel, B. Fisher, D. Goldfeld, New key agreement schemes in braid group cryptography, RSA 2001, K.H. Ko, S.J. Lee, J.H. Cheon, J.W. Han, J.S. Kang, C. Park, New public-key cryptosystem using braid groups, Crypto 2000, pp. 166-184] (see also [V.M. Sidelnikov, M.A. Cherepnev, V.Y. Yashcenko, Systems of open distribution of keys on the basis of noncommutative semigroups, Ross. Acad. Nauk Dokl. 332-5 (1993); English translation: Russian Acad. Sci. Dokl. Math. 48-2 (1194) 384-386]). A variety of key agreement protocols based on braids have been described, but few authentication or signature schemes have been proposed so far. We introduce three authentication schemes based on braids, two of them being zero-knowledge interactive proofs of knowledge. Then we discuss their possible implementations, involving normal forms or an alternative braid algorithm, called handle reduction, which can achieve good efficiency under specific requirements.

Batch Groth-Sahai

In 2008, Groth and Sahai proposed a general methodology for constructing non-interactive zeroknowledge (and witness-indistinguishable) proofs in bilinear groups. While avoiding expensive NP-reductions, these proof systems are still inefficient due to a number of pairing computations required for verification. We apply recent techniques of batch verification to the Groth-Sahai proof systems and manage to improve significantly the complexity of proof verification. We give explicit batch verification formulas for generic Groth-Sahai equations (whose cost is less than a tenth of the original) and also for specific popular protocols relying on their methodology (namely Groth’s group signatures and Belenkiy-Chase-Kohlweiss-Lysyanskaya’s P-signatures).

Achieving optimal anonymity in transferable e-cash with a judge

Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered desirable also in the context of e-cash. One such property is off-line transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a central authority. Among security properties, the anonymity of the payer in such transactions has been widely studied. This paper proposes the first efficient and secure transferable e-cash scheme with the strongest achievable anonymity properties, introduced by Canard and Gouget. In particular, it should not be possible for adversaries who receive a coin to decide whether they have owned that coin before. Our proposal is based on two recent cryptographic primitives: the proof system by Groth and Sahai, whose randomizability enables strong anonymity, and the commuting signatures by Fuchsbauer, which allow one to sign values that are only given as encryptions.

Fair E-Cash: Be Compact, Spend Faster

We present the first fair e-cash system with a compact wallet that enables users to spend efficiently k coins while only sending to the merchant

Analysis of the bit-search generator and sequence compression techniques

\mathcal{O}(\lambda\log k)

The GAIA sensor: an early DDoS detection tool

bits, where *** is a security parameter. The best previously known schemes require to transmit data of size at least linear in the number of spent coins. This result is achieved thanks to a new way to use the Batch RSA technique and a tree-based representation of the wallet. Moreover, we give a variant of our scheme with a less compact wallet but where the computational complexity of the spend operation does not depend on the number of spent coins, instead of being linear at best in existing systems.

Active attack against HB+: a provably secure lightweight authentication protocol

Algebraic attacks on stream ciphers apply (at least theoretically) to all LFSR-based stream ciphers that are clocked in a simple and/or easily predictable way. One interesting approach to help resist such attacks is to add a component that de-synchronizes the output bits of the cipher from the clock of the LFSR. The Bit-search generator, recently proposed by Gouget and Sibert, is inspired by the so-called Self-Shrinking Generator which is known for its simplicity (conception and implementation-wise) linked with some interesting properties. In this paper, we introduce two modified versions of the BSG, called MBSG and ABSG, and some of their properties are studied. We apply a range of cryptanalytic techniques in order to compare the security of the BSGs.

An Active Attack Against HB+ - A Provably Secure Lightweight Authentication Protocol.

Distributed Denial of Service (DDoS) attacks are a major network security threat. Most recent host-based DDoS detection mechanisms are dedicated to a particular set of attacks, focusing either on the recent dynamic of the traffic, or on its long range dependence. We propose a DDoS early detection component based on anomaly detection which combines static and dynamic behavior analysis, including experimental results.