Ivan Visconti

Enhancing RFID Security and Privacy by Physically Unclonable Functions

Radio frequency identification (RFID) is a technology that enables RFID readers to perform fully automatic wireless identification of objects that are labeled with RFID tags. Initially, this technology was mainly used for electronic labeling of pallets, cartons, and products to enable seamless supervision of supply chains. Today, RFID technology is widely deployed to many other applications as well, including animal and product identification [2, 42], access control [2, 47], electronic tickets [47] and passports [27], and even human implantation [30].

Universally Composable Secure Computation with (Malicious) Physically Uncloneable Functions

Physically Uncloneable Functions (PUFs) [28] are noisy physical sources of randomness. As such, they are naturally appealing for cryptographic applications, and have caught the interest of both theoreticians and practitioners. A major step towards understanding and securely using PUFs was recently taken in [Crypto 2011] where Brzuska, Fischlin, Schroder and Katzenbeisser model PUFs in the Universal Composition (UC) framework of Canetti [FOCS 2001]. A salient feature of their model is that it considers trusted PUFs only; that is, PUFs which have been produced via the prescribed manufacturing process and are guaranteed to be free of any adversarial influence. However, this does not accurately reflect real-life scenarios, where an adversary could be able to create and use malicious PUFs.

Anonymizer-Enabled Security and Privacy for RFID

RFID-based systems are becoming a widely deployed pervasive technology that is more and more used in applications where privacy-sensitive information is entrusted to RFID tags. Thus, a careful analysis in appropriate security and privacy models is needed before deployment to practice. Recently, Vaudenay presented a comprehensive security and privacy model for RFID that captures most previously proposed privacy models. The strongest achievable notion of privacy in this model (narrow-strong privacy ) requires public-key cryptography, which in general exceeds the computational capabilities of current cost-efficient RFIDs. Other privacy notions achievable without public-key cryptography heavily restrict the power of the adversary and thus are not suitable to realistically model the real world. In this paper, we extend and improve the current state-of-the art for privacy-protecting RFID by introducing a security and privacy model for anonymizer -enabled RFID systems. Our model builds on top of Vaudenays model and supports anonymizers, which are separate devices specifically designated to ensure the privacy of tags. We present a privacy-preserving RFID protocol that uses anonymizers and achieves narrow-strong privacy without requiring tags to perform expensive public-key operations (i.e., modular exponentiations), thus providing a satisfying notion of privacy for cost-efficient tags.

Secure set intersection with untrusted hardware tokens

Secure set intersection protocols are the core building block for a manifold of privacy-preserving applications. In a recent work, Hazay and Lindell (ACM CCS 2008) introduced the idea of using trusted hardware tokens for the set intersection problem, devising protocols which improve over previous (in the standard model of two-party computation) protocols in terms of efficiency and secure composition. Their protocol uses only a linear number of symmetrickey computations and the amount of data stored in the token does not depend on the sizes of the sets. The security proof of the protocol is in the universal composability model and is based on the strong assumption that the token is trusted by both parties. In this paper we revisit the idea and model of hardware-based secure set intersection, and in particular consider a setting where tokens are not necessarily trusted by both participants to additionally cover threats like side channel attacks, firmware trapdoors and malicious hardware. Our protocols are very efficient and achieve the same level of security as those by Hazay and Lindell for trusted tokens. For untrusted tokens, our protocols ensure privacy against malicious adversaries, and correctness facing covert adversaries.

Constant-Round Concurrent Non-malleable Zero Knowledge in the Bare Public-Key Model

One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledgeargument system for NP in the Bare Public-Key model [Canetti et al., STOC 2000], resolving one of the major open problems in this area. To achieve our result, we introduce and study the notion of non-malleable witness indistinguishability, which is of independent interest. Previous results either achieved relaxed forms of concurrency/security or needed stronger setup assumptions or required a non-constant round complexity.

Mercurial commitments: minimal assumptions and efficient constructions

(Non-interactive) Trapdoor Mercurial Commitments (TMCs) were introduced by Chase et al. [8] and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian [28]). TMCs are quite similar and certainly imply ordinary (non-interactive) trapdoor commitments (TCs). Unlike TCs, however, they allow for some additional freedom in the way the message is opened: informally, by allowing one to claim that “if this commitment can be opened at all, then it would open to this message”. Prior to this work, it was not clear if this addition is critical or not, since all the constructions of TMCs presented in [8] and [28] used strictly stronger assumptions than TCs. We give an affirmative answer to this question, by providing simple constructions of TMCs from any trapdoor bit commitment scheme. Moreover, by plugging in various trapdoor bit commitment schemes, we get, in the trusted parameters (TP) model, all the efficient constructions from [28] and [8], as well as several immediate new (either generic or efficient) constructions. In particular, we get a construction of TMCs from any one-way function in the TP model, and, by using a special flavor of TCs, called hybridTCs [6], even in the (weaker) shared random string (SRS) model. Our results imply that (a) mercurial commitments can be viewed as surprisingly simple variations of trapdoor commitments; and (b) the existence of non-interactive zero-knowledge sets is equivalent to the existence of collision-resistant hash functions. Of independent interest, we also give a stronger and yet much simpler definition of mercurial commitments than that of [8], which is also met by our constructions in the TP model.

Concurrent zero knowledge in the public-key model

The concurrent setting for Zero-Knowledge protocols is very challenging as it requires protocols to remain secure even when several parties execute the same protocol concurrently. Indeed, it has been proved that achieving concurrent security for (black-box-simulation) zero-knowledge protocols in standard models requires a non-constant number of rounds, thus severely limiting efficiency. As a result, a few models with additional setup or network assumptions have been introduced to present constant-round concurrently-secure zero-knowledge protocols for all languages in

A secure and private system for subscription-based remote services

{\mathcal NP}

Collusion-Free Multiparty Computation in the Mediated Model

. In this paper we consider the bare public-key model, which is known to have very minimal setup assumptions, and we present the first constant round and concurrently secure zero-knowledge argument for any languages in

User privacy issues regarding certificates and the TLS protocol: the design and implementation of the SPSL protocol

{\mathcal NP}