Kenneth G. Paterson
Royal Holloway, University of London
Publication
Featured research published by Kenneth G. Paterson.
international conference on the theory and application of cryptology and information security | 2003
Sattam S. Al-Riyami; Kenneth G. Paterson
This paper introduces and makes concrete the concept of certificateless public key cryptography (CL-PKC), a model for the use of public key cryptography which avoids the inherent escrow of identity-based cryptography and yet which does not require certificates to guarantee the authenticity of public keys. The lack of certificates and the presence of an adversary who has access to a master key necessitates the careful development of a new security model. We focus on certificateless public key encryption (CL-PKE), showing that a concrete pairing-based CL-PKE scheme is secure provided that an underlying problem closely related to the Bilinear Diffie-Hellman Problem is hard.
international symposium on information theory | 1998
Kenneth G. Paterson
Controlling the peak-to-mean envelope power ratio (PMEPR) of orthogonal frequency-division multiplexed (OFDM) transmissions is a notoriously difficult problem, though one which is of vital importance for the practical application of OFDM in low-cost applications. The utility of Golay complementary sequences in solving this problem has been recognized for some time. In this paper, a powerful theory linking Golay complementary sets of polyphase sequences and Reed-Muller codes is developed. Our main result shows that any second-order coset of a q-ary generalization of the first order Reed-Muller code can be partitioned into Golay complementary sets whose size depends only on a single parameter that is easily computed from a graph associated with the coset. As a first consequence, recent results of Davis and Jedwab (see Electron. Lett., vol.33, p.267-8, 1997) on Golay pairs, as well as earlier constructions of Golay (1949, 1951, 1961), Budisin (1990) and Sivaswamy (1978) are shown to arise as special cases of a unified theory for Golay complementary sets. As a second consequence, the main result directly yields bounds on the PMEPRs of codes formed from selected cosets of the generalized first order Reed-Muller code. These codes enjoy efficient encoding, good error-correcting capability, and tightly controlled PMEPR, and significantly extend the range of coding options for applications of OFDM using small numbers of carriers.
theory and application of cryptographic techniques | 2012
Alexandra Boldyreva; Jean Paul Degabriele; Kenneth G. Paterson; Martijn Stam
In recent years, a number of standardized symmetric encryption schemes have fallen foul of attacks exploiting the fact that in some real world scenarios ciphertexts can be delivered in a fragmented fashion. We initiate the first general and formal study of the security of symmetric encryption against such attacks. We extend the SSH-specific work of Paterson and Watson (Eurocrypt 2010) to develop security models for the fragmented setting. We also develop security models to formalize the additional desirable properties of ciphertext boundary hiding and robustness against Denial-of-Service (DoS) attacks for schemes in this setting. We illustrate the utility of each of our models via efficient constructions for schemes using only standard cryptographic components, including constructions that simultaneously achieve confidentiality, ciphertext boundary hiding and DoS robustness.
international symposium on information theory | 2000
Kenneth G. Paterson; Vahid Tarokh
The first lower bound on the peak-to-average power ratio (PAPR) of a constant energy code of a given length n, minimum Euclidean distance and rate is established. Conversely, using a nonconstructive Varshamov-Gilbert style argument yields a lower bound on the achievable rate of a code of a given length, minimum Euclidean distance and maximum PAPR. The derivation of these bounds relies on a geometrical analysis of the PAPR of such a code. Further analysis shows that there exist asymptotically good codes whose PAPR is at most 8 log n. These bounds motivate the explicit construction of error-correcting codes with low PAPR. Bounds for exponential sums over Galois fields and rings are applied to obtain an upper bound of order (log n)^2 on the PAPRs of a constructive class of codes, the trace codes. This class includes the binary simplex code, duals of binary, primitive Bose-Chaudhuri-Hocquenghem (BCH) codes and a variety of their nonbinary analogs. Some open problems are identified.
ieee symposium on security and privacy | 2013
N. J. Al Fardan; Kenneth G. Paterson
The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance. In this paper, we present distinguishing and plaintext recovery attacks against TLS and DTLS. The attacks are based on a delicate timing analysis of decryption processing in the two protocols. We include experimental results demonstrating the feasibility of the attacks in realistic network environments for several different implementations of TLS and DTLS, including the leading OpenSSL implementations. We provide countermeasures for the attacks. Finally, we discuss the wider implications of our attacks for the cryptographic design used by TLS and DTLS.
public key cryptography | 2005
Sattam S. Al-Riyami; Kenneth G. Paterson
We present a new Certificateless Public Key Encryption (CL-PKE) scheme whose security is proven to rest on the hardness of the Bilinear Diffie-Hellman Problem (BDHP) and that is more efficient than the original scheme of Al-Riyami and Paterson. We then give an analysis of Gentry's Certificate Based Encryption (CBE) concept, repairing a number of problems with the original definition and security model for CBE. We provide a generic conversion showing that a secure CBE scheme can be constructed from any secure CL-PKE scheme. We apply this result to our new efficient CL-PKE scheme to obtain a CBE scheme that improves on the original scheme of Gentry.
Archive | 2008
Steven D. Galbraith; Kenneth G. Paterson
This book constitutes the thoroughly refereed proceedings of the Second International Conference on Pairing-Based Cryptography, Pairing 2008, held in London, UK, in September 2008. The 20 full papers, presented together with the contributions resulting from 3 invited talks, were carefully reviewed and selected from 50 submissions. The contents are organized in topical sections on cryptography, mathematics, constructing pairing-friendly curves, implementation of pairings, and hardware implementation.
international cryptology conference | 2013
Hugo Krawczyk; Kenneth G. Paterson; Hoeteck Wee
TLS is the most widely-used cryptographic protocol on the Internet. It comprises the TLS Handshake Protocol, responsible for authentication and key establishment, and the TLS Record Protocol, which takes care of subsequent use of those keys to protect bulk data. In this paper, we present the most complete analysis to date of the TLS Handshake protocol and its application to data encryption (in the Record Protocol). We show how to extract a key-encapsulation mechanism (KEM) from the TLS Handshake Protocol, and how the security of the entire TLS protocol follows from security properties of this KEM when composed with a secure authenticated encryption scheme in the Record Protocol. The security notion we achieve is a variant of the ACCE notion recently introduced by Jager et al. (Crypto ’12). Our approach enables us to analyse multiple different key establishment methods in a modular fashion, including the first proof of the most common deployment mode that is based on RSA PKCS #1v1.5 encryption, as well as Diffie-Hellman modes. Our results can be applied to settings where mutual authentication is provided and to the more common situation where only server authentication is applied.
Lecture Notes in Computer Science | 2003
Sattam S. Al-Riyami; Kenneth G. Paterson
Joux’s protocol [29] is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. But it is insecure, suffering from a simple man-in-the-middle attack. This paper shows how to make Joux’s protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communication and no signature computations. A pass-optimal authenticated and key confirmed tripartite protocol that generalises the station-to-station protocol is also presented. The security properties of the new protocols are studied using provable security methods and heuristic approaches. Applications for the protocols are also discussed.
international conference on peer-to-peer computing | 2005
Shane Balfe; Amit D. Lakhani; Kenneth G. Paterson
In this paper, we demonstrate the application of trusted computing to securing peer-to-peer (P2P) networks. We identify a central challenge in providing many of the security services within these networks, namely the absence of stable verifiable peer identities. We employ the functionalities provided by trusted computing technology to establish a pseudonymous authentication scheme for peers and extend this scheme to build secure channels between peers for future communications. In support of our work, we illustrate how commands from the trusted computing group (TCG) specifications can be used to implement our approach in P2P networks.
Collaboration
Kenneth G. Paterson's collaborating institutions include the National Institute of Advanced Industrial Science and Technology.