Łukasz Krzywiecki

Simplified PACE|AA Protocol

We present SPACE|AA protocol that merges Chip Authentication of a smart card with card owner authorization via PACE protocol implemented in German personal identity documents. It is an improvement of PACE|AA protocol presented at Financial Cryptography 2012. Moreover, we explicitly formulate privacy model implicitely used by the authors of PACE|AA.

Step-Out Ring Signatures

We propose a version of ring signatures for which the set of potential signers may be reduced: the real signer can prove that he or she has created the signature, while every other member of the ring can prove not to be the signer. Possibility to run these protocols is triggered by publishing certain secret information. The proposed scheme is an intermediate solution between the classical ring and group signatures, and can be used for instance for e-auction schemes.

Proof of possession for cloud storage via lagrangian interpolation techniques

We consider Provable Data Possesion (PDP) - a protocol which enables an owner of data stored in the cloud to verify whether this data is still available in the cloud without holding a copy of the file. We propose a PDP framework based on Lagrangian interpolation in the exponent for groups with hard discrete logarithm problem. We reuse properties of this arithmetic exploited so far in broadcast encryption systems.

Restricted identification scheme and diffie-hellman linking problem

We concern schemes designed for user authentication in different systems (called sectors) with a single private key so that activities of the same person in different sectors are not linkable. In particular, we consider Restricted Identification scheme implemented on personal identity cards (neuer Personalausweis) issued by German authorities. The schemes we concern are devoted for practical application on personal identity cards where limitations of memory size is a critical issue. Unlinkability for German Restricted Identification is silently based on random oracle model. We prove that the construction can be simplified by eliminating hiding certain values with hash functions: we show that unlinkability can be based on a problem that we call Linking Diffie-Hellman Problem (LDHP). We prove that LDHP is as hard as Decisional DHP. Thereby we justify unlinkability in the standard model. We also introduce and analyze a variant of German Restricted Identification providing active authentication. This protocol is intended for application areas where the right to access a sector is not by default (as for German Restricted Identification) and can be both granted and blocked. It is intended to serve as anonymous identity for sectors such as access to medical data and law enforcement, where prevention of Sybil attacks is a fundamental requirement.

Random Subsets of the Interval and P2P Protocols

In this paper we compare two methods for generating finite families of random subsets according to some sequence of independent random variables i¾? 1 , ..., i¾? n distributed uniformly over the interval [0,1]. The first method called uniform splituses i¾? i values straightforwardly to determine points of division of [0,1] into subintervals. The second method called binary splituses i¾? i only to perform subsequent divisions of already existing subintervals into exact halves. We show that the variance of lengthes of obtained intervals in the first method is approximately

Mutual Restricted Identification

\frac{1}{n^2}

Schnorr-Like Identification Scheme Resistant to Malicious Subliminal Setting of Ephemeral Secret

and that the variance of lengthes of obtained intervals in the second method is approximately

A revocation scheme preserving privacy

\frac{1}{n^2}(\frac{1}{\ln 2}-1)

Optical PUF for Non-Forwardable Vehicle Authentication

. The uniform split is used in the Chord peer-to-peer protocol while the binary split is used in the CAN protocol. Therefore our analysis applies to this protocols and shows that CAN has a better probabilistic properties than Chord. We propose also a simple modification of the Chord protocol which improves its statistical properties.

Technical and Legal Meaning of “Sole Control” – Towards Verifiability in Signing Systems

We extend the idea of Restricted Identification deployed in the personal identity documents in Germany. Our protocol, Mutual Restricted Authentication (MRI for short), is designed for direct anonymous authentication between users who belong to the same domain (called also a sector). MRI requires only one private key per user. Still there are no limitations to which domain a user may belong and the domains are not fixed in advance. This enables an implementation of MRI when a strictly limited secure memory is available (like for smart cards). MRI guarantees that a user has exactly one identity within a domain, while the identities from different domains of the same user are not linkable. The main difference between RI and MRI is that for MRI the privacy of both participants are protected, while in case of RI the terminal is fully exposed. The protocol is efficient, extremely simple (in particular, it outperforms RI) and well suited for an implementation on resource limited devices such as smart cards.