Publication


Featured research published by Olivier Pereira.


International Conference on the Theory and Application of Cryptology and Information Security | 2012

How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios

David Bernhard; Olivier Pereira; Bogdan Warinschi

The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs. This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in the existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems where zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election. On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs. This level of security was assumed in previous works on Helios, and our results are therefore necessary for those analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.


Wireless and Mobile Computing, Networking and Communications | 2008

On the Energy Cost of Communication and Cryptography in Wireless Sensor Networks

G. de Meulenaer; François Gosset; François-Xavier Standaert; Olivier Pereira

Energy is a central concern in the deployment of wireless sensor networks. In this paper, we investigate the energy cost of cryptographic protocols, both from a communication and a computation point of view, based on practical measurements on the MICAz and TelosB sensors. We focus on the cost of two key agreement protocols: Kerberos and the elliptic curve Diffie-Hellman key exchange with authentication provided by the elliptic curve digital signature algorithm (ECDH-ECDSA). We find that, in our context, Kerberos is around one order of magnitude less costly than the ECDH-ECDSA key exchange and confirm that it should be preferred in situations where a trusted third party is available. We also observe that the power dedicated to communications can become a central concern when the nodes need to stay in listen mode, e.g. between the protocol rounds, even when reduced using a low power listening (LPL) protocol. Therefore, listening should be considered when assessing the cost of cryptographic protocols on sensor nodes.


International Conference on Information Security and Cryptology | 2009

The Swiss-Knife RFID Distance Bounding Protocol

Chong Hee Kim; Gildas Avoine; François Koeune; François-Xavier Standaert; Olivier Pereira

Relay attacks are one of the most challenging threats RFID will have to face in the near future. They consist of making the verifier believe that the prover is in its close vicinity by surreptitiously forwarding the signal between the verifier and an out-of-field prover. Distance bounding protocols represent a promising way to thwart relay attacks, by measuring the round-trip time of short authenticated messages. Several such protocols have been designed in recent years, but none of them combines all the features one may expect in an RFID system. We introduce in this paper the first solution that combines in a single protocol all these desirable features. We prove, with respect to the previous protocols, that our proposal is the best one in terms of security, privacy, tag computational overhead, and fault tolerance. We also point out a weakness in Tu and Piramuthu's protocol, which was considered up to now as one of the most efficient distance bounding protocols.


IEEE Computer Security Foundations Symposium | 2001

A security analysis of the Cliques protocol suites

Olivier Pereira; Jean-Jacques Quisquater

Secure group protocols are not easy to design: this paper will show new attacks found against a protocol suite for sharing a key. The method we propose to analyse these protocols is very systematic, and can be applied to numerous protocols of this type. The A-GDH.2 protocol suite analysed throughout this paper is part of the Cliques suites, which propose extensions of the Diffie-Hellman key exchange protocol to a group setting. The A-GDH.2 main protocol is intended to allow a group to share an authenticated key, while the other protocols of the suite allow dynamic changes in the group constitution (adding and deleting members, fusion of groups, ...). We propose an original method to analyse these protocols and present a number of unpublished flaws with respect to each of the main security properties claimed in the protocol definition (key authentication, perfect forward secrecy, resistance to known-key attacks). Most of these flaws arise from the fact that a group setting does not allow one to reason about security properties in the same way as when only two (or three) parties are concerned. Our method has been easily applied to other Cliques protocols and allowed us to pinpoint similar flaws.


IACR Cryptology ePrint Archive | 2010

Leakage Resilient Cryptography in Practice

François-Xavier Standaert; Olivier Pereira; Yu Yu; Jean-Jacques Quisquater; Moti Yung; Elisabeth Oswald

Theoretical treatments of physical attacks have recently attracted the attention of the cryptographic community, as witnessed by various publications, e.g., [1, 17, 22, 24, 29, 31, 33, 34, 42]. These works consider adversaries enhanced with abilities such as inserting faults during a computation or monitoring side-channel leakages.


Computer and Communications Security | 2008

A block cipher based pseudo random number generator secure against side-channel key recovery

Christophe Petit; François-Xavier Standaert; Olivier Pereira; Tal Malkin; Moti Yung

We study the security of a block cipher-based pseudorandom number generator (PRNG), both in the black box world and in the physical world, separately. We first show that the construction is a secure PRNG in the ideal cipher model. Then, we demonstrate its security against a Bayesian side-channel key recovery adversary. As a main result, we show that our construction guarantees that the success rate of the adversary does not grow unboundedly with the number of physical observations, but only in a limited and controlled way. Besides, we observe that, under common assumptions on side-channel attack strategies, increasing the security parameter (typically the block cipher key size) by a polynomial factor increases the side-channel attack complexity by an exponential factor, making the probability of a successful attack negligible. We believe this work provides a first interesting example of the way the algorithmic design of a cryptographic scheme influences its side-channel resistance.


Computer and Communications Security | 2012

Measuring vote privacy, revisited

David Bernhard; Véronique Cortier; Olivier Pereira; Bogdan Warinschi

We propose a new measure for privacy of votes. Our measure relies on computational conditional entropy, an extension of the traditional notion of entropy that incorporates both information-theoretic and computational aspects. As a result, we capture in a unified manner privacy breaches due to two orthogonal sources of insecurity: combinatorial aspects that have to do with the number of participants, the distribution of their votes and published election outcome as well as insecurity of the cryptography used in an implementation. Our privacy measure overcomes limitations of two previous approaches to defining vote privacy and we illustrate its applicability through several case studies. We offer a generic way of applying our measure to a large class of cryptographic protocols that includes the protocols implemented in Helios. We also describe a practical application of our metric on Scantegrity audit data from a real election.


Provable Security | 2008

Universally Composable Security Analysis of TLS

Sebastian Gajek; Mark Manulis; Olivier Pereira; Ahmad-Reza Sadeghi; Jörg Schwenk

We present a security analysis of the complete TLS protocol in the Universally Composable security framework. This analysis evaluates the composition of the key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions, and is based on an adaptation of the secure channel model of Canetti and Krawczyk to the setting where peer identities are not necessarily known prior to the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions.


European Symposium on Research in Computer Security | 2011

Adapting Helios for provable ballot privacy

David Bernhard; Véronique Cortier; Olivier Pereira; Ben Smyth; Bogdan Warinschi

Recent results show that the current implementation of Helios, a practical e-voting protocol, does not ensure independence of the cast votes, and demonstrate the impact of this lack of independence on vote privacy. Some simple fixes seem to be available and security of the revised scheme has been studied with respect to symbolic models. In this paper we study the security of Helios using computational models. Our first contribution is a model for the property known as ballot privacy that generalizes and extends several existing ones. Using this model, we investigate an abstract voting scheme (of which the revised Helios is an instantiation) built from an arbitrary encryption scheme with certain functional properties. We prove, generically, that whenever this encryption scheme falls in the class of voting-friendly schemes that we define, the resulting voting scheme provably satisfies ballot privacy. We explain how our general result yields cryptographic security guarantees for the revised version of Helios (albeit from non-standard assumptions). Furthermore, we show (by giving two distinct constructions) that it is possible to construct voting-friendly encryption, and therefore voting schemes, using only standard cryptographic tools. We detail an instantiation based on ElGamal encryption and Fiat-Shamir noninteractive zero-knowledge proofs that closely resembles Helios and which provably satisfies ballot privacy.


International Symposium on Distributed Computing | 2006

Time-bounded task-PIOAs: a framework for analyzing security protocols

Ran Canetti; Ling Cheung; Dilsun Kirli Kaynar; Moses Liskov; Nancy A. Lynch; Olivier Pereira; Roberto Segala

We present the Time-Bounded Task-PIOA modeling framework, an extension of the Probabilistic I/O Automata (PIOA) framework that is intended to support modeling and verification of security protocols. Time-Bounded Task-PIOAs directly model probabilistic and nondeterministic behavior, partial-information adversarial scheduling, and time-bounded computation. Together, these features are adequate to support modeling of key aspects of security protocols, including secrecy requirements and limitations on the knowledge and computational power of adversarial parties. They also support security protocol verification, using methods that are compatible with informal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a well-known Oblivious Transfer protocol.

Collaboration


Top co-authors of Olivier Pereira:

François-Xavier Standaert (Université catholique de Louvain)

Jean-Jacques Quisquater (Université catholique de Louvain)

Nancy A. Lynch (Massachusetts Institute of Technology)

Ling Cheung (Radboud University Nijmegen)