Philippe Elbaz-Vincent

A new security model for authenticated key agreement

The Canetti-Krawczyk (CK) and extended Canetti-Krawczyk (eCK) security models, are widely used to provide security arguments for key agreement protocols. We discuss security shades in the (e)CK models, and some practical attacks unconsidered in (e)CK-security arguments. We propose a strong security model which encompasses the eCK one. We also propose a new protocol, called Strengthened MQV (SMQV), which in addition to provide the same efficiency as the (H)MQV protocols, is particularly suited for distributed implementations wherein a tamper-proof device is used to store long-lived keys, while session keys are used on an untrusted host machine. The SMQV protocol meets our security definition under the Gap Diffie-Hellman assumption and the Random Oracle model.

A secure and efficient authenticated Diffie-Hellman protocol

The Exponential Challenge Response (XRC) and Dual Exponential Challenge Response (DCR) signature schemes are the building blocks of the HMQV protocol. We propose a complementary analysis of these schemes; on the basis of this analysis we show how impersonation and man in the middle attacks can be mounted against HMQV, when some session specific information leakages happen. We define the Full Exponential Challenge Response (FXRC) and Full Dual Exponential Challenge Response (FDCR) signature schemes; using these schemes we propose the Fully Hashed MQV protocol, which preserves the performance and security attributes of the (H)MQV protocols and resists the attacks we present.

Polynomial multipliers for fully homomorphic encryption on FPGA

Fully Homomorphic Encryption (FHE) becomes an important encryption scheme in the frame of Cloud computing. Current software implementations are however very slow and require a huge computing power. This work investigates the possibility to accelerate FHE by implementing it in off-the-shelf FPGAs. The focus is on one critical function in the FHE scheme: the polynomial multiplication. In this paper, three algorithms are considered and an optimized architecture is proposed for each of them. The major contribution of this paper is the comparison of the different multiplication algorithms on a programmable device: results show that the simplest algorithm is the most efficient for a hardware implementation, in the case of polynomials of order 511 with 32-bit coefficients. The acceleration is about one order of magnitude compared with a software reference implementation.

On the Security of the FHMQV Protocol

The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point a Key Compromise Impersonation KCI attack showing that the two and three pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design and security arguments; we clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.

A complementary analysis of the (s)YZ and DIKE protocols

The Canetti---Krawczyk (CK) model remains widely used for the analysis of key agreement protocols. We recall the CK model, and its variant used for the analysis of the HMQV protocol, the CK

On the separation between the FHMQV and HMQV protocols

_\text{HMQV}

Finite Polylogarithms, Their Multiple Analogues and the Shannon Entropy

model; we recall also some of the limitations of these models. Next, we show that the (s)YZ protocols do not achieve their claimed CK

Milnor K-theory of rings, higher Chow groups and applications

_\text{HMQV}

Perfect forms, K-theory and the cohomology of modular groups

security. Furthermore, we show that they do not achieve their claimed computational fairness. Our attack suggests that no two---pass key establishment protocol can achieve this attribute. We show also that the Deniable Internet Key Exchange fails in authentication; this illustrates the inability of capturing some impersonation attacks in the CK model. Besides, we propose a secure, efficient, and deniable protocol, geared to the post peer specified model.

PERFECT FORMS AND THE COHOMOLOGY OF MODULAR GROUPS

The HMQV protocol is under consideration for IEEE P1363 standardisation. We provide a complementary analysis of the HMQV(-C) protocol. Namely, we point out a key compromise impersonation and a man-in-the-middle attack in the case of a static private key leakage, showing that the HMQV(-C) protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design and security arguments. We clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.