Publication


Featured research published by Przemysław Kubiak.


Lecture Notes in Computer Science | 2006

Kleptographic attacks on e-voting schemes

Marcin Gogolewski; Marek Klonowski; Przemysław Kubiak; Mirosław Kutyłowski; Anna Lauks; Filip Zagórski

We analyze electronic voting schemes and show that in many cases it is quite easy to implement a kleptographic channel, which is a profound danger for electronic voting systems. We show serious problems with Neff's scheme. We present also attacks on Chaum's visual voting scheme and some related schemes, which work at least when implementation is not careful enough.


trust security and privacy in computing and communications | 2012

Restricted Identification without Group Keys

Lucjan Hanzlik; Kamil Kluczniak; Przemysław Kubiak; Mirosław Kutyłowski

We present a variant of the protocol stack for anonymous authentication implemented in German personal identity documents. We strengthen the system by eliminating group keys - a potential target of attack for a powerful adversary aiming to undermine Restricted Identification mechanisms. We provide a mechanism of authentication that merges Chip Authentication protocol with Restricted Identification.


international conference on trusted systems | 2011

Restricted identification scheme and Diffie-Hellman linking problem

Mirosław Kutyłowski; Łukasz Krzywiecki; Przemysław Kubiak; Michał Koza

We consider schemes designed for user authentication in different systems (called sectors) with a single private key so that activities of the same person in different sectors are not linkable. In particular, we consider Restricted Identification scheme implemented on personal identity cards (neuer Personalausweis) issued by German authorities. The schemes we consider are intended for practical application on personal identity cards where limitations of memory size are a critical issue. Unlinkability for German Restricted Identification is silently based on random oracle model. We prove that the construction can be simplified by eliminating hiding certain values with hash functions: we show that unlinkability can be based on a problem that we call Linking Diffie-Hellman Problem (LDHP). We prove that LDHP is as hard as Decisional DHP. Thereby we justify unlinkability in the standard model. We also introduce and analyze a variant of German Restricted Identification providing active authentication. This protocol is intended for application areas where the right to access a sector is not by default (as for German Restricted Identification) and can be both granted and blocked. It is intended to serve as anonymous identity for sectors such as access to medical data and law enforcement, where prevention of Sybil attacks is a fundamental requirement.


international conference on trusted systems | 2010

Two-Head dragon protocol: preventing cloning of signature keys

Przemysław Błaśkiewicz; Przemysław Kubiak; Mirosław Kutyłowski

Cryptographic techniques based on possession of private keys rely very much on the assumption that the private keys can be used only by the key's owner. As contemporary architectures of operating systems do not provide such a guarantee, special devices such as smart cards and TPM modules are intended to serve as secure storage for such keys. When carefully designed, these devices can be examined and certified as secure devices for holding private keys. However, this approach has a serious drawback: certification procedure is expensive, requires very specialized knowledge and its result cannot be verified independently by an end-user. On the other hand, malicious cryptography techniques can be used to circumvent the security mechanisms installed in a device. Moreover, in practice we often are forced to retreat to solutions such as generation of the private keys outside secure devices. In this case we are forced to trust blindly the parties providing such services. We propose an architecture for electronic signatures and signature creation devices such that in case of key leakage, any use of leaked keys will be detected with a fairly high probability. The main idea is that using the private keys outside the legitimate place leads to disclosure of these keys preventing any claims of validity of signatures in any thinkable legal situation. Our approach is stronger than fail-stop signatures. Indeed, fail-stop signatures protect against derivation of keys via cryptanalysis of public keys, but cannot do anything about key leakage or making a copy of the key by a service provider that generates the key pairs for the clients. Our approach is a simple alternative to the usual attempts to make cryptographic cards and TPM as tamper resistant as possible, that is, to solve the problem alone by hardware means. It also addresses the question of using private keys stored in not highly secure environment without a dramatic redesign of operating systems. It can be used as a stand-alone solution, or just as an additional mechanism for building trust of an end-user.


information security and cryptology | 2006

A revocation scheme preserving privacy

Łukasz Krzywiecki; Przemysław Kubiak; Mirosław Kutyłowski

We introduce a scheme for anonymous user exclusion in an encrypted broadcast communication. It allows a broadcaster to change the transmission key with a single message broadcasted to N users so that all but z excluded users can retrieve the new key, and volume of the message is O(z). Our scheme is based on Shamir's secret sharing method based on polynomials with dynamic coefficients and shares that evolve in time. No explicit IDs and pseudonyms are used.


forensics in telecommunications information and multimedia | 2010

Digital Signatures for e-Government - A Long-Term Security Architecture

Przemysław Błaśkiewicz; Przemysław Kubiak; Mirosław Kutyłowski

The framework of digital signature based on qualified certificates and X.509 architecture is known to have many security risks. Moreover, the fraud prevention mechanism is fragile and does not provide strong guarantees that might be regarded necessary for flow of legal documents.


trust and privacy in digital business | 2006

How to protect a signature from being shown to a third party

Marek Klonowski; Przemysław Kubiak; Mirosław Kutyłowski; Anna Lauks

Many attempts to control who and under which circumstances can verify our signatures have been made so far. For this purpose one can use undeniable signatures, designated confirmer signatures or designated verifier signatures. We introduce a model of new kind of signatures, called dedicated digital signatures (or dds for short). The core idea is that a designated verifier can present a standard signature of the signer derived from dds to a third party, but at the price of revealing the private key of the designated verifier or at the price of revealing the designated verifier’s signature of a particular message. Therefore the verifier will show the signature only in very special situations. We present a construction of a dds based on ElGamal signatures and its modifications that allow to obtain additional important features.


international conference on systems and networks communications | 2006

Kleptographic Weaknesses in Benaloh-Tuinstra Protocol

Piotr Borzecki; Jedrzej Kabarowski; Przemysław Kubiak; Mirosław Kutyłowski; Filip Zagórski

During designing of cryptographic protocols, their participants are usually identified with software or hardware they use. However, these supporting tools are not verified at the protocol level. Such carelessness opens the door to kleptographic (SETUP) attacks. In this paper we design such an attack on the classical Benaloh-Tuinstra election protocol. One of the technical tools developed in the paper is a new variant of a Diffie-Hellman SETUP attack, in which Kronecker Decomposition of the group is not known to the attacker. This is especially the case of Goldwasser-Micali cryptosystem.


business information systems | 2011

Technical and Legal Meaning of “Sole Control” – Towards Verifiability in Signing Systems

Mirosław Kutyłowski; Przemysław Błaśkiewicz; Łukasz Krzywiecki; Przemysław Kubiak; Wiesław Paluszyński; Michał Tabor

One of the fundamental ideas of the framework of electronic signatures defined in EU Directive 1999/93/WE is “sole control” over signature creation data. For a long time “sole control” has been understood as using black-box devices for which a certain third party has issued a certificate, whereas the signer was supposed to trust blindly the authorities and certification bodies. This has been claimed as the only feasible solution.


network and system security | 2015

Anonymous Evaluation System

Kamil Kluczniak; Lucjan Hanzlik; Przemysław Kubiak; Mirosław Kutyłowski

We present a pragmatic evaluation system, where privacy of each evaluator is guaranteed in a cryptographic way. Each evaluation report is signed with a domain signature that is related to the anonymous signer and to the evaluation subject in the way that (a) a given user cannot appear under different pseudonyms for a given evaluation subject (no Sybil attack possible), (b) it is infeasible to decide whether the signatures for different subjects have been created by the same evaluator, (c) each evaluator holds a single private key.

Top Co-Authors

Mirosław Kutyłowski

University of Science and Technology

Lucjan Hanzlik

Wrocław University of Technology

Łukasz Krzywiecki

Wrocław University of Technology

Filip Zagórski

Wrocław University of Technology

Kamil Kluczniak

Wrocław University of Technology

Marek Klonowski

Wrocław University of Technology

Przemysław Błaśkiewicz

Wrocław University of Technology

Anna Lauks

Wrocław University of Technology

Jacek Cichoń

Wrocław University of Technology

Anna Lauks-Dutka

Wrocław University of Technology
