Serge Vaudenay
École Polytechnique Fédérale de Lausanne
Publication
Featured research published by Serge Vaudenay.
Archive | 2006
Serge Vaudenay
Let g be an element of prime order p in an abelian group and α ∈ Z_p. We show that if g, g^α, and g^(α^d) are given for a positive divisor d of p − 1, we can compute the secret α in O(log p · (√(p/d) + √d)) group operations using O(max{√(p/d), √d}) memory. If g^(α^i) (i = 0, 1, 2, ..., d) are provided for a positive divisor d of p + 1, α can be computed in O(log p · (√(p/d) + d)) group operations using O(max{√(p/d), √d}) memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by O(√d) from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from O(√p) to O(√(p/d)) for Boldyreva's blind signature and the original ElGamal scheme when p − 1 (resp. p + 1) has a divisor d ≤ p^(1/2) (resp. d ≤ p^(1/3)) and d signature or decryption queries are allowed.
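Worked example added by the editor (it is not code from the paper): the first algorithm above, for the case d | p − 1, run in a constructed toy group, the subgroup of order p = 1009 in Z_q^* with q = 10091 (1008 = 2^4·3^2·7, so d = 48 is a valid divisor). The attacker holds g, g^α and g^(α^d); writing α = ζ^k for a generator ζ of Z_p^*, the element g^(α^d) only depends on k mod (p−1)/d, which a baby-step giant-step of size √((p−1)/d) recovers, and a second one of size √d recovers the rest. All function names and parameter values are the example's own.

```python
# Added example (editor's code, not from the paper): Cheon's algorithm for the
# case d | p-1, in a constructed toy group.  Given g, g^alpha and g^(alpha^d),
# recover alpha in O(sqrt((p-1)/d) + sqrt(d)) group operations instead of O(sqrt(p)).
import math


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    fs, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            fs.add(f)
            n //= f
        f += 1
    if n > 1:
        fs.add(n)
    return fs


def primitive_root(p):
    """A generator zeta of the multiplicative group Z_p^* (p prime)."""
    fs = prime_factors(p - 1)
    for z in range(2, p):
        if all(pow(z, (p - 1) // f, p) != 1 for f in fs):
            return z
    raise ValueError("no primitive root found")


def element_of_order(q, p):
    """An element g of prime order p in Z_q^*; assumes p | q-1."""
    cof = (q - 1) // p
    for h in range(2, q):
        g = pow(h, cof, q)
        if g != 1:
            return g
    raise ValueError("no element of order p")


def bsgs_in_exponent(g, target, base, order, p, q):
    """Return j in [0, order) with target == g^(base^j) in Z_q^*, where g has
    order p and base has multiplicative order `order` mod p.
    Baby-step giant-step: about 2*sqrt(order) exponentiations in the group."""
    m = math.isqrt(order) + 1            # m^2 > order
    baby = {}
    x = 1                                # base^r mod p
    for r in range(m):
        baby.setdefault(pow(g, x, q), r)  # g^(base^r)
        x = x * base % p
    giant = pow(base, -m, p)             # base^(-m) mod p
    cur = target                         # g^(base^(j - i*m)) at giant step i
    for i in range(m):
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = pow(cur, giant, q)
    raise ValueError("target not in the expected coset")


def cheon_p_minus_1(g, g_alpha, g_alpha_d, d, p, q):
    """Recover alpha from g, g^alpha, g^(alpha^d) when d | p-1 (alpha != 0)."""
    assert (p - 1) % d == 0
    zeta = primitive_root(p)             # alpha = zeta^k for some k in [0, p-1)
    n = (p - 1) // d
    # Step 1: alpha^d = zeta^(d*k) lies in the order-n subgroup <zeta^d>, so
    # g^(alpha^d) reveals k1 = k mod n with O(sqrt(n)) = O(sqrt(p/d)) work.
    k1 = bsgs_in_exponent(g, g_alpha_d, pow(zeta, d, p), n, p, q)
    # Step 2: alpha * zeta^(-k1) = zeta^(n*k2) lies in the order-d subgroup
    # <zeta^n>; strip zeta^k1 off g^alpha and search k2 with O(sqrt(d)) work.
    t = pow(g_alpha, pow(zeta, -k1, p), q)
    k2 = bsgs_in_exponent(g, t, pow(zeta, n, p), d, p, q)
    return pow(zeta, k1 + n * k2, p)


def demo(alpha=777, d=48, p=1009, q=10091):
    """Constructed parameters: q and p prime, p | q-1, d | p-1.
    Returns (alpha, recovered) so the two can be compared."""
    g = element_of_order(q, p)
    assert pow(g, p, q) == 1
    g_alpha = pow(g, alpha, q)
    g_alpha_d = pow(g, pow(alpha, d, p), q)   # what a d-query oracle leaks
    return alpha, cheon_p_minus_1(g, g_alpha, g_alpha_d, d, p, q)


if __name__ == "__main__":
    print(demo())
```

The two searches cost about 2√21 + 2√48 exponentiations here instead of the 2√1009 a plain baby-step giant-step on g^α would need; the same ratio √d is what the abstract claims for real-size p. The search needs d to divide p − 1, which is why the paper's attack conditions are on the factorisation of p ± 1 rather than on p alone.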
international conference on the theory and application of cryptology and information security | 2007
Serge Vaudenay
We provide a formal model for identification schemes. Under this model, we give strong definitions for security and privacy. Our model captures the notion of a powerful adversary who can monitor all communications, trace tags within a limited period of time, corrupt tags, and get side channel information on the reader output. Adversaries who do not have access to this side channel are called narrow adversaries. Depending on restrictions on corruption, adversaries are called strong, destructive, forward, or weak adversaries. We derive some separation results: strong privacy is impossible. Narrow-strong privacy implies key agreement. We also prove some constructions: narrow-strong and forward privacy based on a public-key cryptosystem, narrow-destructive privacy based on a random oracle, and weak privacy based on a pseudorandom function.
theory and application of cryptographic techniques | 1994
Florent Chabaud; Serge Vaudenay
Linear cryptanalysis, introduced last year by Matsui, will most certainly open up the way to new attack methods which may be made more efficient when compared or combined with differential cryptanalysis.
Archive | 2005
Serge Vaudenay
Cryptanalysis: A New Related Message Attack on RSA; Breaking a Cryptographic Protocol with Pseudoprimes; Experimenting with Faults, Lattices and the DSA.
Key Establishment: Securing RSA-KEM via the AES; One-Time Verifier-Based Encrypted Key Exchange; Password-Based Authenticated Key Exchange in the Three-Party Setting.
Optimization: On the Optimization of Side-Channel Attacks by Advanced Stochastic Methods; Symmetric Subgroup Membership Problems.
Building Blocks: Optimizing Robustness While Generating Shared Secret Safe Primes; Fast Multi-computations with Integer Similarity Strategy; Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order; Efficient k-Out-of-n Oblivious Transfer Schemes with Adaptive and Non-adaptive Queries.
RSA Cryptography: Converse Results to the Wiener Attack on RSA; RSA with Balanced Short Exponents and Its Application to Entity Authentication; The Sampling Twice Technique for the RSA-Based Cryptosystems with Anonymity; From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited.
Multivariate Asymmetric Cryptography: Tractable Rational Map Signature; Cryptanalysis of the Tractable Rational Map Cryptosystem; Large Superfluous Keys in Multivariate Quadratic Asymmetric Systems; Cryptanalysis of HFEv and Internal Perturbation of HFE.
Signature Schemes: A Generic Scheme Based on Trapdoor One-Way Permutations with Signatures as Short as Possible; Cramer-Damgård Signatures Revisited: Efficient Flat-Tree Signatures Based on Factoring; The Security of the FDH Variant of Chaum's Undeniable Signature Scheme; Efficient Threshold RSA Signatures with General Moduli and No Extra Assumptions.
Identity-Based Cryptography: Improved Identity-Based Signcryption; Efficient Multi-receiver Identity-Based Encryption and Its Application to Broadcast Encryption; CBE from CL-PKE: A Generic Construction and Efficient Schemes.
Best Paper Award: A Verifiable Random Function with Short Proofs and Keys.
international cryptology conference | 2005
Serge Vaudenay
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoring of secure associations in a disaster case, namely when one remote peer has had his long-term keys corrupted.
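A sketch of the exchange, added by the editor and not the paper's own code: three flows over the insecure channel (Alice's message plus a commitment to her random R_A; Bob's message plus his R_B; Alice's opening of the commitment), then each side authenticates SAS = R_A ⊕ R_B over the 15-bit channel and accepts only if the two values match. The commitment is a plain hash of message, randomness and nonce, an assumption standing in for the extractable or equivocable commitment the paper needs; the party and attacker classes, message values and seeds are all constructed for the example. The attacker shown substitutes Alice's message; since the commitment binds that message, it must commit to its own R_A' before Bob has revealed R_B, which is exactly what forces it into a one-in-2^15 guess.

```python
# Added example (editor's sketch, not the paper's code): one run of SAS-based
# cross-authentication with a 15-bit SAS, and a man-in-the-middle who replaces
# Alice's message.  Commitment here is hash-based (H(m || R || nonce)), an
# assumption standing in for the extractable/equivocable commitment the paper
# requires; "accept" means both SAS values sent over the authenticated channel match.
import hashlib
import secrets

SAS_BITS = 15                       # the "very short string" of the abstract
SAS_MASK = (1 << SAS_BITS) - 1


def commit(m, r, nonce):
    """(c, d) = commit(m, R): c hides R and binds it to m; d opens it."""
    c = hashlib.sha256(m + r.to_bytes(2, "big") + nonce).digest()
    return c, (r, nonce)


def open_commit(m, c, d):
    """Return R if d opens c for message m, else None."""
    r, nonce = d
    return r if commit(m, r, nonce)[0] == c else None


class Alice:
    def __init__(self, m_a, r_a, nonce):
        self.m_a, self.r_a, self.nonce = m_a, r_a, nonce

    def msg1(self):                 # insecure channel: m_A, c
        self.c, self.d = commit(self.m_a, self.r_a, self.nonce)
        return self.m_a, self.c

    def recv2(self, m_b, r_b):      # insecure channel: m_B, R_B
        self.m_b, self.r_b = m_b, r_b

    def msg3(self):                 # insecure channel: d (opens c)
        return self.d

    def sas(self):                  # authenticated channel: SAS = R_A xor R_B
        return self.r_a ^ self.r_b


class Bob:
    def __init__(self, m_b, r_b):
        self.m_b, self.r_b = m_b, r_b

    def recv1(self, m_a, c):
        self.m_a, self.c = m_a, c

    def msg2(self):
        return self.m_b, self.r_b

    def recv3(self, d):
        self.r_a = open_commit(self.m_a, self.c, d)   # None if c does not open

    def sas(self):
        return None if self.r_a is None else self.r_a ^ self.r_b


def run(alice, bob, mitm=None):
    """Drive the three insecure-channel flows, then compare the SAS each side
    would authenticate.  Returns (accepted, bob_sees_alice_message)."""
    m1 = alice.msg1()
    bob.recv1(*(mitm.on_msg1(*m1) if mitm else m1))
    m2 = bob.msg2()
    alice.recv2(*(mitm.on_msg2(*m2) if mitm else m2))
    m3 = alice.msg3()
    bob.recv3(mitm.on_msg3(m3) if mitm else m3)
    accepted = bob.sas() is not None and alice.sas() == bob.sas()
    return accepted, bob.m_a == alice.m_a


class Substitute:
    """Adversary replacing m_A by m_fake.  Because c binds m_A, the adversary
    must issue its own commitment, i.e. choose its R_A' before seeing R_B."""
    def __init__(self, m_fake, r_fake, nonce):
        self.m_fake, self.r_fake, self.nonce = m_fake, r_fake, nonce

    def on_msg1(self, m_a, c):
        self.c, self.d = commit(self.m_fake, self.r_fake, self.nonce)
        return self.m_fake, self.c

    def on_msg2(self, m_b, r_b):
        return m_b, r_b                  # passed through unchanged

    def on_msg3(self, d):
        return self.d                    # open the adversary's commitment instead


def honest_run():
    r_a, r_b = secrets.randbits(SAS_BITS), secrets.randbits(SAS_BITS)
    return run(Alice(b"pk_alice", r_a, secrets.token_bytes(16)), Bob(b"pk_bob", r_b))


def attacked_run(r_fake_offset=1):
    """Fixed honest randomness (constructed); the adversary's R_A' differs from
    R_A by the offset, so offset 0 models its one-in-2^SAS_BITS lucky guess."""
    r_a, r_b = 0x1234 & SAS_MASK, 0x5A5A & SAS_MASK
    alice = Alice(b"pk_alice", r_a, bytes(16))
    bob = Bob(b"pk_bob", r_b)
    mitm = Substitute(b"pk_mallory", (r_a + r_fake_offset) & SAS_MASK, bytes(16))
    return run(alice, bob, mitm)
```

`honest_run()` accepts with Bob holding Alice's real message; `attacked_run()` is rejected because the SAS values differ, and `attacked_run(0)` shows the only way through: the adversary's R_A' happened to equal R_A, which over the insecure channel it can only guess. The authenticated channel's weak guarantee (no forgery, but delivery may be stalled or replayed) is enough here because the SAS is bound to this run's commitment; replaying an old SAS does not match fresh randomness.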
international cryptology conference | 2002
Serge Vaudenay
In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel. In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.
international cryptology conference | 1996
Mike Just; Serge Vaudenay
We examine key agreement protocols providing (i) key authentication (ii) key confirmation and (iii) forward secrecy. Attacks are presented against previous two-party key agreement schemes and we subsequently present a protocol providing the properties listed above.
international conference on the theory and application of cryptology and information security | 2004
Thomas Baignères; Pascal Junod; Serge Vaudenay
Several generalizations of linear cryptanalysis have been proposed in the past, as well as very similar attacks from a statistical point of view. In this paper, we define a rigorous general statistical framework which allows one to interpret most of these attacks in a simple and unified way. Then, we explicitly construct optimal distinguishers, we evaluate their performance, and we prove that a block cipher immune to classical linear cryptanalysis possesses some resistance to a wide class of generalized versions, but not all. Finally, we derive tools which are necessary to set up more elaborate extensions of linear cryptanalysis, and to generalize the notions of bias, characteristic, and piling-up lemma.
international cryptology conference | 2003
Brice Canvel; Alain P. Hiltgen; Serge Vaudenay; Martin Vuagnoux
Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS.
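The CBC padding side channel of the 2002 paper above, and its use against a password sent through such a tunnel as in this one, as a local simulation added by the editor (not code from either paper). The receiver decrypts in CBC mode and answers only "padding valid" or "padding invalid"; the attacker, holding just the ciphertext, recovers the plaintext one byte per block position by submitting a crafted previous block and reading that one bit. The block cipher is a constructed 4-round Feistel toy keyed with SHA-256, chosen only because it is invertible and needs no library; the attack never looks inside it, and the sample message, key and names are the example's own.

```python
# Added example (editor's code, not from either paper): a CBC padding-oracle
# attack simulated locally.  The cipher is a constructed Feistel toy (not
# secure, just invertible); the oracle answers only valid/invalid padding,
# the acknowledgement-vs-error signal the abstract calls a side channel.
import hashlib
import secrets

BLOCK = 16


def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(data):
    """PKCS#7 check; None on invalid padding (this None is what leaks)."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def cbc_encrypt(key, iv, msg):
    data, out, prev = pad(msg), b"", iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)


class PaddingOracle:
    """The receiver: decrypts and reports only whether the format was valid."""
    def __init__(self, key, iv):
        self.key, self.iv, self.queries = key, iv, 0

    def __call__(self, ct):
        self.queries += 1
        return cbc_decrypt(self.key, self.iv, ct) is not None


def recover_block(oracle, prev, target):
    """Recover D_K(target) byte by byte from the end, then xor with prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                   # padding value we try to force
        for guess in range(256):
            fake = bytearray(BLOCK)
            fake[pos] = guess
            for j in range(pos + 1, BLOCK):  # known tail bytes decrypt to padv
                fake[j] = inter[j] ^ padv
            if not oracle(bytes(fake) + target):
                continue
            if pos == BLOCK - 1:             # rule out an accidental 02 02 etc.
                fake[pos - 1] ^= 0xFF
                if not oracle(bytes(fake) + target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("no guess accepted; not behaving as a padding oracle")
    return _xor(inter, prev)


def attack(oracle, iv, ct):
    """Decrypt the whole ciphertext with oracle access only, no key."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(pt)


def demo():
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    msg = b"LOGIN user pass=hunter2 IMAP4rev1"      # constructed sample secret
    ct = cbc_encrypt(key, iv, msg)
    oracle = PaddingOracle(key, iv)
    return attack(oracle, iv, ct), oracle.queries
```

`demo()` returns the recovered plaintext and the number of oracle calls, at most 256 per byte plus a second query on the last byte of each block to disambiguate a true `01` from a chance `02 02`. The defence the paper discusses is not a different padding but removing the signal: treat padding and MAC failures identically, in constant time, with one undifferentiated error.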
theory and application of cryptographic techniques | 1994
David Naccache; David M'raihi; Serge Vaudenay; Dan Raphaeli
The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtedly, many applications will include this standard in the future and thus, the foreseen domination of DSA as a legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations.