Description
Authentication protocols, run between a prover and a verifier, allow the verifier to check the legitimacy of the prover. A legitimate prover should always authenticate (the correctness requirement), while illegitimate parties (adversaries) should not authenticate (the soundness or impersonation resistance requirement). Secure authentication protocols thwart most Man-in-the-Middle (MIM) attacks, such as replays, but they do not prevent relay attacks , where a coalition of two adversaries, a leech and a ghost , forwards messages between an honest verifier and an honest, far-away prover so as to let the illegitimate ghost authenticate.<br/> Distance-bounding protocols strengthen the security of authentication so as to prevent pure relaying, by enabling the verifier to upper-bound his distance to the prover. This is done by adding a number of time-critical challenge-response rounds, where bits are exchanged over a fast channel; the verifier measures the challenge-response roundtrip and compares it to a time-based proximity bound. There are four attacks such protocols should prevent: mafia fraud, where a MIM adversary tries to authenticate in the presence of a far-away (honest) prover, without purely relaying messages (the clock prevents this); terrorist fraud, where the prover is dishonest and helps the MIM adversary authenticate insofar as this help does not give the adversary any advantage for future (unaided) authentication; distance fraud, where a far-away prover wants to prove he is within the verifier's proximity; and (lazy-round) impersonation security, requiring a degree of impersonation security even for the exchanges that are not timed. Constructing distance-bounding protocols is a highly non-trivial task, since often providing security against one requirement creates a vulnerability with respect to a different requirement. I propose to describe how to construct distance-bounding protocols which are probably secure and also guarantee the prover's privacy.
Next sessions
-
Lightweight (AND, XOR) Implementations of Large-Degree S-boxes
Speaker : Marie Bolzer - LORIA
The problem of finding a minimal circuit to implement a given function is one of the oldest in electronics. In cryptography, the focus is on small functions, especially on S-boxes which are classically the only non-linear functions in iterated block ciphers. In this work, we propose new ad-hoc automatic tools to look for lightweight implementations of non-linear functions on up to 5 variables for[…]-
Cryptography
-
Symmetrical primitive
-
Implementation of cryptographic algorithm
-
-
Algorithms for post-quantum commutative group actions
Speaker : Marc Houben - Inria Bordeaux
At the historical foundation of isogeny-based cryptography lies a scheme known as CRS; a key exchange protocol based on class group actions on elliptic curves. Along with more efficient variants, such as CSIDH, this framework has emerged as a powerful building block for the construction of advanced post-quantum cryptographic primitives. Unfortunately, all protocols in this line of work are[…] -
Endomorphisms via Splittings
Speaker : Min-Yi Shen - No Affiliation
One of the fundamental hardness assumptions underlying isogeny-based cryptography is the problem of finding a non-trivial endomorphism of a given supersingular elliptic curve. In this talk, we show that the problem is related to the problem of finding a splitting of a principally polarised superspecial abelian surface. In particular, we provide formal security reductions and a proof-of-concept[…]-
Cryptography
-