References of "Skrobot, Marjan 50003109"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailTightly-Secure PAK(E)
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Cryptology and Network Security (2017, December 02)

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete ... [more ▼]

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today’s world. [less ▲]

Detailed reference viewed: 151 (35 UL)
Full Text
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Skrobot, Marjan UL

Presentation (2017, March 09)

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i ... [more ▼]

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that the SIM-based model of Boyko, Mackenzie and Patel [EUROCRYPT00] and the IND-based model of Abdalla, Fouque and Pointcheval are equivalent, in the sense that a protocol proven secure in one model is also secure in the other model. [less ▲]

Detailed reference viewed: 40 (3 UL)
Full Text
See detailOn Composability and Security of Game-based Password-Authenticated Key Exchange
Skrobot, Marjan UL

Doctoral thesis (2017)

The main purpose of Password-Authenticated Key Exchange (PAKE) is to allow secure authenticated communication over insecure networks between two or more parties who only share a low-entropy password. It ... [more ▼]

The main purpose of Password-Authenticated Key Exchange (PAKE) is to allow secure authenticated communication over insecure networks between two or more parties who only share a low-entropy password. It is common practice that the secret key derived from a PAKE execution is used to authenticate and encrypt some data payload using symmetric key protocols. Unfortunately, most PAKEs of practical interest, including three protocols considered in this thesis, are studied using so-called game-based models, which -- unlike simulation models -- do not guarantee secure composition per se. However, Brzuska et al. (CCS 2011) have shown that a middle ground is possible in the case of authenticated key exchange that relies on Public-Key Infrastructure (PKI): the game-based models do provide secure composition guarantees when the class of higher-level applications is restricted to symmetric-key protocols. The question that we pose in this thesis is whether or not a similar result can be exhibited for PAKE. Our work answers this question positively. More specifically, we show that PAKE protocols secure according to the game-based Real-or-Random (RoR) definition of Abdalla et al. (PKC 2005) allow for automatic, secure composition with arbitrary, higher-level symmetric key protocols. Since there is evidence that most PAKEs secure in the Find-then-Guess (FtG) model of Bellare et al. (EUROCRYPT 2000) are in fact secure according to the RoR definition, we can conclude that nearly all provably secure PAKEs enjoy a certain degree of composition, one that at least covers the case of implementing secure channels. Although many different protocols that accomplish PAKE have been proposed over last two decades, only a few newcomers managed to find their way to real world applications - albeit lacking an intense and prolonged public scrutiny. As a step in the direction of providing one, this dissertation considers the security and efficiency of two relatively recently proposed PAKE protocols - Dragonfly and J-PAKE. In particular, we prove the security of a very close variant of Dragonfly employing the standard FtG model which incorporates forward secrecy. Thus, our work confirms that Dragonfly's main flows are sound. Furthermore, we contribute to the discussion by proposing and examining (in the RoR model of security) two variants of J-PAKE - which we call RO-J-PAKE and CRS-J-PAKE - that each makes the use of two less zero-knowledge proofs than the original protocol, at the cost of an additional security assumption. Our work reveals that CRS-J-PAKE has an edge in terms of efficiency over J-PAKE for both standard group choices: subgroups of finite fields and elliptic curves. The same is true for RO-J-PAKE, but only when instantiated with elliptic curves. [less ▲]

Detailed reference viewed: 217 (35 UL)
Full Text
Peer Reviewed
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Proceedings of the International Conference on Security and Cryptography (2017)

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary. Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al.~(EUROCRYPT 2000) implies IND-RoR security from Abdalla et al.~(PKC 2005) and that IND-RoR security implies a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. [less ▲]

Detailed reference viewed: 103 (13 UL)
Full Text
Peer Reviewed
See detailTwo More Efficient Variants of the J-PAKE Protocol
Skrobot, Marjan UL; Lancrenon, Jean UL; Tang, Qiang UL

in ACNS 2016 (2016, June)

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al. (IEEE ... [more ▼]

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al. (IEEE S&P 2015). In this paper, we propose and examine two variants of J-PAKE - which we call RO-J-PAKE and CRS-J-PAKE - that each makes the use of two less zero-knowledge proofs than the original protocol. We show that they are provably secure following a similar strategy to that of Abdalla et al. We also study their efficiency as compared to J-PAKE's, also taking into account how the groups are chosen. Namely, we treat the cases of subgroups of finite fields and elliptic curves. Our work reveals that, for subgroups of finite fields, CRS-J-PAKE is indeed more efficient than J-PAKE, while RO-J-PAKE is much less efficient. On the other hand, when instantiated with elliptic curves, both RO-J-PAKE and CRS-J-PAKE are more efficient than J-PAKE, with CRS-J-PAKE being the best of the three. We illustrate this experimentally, making use of recent research by Brier et al. (CRYPTO 2010). Regardless of implementation, we note that RO-J-PAKE enjoys a looser security reduction than both J-PAKE and CRS-J-PAKE. CRS-J-PAKE has the tightest security proof, but relies on an additional trust assumption at setup time. We believe our results can be useful to anyone interested in implementing J-PAKE, as perhaps either of these two new protocols may also be options, depending on the deployment context. [less ▲]

Detailed reference viewed: 175 (30 UL)
Full Text
Peer Reviewed
See detailOn the Provable Security of the Dragonfly Protocol
Skrobot, Marjan UL; Lancrenon, Jean UL

in Lopez, Javier; Mitchell, Chris J. (Eds.) Information Security - 18th International Conference, ISC 2015, Trondheim, Norway, September 9-11, 2015 (2015, September)

Detailed reference viewed: 101 (16 UL)