Results 11 - 20 of 150
Universally composable symbolic analysis of mutual authentication and key exchange protocols
In Proceedings, Theory of Cryptography Conference (TCC), 2006
Cited by 32 (2 self)
Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.
Off-the-record communication, or, why not to use PGP
In WPES '04: the 2004 ACM Workshop on Privacy in the Electronic Society, 2004
Cited by 31 (4 self)
Quite often on the Internet, cryptography is used to protect private, personal communications. However, most commonly, systems such as PGP are used, which use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity. In this paper, we argue that most social communications online should have just the opposite of the above two properties; namely, they should have perfect forward secrecy and repudiability. We present a protocol for secure online communication, called “off-the-record messaging”, which has properties better-suited for casual conversation than do systems like PGP or S/MIME. We also present an implementation of off-the-record messaging as a plugin to the Linux GAIM instant messaging client. Finally, we discuss how to achieve similar privacy for high-latency communications such as email.
Tripartite Authenticated Key Agreement Protocols from Pairings
2002
Cited by 30 (1 self)
Joux's protocol [29] is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. But it is insecure, suffering from a simple man-in-the-middle attack. This paper shows how to make Joux's protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communication and no signature computations. A pass-optimal authenticated and key confirmed tripartite protocol that generalises the station-to-station protocol is also presented. The security properties of the new protocols are studied using provable security methods and heuristic approaches. Applications for the protocols are also discussed.
The ephemeral pairing problem
In Proceedings of the 8th International Financial Cryptography Conference, 2004
Cited by 26 (1 self)
In wireless ad-hoc broadcast networks the pairing problem consists of establishing a (long-term) connection between two specific physical nodes in the network that do not yet know each other. We focus on the ephemeral version of this problem. Ephemeral pairings occur, for example, when electronic business cards are exchanged between two people that meet, or when one pays at a check-out using a wireless wallet. This problem can, in more abstract terms, be phrased as an ephemeral key exchange problem: given a low bandwidth authentic (or private) communication channel between two nodes, and a high bandwidth broadcast channel, can we establish a high-entropy shared secret session key between the two nodes without relying on any a priori shared secret information? Apart from introducing this new problem, we present several ephemeral key exchange protocols, both for the case of authentic channels as well as for the case of private channels.
Just Fast Keying: Key Agreement in a Hostile Internet
ACM Trans. Inf. Syst. Secur., 2004
"... this paper appeared as [Aiello et al. 2003] ..."
Composition of Cryptographic Protocols in a Probabilistic Polynomial-Time Process Calculus
Proceedings of CONCUR 2003 - Concurrency Theory, volume 2761 of LNCS, 2003
Cited by 23 (5 self)
We use the probabilistic polynomial-time process calculus introduced in [15] to derive compositionality properties of cryptographic protocols in the presence of computationally bounded adversaries. We focus on four types of protocols: oblivious transfer (OT), secure function evaluation, zero-knowledge proofs and secure channel implementation. A general definition for all these cases is established following the general paradigm that a protocol is secure iff it can emulate an ideal protocol. To this end, we capitalize on the semantics of the calculus and extract a Markov process of observations to set up the notion of emulation. Emulation turns out to be a congruence relation and this result leads to a general composition theorem. We derive as a corollary an associated composition result for each of the four types of protocols considered, encompassing in some cases both active and passive adversaries. As an illustration of the concepts and results in an intuitive and simple manner, we give special emphasis to the simple case of OT, incorporating an example of the protocol. Finally, we compare our approach with the approaches by Canetti in [5] and Pfitzmann et al. in [22].
Relaxing chosen-ciphertext security
In Advances in Cryptology: CRYPTO 2003, 2003
Cited by 23 (1 self)
Security against adaptive chosen ciphertext attacks (or, CCA security) has been accepted as the standard requirement from encryption schemes that need to withstand active attacks. In particular, it is regarded as the appropriate security notion for encryption schemes used as components within general protocols and applications. Indeed, CCA security was shown to suffice in a large variety of contexts. However, CCA security often appears to be somewhat too strong: there exist encryption schemes (some of which come up naturally in practice) that are not CCA secure, but seem sufficiently secure "for most practical purposes." We propose a relaxed variant of CCA security, called Replayable CCA (RCCA) security. RCCA security accepts as secure the non-CCA (yet arguably secure) schemes mentioned above; furthermore, it suffices for most existing applications of CCA security. We provide three formulations of RCCA security. The first one follows the spirit of semantic security and is formulated via an ideal functionality in the universally composable security framework. The other two are formulated following the indistinguishability and non-malleability approaches, respectively. We show that the three formulations are equivalent in most interesting cases.
Authenticated Three Party Key Agreement Protocols from Pairings
2002
Cited by 20 (2 self)
This paper takes the pairing-based tripartite key agreement protocol of Joux and develops it to produce three-party key agreement protocols offering additional security properties. We present a number of tripartite, one round, authenticated protocols related to the MTI and MQV protocols. We also present pass-optimal authenticated and key confirmed tripartite protocols that generalise the station-to-station protocol.
Key Agreement using Statically Keyed Authenticators
Applied Cryptography and Network Security - ACNS 2004, Lecture Notes in Computer Science, 2004
Cited by 19 (1 self)
A family of authenticators based on static shared keys is identified and proven secure. The authenticators can be used in a variety of settings, including identity-based ones. Application of the authenticators to Diffie-Hellman variants in appropriate groups leads to authenticated key agreement protocols which have attractive properties in comparison with other proven-secure protocols. We explore two key agreement protocols that result.
Intrusion-Resilience via the Bounded-Storage Model
In TCC, 2005
Cited by 18 (3 self)
We introduce a new method of achieving intrusion-resilience in cryptographic protocols. More precisely, we show how to preserve the security of such protocols even if a malicious program (e.g. a virus) was installed on the computer of an honest user (and was later removed). The security of our protocols relies on the assumption that the amount of data that the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on the user's private data before deciding what to transfer). We focus on two cryptographic tasks, namely: authenticated key exchange and entity authentication. Our method is based on results from the Bounded-Storage Model.