Integrity, Authentication and Confidentiality in Public-Key Cryptography Houda Ferradi

To cite this version: Houda Ferradi. Integrity, authentication and confidentiality in public-key cryptography. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2016. English. NNT: 2016PSLEE045. tel-01745919.

HAL Id: tel-01745919
https://tel.archives-ouvertes.fr/tel-01745919
Submitted on 28 Mar 2018

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

DOCTORAL THESIS of the Université de recherche Paris Sciences et Lettres (PSL Research University)
Prepared at the École normale supérieure

Integrity, Authentication and Confidentiality in Public-Key Cryptography

Doctoral School no. 386: Sciences Mathématiques de Paris Centre
Specialty: Computer Science
Defended by Houda FERRADI on 22 September 2016
Supervised by David NACCACHE, École normale supérieure

JURY COMPOSITION
M. FOUQUE Pierre-Alain, Université Rennes 1, Referee
M. YUNG Moti, Columbia University and Snapchat, Referee
M. FERREIRA ABDALLA Michel, CNRS, École normale supérieure, Jury member
M. CORON Jean-Sébastien, Université du Luxembourg, Jury member
M. GOUBIN Louis, Université de Versailles Saint-Quentin-en-Yvelines, Jury member
M. PAILLIER Pascal, CryptoExperts, Jury member
M. TIBOUCHI Mehdi, NTT Secure Platform Laboratories, Guest

Integrity, Authentication and Confidentiality in Public-Key Cryptography

Doctorate Dissertation submitted in fulfillment of the requirements for the degree of Doctor of the École normale supérieure (Specialty: Computer Science), publicly defended and presented on September 22nd, 2016 by HOUDA FERRADI to the jury consisting of:

Supervisor: David Naccache (École normale supérieure)
Referees: Pierre-Alain Fouque (Université Rennes 1), Moti Yung (Columbia University and Snapchat)
Examiners: Michel Abdalla (CNRS, École normale supérieure), Jean-Sébastien Coron (Université du Luxembourg), Louis Goubin (Université de Versailles Saint-Quentin-en-Yvelines), Pascal Paillier (CryptoExperts)
Guest member: Mehdi Tibouchi (NTT Secure Platform Laboratories)

Doctoral School 386: Mathematical Sciences – Paris Centre
Research unit: UMR 8548 - The École normale supérieure's Computer Science Department, a research laboratory affiliated to CNRS and INRIA

ACKNOWLEDGMENTS

I very warmly thank David Naccache for his advisory role, continuous good humor, friendliness and for his scientific guidance throughout the years.

I am very grateful to David Pointcheval for admitting me into his research group and for funding my thesis through the French ANR Project ANR-12-INSE-0014 SIMPATIC.

I express my affection to the numerous members of the ENS' Cryptography and Security teams. I will always cherish the souvenirs of thought-provoking talks in the laboratory, of your friendship and of your witty humor. The feverish intellectual thrill of discovering together the cutting edge of scientific research at Eurocrypt'15, Eurocrypt'16, Crypto'16, CHES'16 and ACNS'16 was a unique experience that words can hardly express. I am indebted to the team's permanent members for their guidance, life-wisdom and for entrusting me with the review of several papers. The ensuing exchanges with program committee members were an unforgettable scientific experience.

I am grateful to EIT ICT Labs for funding my participation at the 2014 Security & Privacy in Digital Life summer school (Trento) and to ENS for sponsoring my participation at the IACR 2016 School on Design for a Secure IoT (Tenerife) and at the IACR 2015 School on Design and Security of Cryptographic Algorithms and Devices (Sardinia).

A tribute is due to Rémi Géraud for his friendship and efforts invested in our common papers and to Fabrice Ben Hamouda for his gentleness and dedication. I thank my co-authors Michel Abdalla, Ehsan Aerabi, A. Elhadi Amirouche, Fabrice Ben Hamouda, Thomas Bourgeat, Julien Bringer, Robin Champenois, Jean-Michel Cioranesco, Jérémie Clément, Simon Cogliani, Rémi Géraud, Marc Heinrich, Julien Jainski, Diana Maimuț, Kostas (Konstantinos) Markantonakis, Mehari Msgna, Paul Melotti, David Naccache, Raja Naeem Akram, David Pointcheval, Assia Tria, Antoine Voizard, Jean Vuillemin, Amaury de Wargny and Hang Zhou.

I am very grateful to the academic institutions who entrusted me with lecturing duties during my Ph.D.: Université Panthéon-Assas Paris II, Université Paris Diderot-Paris VII, Université Paris-XIII-Nord and, in particular, the École normale supérieure for letting me supervise full-fledged research projects at the Informatique scientifique par la pratique master course. It is my hope that my efforts motivated my students and made my courses an intellectual adventure as much as a curricular obligation.

I express my recognition to Michel Abdalla, Jean-Sébastien Coron, Pierre-Alain Fouque, Louis Goubin, Pascal Paillier, Mehdi Tibouchi and Moti Yung for agreeing to serve in my thesis committee. I particularly thank my thesis referees Pierre-Alain Fouque and Moti Yung for their availability and their detailed comments on my work. I am very honored to have such a prestigious committee.

The research results contained in this thesis were supported by three high-tech firms. Seeing my scientific results applied in products used by millions of customers is a thrilling feeling, for which I warmly thank Ingenico, Huawei and Tanker.

I thank Google for inviting me to the Munich Ph.D. Security Summit. The intense intellectual exchanges with Google's technical teams were an unforgettable experience.

Paris, September 13th, 2016.
Houda Ferradi

CONTENTS

1 Introduction  7
  1.1 Confidentiality Throughout History  7
  1.2 Integrity, Authentication & Fairness  8
2 Mathematical and Cryptographic Preliminaries  11
  2.1 Computational Hardness Assumptions  11
  2.2 Computational Security  15
  2.3 One-Way Functions  16
  2.4 Provable Security  17
    2.4.1 Theoretical Framework  17
    2.4.2 The Random Oracle Paradigm  19
  2.5 Digital Signatures  19
    2.5.1 General Framework  19
    2.5.2 Some Examples  20
    2.5.3 Security Notions for Digital Signatures  22
  2.6 Public-Key Cryptography  24
    2.6.1 General Framework  25
    2.6.2 Security Notions for Public-Key Cryptography  25
  2.7 Proof Systems  27
    2.7.1 Interactive Proofs  27
    2.7.2 Zero-Knowledge Proofs  27
    2.7.3 Applications  28
    2.7.4 Zero-Knowledge Proofs of Knowledge  28
    2.7.5 Non-Interactive Zero-Knowledge Proofs  28
3 Results & Contributions  29
  3.1 Thesis Results  29
    3.1.1 Fairness & Attestation in Cryptographic Protocols  29
    3.1.2 Zero-Knowledge Proof Systems & Authentication Protocols  30
    3.1.3 Exploring Interactions Between Natural Language, Vision & Encryption  32
    3.1.4 Generalization & Applications of Hierarchical Identity-Based Encryption (HIBE)  32
  3.2 Additional Results  33
    3.2.1 Trusted Computing for Embedded Devices: Defenses & Attacks  33
    3.2.2 Creating Covert Channels & Preventing Their Exploitation  34
    3.2.3 Efficient Hardware & Software Implementations  35
    3.2.4 Finding Security Flaws in Server Software  36
  3.3 Personal Bibliography  37
    3.3.1 Journal Papers  37
    3.3.2 Conference Papers  37
    3.3.3 Manuscripts & Pre-Prints  38
4 Designing Integrity Primitives  41
  4.1 Non-Interactive Attestations for Arbitrary RSA Prime Generation Algorithms  43
    4.1.1 Introduction  43
    4.1.2 Outline of the Approach  44
    4.1.3 Model and Analysis  45
    4.1.4 Multi-Modulus Attestation Scheme (u ≥ 2, ℓ = 2)  48
    4.1.5 Security and Parameter Choice  49
    4.1.6 Compressing the Attestation  51
    4.1.7 Parameter Settings  51
    4.1.8 Conclusion and Further Research  52
    4.1.9 Implementing the Second Hash Function H′  53
  4.2 Legally Fair Contract Signing Without Keystones  55
    4.2.1 Introduction  55
    4.2.2 Preliminaries  56
    4.2.3 Legally Fair Co-Signatures  60
5 Designing Authentication Protocols  69
  5.1 Slow Motion Zero Knowledge – Identifying With Colliding Commitments  71
    5.1.1 Introduction  71
    5.1.2 Building Blocks  71
    5.1.3 Commitment Pre-Processing  72
    5.1.4 Time-Lock Puzzles  72
    5.1.5 Slow Motion Zero-Knowledge Protocols  73
    5.1.6 An Example Slow Motion Zero Knowledge  74
    5.1.7 Security Proof  77
    5.1.8 Conclusion and Further Research  81
  5.2 Thrifty Zero-Knowledge: When Linear Programming Meets Cryptography  82
    5.2.1 Introduction  82
    5.2.2 Preliminaries  82
    5.2.3 Optimizing E(P ⇄ V)  84
    5.2.4 Thrifty Zero-Knowledge Protocols  85
    5.2.5 Thrifty SD, PKP and PPP  86
  5.3 Public-Key Based Lightweight Swarm Authentication  89
    5.3.1 Preliminaries  89
    5.3.2 Distributed Fiat-Shamir Authentication  91
    5.3.3 Security Proofs  92
    5.3.4 Variants and Implementation Trade-offs  94
  5.4 When Organized Crime Applies Academic Results  97
    5.4.1 Introduction  97
    5.4.2 Physical Analysis  98
    5.4.3 Protocol Analysis
