Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document

Releasing a classical digital signature faces to privacy issues. Indeed, there are cases where the prover needs to authenticate some data without making it possible for any malicious verifier to transfer the proof to anyone else. It is for instance the case for e-passports where the signature from the national authority authenticates personal data. To solve this problem, we can prove knowledge of a valid signature without revealing it. This proof should be non-transferable. We first study deniability for signature verification. Deniability is essentially a weaker form of non-transferability. It holds as soon as the protocol is finished (it is often called offline non-transferability). We introduce Offline Non-Transferable Authentication Protocol (ON-TAP) and we show that it can be built by using a classical signature scheme and a deniable zero-knowledge proof of knowledge. For that reason, we use a generic transform for Σ-protocols. Finally, we give examples to upgrade signature standards based on RSA or ElGamal into an ONTAP. Our examples are well-suited for implementation in e-passports.

Secure communication using authenticated channels

Sylvain Pasini

Our main motivation is to design more user-friendly security protocols. Indeed, if the use of the protocol is tedious, most users will not behave correctly and, consequently, security issues occur. An example is the actual behavior of a user in front of an SSH certificate validation: while this task is of utmost importance, about 99% of SSH users accept the received certificate without checking it. Designing more user-friendly protocols may be difficult since the security should not decrease at the same time. Interestingly, insecure channels coexist with channels ensuring authentication. In practice, these latters may be used for a string comparison or a string copy, e.g., by voice over IP spelling. The shorter the authenticated string is, the less human interaction the protocol requires, and the more user-friendly the protocol is. This leads to the notion of SAS-based cryptography, where SAS stands for Short Authenticated String. In the first part of this thesis, we analyze and propose optimal SAS-based message authentication protocols. By using these protocols, we show how to construct optimal SAS-based authenticated key agreements. Such a protocol enables any group of users to agree on a shared secret key. SAS-based cryptography requires no pre-shared key, no trusted third party, and no public-key infrastructure. However, it requires the user to exchange a short SAS, e.g., five decimal digits. By using the just agreed secret key, the group can now achieve a secure communication based on symmetric cryptography. SAS-based authentication protocols are often used to authenticate the protocol messages of a key agreement. Hence, each new secure communication requires the interaction of the users to agree on the SAS. A solution to reduce the user interaction is to use digital signature schemes. Indeed, in a setup phase, the users can use a SAS-based authentication protocol to exchange long-term verification keys. Then, using digital signatures, users are able to run several key agreements and the authentication of protocol messages is done by digital signatures. In the case where no authenticated channel is available, but a public-key infrastructure is in place, the SAS-based setup phase is avoided since verification keys are already authenticated by the infrastructure. In the second part of this thesis, we also study two problems related to digital signatures: (1) the insecurity of digital signature schemes which use weak hash functions and (2) the privacy issues from signed documents. Digital signatures are often proven to be secure in the random oracle model. The role of random oracles is to model ideal hash functions. However, real hash functions deviate more and more from this idealization. Indeed, weaknesses on hash functions have already been discovered and we are expecting new ones. A question is how to fix the existing signature constructions based on these weak hash functions. In this thesis, we first try to find a better way to model weak hash function. Then, we propose a (randomized) pre-processing to the input message which transforms any weak signature implementation into a strong signature scheme. There remains one drawback due to the randomization. Indeed, the random coins must be sent and thus the signature enlarges. We also propose a method to avoid the increase in signature length by reusing signing coins. Digital signatures may also lead to privacy issues. Indeed, given a message and its signature, anyone can publish the pair which will confirm the authenticity of the message. In certain applications, like in electronic passports (e-passports), publishing the authenticated data leads to serious privacy issues. In this thesis, we define the required security properties in order to protect the data privacy, especially in the case of e-passport verification. The main idea consists for the e-passport to keep the signature secret. The e-passport should only prove that it knows a valid signature instead of revealing it. We propose a new primitive, called Offline Non-Transferable Authentication Protocol (ONTAP), as well as efficient implementations that are compatible with the e-passport standard signature schemes.

EPFL2009

About Machine-Readable Travel Documents

Jean Monnerat, Serge Vaudenay, Martin Vuagnoux

Passports are now equipped with RFID chips that contain private information, biometric data, and a digital signature by issuing authorities. We review most of applicable security and privacy issues. We argue that the main privacy issue is not unauthorized access through radio channel or data skimming as claimed before, but rather the leakage of a digital signature by government authorities for private data. To fix this, we rather need the e-passport to prove the knowledge of a valid signature in a non-transferable way. Besides, several identification protocols such as GPS identification in RFID could lead to challenge semantics attacks that are privacy threats. To fix this, we also need some kind of non-transferability. In 2003, Steinfeld et al. proposed the universal designated-verifier signature (UDVS) primitive. Its drawback is in demanding verifiers to have public keys authenticated by the passport. One compromise was proposed by Baek et al. with the UDVSP primitive. We show that UDVSP does not provide non-transferability and fix it by using zero-knowledge proof of knowledge. We propose a simple method to protect Sigma-protocols against offline Mafia fraud and challenge semantics. We apply this by proposing a simple protocol based on Guillou-Quisquater identification that only requires two RSA computations and would substantially enhance the privacy of the e-passport bearer.

Springer2007

Enhancing Privacy Protection

Rafik Chaabouni

Privacy has recently gained an importance beyond the field of cryptography. In that regard, the main goal behind this thesis is to enhance privacy protection. All of the necessary mathematical and cryptographic preliminaries are introduced at the start of this thesis. We then show in Part I how to improve set membership and range proofs, which are cryptographic primitives enabling better privacy protection. Part II shows how to improve the standards for Machine Readable Travel Documents (MRTDs), such as biometric passports. Regarding set membership proofs, we provide an efficient protocol based on the Boneh-Boyen signature scheme. We show that alternative signature schemes can be used and we provide a general protocol description that can be applied for any secure signature scheme. We also show that signature schemes in our design can be replaced by cryptographic accumulators. For range proofs, we provide interactive solutions where the range is divided in a base u and the u-ary digits are handled by one of our set membership proofs. A general construction is also provided for any set membership proof. We additionally explain how to handle arbitrary ranges with either two range proofs or with an improved solution based on sumset representation. These efficient solutions achieve, to date, the lowest asymptotical communication load. Furthermore, this thesis shows that the first efficient non-interactive range proof is insecure. This thesis thus provides the first efficient and secure non-interactive range proof. In the case of MRTDs, two standards exist: one produced by the International Civil Aviation Organization (ICAO) and the other by the European Union, which is called the Extended Access Control (EAC). Although this thesis focuses on the EAC, which is supposed to solve all privacy concerns, it shows that both standards fail to provide complete privacy protection. Lastly, we provide several solutions to improve them.