Secure Communication Using Authenticated Channels

by S Pasini
Communications (2009)

Available from biblion.epfl.ch

SECURE COMMUNICATION
USING AUTHENTICATED CHANNELS
THESIS No 4452 (2009)
PRESENTED TO THE FACULTY OF COMPUTER AND COMMUNICATION SCIENCES
Institute of Communication Systems
COMMUNICATION SYSTEMS SECTION
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
FOR THE DEGREE OF DOCTOR OF SCIENCE
BY
Sylvain PASINI
communication systems engineer, EPF graduate
of Swiss nationality and originally from Lancy (GE)
accepted on the proposal of the jury:
Prof. B. Faltings, jury president
Prof. S. Vaudenay, thesis director
Prof. A. Lenstra, examiner
Prof. K. Nyberg, examiner
Prof. D. Pointcheval, examiner
Lausanne, EPFL
2009
To my son, Matteo, and to my wife, Nadia.
Abstract
Our main motivation is to design more user-friendly security protocols. Indeed, if the use of a protocol is tedious, most users will not behave correctly and, consequently, security issues occur. An example is the actual behavior of a user faced with an SSH certificate validation: while this task is of utmost importance, about 99% of SSH users accept the received certificate without checking it. Designing more user-friendly protocols may be difficult, since the security must not decrease at the same time. Interestingly, insecure channels coexist with channels that ensure authentication. In practice, the latter may be used for a string comparison or a string copy, e.g., by spelling a string over voice over IP. The shorter the authenticated string is, the less human interaction the protocol requires, and the more user-friendly the protocol is. This leads to the notion of SAS-based cryptography, where SAS stands for Short Authenticated String.
In the first part of this thesis, we analyze and propose optimal SAS-based message authentication protocols. By using these protocols, we show how to construct optimal SAS-based authenticated key agreements. Such a protocol enables any group of users to agree on a shared secret key. SAS-based cryptography requires no pre-shared key, no trusted third party, and no public-key infrastructure. However, it requires the users to exchange a short SAS, e.g., five decimal digits. By using the just-agreed secret key, the group can now achieve a secure communication based on symmetric cryptography.
SAS-based authentication protocols are often used to authenticate the protocol messages
of a key agreement. Hence, each new secure communication requires the interaction of
the users to agree on the SAS. A solution to reduce the user interaction is to use digital
signature schemes. Indeed, in a setup phase, the users can use a SAS-based authentication
protocol to exchange long-term verification keys. Then, using digital signatures, users are
able to run several key agreements and the authentication of protocol messages is done by
digital signatures. In the case where no authenticated channel is available, but a public-key
infrastructure is in place, the SAS-based setup phase is avoided since verification keys are
already authenticated by the infrastructure.
In the second part of this thesis, we also study two problems related to digital signatures: (1) the insecurity of digital signature schemes which use weak hash functions and (2) the privacy issues arising from signed documents.
Digital signatures are often proven to be secure in the random oracle model. The role of random oracles is to model ideal hash functions. However, real hash functions deviate more and more from this idealization. Indeed, weaknesses in hash functions have already been discovered and we are expecting new ones. A question is how to fix the existing signature constructions based on these weak hash functions. In this thesis, we first try to find a better way to model weak hash functions. Then, we propose a (randomized) pre-processing of the input message which transforms any weak signature implementation into a strong signature scheme. One drawback remains due to the randomization. Indeed, the random coins must be sent, and thus the signature grows. We also propose a method to avoid the increase in signature length by reusing the signing coins.
Digital signatures may also lead to privacy issues. Indeed, given a message and its signature, anyone can publish the pair, which will confirm the authenticity of the message. In certain applications, like electronic passports (e-passports), publishing the authenticated data leads to serious privacy issues. In this thesis, we define the security properties required to protect data privacy, especially in the case of e-passport verification. The main idea is for the e-passport to keep the signature secret. The e-passport should only prove that it knows a valid signature instead of revealing it. We propose a new primitive, called Offline Non-Transferable Authentication Protocol (ONTAP), as well as efficient implementations that are compatible with the e-passport standard signature schemes.
Keywords: cryptography, message authentication protocol, short authenticated string,
SAS, key agreement protocol, digital signature, voice over IP, hash-and-sign paradigm, weak
hash function, offline non-transferable authentication protocol, ONTAP, electronic passport.
Résumé
The main motivation of this work is to design security protocols that remain simple to use. If the application demands too much of users, they will not behave correctly and this will cause security problems. An example is the current behavior of a user establishing an SSH connection. The user is supposed to authenticate the public key they receive. This operation requires obtaining a fingerprint of the remote key, which is generally too demanding. In the end, 99% of users simply accept the server's public key without even checking it. Designing a protocol that is simpler to use is not an easy thing given the expected level of security. One interesting point is the coexistence of insecure communication channels with channels that allow data to be authenticated. In practice, the latter may be a simple comparison of two strings, the copying of a number from one device to another, or reading it out over the telephone. Clearly, the shorter the string to authenticate, the less work the user has and the simpler the protocol is to use. This leads us to the notion of SAS-based cryptography. The term SAS comes from Short Authenticated String.
The first part of this thesis is devoted to the analysis of SAS-based message authentication protocols. In particular, we analyze their security in a general way and then propose several optimal protocols. Using these protocols, we show how to build authenticated key agreement protocols, also based on SAS. This type of protocol allows a group of users to agree on a secret key. The advantage of SAS-based cryptography is that it requires no pre-established information, no trust in a third party, and no public-key infrastructure. On the other hand, it requires the user to exchange a short string in an authenticated manner, for example a five-digit SAS. Using this secret key, the group can then communicate securely with a conventional encryption algorithm.
SAS-based message authentication protocols are often used to authenticate the messages of a key agreement protocol. Consequently, each new communication requires the users to intervene in order to exchange the SAS. One solution to reduce the burden on users is the use of digital signatures. Indeed, in an initialization phase, the message authentication protocol can be used to exchange permanent public keys that allow digital signatures to be verified. After that, users can run several key agreement protocols and authentication is done by means of digital signatures. In the case where no authenticated channel is available, but a public-key infrastructure is, the initialization phase can be skipped since the verification keys are already authenticated by the infrastructure.
The second part of this thesis is devoted to two problems related to digital signatures: (1) the insecurity of digital signatures that use weak hash functions and (2) the privacy violations resulting from signed documents.
Digital signatures are often proven secure in the random oracle model. The role of the random oracle is to model hash functions. Unfortunately, real hash functions deviate more and more from this idealization. Indeed, weaknesses have already been discovered and they are certainly not the last. Repairing signatures implemented with these weak hash functions is therefore a problem. In this thesis, we look for a better model for hash functions. After that, we propose a pre-processing of the message that transforms a weak signature implementation into a resistant one. One drawback remains: the length of the signature grows because of the randomness added in the pre-processing. We also propose a method to avoid this lengthening of the signature by recycling the randomness of the signing algorithm.
Digital signatures can also cause privacy problems. Indeed, anyone holding a message and its signature can publish them, and the signature confirms the authenticity of the message. In some cases, such as electronic passports, publishing the authenticated (and personal) data causes serious privacy problems. In this thesis, we define the properties needed to protect privacy, especially for the case of electronic passports. The main idea for the passport is to prove that it holds the signature on the data while keeping the signature secret. We propose a new primitive called Offline Non-Transferable Authentication Protocol (ONTAP). We also propose efficient implementations that are compatible with the signature standards used by electronic passports.
Keywords: cryptography, message authentication protocol, short authenticated string, SAS, key agreement protocol, voice over IP, digital signature, the hash-and-sign paradigm, weak hash function, non-transferable authentication protocol, ONTAP, electronic passport.
Contents
Abstract/Résumé
Acknowledgments/Remerciements
1 Introduction
1.1 SAS-Based Cryptography (Part I)
1.2 Signature Schemes (Part II)
1.3 Keyboard Compromising Electromagnetic Emanations
2 The Authentication Problem
2.1 Basics in Cryptography
2.1.1 Symmetric Cryptography
2.1.2 Agreeing on a Secret Key without Confidential Channel
2.1.3 Public-Key Cryptography
2.2 Communication Channels
2.3 Towards Usable Solutions to Setup Secure Communications
2.4 Message Authentication
2.5 Other Ways for Message Authentication
2.5.1 Protocols Using Time Bounding
2.5.2 Protocols Using Distance Bounding
2.6 Setting up a Secure Communication in a Nutshell
I SAS-based Message Authentication and Key Agreement Protocols
I.4 Security Model
4.1 Network Model
4.2 Communication Model
4.3 Adversarial Model
4.4 Authenticated Channel Models
4.4.1 Weak Authenticated Channels
4.4.2 Stronger Authenticated Channels
4.4.3 Examples
4.4.4 SAS-based Cryptography
I.5 On the Optimal Entropy of Authenticated Communication
5.1 Probability of Collision Between Random Variables
5.2 A Generic One-Shot Attack
5.3 A Generic Multi-Shot Attack
5.4 A Generic Multi-Shot Attack Against Non-Interactive Protocols
5.5 A Short Overview on Generic Attacks Against Unilateral Protocols
5.6 Extension to Two-Party Bilateral Protocols
5.7 Optimality of a Protocol
5.8 Unconditional Security
I.6 Stand-Alone Security versus Complex Settings Security
6.1 Stand-Alone Security
6.2 Security in Complex Settings
6.2.1 Reminder on Universal Composability
6.2.2 Composability Guarantees of a SAS-based Message Authentication Protocol
6.3 SAS-based Protocol Security in a Nutshell
I.7 Two-Party Unilateral Message Authentication
7.1 Unilateral Message Authentication Primitive
7.2 Prior Work on Non-Interactive Protocols
7.2.1 A CRHF-based NIMAP
7.2.2 A NIMAP with Strong Authentication: MANA
7.3 An Optimal NIMAP: PV-NIMAP
7.4 Following Works
7.5 On Interactive Protocols
7.6 Applications
I.8 Two-party Bilateral Message Authentication
8.1 Bilateral Message Authentication Primitives
8.1.1 Message Mutual-Authentication
8.1.2 Message Cross-Authentication
8.1.3 MCA versus MMA Protocols
8.2 Prior Work
8.2.1 A Trivial MMA
8.2.2 The Original SAS-based MCA Protocol: Vau-SAS-MCA
8.3 An Optimal MMA Protocol: PV-SAS-MMA
8.4 An Optimal MCA Protocol: PV-SAS-MCA
8.5 Following Works
8.6 Applications
I.9 Group Message Authentication
9.1 Group Message Authentication Primitive
9.2 Prior Work
9.2.1 Group-MANA IV
9.3 An Optimal GMA Protocol: LP-SAS-GMA
9.4 Applications
I.10 From Message Authentication to Key Agreement
10.1 Authenticated Key Agreement Primitive
10.2 (Non-Authenticated) Key Agreement
10.2.1 The Diffie-Hellman Key Agreement Protocol
10.2.2 The Burmester-Desmedt Group Key Agreement Protocol
10.3 Prior Authenticated Key Agreements
10.3.1 The Hoepman AKA Protocol
10.3.2 PGPfone
10.4 KA+MA = AKA
10.5 An Optimal AKA Protocol: PV-SAS-AKA
10.6 An Optimal GKA Protocol: LP-SAS-GKA
10.7 Applications
14 Conclusion
14.1 SAS-based Cryptography
14.2 Preserving the Privacy of Signed Documents
14.3 Strengthening Signature Schemes Based on the Hash-and-Sign Paradigm
14.4 Final Notes and Further Work
A Birthday Paradox
Bibliography
Glossary
List of Figures
List of Definitions
List of Theorems
Curriculum Vitæ
Acknowledgments
My attraction to security, particularly to cryptography, developed during my studies. To understand how I got here today, it is necessary to quickly overview my route: At the end of normal school, I was directly admitted to the Engineering School of Geneva (EIG). I had the chance to explore different areas of interest, such as computer science, engineering or physics, and I found that all seemed “logical” to me. The most mysterious part remained the cluster of electronic components in a device. Indeed, when we open one, we immediately think “how is it possible to understand what is happening there?”. An engineer is not only able to understand it, but more, he is able to design it. So, when I entered the HES cycle, I chose the electronics field. At the end of the EIG, I did my diploma work in image processing with Prof. Michel Kocher. Michel changed my academic career by convincing me to continue my studies at the EPFL. During my studies at the EIG, I learned a lot about the functioning of a computer, at both the hardware and software levels. The remaining mysterious point for me was the functioning of the Internet: how the Web works, how an email finds its way, and so on. So, at the EPFL, I chose to study communication systems. I discovered that the area was not so complicated and only one question remained: “how to ensure security?”. Through the courses Network security, given by Dr. Philippe Oechslin, and Cryptography, given by Prof. Serge Vaudenay, I discovered a fascinating field. During my semester project and my master thesis, my interest in the field of security increased and I decided to pursue my career as a teaching and research assistant in the security and cryptography laboratory while doing my PhD thesis under the supervision of Prof. Serge Vaudenay.
Here, I would like to express my gratitude to those who have marked my career, and those who supported me during these years.
I start with my PhD supervisor, Professor Serge Vaudenay, who offered me the chance to carry out my PhD thesis in the Security and Cryptography laboratory (LASEC). Everything started in March 2004 with the first course “Security and Cryptography”. I would like to thank Serge for having introduced me to the fascinating field of cryptography. Cryptography is a mysterious world and I always appreciated how math and computer tools can be combined to build (or break) real systems. A cryptographer has a special way of thinking: every time, everywhere, he tries to find “holes in every wall”. One example is the famous “replay attack” in an all-you-can-eat restaurant. Indeed, it is possible to feed the entire table by paying only once; the first plate is used as a kind of ticket. Serge offered me the opportunity to discover the world of research. Thanks to his experience, his vivacity, his vast knowledge, his rigor, and his assistance, I was able to learn a huge amount of things, in cryptography of course, but also in other areas. Thank you Serge!
I thank Prof. Boi Faltings, the president of the jury, as well as Prof. Arjen Lenstra, Prof. Kaisa Nyberg, and Dr. David Pointcheval for having accepted to take time for reviewing this work. I also express my thanks to the Swiss National Science Foundation (SNSF) which supported this research project (grant 200021-113329).
During these years, I had the chance to meet and to work with many colleagues. A PhD thesis is time limited. There was a kind of rotation among the PhD students in the lab: when a PhD student arrives, he is the newest, and as time goes on, the old ones leave and the new ones take their place. In our laboratory, the LASEC, there was always a positive and dynamic atmosphere that was suitable for work, but also for fun. I want to thank all my former colleagues for their welcome and all the moments we have shared together, in order of arrival: Serge Vaudenay, Martine Corval, Pascal Junod, Philippe Oechslin, Gildas Avoine, Yi Lu, Jean Monnerat, Thomas Baignères, Claude Barral, Julien Brouchier, Matthieu Finiasz, and Martin Vuagnoux. I also thank all my colleagues who came after I did, with whom I have shared great moments, in order of arrival: Raphael Phan, Khaled Ouafi, Raphaël Overbeck, Rafik Chaabouni, Jorge Nakahara Jr., Pouyan Sepehrdad, and Atefeh Mashatan. I believe that many of them deserve special thanks, in alphabetical order:
As in all reference sections, Gildas Avoine is the first one. I remember very good moments spent with my big friend “Gigi”. I also remember our trip to New York filled with many anecdotes. I thank him for his friendship and for all his advice, especially when I arrived and I had difficulties with LaTeX. Between motorcyclists, the current is always on...
The next person who deserves special thanks is Thomas Baignères. Thomas also became one of my very good friends. Thomas was my supervisor during my semester project; he taught me the basics, and advised me to carry out my master thesis as well as my PhD thesis at the LASEC. Without him, I would not be part of the crypto world today. Thanks Thomas!
I also thank Rafik Chaabouni, who recently arrived at the lab, for trying to make every day of our life more joyful. I think about the jokes he made for April Fools' Day or birthdays, and also the ones he makes to people forgetting to lock their machines, and so on.
Our secretary Martine Corval of course deserves to be thanked. She was always friendly and smiling and it was a pleasure to share these years with her. She was like the “academic mother” of the lab. Her assistance was essential for all of us, especially for administrative tasks (of which I really don't understand anything).
I would especially like to thank Matthieu Finiasz for all his help. Thanks to his very good availability, his friendliness, his patience, and his knowledge, I had many opportunities to exchange ideas and to expose problems with him, and I often came out of his office with a solution. I get along very well with him and we built a strong friendship.
Jean Monnerat, always in a good mood and ready to defend Switzerland and his native canton (the beautiful Jura), gave openings to many animated debates. I thank him for his help, especially in mathematics and LaTeX. Jean also became a very good friend for me and I keep very good memories of moments spent with him.
I would like to thank Philippe Oechslin, with whom I shared my office for over two years. It was an honor for me to share my office with Philippe. Philippe is also the person who introduced me to the world of security through his exciting course “network security”. His course encouraged me to follow “Security and Cryptography” mentioned above.
The last person of the lab who deserves my special thanks is Martin Vuagnoux. I would like to thank him for being an excellent co-author, for being a very pleasant office-mate, and for the funny stories which made us laugh so much, especially at the coffee breaks. Martin also became a very good friend and I guess that both of us will never forget the Vietnam story (it's a long story but Martin will understand). Thanks for all “Martino”!
I finally would like to thank a few virtual persons from the LASEC; their authors would certainly recognize them, in alphabetical order: Diablotin, ElGringo, Kevin Mitnick, kpts44, and Mojean is back.
I would like to thank France Faille, the secretary of the neighboring laboratory. During these years, we had the chance to get to know each other better and I would say that France is one of the kindest and friendliest persons that I know. I especially thank her for her good mood and her support, but also for her assistance during various administrative matters.
I would like to thank Sven Laur, also known as Swen, with whom I wrote two papers. He was a very pleasant and very competent co-author. By coincidence we share the same hobby: model airplanes.
Dr. Michel Kocher, my supervisor during my first diploma at the Engineering School of Geneva, who motivated and encouraged me, also deserves my thanks. I would like to thank him for his collaboration during my months of diploma work and for advising me to continue my studies at the EPFL. Without him, I would never have known the EPFL.
I thank those who helped me to improve the readability of this thesis, namely: Martine Corval, France Faille, Atefeh Mashatan, Jorge Nakahara Jr., Serge Vaudenay and Martin Vuagnoux. Special thanks to Jorge who did a great job.
My parents should obviously not be forgotten. Thanks to them, I had the chance (amongst many other things!) to get an excellent education and I greatly thank them. I would also like to thank my wife, Nadia. No matter when and why, she always kept encouraging me and took it upon herself to leave me enough spare time to conclude this thesis (even if it sometimes required a few negotiations!). My final thanks go to my son, Matteo. I share moments of intense happiness with him and this gives me every day a huge motivation. I finally thank all four of them for their Love, which is essential for me to live.
Thanks to everyone!
Sylvain
After this pleasant period spent within the LASEC, I started a new adventure: working as a cryptographer at Nagravision (a Kudelski group company). I thank all my new colleagues for their warm welcome, especially Olivier Brique, Nicolas Fischer, Pascal Junod, Alexander Karlov, and Karl Osen.
also introduced the concept of SAS-based cryptography to a wider cryptographic audience.
In Part I, we start with the formal security model in Chapter 4. In particular, we define the network, the devices, the channels, and the adversarial capabilities. In Chapter 5 we analyze generic SAS-based message authentication protocols. We propose generic attacks against any SAS-based message authentication protocol and deduce bounds on their security according to the SAS length. As a result, we define the notion of optimality. Chapter 6 presents two security models: security in the stand-alone model and security in more complex settings. The stand-alone model considers only one protocol execution and one adversary. It allows us to prove the security of protocols in a formalized way. The latter is an important methodical advance, since one can pose many complex design requirements on message authentication protocols. As an important theoretical result, we prove that stand-alone security guarantees are preserved in complex settings as long as a simple set of usage restrictions is satisfied. This significantly simplifies the security analysis of SAS-based message authentication protocols. Indeed, since they do not rely on common secrets, they preserve stand-alone security guarantees even in the Bellare-Rogaway model. More precisely, we show that all SAS-based message authentication protocols are universally composable as soon as they are secure in the stand-alone model. Chapters 7 and 8 focus on SAS-based message authentication protocols, unilateral and bilateral respectively. Both chapters start with a state of the art, propose new protocol(s), study the work done between the publication of the protocols and the writing of this thesis, and finally present some applications. In short, Non-Interactive Message Authentication Protocols (NIMAPs) were not well studied. Indeed, a gap remained between the protocol in use and an optimal protocol. In this thesis, we propose an optimal NIMAP, called PV-NIMAP. Note that it requires only 100 authenticated bits, whereas 160 are currently required. Regarding Interactive Message Authentication Protocols (IMAPs), an optimal protocol had already been proposed by Vaudenay [Vau05b]. We concluded that there is no need for further work. However, as a small additional contribution, Vaudenay [Vau05b] proposed a bilateral construction based on his unilateral one. Clearly, this construction is not optimal with respect to the move complexity, and no formal security proof was given. In this thesis, we propose two optimal bilateral protocols: a message mutual-authentication protocol, called PV-SAS-MMA, and a message cross-authentication protocol, called PV-SAS-MCA. The next natural step is to extend the above two-party protocols to any number of participants. Chapter 9 has the same structure as the two previous chapters and proposes an optimal SAS-based group message authentication protocol, called LP-SAS-GMA. Finally, Chapter 10 presents solutions to actually build SAS-based Authenticated Key Agreement (AKA) by using the previous SAS-based message authentication protocols. In particular, this chapter gives two ready-to-use SAS-based key agreements: PV-SAS-AKA for two-party settings and LP-SAS-GKA for group settings.
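The "KA + MA = AKA" idea described in the abstract and in the overview of Chapter 10 above can be seen end to end in a small simulation. The following Python is an added example, not code from the thesis or from any of the PV-/LP- protocols it names: it runs a plain Diffie-Hellman key agreement over a deliberately tiny toy group (an assumption for readability; never use such parameters), then authenticates the transcript with a simplified commit-then-open nonce exchange whose five-decimal-digit SAS the two users would compare over the authenticated channel. The commitment, the SAS derivation and the group are assumptions of this example. The `mitm` flag models an attacker who substitutes both shares: Bob's opening check still passes, the two users end up with different session keys, and their SAS values agree only with probability about 10^-5, which is exactly the kind of SAS-length bound Chapter 5 is about.

```python
"""Toy SAS-based authenticated key agreement (KA + MA = AKA).

Added example, not the thesis's own code.  Diffie-Hellman over a toy group,
followed by a simplified SAS-based cross-authentication of the transcript.
Group parameters, commitment and SAS derivation are assumptions made here.
"""
import hashlib
import hmac
import secrets

P = 2**61 - 1      # ASSUMPTION: toy prime, far too small for real use
G = 3              # ASSUMPTION: toy generator
EXP_BITS = 60
NONCE_BYTES = 16
SAS_DIGITS = 5     # "e.g., five decimal digits"


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so the encoding is unambiguous."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def enc(x: int) -> bytes:
    return x.to_bytes(8, "big")


def commit(share: bytes, nonce: bytes) -> bytes:
    """Hash commitment to (share, nonce); revealing the nonce opens it."""
    return h(b"commit", share, nonce)


def sas(gx: bytes, gy: bytes, ra: bytes, rb: bytes) -> str:
    """SAS_DIGITS decimal digits derived from one party's view of the transcript."""
    xored = bytes(a ^ b for a, b in zip(ra, rb))
    digest = h(b"sas", gx, gy, xored)
    return str(int.from_bytes(digest, "big") % 10**SAS_DIGITS).zfill(SAS_DIGITS)


def session_key(shared: int) -> bytes:
    return h(b"key", enc(shared))


def mac(key: bytes, message: bytes) -> bytes:
    """After the AKA, the agreed symmetric key protects the real traffic."""
    return hmac.new(key, message, hashlib.sha256).digest()


def run_aka(mitm: bool = False, rng=None) -> dict:
    """One session.  Insecure-channel moves:
         1. Alice -> Bob   : g^x, commit(g^x, R_A)
         2. Bob   -> Alice : g^y, R_B
         3. Alice -> Bob   : R_A            (opens the commitment)
       Each side then derives its SAS; the users compare the two strings over
       the authenticated channel.  With mitm=True, Eve replaces both shares and
       must choose R_E before seeing R_B and R_B' while R_A is still hidden in
       Alice's commitment, so the two SAS values agree only by chance."""
    rng = rng or secrets.SystemRandom()

    def rand_exp() -> int:
        return rng.getrandbits(EXP_BITS) | 1

    def rand_nonce() -> bytes:
        return rng.getrandbits(8 * NONCE_BYTES).to_bytes(NONCE_BYTES, "big")

    x, y = rand_exp(), rand_exp()
    gx, gy = pow(G, x, P), pow(G, y, P)
    ra, rb = rand_nonce(), rand_nonce()
    c_a = commit(enc(gx), ra)                       # move 1 as sent by Alice

    if mitm:
        e, f = rand_exp(), rand_exp()
        ge, gf = pow(G, e, P), pow(G, f, P)
        r_e, rb_fake = rand_nonce(), rand_nonce()   # Eve's nonces toward Bob / Alice
        bob_view = {"gx": ge, "c_a": commit(enc(ge), r_e), "ra": r_e}
        alice_view = {"gy": gf, "rb": rb_fake}
        key_a, key_b = session_key(pow(gf, x, P)), session_key(pow(ge, y, P))
    else:
        bob_view = {"gx": gx, "c_a": c_a, "ra": ra}
        alice_view = {"gy": gy, "rb": rb}
        key_a, key_b = session_key(pow(gy, x, P)), session_key(pow(gx, y, P))

    # Bob checks the opening (move 3) against the commitment he got in move 1.
    commit_ok = bob_view["c_a"] == commit(enc(bob_view["gx"]), bob_view["ra"])

    sas_alice = sas(enc(gx), enc(alice_view["gy"]), ra, alice_view["rb"])
    sas_bob = sas(enc(bob_view["gx"]), enc(gy), bob_view["ra"], rb)
    return {
        "commit_ok": commit_ok,
        "sas_alice": sas_alice,
        "sas_bob": sas_bob,
        "sas_match": sas_alice == sas_bob,   # the users' out-of-band comparison
        "key_alice": key_a,
        "key_bob": key_b,
    }


if __name__ == "__main__":
    for label, s in (("honest", run_aka()), ("mitm", run_aka(mitm=True))):
        print(label, s["sas_alice"], s["sas_bob"],
              "keys equal:", s["key_alice"] == s["key_bob"])
```

Run it a few times with `mitm=True`: the commitment check never catches Eve (she can commit honestly to her own share), and only the SAS comparison by the users does. That is why the SAS length alone, not the cryptographic strength of the hash, sets the attacker's success probability, and why the thesis measures protocols by how few authenticated bits they need.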
Chapter 1 - Introduction
Existing attacks on keyboards. There already exists some hardware-based attacks on
keyboards. One of them consists in putting a small token, called key-logger, between the
keyboard and the computer. This device eavesdrops all typed keystrokes and stores them
into a memory.
A simple video camera may be used to capture pressed keys [BCV08]. If no direct vision
is possible, one may use optical reflections [BDU08]. A blinking keyboard LED can also be
used as a covert channel [LU02].
Several works focused on the use of microphones. Each key emits a unique acoustic pattern
when it is pressed or released [AA04, ZZT05, BWY06].
Passive timing analysis may also be used to recover keystrokes. For instance, older SSH
implementations may be used to recover encrypted passwords [SWT01].
Electromagnetic emanations. Compromising electromagnetic emanations appeared as a
problem already at the end of the 19th century. Wire networks became extremely dense due
to the extensive use of the telephone. As a consequence, people could sometimes hear other
conversations on their phone line (crosstalk) due to undesired coupling between parallel wires.
Such crosstalk may be easily canceled by twisting the cables.
Academic research on compromising electromagnetic emanations started in the mid 1980's
and significant progress has been made recently [QS01, AARR03]. The threat related
to compromising emanations has been constantly confirmed by practical attacks such as
Cathode Ray Tube (CRT) display image recovery [EL85], RS-232 communication recovery
[Smu90], Liquid Crystal Display (LCD) image recovery [KA98], secret key disclosure
[GMO01], video display risks [Kuh05, Tan07], and radiations from FPGAs [MÖPV07].
Our contribution. Since keyboards contain electronic components, they emit electromagnetic
waves. These electromagnetic radiations may reveal sensitive information such as keystrokes.
Anderson and Kuhn [KA98, AK99, Kuh03] already tagged keyboards as risky and also
proposed countermeasures (see US patent [AK04]). However, we did not find any experiment
or evidence proving or refuting the practical feasibility of remotely eavesdropping keystrokes,
especially on modern keyboards.
To detect compromising emanations, one generally uses a receiver tuned to a specific
frequency. However, this method may not be optimal since a significant amount of information
is lost during the acquisition of the signal. Our approach is to acquire the raw signal directly
from the antenna and to process the entire captured electromagnetic spectrum.
Thanks to our method, we uncovered four different ways to fully or partially recover
keystrokes from wired and wireless keyboards. We implemented a practical attack based
on these weaknesses. It recovers 95% of the keystrokes at a distance up to 20 meters, even
through walls.
We tested 12 different keyboard models bought between 2001 and 2008 (PS/2, USB,
Academic Contributions from the Author
[PV06a] An Optimal Non-interactive Message Authentication Protocol.
Sylvain Pasini and Serge Vaudenay.
In the proceedings of the Cryptographers' Track at the RSA Conference – CT-RSA '06.
The contribution of this paper can be found in Chapters 4, 5, and 7.
[PV06b] SAS-based Authenticated Key Agreement.
Sylvain Pasini and Serge Vaudenay.
In the proceedings of Public Key Cryptography – PKC '06.
The contribution of this paper can be found in Chapters 4, 8, and 10.
[PV07] Hash-and-sign with Weak Hashing Made Secure.
Sylvain Pasini and Serge Vaudenay.
In the proceedings of the Australasian Conference on Information Security and Privacy – ACISP '07.
The contribution of this paper can be found in Chapter 13.
[LP08] SAS-Based Group Authentication and Key Agreement Protocols.
Sven Laur and Sylvain Pasini.
In the proceedings of Public Key Cryptography – PKC '08.
The contribution of this paper can be found in Chapters 4, 6, 9, and 10.
[LP09] User-Aided Data Authentication.
Sven Laur and Sylvain Pasini.
In the International Journal of Security and Networks, 2009.
The contribution of this paper can mainly be found in Chapters 4 and 6.
[MPV09] Efficient Deniable Authentication for Standard Signatures.
Jean Monnerat, Sylvain Pasini, and Serge Vaudenay.
In the proceedings of the International Conference on Applied Cryptography and Network Security – ACNS '09.
The contribution of this paper can be found in Chapters 11 and 12.
[VP09] Compromising Electromagnetic Emanations of Wired and Wireless Keyboards.
Martin Vuagnoux and Sylvain Pasini.
In the proceedings of USENIX Security '09.
Not a part of this thesis.
Sylvain Pasini
Chapter 2 - The Authentication Problem
One of the main issues in cryptography is the establishment of a secure peer-to-peer (or
group) communication over an insecure channel. Without any assumption, such as the availability
of an extra secure channel, this task is impossible. However, given some assumption(s),
there exist many ways to set up a secure communication. The application designer chooses
the most suitable solution depending mainly on the assumptions, the requirements, the
efficiency, and of course the required security.
Section 2.1 surveys some cryptographic primitives. Of course, most readers can
skip this folklore section, which is here for completeness and to make the reader familiar
with the terminology. Section 2.2 surveys the different communication channels that human
beings are able to use. Section 2.3 points out that setting up a secure
communication can in practice be done simply by authenticating some data. Section 2.4
recalls that authenticated messages are in general long and thus their authentication may
be tedious, e.g., by phone. This section shows how protocols are able to reduce the amount
of authenticated data. Section 2.5 presents techniques for message authentication that
differ from the usual ones. Finally, Section 2.6 summarizes the chapter and motivates the
separation of this thesis into two parts.
Note that MACs can be built using hash functions or ciphers. HMAC by Bellare-Canetti-
Krawczyk [BCK96] is an example of a construction based on hash functions while the One-
Key CBC MAC (OMAC) by Iwata and Kurosawa [IK03] is an example based on block
ciphers.
2.1.2 Agreeing on a Secret Key without Confidential Channel
In the previous model, confidentiality on the extra channel is mandatory to achieve confi-
dentiality on the insecure channel. There is no gain except the extra channel bandwidth.
Merkle [Mer78] and Diffie-Hellman [DH76] discovered at the same time that the confiden-
tiality on the extra channel can be relaxed. Indeed, their model reduces the confidential
extra channel to an authenticated extra channel. As depicted in Figure 2.3, the extra chan-
nel is still used to agree on a private key but the difference is that the key itself is not
sent directly. Indeed, the secret key is the result of a protocol execution, also called a key
agreement protocol.
Figure 2.3. The Merkle-Diffie-Hellman (MDH) Model. (Figure residue: the source encrypts m into c and the destination decrypts ĉ into m̂ over the insecure channel on which the adversary sits; the key k used on both sides is produced by an Agreement run over the extra channel, labelled A-I in the figure.)
One of the most well-known key agreement protocols is due to Diffie and Hellman [DH76]
and is usually called the DH protocol. As depicted in Figure 2.4, it requires only two moves.
In order to avoid man-in-the-middle attacks, these two moves should be authenticated.
Alice: pick x ∈u |G|, X ← g^x, and send X to Bob.
Bob: pick y ∈u |G|, Y ← g^y, and send Y to Alice.
Alice: K ← Y^x = g^xy. Bob: K ← X^y = g^xy.
Figure 2.4. The Diffie-Hellman (DH) Key Agreement Protocol.
Both parties know the public parameter g which spans a group G. Alice picks a random
number x and computes X ← g^x while Bob picks a random y and computes Y ← g^y. Then,
Alice sends X to Bob and Bob sends Y to Alice. Alice, resp. Bob, computes Y^x, resp.
X^y, and both obtain g^xy. Now, both of them share a secret key K = g^xy. Note that g
is chosen such that for any adversary who knows g, X, and Y it is hard to retrieve x and
y (Discrete Logarithm Problem). So, anyone seeing (or eavesdropping) X and/or Y is not
able to deduce x or y since the discrete logarithm is hard. Consequently, it is hard to find
the key K. On the other hand, with no authentication an adversary can run a man-in-the-
middle attack between the two participants, so the authentication of the two messages is
mandatory for this protocol.
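The following is an added illustration, not code from the thesis: a toy Python run of the DH protocol of Figure 2.4 in which each side also derives a short fingerprint of the values (X, Y) it saw, for the two users to compare over an authenticated channel. The modulus p = 2^127 − 1, the generator g = 3, the fingerprint construction and all function names are assumptions made for this demo.

```python
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: toy modulus, an assumption of the demo
G = 3                # assumed generator for the demo; far too small a group for real use


def dh_move(secret=None):
    """One party's move of Figure 2.4: pick x uniformly in [1, p-2] unless one is
    given, and publish X = g^x mod p."""
    if secret is None:
        secret = 1 + secrets.randbelow(P - 2)
    return secret, pow(G, secret, P)


def dh_shared(own_secret, peer_public):
    """Alice computes Y^x, Bob computes X^y; both equal g^{xy} mod p."""
    if not 1 < peer_public < P - 1:          # refuse 0, 1 and p-1 (trivial subgroup)
        raise ValueError("peer value outside the group range")
    return pow(peer_public, own_secret, P)


def fingerprint(X, Y, bits=32):
    """Short digest of the transcript (X, Y) that the two users read to each other
    over an authenticated channel (voice, face to face).  A plain truncated hash
    only illustrates the idea of a short authenticated string; it is not one of
    the SAS-based protocols studied in this thesis."""
    h = hashlib.sha256(X.to_bytes(16, "big") + Y.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") >> (256 - bits)


def run_session(x=None, y=None, tamper=None):
    """Run DH between Alice and Bob.  `tamper`, if given, replaces the value X as
    Bob receives it, modelling an adversary on the insecure channel.  Returns
    (keys_agree, fingerprints_agree)."""
    x, X = dh_move(x)
    y, Y = dh_move(y)
    X_at_bob = X if tamper is None else tamper(X)
    keys_agree = dh_shared(x, Y) == dh_shared(y, X_at_bob)
    # Each side fingerprints what it actually saw; comparing the two strings over
    # the authenticated channel is what detects a substituted X (or Y), since
    # neither party can tell from its own K alone whether it was attacked.
    fingerprints_agree = fingerprint(X, Y) == fingerprint(X_at_bob, Y)
    return keys_agree, fingerprints_agree
```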
2.1.3 Public-Key Cryptography
Public-key cryptography stands for any scheme for which the knowledge of a public-key does
not compromise security. The problem of the MDH model is that it is only adapted to key
agreement protocols and cannot achieve confidentiality directly. This becomes possible if
we combine the key agreement protocol with some symmetric cryptographic primitives.
In this section, we concentrate on public-key primitives. Indeed, by using public-key
cryptography, it is also possible to achieve confidentiality and authenticity on the insecure
channel. Of course, with public-key cryptography, we still relax the confidentiality hypoth-
esis on the extra channel.
Confidentiality. Confidentiality over the insecure channel can be achieved using public-key
encryption. As depicted in Figure 2.5, the destination should first execute a key generation
algorithm which creates a key pair, i.e., a private key and a public key. Then, anyone
knowing the public key of the destination is able to send confidential messages to it. Only
the owner of the corresponding private key, in this case the destination, is able to decrypt
the received messages. The use of this model is only possible if the source is guaranteed to use
the correct public key; otherwise this model is subject to man-in-the-middle attacks.
Well-known examples of public-key cryptosystems are RSA [RSA78] and ElGamal [ElG85].
Authenticity and integrity. Authenticity and integrity on the insecure channel can be
achieved with public-key cryptography, too. It is done by using digital signature schemes.
As depicted in Figure 2.6, unlike the encryption, the key generation is done by the source.
Then, the source signs the message and sends the message-signature pair to the destination.
At the destination, the received message-signature pair is verified by using the public key.
As for the encryption, the use of this model is only possible if the destination is ensured to
use the correct public key, otherwise this model is subject to man-in-the-middle attacks.
Typical examples of textbook digital signature schemes are RSA [RSA78] and ElGa-
Certification phase (Trent and Bob). Trent's input: K_p^Trent, K_s^Trent. Bob's input: K_p^Bob, K_s^Bob.
Bob sends K_p^Bob to Trent.
Trent: cert_Bob ← certify(K_s^Trent, K_p^Bob, Bob, exp date); sends cert_Bob to Bob.
Communication phase (Alice and Bob). Alice's input: m, K_p^Trent. Bob's input: K_p^Bob, K_s^Bob.
Bob sends cert_Bob to Alice.
Alice: verify(K_p^Trent, cert_Bob); c ← enc(K_p^Bob, m); sends c to Bob.
Bob: m ← dec(K_s^Bob, c).
Figure 2.8. The Use of Certificates.
A Public Key Infrastructure (PKI) is used to handle the creation, the management, and
the distribution of certificates. A PKI consists of Certificate Authorities (CA), Registration
Authorities (RA), and certificate directories. In short, a CA creates and signs certificates
for entities. For that, a CA possesses a key pair and a root certificate for its public key.
The root certificate may be certified by another CA. This leads to a CA hierarchy. A party
receiving a certificate should verify it by checking each certificate from the trusted CA (the
one whose public key he knows) to the final certificate. This is also known as the chain of
trust. A CA may delegate the registration of entities to an RA. The RA is only responsible
for identifying the entity, but cannot output certificates without the CA. In fact, only the CA
knows the private signing key for issuing certificates to entities.
One of the main PKIs in use today is the one implemented for the World Wide Web.
When a user opens a secure Web page (HTTPS, or HTTP over SSL), the server sends a
certificate to the browser. The browser should then verify the validity of the certificate.
Clearly, a browser does not know the certificates of all web sites in the world. In general,
Web browsers only integrate the certificates of popular CAs and trust them (by default). In
order to be verifiable, the Web server should obtain a certificate for its public key from
a popular CA. So, the Web browser is able to check the validity of the received certificate
(through the CA) and then to start a secure session with the Web server.
2.2 Communication Channels
In this section, we analyze the different channels at the disposal of any human being. Human
beings can communicate over different communication channels and they choose one of them
depending on some requirements. For example, if a human being needs to reach another
human being for urgent matters, he must choose a channel with high availability and low
latency such as a telephone link. But, if he wants to transfer money, he must establish a
more reliable link, for instance by going to the desk to meet the banker. (Nowadays, he
can use the Internet with a previously established security association.)
The security of communication channels can be characterized by some security attributes
which are defined below.
Definition 2.1 (Security Attributes).
Suppose a communication channel between a sender and a receiver. A message m is sent
and a message m̂ is received. We define the following security properties:
Confidentiality assumes that only the legitimate receiver can read the message m̂.
Integrity assumes that the received message m̂ is the same as the sent message m, i.e.,
m̂ = m.
Authenticity assumes that only the legitimate sender can input a message m into the
channel. This is often combined with integrity, i.e., m = m̂.
Freshness assumes that the received message m̂ was not received before.
Liveliness assumes that a message m which has been sent by the sender will eventually
be delivered to the receiver.
Timeliness assumes that a message m which has been sent by the sender will be delivered
to the receiver in real time (the transmission time is negligible).
In addition, to compare the different human communication channels, it is necessary to
define other properties which characterize the usability of these channels. These communi-
cation properties are defined below.
Definition 2.2 (Communication Properties).
Suppose a communication channel between a sender and a receiver. We define the follow-
ing communication properties:
The cost represents the required amount of money spent to establish the communication
channel and to transmit a message.
The availability expresses the fact that the channel can easily be established at any time.
The speed rate represents the amount of data that can be transferred through the chan-
nel for a fixed time duration.
The latency represents the amount of time between the moment when the message is
sent and the moment when it is received.
Using Definition 2.1 and Definition 2.2, it is possible to compare the usual human com-
munication channels in a cryptographic sense.
Face to face (voice) conversation allows perfect authentication, perfect integrity and in
certain cases, confidentiality. In addition, freshness, liveliness, and timeliness are trivially
ensured. However, this channel can have a very high cost if, for example, the two persons
are far from each other. For the same reasons, the availability is also bad. Note that the
communication has (almost) no latency but a low speed rate. In conclusion, this human
channel achieves high security but low throughput.
Telephone is less secure than a face to face conversation. It allows a third party to spy on
the communication and thus does not guarantee confidentiality. On the other hand, it has a
much lower cost and a higher availability. In short, it still preserves authentication assuming
that both users can recognize each other's voice. Integrity and freshness are also guaranteed;
indeed, it is pretty hard to modify a message in real time as it is embedded in an interactive
conversation.
Mail, like a postcard or a parcel, is not confidential either. It can be easily lost and thus
this channel does not guarantee liveliness. We can consider that a handwritten mail achieves
authentication by assuming that the recipient can identify the writing. As for telephone,
this channel guarantees availability but has a long latency.
Voice mail is in a security sense close to mail except that it can be easily replayed and so
messages may not be fresh. Note that voice mail (as well as fax) may have a certain amount
of latency since we do not know when the recipient will read the message.
Electronic mail is the worst communication channel in terms of security: it protects nothing
by itself. However, it is the most usable communication channel and its cost is very small
(too small if we consider the spam phenomenon); the availability and the speed rate are
very high.
A short overview of the security and communication properties for each human commu-
nication channel is given in Figure 2.9. The pictogram used in that figure indicates that the
property of the channel is a good feature. Note that the choice is in fact a trade-off between
security and human usability. In other words, the most secure channel is a face to face
conversation but it is the least usable. On the other hand, the most usable is the email but
it is the least secure. For a specific use, the choice of the human communication channel is
a trade-off between the required security and the available cost.
2.5.2 Protocols Using Distance Bounding
Brands and Chaum [BC93] proposed a practical method to upper bound the physical dis-
tance between two devices. For instance, during an authentication phase between an em-
ployee and an access control system, the system would like to be assured that the employee is
nearby, i.e., within a few meters. The proposed principle is quite simple. It consists of
a challenge-response using only one-bit messages. The verifier V sends a bit (challenge)
and the prover P replies immediately with a bit (response). They assume that electronic
devices which play the role of the prover can have very short delays between the reception
of a challenge and the sending of the corresponding response. The verifier V simply has
to measure the time elapsed between the sending of the challenge and the reception of the
response. Knowing the time elapsed, it can easily deduce the maximal distance between
them. Two attacks are described in [BC93]: the mafia fraud, which is a man-in-the-middle
attack where the adversary acts as a fraudulent verifier at the same time as a fraudulent prover,
and an attack in which the prover P sends bits out too soon. Solutions for preventing both
attacks are proposed in [BC93] and the final protocol proposed is depicted in Figure 2.14.
Prover P (left) and verifier V (right):
P: for all i ∈ {1, . . . , k}: mi ∈R {0, 1}; (c, d) ← commit(m1‖ · · · ‖mk); sends c to V.
V: for all i ∈ {1, . . . , k}: αi ∈R {0, 1}.
Begin of rapid exchange, for i = 1, . . . , k:
V sends αi to P; P computes βi ← α̂i ⊕ mi and sends βi to V; V computes m̂i ← β̂i ⊕ αi.
End of rapid exchange.
P: m ← α1‖β1‖ · · · ‖αk‖βk; σ ← sign(m); sends d‖σ to V.
V: m̂ ← α1‖β̂1‖ · · · ‖αk‖β̂k; check (c, d) = commit(m̂1‖ · · · ‖m̂k); check σ̂ = sign(m̂).
Figure 2.14. Distance Bounding Protocol.
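As an added example, not from the thesis or from [BC93], here is an in-process Python simulation of the protocol of Figure 2.14. It assumes a hash-based commit/open, replaces the sign step (which the text notes is left open) by an HMAC under a key the prover and verifier are assumed to share, and times the rapid exchange with the process clock; the class and function names are assumptions of the demo.

```python
import hashlib
import hmac
import secrets
import time

SPEED_OF_LIGHT_M_PER_NS = 0.299792458     # metres per nanosecond


def commit(bits):
    """Hash commitment (assumption of the demo): c = SHA-256(r || bits), d = r || bits."""
    r = secrets.token_bytes(16)
    d = r + bytes(bits)
    return hashlib.sha256(d).digest(), d


def opens_to(c, d, bits):
    """Verifier-side check that (c, d) = commit(bits) for the randomised commitment above."""
    return hashlib.sha256(d).digest() == c and list(d[16:]) == list(bits)


def transcript(alphas, betas):
    """m = α1‖β1‖···‖αk‖βk, encoded as one byte per bit."""
    return bytes(b for pair in zip(alphas, betas) for b in pair)


class Prover:
    """P of Figure 2.14: commits to k random bits, answers each challenge bit at once."""

    def __init__(self, k, mac_key):
        self.m = [secrets.randbelow(2) for _ in range(k)]     # m_i ∈_R {0,1}
        self.c, self.d = commit(self.m)
        self.mac_key = mac_key
        self.alphas, self.betas = [], []

    def respond(self, i, alpha_i):
        """Rapid-exchange step: β_i ← α̂_i ⊕ m_i, sent back immediately."""
        beta_i = alpha_i ^ self.m[i]
        self.alphas.append(alpha_i)
        self.betas.append(beta_i)
        return beta_i

    def finish(self):
        """Final move d‖σ; σ is an HMAC over the transcript standing in for sign(m)."""
        sigma = hmac.new(self.mac_key, transcript(self.alphas, self.betas),
                         hashlib.sha256).digest()
        return self.d, sigma


def verify(prover, k, mac_key, max_rtt_ns):
    """V of Figure 2.14.  Returns (accepted, distance_bound_in_metres)."""
    c = prover.c                                  # first move: the commitment
    alphas = [secrets.randbelow(2) for _ in range(k)]
    betas, worst_rtt = [], 0
    for i in range(k):                            # rapid exchange, timed per round
        t0 = time.perf_counter_ns()
        betas.append(prover.respond(i, alphas[i]))
        worst_rtt = max(worst_rtt, time.perf_counter_ns() - t0)
    m_hat = [a ^ b for a, b in zip(alphas, betas)]            # m̂_i ← β̂_i ⊕ α_i
    d, sigma = prover.finish()
    expected = hmac.new(mac_key, transcript(alphas, betas), hashlib.sha256).digest()
    ok = (opens_to(c, d, m_hat)                               # check (c, d) = commit(m̂)
          and hmac.compare_digest(sigma, expected)            # check σ
          and worst_rtt <= max_rtt_ns)                        # timing bound
    # The challenge travels out and the response back, so distance <= c_light * rtt / 2.
    return ok, worst_rtt * SPEED_OF_LIGHT_M_PER_NS / 2
```

A real deployment measures the round trip with dedicated hardware; the process clock used here only shows where the bound comes from.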
Based on this distance upper bounding, Cagalj, Capkun, and Hubaux [CCH05] proposed a
key agreement protocol for wireless networks, in particular for peer-to-peer communication.
It allows the parties to authenticate DH values given in input. In the previous protocol, it
is not clear how the prover should sign the message. Cagalj, Capkun, and Hubaux [CCH05]
propose a method which only needs authentication. The protocol is depicted in Figure 2.15.
Considering a trusted setup phase. One may combine the advantages of both setups:
the first setup requires no trusted third party and no pre-shared information while
the second setup requires no user interaction. So, one may use the first solution, e.g.,
use a user-aided message authentication protocol, to exchange long-term signature
verification keys. Then, these public keys may be used to authenticate messages, e.g.,
of a DH protocol. This combination requires no trusted third party and no pre-shared
key. At the same time, it requires user interaction only once for several sessions (while
before it required user interaction for each new session).
Following Remark 2.7 and the above summary, this thesis is split into two parts: the first
part focuses on user-aided message authentication protocols while the second part focuses
on digital signature schemes.
Chapter 3 - Preliminaries
This chapter introduces the necessary notions and definitions used throughout this thesis. In
particular, it presents hash functions, which are among the most used cryptographic primitives.
It also defines several models of commitment schemes, such as tag-based or not, keyed or
not, and with different types of trapdoors. This chapter also recalls the random oracle and the
common reference string models.
3.1 Notations
Let S be a finite set. We write s ∈u S to say that s is uniformly distributed in the set S
and we write s←u S to say that s was picked uniformly from the set S.
Throughout this thesis the term “algorithm” stands for a probabilistic polynomial-time
(PPT) Turing machine modeled by deterministic functions in terms of an input and random
coins. When dealing with protocols, we use P and V to denote the prover and verifier
respectively. If nothing else is stated, they are both considered to be PPT algorithms.
We denote by prot_{P(α),V(β)}(γ) an instance of the protocol “prot” between P and V. The
element γ denotes the common input of all participants, e.g., public keys, while α (resp. β)
describes the private input of P (resp. V). Note that when the protocol is not known or is im-
plicitly known, the interaction between the two parties can be denoted by 〈P(α), V(β)〉(γ).
In some cases, we need to describe only the view of a party, say for instance V. We denote
Assume K1 = K2 = . . . = Kn = K. A multi-keyed hash function H is εau-almost
universal with respect to the sub-key pairs, if for any two distinct inputs m0, m1 ∈ M,
any indexes i, j, and any k1, . . . , kn, k̂1, . . . , k̂n ∈ K, we can write:
Pr[k* ∈u K : H(m0, k⃗) = H(m1, k̂⃗)] ≤ εau,
where k⃗ = (k1, . . . , k_{i−1}, k*, k_{i+1}, . . . , kn) and k̂⃗ = (k̂1, . . . , k̂_{j−1}, k*, k̂_{j+1}, . . . , k̂n) and the
equality i = j is allowed.
Definition 3.6 (Universal Hash Function).
A keyed or multi-keyed hash function H is universal if it is 1/|H|-almost universal.
Definition 3.7 (Almost Strongly Universal Hash Function).
A hash function H is said εasu-almost strongly universal, if for any a, any b, and any two
distinct inputs m0, m1 ∈ M, we can write:
Pr[k ∈u K : H(m0, k) = a, H(m1, k) = b] ≤ εasu / |H|.
Assume K1 = K2 = . . . = Kn = K. A multi-keyed hash function H is εasu-almost
strongly universal with respect to the sub-key pairs, if for any a, any b, any two distinct
inputs m0, m1 ∈ M, any indexes i, j, and any k1, . . . , kn, k̂1, . . . , k̂n ∈ K, we can write:
Pr[k* ∈u K : H(m0, k⃗) = a, H(m1, k̂⃗) = b] ≤ εasu / |H|,
where k⃗ = (k1, . . . , k_{i−1}, k*, k_{i+1}, . . . , kn) and k̂⃗ = (k̂1, . . . , k̂_{j−1}, k*, k̂_{j+1}, . . . , k̂n) and the
equality i = j is allowed.
Definition 3.8 (Strongly Universal Hash Function).
A keyed or multi-keyed hash function H is strongly universal if it is 1/|H|-almost strongly
universal.
Definition 3.9 (Almost XOR-Universal Hash Function).
A hash function H is said εaxu-almost XOR-universal, if for any two distinct inputs
m0,m1 ∈M and any difference ∆h ∈ H, we can write:
Pr [k ∈u K : H(m0, k)⊕ H(m1, k) = ∆h] ≤ εaxu .
Assume K1 = K2 = . . . = Kn = K. A multi-keyed hash function H is εaxu-almost XOR-
universal with respect to the sub-key pairs, if for any two distinct inputs m0, m1 ∈ M,
any difference ∆h ∈ H, any indexes i, j, and any k1, . . . , kn, k̂1, . . . , k̂n ∈ K, we can write:
Pr[k* ∈u K : H(m0, k⃗) ⊕ H(m1, k̂⃗) = ∆h] ≤ εaxu,
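The following added example (not from the thesis) instantiates the almost universal and almost strongly universal definitions above with a polynomial hash over Z_p and checks the εau and εasu bounds by exhaustive enumeration of the key space, so the probabilities are exact counts. The toy prime p = 17, the restriction to equal-length messages and the function names are assumptions of the demo.

```python
from itertools import product

P = 17   # toy prime (assumption); real instances use a prime of at least 128 bits


def poly_hash(m, k):
    """H(m, k) = sum_i m[i] * k^(i+1) mod p (Horner form).  For m0 != m1 of equal
    length L, H(m0, k) - H(m1, k) is a non-zero polynomial in k of degree <= L with
    no constant term, so it has at most L roots: H is (L/p)-almost universal."""
    acc = 0
    for coeff in reversed(m):
        acc = (acc + coeff) * k % P
    return acc


def affine_hash(m, key):
    """H'(m, (k, a, b)) = a * H(m, k) + b mod p: a pairwise-independent layer on top
    of the polynomial hash, keyed by (k, a, b) ∈ Z_p^3."""
    k, a, b = key
    return (a * poly_hash(m, k) + b) % P


def collision_fraction(m0, m1):
    """Exact Pr[k ∈u Z_p : H(m0, k) = H(m1, k)], returned as (count, |K|) with |K| = p."""
    hits = sum(1 for k in range(P) if poly_hash(m0, k) == poly_hash(m1, k))
    return hits, P


def strongly_universal_worst(m0, m1):
    """Max over all targets (a', b') of Pr[(k,a,b) ∈u Z_p^3 : H'(m0)=a', H'(m1)=b'],
    returned as (count, |K|) with |K| = p^3.  For a k where the two polynomial
    hashes differ exactly one (a, b) hits any target pair; where they coincide
    (at most L values of k) p keys hit each pair with a' = b', so the worst count
    is <= (p - hits) + hits * p <= (1 + L) * p, i.e. εasu/|H| with εasu = (1+L)/p."""
    counts = {}
    for key in product(range(P), repeat=3):
        pair = (affine_hash(m0, key), affine_hash(m1, key))
        counts[pair] = counts.get(pair, 0) + 1
    return max(counts.values()), P ** 3


def check_bounds(m0, m1):
    """True iff both exhaustive counts respect the bounds stated in the docstrings."""
    assert len(m0) == len(m1) and m0 != m1, "demo assumes distinct, equal-length inputs"
    L = len(m0)
    hits, _ = collision_fraction(m0, m1)
    worst, _ = strongly_universal_worst(m0, m1)
    # εau = L/p   ⇒  hits / p <= L / p          ⇔  hits <= L
    # εasu/|H| = (1+L)/p^2  ⇒  worst / p^3 <= (1+L)/p^2  ⇔  worst <= (1+L) * p
    return hits <= L and worst <= (1 + L) * P
```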
– if there is an entry (m, r) in the table T, then it simply returns r,
– otherwise, it picks a random value r ∈u {0, 1}n, inserts the entry (m, r) in the
table T, and returns r.
3.3.2 Pseudo-random Generator
A Pseudo-Random Generator (PRG) is an important primitive in cryptography. Given
a short sequence of (truly) random bits, a PRG allows one to generate a longer sequence of
(pseudo)random bits in an efficient way. The short sequence of input random bits is often
called the seed.
Definition 3.13 (Pseudo-random Generator).
A pseudo-random generator is a deterministic algorithm
G : {0, 1}^k → {0, 1}^n, seed ↦ R = G(seed),
satisfying the following two conditions:
Efficiency: G is computable in polynomial-time.
Pseudo-randomness: The output R is computationally indistinguishable from an n-bit
uniformly distributed random variable.
The generator G is said (T, ℓ, ε)-PRG resistant if any T -time adversary A wins the
distinguishing game of Figure 3.5 with probability at most 1/2 + ε (or the advantage of A
is at most ε).
Adversary A (left) and challenger C (right):
C: pick b ∈u {0, 1}.
for i : 1..ℓ: A selects si and sends si to C; C sets ri ← G(si) if b = 0 and ri ←u {0, 1}^n if b = 1, and sends ri to A.
A: b̂ = guess(b).
A wins if b̂ = b.
Figure 3.5. The Distinguishing Game.
A concrete example of such a construction is the Blum-Blum-Shub (BBS) PRG [BBS86].
This generator is very secure, however it is not very efficient. We can also refer to QUAD
recently proposed by Berbain, Gilbert, and Patarin [BGP06]. One advantage of QUAD
compared to BBS is its efficiency.
3.4 Common Reference String Model
Cryptographic schemes, like commitment schemes, are often defined with key pairs. While
these definitions are essential for proving the security of the overall protocol, they imply
some kind of “secure” transmission of the public-key to all participants.
In the Common Reference String (CRS) model, we assume all implementations to use the
same trusted public key known as the common reference string and denoted by crs. We
also assume that no corresponding secret key is kept by anyone. Note that the use of the
common public key can be “hard-coded” or can be an oracle access.
The CRS model is not as restrictive as it seems at first glance. All communication stan-
dards provide system-wide public parameters such as specifications of hash functions, a group
generator, or the bit length of public keys. Therefore, one should make a trade-off between
computational efficiency, re-usability, and the size of system-wide parameters. Moreover,
there are theoretical constructions that allow the generation of a crs in the standard model.
3.5 Commitment Schemes
As depicted in Figure 3.6, a commitment scheme can be seen as a “locked combination safe”:
When Alice wants to commit on a message m to Bob, she places m into the
“safe” and closes it (step 1). The safe is also the commitment object, denoted c,
and can be given to another party, i.e., to Bob (step 2). Obviously, the message
m cannot be known by other parties prior to its opening, i.e., the “locked safe”
is “hiding” the message (step 3). In addition, the message cannot be modified
by Alice, i.e., the “locked safe” is “binding” (step 4). The message is revealed
only when the decommitment object, denoted by d, is revealed. Here, d is the
combination (step 5).
3.5.1 (Tag-less) Commitment Model
We can formalize a commitment scheme by two algorithms commit and open. For any
message m we have (c, d) ← commit(m). The c value is called the commit value and the d
value the decommit value. Knowing both c and d, the message can be recovered using the
open algorithm, i.e., m ← open(c, d). As a “locked safe”, a commitment scheme should be
Definition 3.17 (Full Hiding Commitment Scheme).
Let k be the bit-length of the hidden value. A scheme is said (T, εh)-fully hiding if any
T -time adversary A wins the FH game of Figure 3.8 with probability at most 2−k + εh.
A commitment scheme is said perfectly (semantic or full) hiding if it is (∞, 0)-(semantic or
full)-hiding.
Here is a useful lemma taken from Vaudenay [Vau05b].
Lemma 3.18 (Semantic versus Full Hiding Properties).
There exists a (small) constant ν such that for any T and any εh, a (T+ν, εh)-semantically
hiding scheme is a (T, 2εh)-fully hiding commitment scheme.
Obviously, a (T + ν, εh)-fully hiding commitment scheme is also (T, εh)-semantically hiding.
Hence, the two notions of hiding commitment schemes are essentially equivalent.
In addition, commitments should be binding, i.e., an adversary which has committed to a
message mt‖mh by sending the commit value c cannot open to two different hidden values
mh,0 and mh,1. More formally, the binding property is defined as follows.
Definition 3.19 (Binding Property).
For any key pair (Kp, Ks) ← setup(1^λ), it is hard to find (mt, c, d0, d1) such that mh,b ←
open(Kp, mt, c, db) ≠ ⊥ for b = 0, 1 and mh,0 ≠ mh,1.
Clearly, the semantic binding (SB) game of Figure 3.9 must be hard.
Adversary A (left) and challenger C (right):
C: (Kp, Ks) ← setup(1^λ); sends Kp to A.
A: selects mt, c, d0, d1; sends mt‖c‖d0‖d1 to C.
C: mh,0 ← open(Kp, mt, c, d0); mh,1 ← open(Kp, mt, c, d1).
A wins if mh,0, mh,1 ≠ ⊥ and mh,1 ≠ mh,0.
Figure 3.9. The Semantic Binding (SB) Game.
Definition 3.20 (Semantic Binding Commitment Scheme).
A scheme is said (T, εb)-semantically binding if any T -time adversary A wins the SB game
of Figure 3.9 with probability at most εb.
We can also define the full binding (FB) game. As described in Figure 3.10, it works as
follows: the adversary A selects a tag mt and a commit value c. Then, he sends both to the
challenger C. C picks a random value mh and sends it back to A. A proposes a decommit
value d and succeeds if it opens to mh, i.e., if mh = open(Kp, mt, c, d).
Adversary A (left) and challenger C (right):
C: (Kp, Ks) ← setup(1^λ); sends Kp to A.
A: selects mt, c; sends mt‖c to C.
C: picks mh ∈u {0, 1}^k; sends mh to A.
A: selects d; sends d to C. C: m̂h ← open(Kp, mt, c, d).
A wins if m̂h = mh.
Figure 3.10. The Full Binding (FB) Game.
Definition 3.21 (Full Binding Commitment Scheme).
A scheme is said (T, εb)-fully binding if any T -time adversary A wins the FB game of
Figure 3.10 with probability at most 2−k + εb.
A commitment scheme is said perfectly (semantic or full) binding if it is (∞, 0)-(semantic
or full)-binding.
3.5.4 Non-Malleability
Non-malleability is the strongest property for commitment schemes. Indeed, the binding and
hiding properties directly follow from non-malleability but not vice versa. Many notions of
non-malleable commitments have been proposed in the cryptographic literature [DDN91,
DCIO98, FF00, DG03, LN06a]. All these definitions try to capture requirements that are
necessary to defeat man-in-the-middle attacks. Here, we adopt the modernized version of
non-malleability with respect to opening. The corresponding definition [LN06a] mimics the
framework of non-malleable encryption [BS99] and leads to more natural security proofs
compared to the simulation-based definitions [DCIO98, DG03].
For ciphers, non-malleability and security against chosen ciphertext attacks (CCA) are
known to be tightly coupled. In fact, these notions coincide if the adversary is allowed to
make decryption queries throughout the entire attack [BDPR97] and thus usage of decryp-
tion oracles can simplify many proofs without significantly increasing the security require-
ments. Unfortunately, a similar technique is not applicable to commitment schemes as there
can be several different valid decommitment values di for a single commitment c. Thus, one
must use explicit definitions of hiding, binding, and non-malleability properties in proofs.
The non-malleability property is defined by elaborate games. Thus we focus on tag-less
schemes and we use an illustrative pictorial style to specify these games, see Figure 3.11 and
Figure 3.12. Intuitively, the goal is: given a valid commitment c, it is infeasible to generate
related commitments ĉ1, . . . , ĉn that can be successfully opened after seeing a decommitment
adversary A is at most
Adv^nm_Com(A) = |Pr[G^nm_0 = 1] − Pr[G^nm_1 = 1]| ≤ εnm.
Note that A2 can be any computable relation that is completely fixed after seeing c. For
instance, we can define A2(σ, x, y) outputs 1 if x = y and 0 otherwise. Hence, it must be
infeasible to construct a commitment ĉ that can be opened later to the same value as the
challenge commitment c.
Non-malleable commitment schemes can be built using a CCA2 secure public-key en-
cryption scheme. However, this method is too inefficient for lightweight devices. Efficient
non-malleable commitment schemes may be designed by using a hash function as detailed
by Laur and Nyberg [LN06a].
3.5.5 Ideal Commitment Model
The notion of ideal commitment model describes a scheme which is perfectly hiding and
perfectly binding.
For instance, an ideal commitment scheme can be implemented using a trusted third party
(TTP) as follows:
Commitment step. The commit(m) algorithm consists of sending the message m securely
to the TTP. The TTP binds m to a unique commit value c, inserts (c,m) in a database T
with a protection flag, and returns c to the owner. Note that there is no decommit value.
The protection flag avoids future access from anyone except the owner.
Opening step. The open(c) algorithm is a simple call to the TTP. The TTP clears the
protection flag of (c,m) which becomes available for anyone.
To commit on $m$, Alice first sends $m$ to the TTP, gets back $c$, and then forwards $c$ to Bob
as depicted in Figure 3.13. As depicted in Figure 3.14, to reveal the message Alice asks the
TTP to clear the protection flag. Now, Bob can open the commitment by giving $c$ to the
TTP who sends back the message $m$ (if the protection flag was cleared).
[Figure 3.13, schematic not reproduced: Alice sends commit(m) to the TTP; the TTP picks $c$, stores $(c, m, \text{protected})$ in $T$ and returns $c$; Alice then forwards $c$ to Bob.]
Figure 3.13. Ideal Commitment: Commit Algorithm and Commitment Phase.
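The following is an added illustration of the TTP-based ideal commitment just described; it is not code from the thesis. The TTP stores each $(c, m)$ pair with a protection flag, only the committer may clear the flag, and anyone may query $c$ afterwards. Commit values are random 128-bit strings and the role names are constructed choices.

```python
"""Ideal commitment model (Section 3.5.5) implemented with a trusted third party.

Added example, not code from the thesis. The TTP keeps (c, m, owner, protected):
the message is unreadable by anyone while protected (perfectly hiding) and the
TTP alone holds the (c, m) binding, so c can never be opened to another value
(perfectly binding). Commit values are fresh random 128-bit strings (a
constructed choice); the TTP is trusted to pick them uniquely."""
import secrets


class TrustedThirdParty:
    def __init__(self):
        self.table = {}  # c -> [m, owner, protected]

    def commit(self, owner, m):
        """commit(m): bind m to a fresh unique commit value c, store the pair
        with the protection flag set, and hand c back to the owner."""
        while True:
            c = secrets.token_hex(16)
            if c not in self.table:  # guarantee uniqueness of c
                break
        self.table[c] = [m, owner, True]
        return c  # note: there is no separate decommit value

    def open(self, caller, c):
        """open(c): only the owner of c may clear its protection flag."""
        entry = self.table[c]
        if entry[1] != caller:
            raise PermissionError("only the committer may open this commitment")
        entry[2] = False

    def retrieve(self, caller, c):
        """Anyone may present c; m is released only once the flag is cleared."""
        m, _, protected = self.table[c]
        return None if protected else m


def commitment_and_opening(m=b"heads"):
    """Alice commits to m and forwards c to Bob (commitment phase); Bob queries
    the TTP before and after Alice opens. Returns what Bob learns each time."""
    ttp = TrustedThirdParty()
    c = ttp.commit("Alice", m)
    seen_before = ttp.retrieve("Bob", c)   # hiding: nothing before opening
    ttp.open("Alice", c)
    seen_after = ttp.retrieve("Bob", c)    # binding: exactly the stored m
    return seen_before, seen_after


def receiver_cannot_open(m=b"heads"):
    """Bob holding c cannot clear the flag himself; the TTP refuses."""
    ttp = TrustedThirdParty()
    c = ttp.commit("Alice", m)
    try:
        ttp.open("Bob", c)
    except PermissionError:
        return True
    return False
```

The two helper functions play the commitment phase of Figure 3.13 and the opening of Figure 3.14 from Bob's point of view: before `open`, the TTP returns nothing for `c`; after it, the value returned is necessarily the one Alice committed to, because only the TTP ever held the pair.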
Note that $r_{DSA} = g' \bmod q$. We have
$$\hat\ell = (\ell - \hat m_h)\,\frac{H(m_t) + x\, r_{DSA}}{k} \pmod q .$$
Consequently, we obtain
$$\hat\ell = (\ell - \hat m_h)\, s_{DSA} \pmod q$$
and this is the reason why $\ell$ and $s_{DSA}$ are in the extra information $\xi$.
Note that this scheme has a stronger binding property called the simulation sound binding
property, which guarantees that a commitment made by an adversary with tag $m_t$ is binding
even if he saw many simulated commit values but never a commitment with tag $m_t$. It is shown
in [MY04] that if an adversary can break this property then it can also break DSA.
3.6 Entropies
We provide the necessary quantitative definitions of the entropy of a random variable.
Definition 3.22 (Min-Entropy).
Let $X$ be a random variable in a set $\mathcal{X}$ with distribution $D$. We define the min-entropy of
$X$ by
$$H_\infty(D) = -\log \max_{x \in \mathcal{X}} \Pr[X = x] .$$
Definition 3.23 (Rényi Entropy).
Let $X$ be a random variable in a set $\mathcal{X}$ with distribution $D$. We define the Rényi entropy (of
order 2) of $X$ by
$$H_2(D) = -\log \sum_{x \in \mathcal{X}} \Pr[X = x]^2 .$$
3.7 Collisions on the Outputs of a Random Oracle
Mironov [Mir06] computed the probability of collision on the outputs of a random oracle $R$.
Lemma 3.24 (Collisions on $R$ outputs).
Let $R$ denote a set of possible $r_j$ values with cardinality $q$. We consider $\ell$ i.i.d. trials $r_i$
with distribution $D$. Let $\varepsilon_c$ be the probability that at least one of the trials is in $R$ or at
least two of the trials are equal. We have
$$\varepsilon_c \le 2^{-2 \cdot H_\infty(D)} \cdot \ell^2 \cdot q + 2^{-H_\infty(D)} \cdot \ell^2 . \qquad (3.1)$$
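As an added worked example (not code from the thesis), the block below evaluates Definitions 3.22 and 3.23 on concrete distributions and compares the bound of Equation (3.1), implemented exactly as printed above, with the exact probability of the event it bounds, obtained by enumerating every outcome for a tiny parameter set. The distributions and the forbidden set are constructed for illustration; logarithms are base 2.

```python
"""Min-entropy, Renyi entropy of order 2, and the collision bound of Lemma 3.24.

Added example, not code from the thesis. A distribution is a dict mapping an
outcome to its probability, given as Fractions so that the exact enumeration is
exact. UNIFORM_8 and SKEWED_8 are constructed sample distributions."""
import itertools
import math
from fractions import Fraction

UNIFORM_8 = {i: Fraction(1, 8) for i in range(8)}
SKEWED_8 = {0: Fraction(1, 2), **{i: Fraction(1, 14) for i in range(1, 8)}}


def min_entropy(dist):
    """H_inf(D) = -log2 max_x Pr[X = x]  (Definition 3.22)."""
    return -math.log2(max(dist.values()))


def renyi_entropy(dist):
    """H_2(D) = -log2 sum_x Pr[X = x]^2  (Definition 3.23)."""
    return -math.log2(sum(p * p for p in dist.values()))


def collision_bound(dist, trials, forbidden_size):
    """Right-hand side of Equation (3.1): an upper bound on the probability
    that, among `trials` i.i.d. draws from `dist`, one draw lands in a fixed
    set of `forbidden_size` values or two draws coincide."""
    h = min_entropy(dist)
    return 2 ** (-2 * h) * trials ** 2 * forbidden_size + 2 ** (-h) * trials ** 2


def exact_collision_probability(dist, trials, forbidden):
    """Exact probability of the event bounded in Lemma 3.24, by enumerating all
    |support|^trials outcomes (feasible only for tiny parameters)."""
    bad = Fraction(0)
    for draw in itertools.product(list(dist), repeat=trials):
        hits_forbidden = any(o in forbidden for o in draw)
        repeated = len(set(draw)) < len(draw)
        if hits_forbidden or repeated:
            bad += math.prod(dist[o] for o in draw)
    return bad
```

With `UNIFORM_8`, two trials and the forbidden set `{0}`, the exact probability is 22/64 while the bound evaluates to 0.5625; with `SKEWED_8` the min-entropy drops to one bit and the bound exceeds one, which shows why a low-min-entropy distribution gives the lemma no useful guarantee.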
Chapter 4: Security Model
This chapter presents the security model for (message authentication) protocols relying on
an extra authenticated channel. We first define the network setting (nodes, identities, and
protocol instances) and the communication model (the available channels). Then, we define
the adversary capabilities on the network, on the insecure channel, and finally on the extra
authenticated channel. Finally, we present the concept of short authenticated string (SAS).
4.1 Network Model
We define a model for a communication network made up of devices and different commu-
nication channels between them. Here, the term “device” is a generic name to describe any
communication entity. For instance, a device may be a personal computer, a mobile phone,
a satellite, or a television.
Nodes and Unique Identities. We consider a network composed of $N$ communication
devices. Each device is located on a node $n$ and each node is given a unique identity $id_n$.
For instance, identities may be interpreted as network addresses. The communication
device located on node $n$, of identity $id_n$, is denoted by $P_{id_n}$.
Key Database. Each node $n$ locally maintains a database of $(sk_j, id_j)$ pairs. A pair means
that it can use the symmetric key $sk_j$ to communicate securely with the node of
identity $id_j$.
A Protocol Run. A protocol $\pi$ specifies a sequence of steps which consist of receiving a
message and sending a response. The $N$ participants of the network are potentially
involved in the protocol execution. An internal short-term state $\sigma$ keeps track of
previously completed steps. Once the protocol is completed, $\sigma$ is removed. A protocol
starts with some specified inputs and an initial state (in terms of database content). It
ends with some specified outputs (or an error message) and a final state. The difference
between the inputs and outputs on the one hand and the initial and final states on the
other is that the adversary has control over the former but not over the states, except
if the node was corrupted or some information leaked.
Concurrent Protocol Instances. A node $n$ can run concurrent instances of the same or
different protocols. Each instance of a protocol $\pi$ is formally denoted by a unique
instance tag $\pi^{(i)}_n$. Note that the (internal) state of a protocol related to a given tag
changes with time as new steps of the protocol are made.
Group Descriptions. Let $\pi$ be a protocol specifying the interaction between the partic-
ipants $P_{id_1}, \ldots, P_{id_n}$. The participants form a group which may be small, e.g., two
parties ($n = 2$), or much larger. We denote by $G = \{id_1, \ldots, id_n\}$ the group of partic-
ipants involved in the protocol. We always assume that the group $G$ is ordered with
respect to the sender identities $id_1 < id_2 < \cdots < id_n$. We may use $H$ to refer to the
group of honest (non-corrupted) participants. Clearly, we always have $H \subseteq G$.
4.2 Communication Model
It is often prohibitively expensive to establish physical infrastructure that guarantees in-
tegrity of received messages. Authenticity concerns are particularly justified in case of
wireless communication, since anybody with the proper equipment can eavesdrop, inject
messages and cause communication failures. Thus, we have to assume that participants ex-
change messages over a communication network that is controlled by a malicious adversary.
However, the latter does not exclude the possibility of truly authentic message transmis-
sion, since participants may use alternative ways to communicate. For instance, in many
small-range wireless networks a human operator can authentically transfer short messages
from one device to another. If entities are further apart, we can transfer such messages over
the phone provided that the participants can recognize each other by voice and behavior.
As usual, we consider a model where communication is asynchronous. Nodes can use
in-band and out-of-band communication channels:
In-band communication. The in-band communication channel is totally insecure. It is
routed via an active adversary A who can eavesdrop, delay, modify, drop, and insert
messages. More details about the adversary capabilities are given in Section 4.3.
Part I Chapter 4 - Security Model
Out-of-band communication. Additionally, nodes are able to send out-of-band messages
through an authenticated extra channel. More details on that channel are given in
Section 4.4.
Figure 4.1 describes a network with three nodes, where each node can send insecure messages
as well as authenticated messages to each other.
[Figure 4.1, schematic not reproduced: Node 1, Node 2 and Node 3 with the Adversary in the middle; each pair of nodes is linked by an authenticated (A) and an insecure (I) channel.]
Figure 4.1. Communication Channels (Example with Three Participants).
We emphasize that there are no true broadcast channels in our model. Although several
wireless networks such as WLAN in ad-hoc mode offer physical broadcast channels, there
are no guarantees that the signal actually reaches all nodes. If we can guarantee this by
physical means, then the authentication task becomes almost trivial. As different recipients
can receive different broadcast messages, there is no difference between broadcasting and
standard messaging except for efficiency. Similarly, broadcasting authenticated messages
does not change the security analysis, although in practice, broadcasting can significantly
reduce the necessary human interaction and make the protocol more user-friendly. For
instance, a user entering the same PIN on each mobile device in a Bluetooth piconet is
certainly less demanding than using different PIN values. The same is true if we consider
secure VoIP-based conference calls: a participant giving the same value to all others has
much less work than a participant giving a different value to each other.
Note that in some cases, a participant, say Alice, may only send messages without really
interacting with any other party. Likewise, the other parties only receive messages from Alice.
In that case, both communication channels are only used one-way. Such a protocol using
one-way channels is said to be non-interactive.
Definition 4.1 (Non-interactive Protocol).
A protocol is said to be non-interactive if all protocol messages are sent from one node
only, e.g., from Alice to the others.
4.3 Adversarial Model
We adapt different adversarial models from Laur, Pasini and Vaudenay [Vau05b, Vau05a,
PV06a, PV06b, LP08, LP09]. All these adversarial models are based on the one from Bellare-
Rogaway [BR93a] which places the adversary at the center of the network. The adversary
can make queries to any instances on any nodes. By default, the adversary is assumed to
have full control over
• the insecure channel,
• the protocol inputs,
• which node launches a new protocol instance,
• which instance makes a new protocol step.
The adversary is also able
• to access the protocol outputs,
• to influence the delivery of messages (without modifying them) over the authenticated
channels.
Occasionally, the adversary may
• violate the privacy of the internal state of a given node,
• corrupt a node so that its behavior with respect to future protocol runs is no longer
guaranteed.
We assume that the actions of the participants, including potential adversaries, only depend
on the received messages and their relative ordering. This assumption is often justified
even if a practical instantiation of a protocol depends on explicit timings. In fact, it is
straightforward to prove that security guarantees obtained in this simplified model are valid
for all practical settings, where exact timings do not depend on the states of private variables.
More formally, the adversary has access to the following oracles:
Launch. The $\pi^{(i)}_n \leftarrow \mathrm{launch}(n, r, x)$ oracle launches a new protocol instance on node $n$
playing the role $r$ with input $x$. The role $r$ describes a character, i.e., a role to play in
the protocol. It can be for instance Alice or Bob. This launch oracle returns a unique
instance tag $\pi^{(i)}_n$. Since a node can run concurrent protocols, there may be several
instances related to the same node $n$. Note that the instance inherits the current node
state as input state.
Execute. The $\xi \leftarrow \mathrm{execute}(\{j \in [1, n] : \pi^{(i_j)}_j\})$ oracle runs the full protocol with the given $n$
protocol instances $\pi^{(i_1)}_1, \pi^{(i_2)}_2, \ldots, \pi^{(i_n)}_n$ on nodes $1, 2, \ldots, n$ and returns the full transcript
of protocol messages and the protocol outputs. This oracle models passive attacks.
Send. The $m' \leftarrow \mathrm{send}(\pi^{(i)}_n, m)$ oracle sends an incoming message $m$ to the instance $\pi^{(i)}_n$. It
returns either an outgoing message $m'$ which is meant to be sent to another participant,
or the final output of the protocol if it completed. This models active attacks.
For example, assume a protocol $\pi$ with two characters, Alice and Bob, executed in the presence
of an adversary $\mathcal{A}$. Let the character Alice be played on node $A$ with input $x_A$ and the
character Bob be played on node $B$ with input $x_B$. A possible protocol execution is de-
picted in Figure 4.2 in two different ways: an adversary query list and a schematic message
representation.
1. $\pi^{(1)}_A \leftarrow \mathrm{launch}(A, \mathrm{Alice}, x_A)$
2. $\pi^{(1)}_B \leftarrow \mathrm{launch}(B, \mathrm{Bob}, x_B)$
3. $m_1 \leftarrow \mathrm{send}(\pi^{(1)}_A, \emptyset)$
4. $m_2 \leftarrow \mathrm{send}(\pi^{(1)}_B, \hat m_1)$
5. $m_3 \leftarrow \mathrm{send}(\pi^{(1)}_A, \hat m_2)$
6. ...
[Schematic not reproduced: the adversary $\mathcal{A}$ stands between nodes $A$ and $B$. The launch queries go to $A$ and $B$ and return $\pi^{(1)}_A$ and $\pi^{(1)}_B$; each $\mathrm{send}$ query to one node returns a message $m_i$, which the adversary delivers as $\hat m_i$ to the other node, until a message is a termination message.]
Figure 4.2. Example of Oracle Queries for a Protocol Execution.
Notation. By convention, we describe protocols by putting a hat ($\hat\cdot$) on the notation for
messages received by a node (i.e., inputs of the send oracle) which are not authenticated,
since they can differ from the messages which were sent (i.e., outputs of the send oracle)
in the case of an active attack. For instance, this is the case for $m_1$ and $\hat m_1$ as well as
for $m_2$ and $\hat m_2$ in Figure 4.2.
We may also give the adversary access to the oracle $m \leftarrow \mathrm{receive}(\pi^{(i)}_n)$. However, this can
be trivially emulated by $m \leftarrow \mathrm{send}(\pi^{(i)}_n, \emptyset)$. The existence of the receive oracle makes sense
only when we are using a non-interactive protocol. Indeed, a non-interactive protocol only
uses one-way channels. So, it may seem strange to allow the adversary to ask for receiving
a message with the $m \leftarrow \mathrm{send}(\pi^{(i)}_n, \emptyset)$ oracle, i.e., by sending an empty message, because this
may suggest that the channels are bidirectional.
Note that the Bellare-Rogaway [BR93a] model considers additional oracles specific to
protocols using long-term secrets, like key agreements for instance:
Remove. The $\mathrm{remove}(n, id)$ oracle removes any $(sk, id)$ entry in the database of node $n$.
In practice, this oracle may be implemented by an adversary mounting denial-of-service
attacks on the communication link between $n$ and $id$ so that $n$ decides not to trust this
connection anymore and removes it.
Reveal. The $sk \leftarrow \mathrm{reveal}(\pi^{(i)}_n)$ oracle reveals the session key $sk$ to the adversary $\mathcal{A}$ if the
instance $\pi^{(i)}_n$ has accepted it before. This query models the loss of the session key
and can be used to show the consequences for the other instances.
Corrupt. The $\mathrm{corrupt}(n)$ oracle corrupts the collection of instances related to the node $n$.
So the behavior of any protocol instance at node $n$ is no longer guaranteed. This query
models the corruption of a node (all instances), for example when a user-password pair has
been stolen or malicious code has been installed on the device on node $n$, e.g., a
“Trojan horse”.
Test. The $b \leftarrow \mathrm{test}(n, sk, id)$ oracle tells whether $(sk, id)$ is an entry of the database of node $n$
($b = 1$) or not ($b = 0$). In practice, this oracle may be implemented by an active
adversary trying to impersonate node $n$ to communicate with $id$. If the attempt
succeeds, it means that $sk$ was correct.
Definition 4.2 (Attack Cost).
The attack cost is measured by
• $q$, the number of launched instances of the different roles, i.e., the online complexity,
• $T$, the additional time complexity, i.e., the offline complexity,
• $p$, the probability of success.
4.4 Authenticated Channel Models
When referring to “channel”, we refer by default to an insecure broadband channel with
no additional assumption. As mentioned before, the devices of the network can use extra
authenticated channels.
An authenticated channel is related to a node identity id. Formally, an authenticated
channel from a node n has an identifier idn. It allows the recipient of a message to know
the identity of the node from which the message has been sent. Note that an adversary
cannot modify it (i.e., integrity is implicitly protected), but she can delay it, remove it,
replay it, and of course read it. In particular, an authenticated channel does not provide
confidentiality.
By convention, we write $\mathrm{auth}_{id_n}(m)$ for a message $m$ which has been sent from node $n$ through
the authenticated channel.
The send oracle maintains an unordered set of authenticated messages for every channel $id_n$
of a node $n$. Only send oracles queried with a $\pi^{(i)}_n$ instance can insert a new message into this set.
When a send oracle is queried with any instance and any message $\mathrm{auth}_{id_n}(m)$, the message is accepted
by the oracle only if $m$ is in the set related to channel $id_n$. Note that concurrent or successive
instances related to the same node write into the same channel, i.e., into the same set. Thus,
when an instance $\pi^{(i)}_n$ sends a message, the recipient of this message can only authenticate
the node from which it has been sent, i.e., $n$, but not the connection to the right instance,
i.e., $i$.
For simplicity, we assume that the input or output of the send oracle is either an authenti-
cated or a non-authenticated message, but not both. Namely, protocols do not concatenate
authenticated and non-authenticated messages.
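The launch/send oracle interface of Section 4.3 and the per-channel sets of authenticated messages described just above can be exercised in a small simulation. The block below is an added example, not code from the thesis: the two-message protocol it runs (Alice sends her input over the insecure channel, then a tag of it over her authenticated channel; Bob accepts only if the two agree) is a constructed vehicle for showing the mechanics of the model, not one of the thesis's protocols, and the tag function, node names and sample messages are constructed choices.

```python
"""Toy model of the launch/send oracles (Section 4.3) and of the set of
authenticated messages the send oracle keeps per channel id_n (Section 4.4).

Added example, not code from the thesis. The protocol is a constructed toy:
Alice -> Bob : m over the insecure channel          (m_1, delivered as m_hat_1)
Alice -> Bob : auth_{id_A}(tag(m))                   (authenticated)
Bob outputs m_hat_1 if tag(m_hat_1) == received tag, else "reject".
tag() is a truncated SHA-256 (64 bits), a constructed choice."""
import hashlib

TAG_BYTES = 8


def tag(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest()[:TAG_BYTES], "big")


class Instance:
    """One instance pi_n^(i): node, role, input x, short-term state sigma."""

    def __init__(self, node, role, x):
        self.node, self.role, self.x = node, role, x
        self.sigma, self.step, self.output = {}, 0, None

    def run(self, incoming):
        """One protocol step; returns the outgoing message or None."""
        self.step += 1
        if self.role == "Alice":
            if self.step == 1:
                return ("insecure", self.x)               # m_1
            if self.step == 2:
                return ("auth", self.node, tag(self.x))   # auth_{id_A}(tag(m))
        elif self.role == "Bob":
            if self.step == 1:                            # m_hat_1 (adversary-chosen)
                self.sigma["m_hat"] = incoming[1]
            elif self.step == 2:                          # auth_{id_A}(t_hat)
                m_hat, t_hat = self.sigma["m_hat"], incoming[2]
                self.output = m_hat if tag(m_hat) == t_hat else "reject"
        return None


class Network:
    """The adversary's interface: every message passes through send()."""

    def __init__(self):
        self.instances, self.next_index = {}, {}
        self.auth_sets = {}   # channel id_n -> set of messages node n sent authentically

    def launch(self, node, role, x):
        """pi_n^(i) <- launch(n, r, x); returns the instance tag (n, i)."""
        i = self.next_index.get(node, 0) + 1
        self.next_index[node] = i
        self.instances[(node, i)] = Instance(node, role, x)
        return (node, i)

    def send(self, inst_tag, msg):
        """m' <- send(pi_n^(i), m). auth_{id}(m) is accepted only if m is in the
        set of channel id (no forgery); delay, drop and replay are up to the
        adversary and are not prevented (weak channel)."""
        if msg is not None and msg[0] == "auth":
            _, sender, payload = msg
            if payload not in self.auth_sets.get(sender, set()):
                raise ValueError("forged authenticated message rejected")
        inst = self.instances[inst_tag]
        out = inst.run(msg)
        if out is not None and out[0] == "auth":
            self.auth_sets.setdefault(out[1], set()).add(out[2])
        return out if out is not None else inst.output


M = b"transfer 10 EUR to Bob"        # constructed sample input
M_FORGED = b"transfer 10 EUR to Eve"  # constructed substitute


def run(m_hat_1=None):
    """Execution of Figure 4.2 where the adversary delivers m_hat_1 to Bob
    (faithful relay when None) and relays the authenticated tag unchanged."""
    net = Network()
    a = net.launch("A", "Alice", M)
    b = net.launch("B", "Bob", None)
    m1 = net.send(a, None)
    net.send(b, m1 if m_hat_1 is None else m_hat_1)
    s = net.send(a, None)
    return net.send(b, s)


def forgery_attempt():
    """A tag computed by the adversary was never written to channel id_A."""
    net = Network()
    b = net.launch("B", "Bob", None)
    net.send(b, ("insecure", M_FORGED))
    try:
        net.send(b, ("auth", "A", tag(M_FORGED)))
    except ValueError:
        return "rejected"
    return "accepted"


def replay_run():
    """One authenticated message delivered to two Bob instances: the weak
    channel permits replay, and Bob authenticates node A, not the instance."""
    net = Network()
    a = net.launch("A", "Alice", M)
    b1, b2 = net.launch("B", "Bob", None), net.launch("B", "Bob", None)
    m1 = net.send(a, None)
    net.send(b1, m1), net.send(b2, m1)
    s = net.send(a, None)
    return net.send(b1, s), net.send(b2, s)
```

`run()` is the passive execution, `run(("insecure", M_FORGED))` the active one in which Bob rejects because the substituted $\hat m_1$ no longer matches the tag he received authentically; `forgery_attempt()` shows the oracle refusing a message absent from the channel's set, and `replay_run()` shows what the set model does not prevent: the same authenticated message being accepted by a second instance on the same node.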
4.4.1 Weak Authenticated Channels
By default, authenticated channels with no other assumption than authentication and in-
tegrity are called weak. This means that an adversary can delay, remove, or replay a message.
In particular, the sender of the message has no assurance on the message delivery.
4.4.2 Stronger Authenticated Channels
In some cases we need special assumptions on the authenticated channel. Thus, we can
consider stronger authenticated channels, namely channels in which additional properties
are achieved. In the following, we propose some possible properties that can be assumed on
a stronger authenticated channel.
Stall-free transmission assumes that when a message is released by a send oracle, either
it is used as input in the just following send oracle query (either authenticated or not)
or it is never used.
Transmission with acknowledgment assumes that messages are released with a desti-
nation node identifier and the sender can check whether an instance at the destination
node has received the message or not.
Listener-ready transmission assumes that the sender can check if an instance at the
destination node is currently ready to listen to the authenticated channel.
Transmission with immediate delivery assumes that an input message of a send oracle
is immediately delivered to the recipient.
4.4.3 Examples
As mentioned in Section 2.2, human beings can use different channels to communicate.
However, not all of them achieve authentication.
A face-to-face conversation (encounter) and a telephone call ensure authenticity. In
addition, these channels achieve some of the above stronger properties. Suppose two
persons want to start communicating. When the first person starts talking, he knows that
the second one is listening (listener-ready). When one talks to the other, he knows that
the message is not a replay of a previous conversation since interactivity implies coherent
conversations (stall-free). Humans can also sense whether the other one has listened to the message
(acknowledgment). Finally, in a face-to-face conversation, spoken words are immediately
heard by the other (immediate delivery). By telephone, however, this is not the case: there
may be delays, crosstalk, and concurrent talking (collisions of voices).
A (postal) mail can be stalled and released in a different order. The sender has in general no
confirmation that the mail has been received (except when using registered mail).
Finally, the recipient may not be ready to receive it. Thus, a mail achieves none of the
strong properties. A registered mail (reg. mail) only adds an acknowledgment.
A voice mail (or voice record) achieves none of the stronger properties since the message
could be a recorded one, the recorder has no confirmation that the destination heard it, and
the recipient is in general not ready to listen.
An electronic mail (email) is the worst channel in terms of security since it has none of
these properties. In particular, note that an email with no cryptographic appendix, such as
a GPG signature, is in fact not an authenticated channel since it can easily be
forged.
It is clear that mail, electronic mail and voice record are not delivered immediately.
                          Interactive               Non-interactive
                     Encounter   Telephone    Reg. mail   Mail   Voice mail   Email
Authentication          ✓           ✓            ✓         ✓        ✓
Stall-free              ✓           ✓
Acknowledgment          ✓           ✓            ✓
Listener-ready          ✓           ✓
Immediate delivery      ✓
Strong / Weak         Strong      Strong       Strong     Weak     Weak        -
Figure 4.3. Stronger Properties on the Extra Channels used by Human Beings.
There also exist other channels that enable the transfer of a string from one device to
another in an authenticated way. The user still plays an important role. He has in possession
Chapter 5: On the Optimal Entropy of Authenticated Communication
In this chapter, we would like to upper bound the security of an arbitrary SAS-based message
authentication protocol $\pi$ given the overall length of the authenticated strings it uses. In other
words, if we fix the number of authenticated bits to $k$, what is the strongest achievable
security? To answer that question, in this chapter we propose generic attacks against such
protocols. Note that we focus on two-party protocols. Since there exists no protocol resistant
to these generic attacks, we conclude that the security level they leave is the strongest
achievable one. Any protocol reaching this security level would be optimal.
Generic Unilateral Message Authentication Protocol. Assume that the protocol is used to
authenticate a message $m$ from Alice to Bob. For that reason, we assume that authenticated
messages are only sent by Alice. We consider the more general case by supposing that the
protocol can use any sequence of authenticated messages in a given set $S$ during the protocol.
We call it a transcript. Note that authenticated strings may be interleaved with regular
messages, which are not represented in the transcript since they may be easily forged by an
adversary. For any input message $m$, the authenticated transcript used during a protocol
run is denoted by $SAS_m$ and it is picked with a distribution $D_m$ in the set $S$ of all possible
transcripts.
One-shot Adversaries. First, we analyze the security against adversaries which can only
use one instance of Alice and one instance of Bob. We call them one-shot adversaries.
Multi-shot Adversaries. Second, we consider adversaries which can launch many instances
of Alice and Bob. We call them multi-shot adversaries. Over a weak authenticated channel,
adversaries can delay or replay authenticated messages. With protocols using a $k$-bit SAS,
we may have the following attacks.
Delay attack. An attacker starts a protocol with Alice to recover one authenticated string.
Then, the attacker launches several (online) protocols with Bob until the authenticated
string expected by Bob matches the one recovered before from Alice. The adversary
delivers the authenticated string of Alice to this instance of Bob.
Catalog attack. Similarly, an adversary launches several instances of Alice, recovers many
authenticated strings, and builds a catalog of authenticated strings. Then, the adver-
sary starts a protocol with Bob and (if possible) uses one of the recovered authenticated
strings from Alice. This attack works when the SAS catalog is close to the complete
one.
Trade-off attack. We can further trade the number of Bob's instances against the number
of Alice's instances and obtain a birthday paradox effect.
Note that the first two attacks work within a number of trials around $2^k$ but the third one
needs only around $2^{k/2}$ trials.
5.1 Probability of Collision Between Random Variables
In any attack, i.e., one-shot, delay, catalog, or trade-off attack, we need to study the prob-
ability that two authenticated strings collide.
We will see later that the one-shot attack is successful if the two authenticated transcripts
$SAS_{\mathrm{Alice}}$ and $SAS_{\mathrm{Bob}}$ match. By considering the SAS values as independent and identically
distributed (i.i.d.) random variables, it is interesting to know the probability of collision
between them. In order to build secure protocols, we also need to know when this probability
of collision is minimal.
Lemma 5.1 (Collision Between Two Independent Random Variables).
Let $X$ and $Y$ be two independent and identically distributed random variables with distri-
bution $D$ over a support set $S$ of $n$ elements, i.e., $|S| = n$. We have
$$\Pr[X = Y] = 2^{-H_2(D)} \ge \frac{1}{n} \quad\text{and}\quad \Pr[X = Y \mid D \text{ is uniform}] = \frac{1}{n} . \qquad (5.1)$$
Part I Chapter 5 - On the Optimal Entropy of Authenticated Communication
Thanks to Lemma 5.1, we know the probability of collision between two random variables
and we know that this probability is minimal when the distribution is uniform.
Proof.
Let $n$ be the size of the set $S$. Since $X$ and $Y$ are i.i.d. we have
$$\Pr[X = Y] = \sum_{s_i \in S} \Pr[X = s_i] \cdot \Pr[Y = s_i] = \sum_{s_i \in S} p_i^2$$
where $p_i$ denotes $\Pr[X = s_i]$. Note that the above line leads to $\Pr[X = Y] = 2^{-H_2(D)}$ where
$H_2(\cdot)$ denotes the Rényi entropy as in Definition 3.23.
Now, let us write $p_i = \frac{1}{n} + \rho_i$; we obtain
$$\Pr[X = Y] = \sum_{s_i \in S} p_i^2 = \sum_{s_i \in S} \left(\frac{1}{n} + \rho_i\right)^2 = \sum_{s_i \in S} \left(\frac{1}{n}\right)^2 + 2 \sum_{s_i \in S} \frac{1}{n}\rho_i + \sum_{s_i \in S} \rho_i^2 .$$
Note that $\sum_{s_i \in S} p_i = \sum_{s_i \in S} \frac{1}{n} + \sum_{s_i \in S} \rho_i = 1$ and so we deduce that $\sum_{s_i \in S} \rho_i = 0$. We
finally obtain
$$\Pr[X = Y] = \frac{1}{n} + \sum_{s_i \in S} \rho_i^2 .$$
Clearly, $\sum_{s_i \in S} \rho_i^2$ is non-negative: $\sum_{s_i \in S} \rho_i^2 = 0$ when all $\rho_i$ are null, i.e., when the distribution
$D$ is uniform, and $\sum_{s_i \in S} \rho_i^2 > 0$ when the distribution $D$ is non-uniform.
Later, we will also see that a multi-shot attack tries to find a collision between two sets of
SAS values. In order to build secure protocols, we also need to know when this probability
of collision between these sets is minimal.
Lemma 5.2 (SAS Values Should Belong to the Uniform Distribution).
We consider two sets of independent random values $\{X_i\}$, resp. $\{Y_j\}$, of size $p$, resp. $q$,
where the elements are picked in a set $S$ of size $n$ with distribution $D$.
The probability of collision between the two sets is minimal when the distribution $D$ is
uniform.
Assuming that the attacks really look for collision between random SAS values, any au-
thentication protocol must use uniformly distributed SAS values in order to minimize the
attacks. Indeed, any other distribution will allow the adversary to find collisions with a
higher probability or a smaller complexity. So, the protocol will be less secure.
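Both Lemma 5.1 and Lemma 5.2 can be checked numerically on small distributions. The block below is an added example, not code from the thesis: it computes $\Pr[X = Y]$ together with the decomposition $\frac{1}{n} + \sum \rho_i^2$ used in the proof of Lemma 5.1, and it computes $C^{p,q}_D$ (the set-collision probability of Lemma 5.2) exactly by enumerating every outcome, which is feasible only for tiny $n$, $p$ and $q$. The sample distributions over a four-element set are constructed for illustration; the enumeration works for any finite distribution, not just the two shown.

```python
"""Exact collision probabilities for Lemma 5.1 (two i.i.d. draws) and
Lemma 5.2 (two sets of p and q i.i.d. draws), on constructed distributions.

Added example, not code from the thesis. A distribution is a dict mapping a
value of S to its probability, as Fractions so every result is exact."""
import itertools
import math
from fractions import Fraction

UNIFORM_4 = {v: Fraction(1, 4) for v in "abcd"}                       # constructed
SKEWED_4 = {"a": Fraction(1, 2), "b": Fraction(1, 6),
            "c": Fraction(1, 6), "d": Fraction(1, 6)}                  # constructed


def two_draw_collision(dist):
    """Pr[X = Y] for i.i.d. X, Y ~ D, i.e. sum_i p_i^2 = 2^{-H_2(D)} (Lemma 5.1)."""
    return sum(p * p for p in dist.values())


def renyi_decomposition(dist):
    """(1/n, sum_i rho_i^2) with rho_i = p_i - 1/n, the two terms of
    Pr[X = Y] = 1/n + sum_i rho_i^2 from the proof of Lemma 5.1."""
    n = len(dist)
    excess = sum((p - Fraction(1, n)) ** 2 for p in dist.values())
    return Fraction(1, n), excess


def set_collision(dist, p, q):
    """C^{p,q}_D = Pr[{X_1..X_p} ∩ {Y_1..Y_q} != ∅] (Lemma 5.2), by enumerating
    all n^(p+q) outcomes of the p + q independent draws."""
    values = list(dist)
    total = Fraction(0)
    for xs in itertools.product(values, repeat=p):
        weight_x = math.prod(dist[x] for x in xs)
        reachable = set(xs)
        for ys in itertools.product(values, repeat=q):
            if reachable.intersection(ys):
                total += weight_x * math.prod(dist[y] for y in ys)
    return total


def uniform_is_minimal(dists, p, q):
    """True when no distribution in `dists` has a smaller C^{p,q} than the
    uniform one over the same support (all supports must have equal size)."""
    n = len(next(iter(dists)))
    uniform = {v: Fraction(1, n) for v in next(iter(dists))}
    return all(set_collision(d, p, q) >= set_collision(uniform, p, q) for d in dists)
```

On the two sample distributions, `two_draw_collision` returns 1/4 for the uniform one and 1/3 for the skewed one (the decomposition gives 1/4 + 1/12), and `set_collision` with $p = q = 2$ returns 43/64 for the uniform one against 3/4 for the skewed one, in line with Lemma 5.2.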
Proof.
Let $C^{p,q}_D$ be the probability that there exists an $X_i$ which corresponds to a $Y_j$ given a distri-
bution $D$ over the set $S$ of $n$ elements, i.e., a collision occurred between the two sets:
$$C^{p,q}_D = \Pr\left[\{X_1, \cdots, X_p\} \cap \{Y_1, \cdots, Y_q\} \ne \emptyset\right] .$$
By noting that $D'$ is distributed over $n - 1$ elements only (since $a$ never occurs) and
assuming that Equation 5.2 is true for $n - 1$ elements, we can write
$$C^{p,q}_{D'} \ge C^{p,q}_{U_{n-1}} .$$
So, we obtain
$$\begin{aligned}
C^{p,q}_D \ge\;& C^{p,q}_{U_{n-1}} \cdot (1 - p_a)^p (1 - p_a)^q \\
&+ 1 \cdot \left[1 - (1 - p_a)^p\right]\left[1 - (1 - p_a)^q\right] \\
&+ \sum_{i=1}^{p} \left\{ C^{p-i,q}_{U_{n-1}} \binom{p}{i} p_a^i (1 - p_a)^{p-i} \right\} \cdot \left[1 - (1 - p_a)^p\right](1 - p_a)^q \\
&+ \sum_{i=1}^{q} \left\{ C^{p,q-i}_{U_{n-1}} \binom{q}{i} p_a^i (1 - p_a)^{q-i} \right\} \cdot (1 - p_a)^p \left[1 - (1 - p_a)^q\right] \\
\triangleq\;& C^{p,q}_{D_0} .
\end{aligned}$$
The right hand side of this inequality corresponds to the probability of collisions $C^{p,q}_{D_0}$
where the distribution $D_0$ is defined as
$$\Pr_{D_0}[X = x] = \begin{cases} p_a & \text{if } x = a \\ \frac{1}{n-1}(1 - p_a) & \text{if } x \ne a \end{cases} .$$
Consequently, we obtain $C^{p,q}_D \ge C^{p,q}_{D_0}$.
We repeat this step using the same reasoning but using another element. Let $b \ne a$
be an element of the set $S$ and let $p_b$ be its probability over $D_0$, i.e., $p_b = \Pr_{D_0}[X = b] =
\frac{1}{n-1}(1 - p_a)$. Proceeding as before, we obtain $C^{p,q}_{D_0} \ge C^{p,q}_{D_1}$ where $D_1$ is defined as
$$\Pr_{D_1}[X = x] = \begin{cases} p_b & \text{if } x = b \\ \frac{1}{n-1}(1 - p_b) & \text{if } x \ne b \end{cases} .$$
Finally, we obtain the following recurrence
$$C^{p,q}_D \ge C^{p,q}_{D_0} \ge C^{p,q}_{D_1} \ge \cdots \ge C^{p,q}_{D_i} \ge \cdots$$
where the distributions are defined as
$$\Pr_{D_i}[X = x] = \begin{cases} p_i & \text{if } x = a_i \\ \frac{1}{n-1}(1 - p_i) & \text{if } x \ne a_i \end{cases}$$
with
$$a_i = \begin{cases} a & \text{if } i \text{ odd} \\ b & \text{if } i \text{ even} \end{cases}, \qquad p_0 = \Pr_D[X = a_0], \qquad \forall i \ge 1 : p_i = \Pr_{D_{i-1}}[X = a_i] .$$