62 results on '"Stephan Krenn"'
Search Results
2. Basic Secret Sharing
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
3. Conclusions
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
4. From Research to Privacy-Preserving Industry Applications
- Author: Jesús García-Rodríguez, David Goodman, Stephan Krenn, Vasia Liagkou, and Rafael Torres Moreno
- Published: 2023
5. Introduction
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
6. An Introduction to Secret Sharing
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
7. Robust Secret Sharing
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
8. Verifiable Secret Sharing
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
9. Adversary Models for Secret Sharing Schemes
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
10. Advanced Topics
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
11. Preliminaries
- Author: Stephan Krenn and Thomas Lorünser
- Published: 2023
12. KRAKEN
- Author: Karl Koch, Stephan Krenn, Tilen Marc, Stefan More, and Sebastian Ramacher
- Published: 2022
13. A Verifiable Multiparty Computation Solver for the Linear Assignment Problem
- Author: Thomas Lorünser, Florian Wohner, and Stephan Krenn
- Published: 2022
14. A Privacy-Preserving Auction Platform with Public Verifiability for Smart Manufacturing
- Author: Thomas Lorünser, Florian Wohner, and Stephan Krenn
- Published: 2022
15. KRAKEN: A Secure, Trusted, Regulatory-Compliant, and Privacy-Preserving Data Sharing Platform
- Author: Silvia Gabrielli, Stephan Krenn, Donato Pellegrino, Juan Carlos Pérez Baún, Pilar Pérez Berganza, Sebastian Ramacher, and Wim Vandevelde
- Abstract
The KRAKEN project aims to enable the sharing, brokerage, and trading of personal data including sensitive data (e.g., educational and health records and wellbeing data from wearable devices) by returning its control to both data subjects/data providers throughout the entire data lifecycle. The project is providing a data marketplace which will allow the sharing of personal data and its usage for research and business purposes, by using privacy-preserving cryptographic tools. KRAKEN is developing an advanced platform to share certified information between users and organizations by leveraging on distributed ledger technology, promoting the vision of self-sovereign identity solutions (ensuring users’ consent and data control in a privacy-friendly way), preserving security, privacy, and the protection of personal data in compliance with EU regulations (e.g., GDPR). The feasibility of the KRAKEN solution will be tested through two high-impact pilots in the education and healthcare fields.
- Published: 2022
16. Privacy-Preserving Identity Management and Applications to Academic Degree Verification
- Author: Jorge Bernal Bernabe, Jesús García-Rodríguez, Stephan Krenn, Vasia Liagkou, Antonio Skarmeta, and Rafael Torres
- Published: 2022
17. Logarithmic-Size (Linkable) Threshold Ring Signatures in the Plain Model
- Author: Abida Haque, Stephan Krenn, Daniel Slamanig, and Christoph Striecks
- Published: 2022
18. On the Security of Offloading Post-Processing for Quantum Key Distribution
- Author: Thomas Lorünser, Stephan Krenn, Christoph Pacher, and Bernhard Schrenk
- Subjects: secure offloading, information reconciliation, secure outsourcing, quantum key distribution, post-processing, privacy amplification, Quantum Physics (quant-ph), Cryptography and Security (cs.CR)
- Abstract
Quantum key distribution (QKD) has been researched for almost four decades and is currently making its way to commercial applications. However, deployment of the technology at scale is challenging, because of the very particular nature of QKD and its physical limitations. Among others, QKD is computationally intensive in the post-processing phase and devices are therefore complex and power hungry, which leads to problems in certain application scenarios. In this work we study the possibility to offload computationally intensive parts in the QKD post-processing stack in a secure way to untrusted hardware. We show how error correction can be securely offloaded for discrete-variable QKD to a single untrusted server and that the same method cannot be used for long distance continuous-variable QKD. Furthermore, we analyze possibilities for multi-server protocols to be used for error correction and privacy amplification. Even in cases where it is not possible to offload to an external server, being able to delegate computation to untrusted hardware components on the device could improve the cost and certification effort for device manufacturers.
- Published: 2022
19. Privacy-Preserving Analytics for Data Markets Using MPC
- Author: Sebastian Ramacher, Karl Koch, Stephan Krenn, and Donato Pellegrino
- Subjects: Privacy analysis, Data market, Internet privacy, Privacy preserving, Analytics, General Data Protection Regulation, European Union
- Abstract
Data markets have the potential to foster new data-driven applications and help growing data-driven businesses. When building and deploying such markets in practice, regulations such as the European Union’s General Data Protection Regulation (GDPR) impose constraints and restrictions on these markets especially when dealing with personal or privacy-sensitive data.
- Published: 2021
20. Privacy-Preserving Incentive Systems with Highly Efficient Point-Collection
- Author: Christoph Striecks, Fabian Eidens, Jan Bobolz, Daniel Slamanig, and Stephan Krenn
- Subjects: Provable security, Homomorphic encryption, Mathematical proof, Computer security, Loyalty business model, Incentive, ElGamal encryption, Financial services
- Abstract
Incentive systems (such as customer loyalty systems) are omnipresent nowadays and deployed in several areas such as retail, travel, and financial services. Despite the benefits for customers and companies, this involves large amounts of sensitive data being transferred and analyzed. These concerns initiated research on privacy-preserving incentive systems, where users register with a provider and are then able to privately earn and spend incentive points. In this paper we construct an incentive system that improves upon the state-of-the-art in several ways: (1) We improve efficiency of the Earn protocol by replacing costly zero-knowledge proofs with a short structure-preserving signature on equivalence classes. (2) We enable tracing of remainder tokens from double-spending transactions without losing backward unlinkability. (3) We allow for secure recovery of failed Spend protocol runs (where usually, any retries would be counted as double-spending attempts). (4) We guarantee that corrupt users cannot falsely blame other corrupt users for their double-spending. We propose an extended formal model of incentive systems and a concrete instantiation using homomorphic Pedersen commitments, ElGamal encryption, structure-preserving signatures on equivalence classes (SPS-EQ), and zero-knowledge proofs of knowledge. We formally prove our construction secure and present benchmarks showing its practical efficiency.
- Published: 2020
21. Fully invisible protean signatures schemes
- Author: Kai Samelin, Henrich C. Pöhls, Daniel Slamanig, and Stephan Krenn
- Subjects: Information privacy, Invisibility, Third party, Computer Networks and Communications, Computer security, Digital signature, Software, Information Systems
- Abstract
Protean signatures (PSs), recently introduced by Krenn et al. (CANS ‘18), allow a semi-trusted third party (the sanitiser), to modify a signed message in a controlled way: the signer can define the message parts to be arbitrarily editable by the sanitiser, as well as message parts which can be redacted (but not altered otherwise) by the sanitiser. Thus, PSs generalise both redactable signatures (RSs) and sanitisable signatures (SSs) into a single notion. Invisibility for PSs guarantees that no outsider (i.e. any party not being signer or sanitiser) can decide which message parts can be edited. However, the current definition of invisibility does not prohibit that an outsider can decide which parts are redactable – only which parts can be edited are hidden. This negatively impacts the privacy guarantees provided by this definition. The authors extend PSs to be fully invisible. Their notion guarantees that an outsider can identify neither editable nor redactable parts. They, therefore, introduce the new notions of invisible RSs and invisible non-accountable SSs (SS′), along with a consolidated framework for aggregate signatures. Using those building blocks, their resulting construction is significantly more efficient than the original scheme by Krenn et al., which they demonstrate in a prototypical implementation.
- Published: 2020
22. Privacy and Identity Management. Data for Better Living: AI and Privacy
- Author: Michael Friedewald, Eva Lievens, Samuel Fricker, Melek Önen, and Stephan Krenn
- Subjects: Internet privacy, Sociology, Identity management
- Abstract
This book contains selected papers presented at the 14th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School on Privacy and Identity Management, held in Windisch, Switzerland, in Augu ...
- Published: 2020
23. Towards Privacy in Geographic Message Dissemination for Connected Vehicles
- Author: Stefan Ruehrup and Stephan Krenn
- Subjects: Geographic area, Privacy by Design, Computer science, Server, Scalability, Relevance (information retrieval), Consistent hashing, Cryptography and Security (cs.CR), Computer network
- Abstract
With geographic message dissemination, connected vehicles can be served with traffic information in their proximity, thereby positively impacting road safety, traffic management, or routing. Since such messages are typically relevant in a small geographic area, servers only distribute messages to affected vehicles for efficiency reasons. One main challenge is to maintain scalability of the server infrastructure when collecting location updates from vehicles and determining the relevant group of vehicles when messages are distributed to a geographic relevance area, while at the same time respecting the individual user's privacy in accordance with legal regulations. In this paper, we present a framework for geographic message dissemination following the privacy-by-design and privacy-by-default principles, without having to accept efficiency drawbacks compared to conventional server-client based approaches.
- Published: 2019
24. Practical Group-Signatures with Privacy-Friendly Openings
- Author: Christoph Striecks, Stephan Krenn, and Kai Samelin
- Subjects: Computer science, Computer security, Reachability, Anonymity
- Abstract
Group signatures allow creating signatures on behalf of a group, while remaining anonymous. To prevent misuse, there exists a designated entity, named the opener, which can revoke anonymity by generating a proof which links a signature to its creator. Still, many intermediate cases have been discussed in the literature, where not the full power of the opener is required, or the users themselves require the power to claim (or deny) authorship of a signature and (un-)link signatures in a controlled way. However, these concepts were only considered in isolation. We unify these approaches, supporting all these possibilities simultaneously, providing fine-granular openings, even by members. Namely, a member can prove itself whether it has created a given signature (or not), and can create a proof which makes two created signatures linkable (or unlinkable resp.) in a controlled way. Likewise, the opener can show that a signature was not created by a specific member and can prove whether two signatures stem from the same signer (or not) without revealing anything else. Combined, these possibilities can make full openings irrelevant in many use-cases. This has the additional benefit that the requirements on the reachability of the opener are lessened. Moreover, even in the case of an involved opener, our framework is less privacy-invasive, as the opener no longer requires access to the signed message. Our provably secure black-box CCA-anonymous construction with dynamic joins requires only standard building blocks. We prove its practicality by providing a performance evaluation of a concrete instantiation, and show that our non-optimized implementation is competitive compared to other, less feature-rich, notions.
- Published: 2019
25. Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data
- Author: Eleni Kosta, Jo Pierson, Simone Fischer-Hübner, Daniel Slamanig, Stephan Krenn, and TILT
- Subjects: Accountability, Big data, Accounting, Transparency, Identity management
- Abstract
This book contains selected papers presented at the 13th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School on Privacy and Identity Management, held in Vienna, Austria, in August 2018. The 10 full papers included in this volume were carefully reviewed and selected from 27 submissions. Also included are reviewed papers summarizing the results of workshops and tutorials that were held at the Summer School as well as papers contributed by several of the invited speakers. The papers combine interdisciplinary approaches to bring together a host of perspectives: technical, legal, regulatory, socio-economic, social, societal, political, ethical, anthropological, philosophical, historical, and psychological.
- Published: 2019
26. iUC: Flexible Universal Composability Made Simple
- Author: Daniel Rausch, Stephan Krenn, Ralf Küsters, and Jan Camenisch
- Subjects: Computer science, Subroutine, Modular design, Mathematical proof, Universal composability, Software engineering
- Abstract
Proving the security of complex protocols is a crucial and very challenging task. A widely used approach for reasoning about such protocols in a modular way is universal composability. A perfect model for universal composability should provide a sound basis for formal proofs and be very flexible in order to allow for modeling a multitude of different protocols. It should also be easy to use, including useful design conventions for repetitive modeling aspects, such as corruption, parties, sessions, and subroutine relationships, such that protocol designers can focus on the core logic of their protocols.
- Published: 2019
27. Chameleon-Hashes with Dual Long-Term Trapdoors and Their Applications
- Author: Stephan Krenn, Kai Samelin, Henrich C. Pöhls, and Daniel Slamanig
- Subjects: Discrete mathematics, Computer science, Ephemeral key, Hash function
- Abstract
A chameleon-hash behaves like a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC 17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash.
- Published: 2018
28. Revisiting Proxy Re-Encryption: Forward Secrecy, Improved Security, and Applications
- Author: Stephan Krenn, Thomas Lorünser, Christoph Striecks, Sebastian Ramacher, David Derler, and Daniel Slamanig
- Subjects: Delegation, Computer science, Encryption, Computer security, Proxy re-encryption, Public-key cryptography, Forward secrecy
- Abstract
We revisit the notion of proxy re-encryption (PRE), an enhanced public-key encryption primitive envisioned by Blaze et al. (Eurocrypt’98) and formalized by Ateniese et al. (NDSS’05) for delegating decryption rights from a delegator to a delegatee using a semi-trusted proxy. PRE notably allows to craft re-encryption keys in order to equip the proxy with the power of transforming ciphertexts under a delegator’s public key to ciphertexts under a delegatee’s public key, while not learning anything about the underlying plaintexts.
- Published: 2018
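The abstract above describes what a re-encryption key does in words. The following Python is an added example, not code from the paper (which builds a forward-secret PRE scheme): it is the textbook bidirectional ElGamal-based re-encryption in the style of Blaze, Bleumer and Strauss, with toy group parameters assumed here (p = 2039, q = 1019, g = 4; no security whatsoever). It shows that the proxy only touches the key-dependent half of the ciphertext and never sees the plaintext, and it makes two caveats of this simple variant concrete: the re-encryption key is trivially invertible (delegation cannot be one-way), and proxy plus delegatee together recover the delegator's secret key.

```python
"""Toy proxy re-encryption in the style of Blaze-Bleumer-Strauss (Eurocrypt '98).
Added example, not the scheme of the paper above.  Assumed toy group:
p = 2q + 1 with q = 1019 and g = 4 generating the order-q subgroup; these
sizes are for illustration only and offer no security."""
import secrets

P, Q, G = 2039, 1019, 4


def keygen(sk=None):
    """ElGamal key pair (a, g^a); passing a fixed sk makes runs reproducible."""
    a = secrets.randbelow(Q - 1) + 1 if sk is None else sk
    return a, pow(G, a, P)


def encrypt(pk, m, k=None):
    """Enc_A(m) = (m * g^k, pk_A^k) = (m * g^k, g^{a k}).
    m is treated as an element of Z_p^*; a real scheme first encodes it
    into the order-q subgroup (assumption of this toy)."""
    k = secrets.randbelow(Q - 1) + 1 if k is None else k
    return (m * pow(G, k, P) % P, pow(pk, k, P))


def decrypt(sk, c):
    """Recover g^k = (g^{a k})^{1/a} and strip it off the masked message."""
    c1, c2 = c
    gk = pow(c2, pow(sk, -1, Q), P)
    return c1 * pow(gk, -1, P) % P


def rekey(sk_from, sk_to):
    """rk_{A->B} = b / a mod q.  Needs BOTH secrets: the scheme is bidirectional."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk, c):
    """Proxy step: (g^{a k})^{b/a} = g^{b k}.  c1, the masked message, is
    passed through untouched, so the proxy learns nothing about m."""
    c1, c2 = c
    return (c1, pow(c2, rk, P))


def rk_inverse(rk):
    """Caveat 1: rk_{B->A} = rk_{A->B}^{-1} mod q, so the proxy can also
    translate B's ciphertexts to A without anyone's consent."""
    return pow(rk, -1, Q)


def collude(rk, sk_to):
    """Caveat 2: proxy and delegatee together recover a = b * rk^{-1} mod q."""
    return sk_to * pow(rk, -1, Q) % Q


def demo():
    """Delegation A -> B with fixed keys; returns named check results."""
    a, pk_a = keygen(7)
    b, pk_b = keygen(11)
    m = 1234
    c_a = encrypt(pk_a, m)
    rk = rekey(a, b)
    c_b = reencrypt(rk, c_a)
    return {
        "a_decrypts_own": decrypt(a, c_a) == m,
        "b_decrypts_reencrypted": decrypt(b, c_b) == m,
        "b_cannot_decrypt_original": decrypt(b, c_a) != m,
        "proxy_leaves_c1_untouched": c_a[0] == c_b[0],
        "rk_inverts_for_free": decrypt(a, reencrypt(rk_inverse(rk), encrypt(pk_b, 77))) == 77,
        "collusion_recovers_a": collude(rk, b) == a,
    }
```

Every value in `demo()` comes out true: the happy path works, and so do both attacks. Unidirectional and forward-secret PRE schemes such as the one in the paper above exist precisely to close those two gaps, which is why a practitioner should check a PRE construction's directionality and collusion-resistance claims before deploying it as a delegation mechanism.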
29. Protean Signature Schemes
- Author: Daniel Slamanig, Kai Samelin, Henrich C. Pöhls, and Stephan Krenn
- Subjects: Theoretical computer science, Third party, Invisibility, Computer science, Transparency
- Abstract
We introduce the notion of Protean Signature schemes. This novel type of signature scheme allows to remove and edit signer-chosen parts of signed messages by a semi-trusted third party simultaneously. In existing work, one is either allowed to remove or edit parts of signed messages, but not both at the same time. Which and how parts of the signed messages can be modified is chosen by the signer. Thus, our new primitive generalizes both redactable (Steinfeld et al., ICISC ’01, Johnson et al., CT-RSA ’02 & Brzuska et al., ACNS ’10) and sanitizable signatures schemes (Ateniese et al., ESORICS ’05 & Brzuska et al., PKC ’09). We showcase a scenario where either primitive alone is not sufficient. Our provably secure construction (offering both strong notions of transparency and invisibility) makes only black-box access to sanitizable and redactable signature schemes, which can be considered standard tools nowadays. Finally, we have implemented our scheme; our evaluation shows that the performance is reasonable.
- Published: 2018
30. Towards Attribute-Based Credentials in the Cloud
- Author: Christoph Striecks, Anja Salzer, Thomas Lorünser, and Stephan Krenn
- Subjects: Authentication, Computer science, Cloud computing, Cryptography, Computer security, Credential, Proxy re-encryption, Identity management, Key (cryptography)
- Abstract
Attribute-based credentials (ABCs, sometimes also anonymous credentials) are a core cryptographic building block of privacy-friendly authentication systems, allowing users to obtain credentials on attributes and prove possession of these credentials in an unlinkable fashion. Thereby, users have full control over which attributes the user wants to reveal to a third party while offering high authenticity guarantees to the receiver. Unfortunately, up to date, all known ABC systems require access to all attributes in the clear at the time of proving possession of a credential to a third party. This makes it hard to offer privacy-preserving identity management systems “as a service,” as the user still needs specific key material and/or dedicated software locally, e.g., on his device.
- Published: 2018
31. Batch-verifiable Secret Sharing with Unconditional Privacy
- Author: Christoph Striecks, Stephan Krenn, and Thomas Lorünser
- Subjects: Proactive secret sharing, Computer science, Internet privacy, Secure multi-party computation, Verifiable secret sharing, Secret sharing
- Published: 2017
32. Practical Strongly Invisible and Strongly Accountable Sanitizable Signatures
- Author: Stephan Krenn, David Derler, Daniel Slamanig, Michael Till Beck, Kai Samelin, Jan Camenisch, and Henrich C. Pöhls
- Subjects: Invisibility, Computer science, Computer security, Random oracle, Malleability, Digital signature
- Abstract
Sanitizable signatures are a variant of digital signatures where a designated party (the sanitizer) can update admissible parts of a signed message. At PKC ’17, Camenisch et al. introduced the notion of invisible sanitizable signatures that hides from an outsider which parts of a message are admissible. Their security definition of invisibility, however, does not consider dishonest signers. Along the same lines, their signer-accountability definition does not prevent the signer from falsely accusing the sanitizer of having issued a signature on a sanitized message by exploiting the malleability of the signature itself. Both issues may limit the usefulness of their scheme in certain applications.
- Published: 2017
33. Malicious Clients in Distributed Secret Sharing Based Storage Networks
- Author: Thomas Lorünser, Stephan Krenn, and Andreas Happe
- Subjects: Proactive secret sharing, Computer science, Secret sharing, Server, Secure multi-party computation, Byzantine fault tolerance, Computer network
- Abstract
Multi-cloud storage is a viable alternative to traditional storage solutions. Recent approaches realize safe and secure solutions by combining secret-sharing with Byzantine fault-tolerant distribution schemes into safe and secure storage systems protecting a user against arbitrarily misbehaving storage servers.
- Published: 2017
34. Chameleon-Hashes with Ephemeral Trapdoors
- Author: Kai Samelin, Jan Camenisch, David Derler, Daniel Slamanig, Stephan Krenn, and Henrich C. Pöhls
- Subjects: Theoretical computer science, Hash function, Collision resistance, Cryptographic hash function, Mathematics
- Abstract
A chameleon-hash function is a hash function that involves a trapdoor the knowledge of which allows one to find arbitrary collisions in the domain of the function. In this paper, we introduce the notion of chameleon-hash functions with ephemeral trapdoors. Such hash functions feature additional, i.e., ephemeral, trapdoors which are chosen by the party computing a hash value. The holder of the main trapdoor is then unable to find a second pre-image of a hash value unless also provided with the ephemeral trapdoor used to compute the hash value. We present a formal security model for this new primitive as well as provably secure instantiations. The first instantiation is a generic black-box construction from any secure chameleon-hash function. We further provide three direct constructions based on standard assumptions. Our new primitive has some appealing use-cases, including a solution to the long-standing open problem of invisible sanitizable signatures, which we also present.
- Published: 2017
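Entries 27 and 34 above describe chameleon-hashes and the ephemeral-trapdoor idea in words. The Python below is an added example serving both, not code from either paper. It implements the textbook discrete-log chameleon hash in the style of Krawczyk and Rabin with toy parameters assumed here (p = 2039, q = 1019, g = 4; no security), shows the trapdoor holder forging a collision, shows that scheme's well-known key-exposure problem (a single published collision leaks the trapdoor), and then wraps the hash in a simplified two-trapdoor variant in the spirit of the black-box CHET idea: the same message is hashed a second time under a key generated fresh by the hashing party, so the long-term trapdoor alone no longer suffices to find a collision. The wrapper is an illustration of the principle, not the paper's construction.

```python
"""Toy chameleon hash with a long-term trapdoor, plus a simplified
ephemeral-trapdoor wrapper.  Added example; the toy group p = 2q + 1,
q = 1019, g = 4 is assumed and offers no security."""
import secrets

P, Q, G = 2039, 1019, 4


def keygen():
    """Trapdoor x and public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def ch_hash(y, m, r):
    """h = g^m * y^r mod p.  Messages are elements of Z_q here; a real
    scheme first hashes arbitrary bytes into Z_q (assumption of this toy)."""
    return pow(G, m % Q, P) * pow(y, r, P) % P


def ch_adapt(x, m, r, m_new):
    """Trapdoor holder: r' with ch_hash(y, m_new, r') == ch_hash(y, m, r),
    solving m + x*r = m_new + x*r' (mod q) for r'."""
    return (m + x * r - m_new) * pow(x, -1, Q) % Q


def ch_extract_trapdoor(m1, r1, m2, r2):
    """Key exposure: any collision with r1 != r2 leaks x = (m1 - m2)/(r2 - r1)."""
    return (m1 - m2) * pow((r2 - r1) % Q, -1, Q) % Q


def chet_hash(y_long, m):
    """Hash under the long-term key AND under a fresh ephemeral key.
    Returns the hash triple, the randomness pair and the ephemeral trapdoor,
    which the hashing party keeps to itself."""
    x_eph, y_eph = keygen()
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (ch_hash(y_long, m, r1), ch_hash(y_eph, m, r2), y_eph), (r1, r2), x_eph


def chet_verify(y_long, h, m, rand):
    """Both components must match; the ephemeral public key travels with h."""
    h1, h2, y_eph = h
    r1, r2 = rand
    return ch_hash(y_long, m, r1) == h1 and ch_hash(y_eph, m, r2) == h2


def chet_adapt(x_long, x_eph, m, rand, m_new):
    """Both trapdoors are needed; x_eph=None models the long-term holder alone,
    who can only fix the first component."""
    r1, r2 = rand
    r1_new = ch_adapt(x_long, m, r1, m_new)
    r2_new = ch_adapt(x_eph, m, r2, m_new) if x_eph is not None else r2
    return (r1_new, r2_new)


def demo():
    """Returns named check results for the four properties discussed."""
    x, y = keygen()
    m, m_new = 10, 1000          # e.g. "pay 10" vs "pay 1000", already in Z_q
    r = secrets.randbelow(Q)
    r_new = ch_adapt(x, m, r, m_new)
    h, rand, x_eph = chet_hash(y, m)
    return {
        "trapdoor_forges_collision": ch_hash(y, m_new, r_new) == ch_hash(y, m, r),
        "one_collision_leaks_trapdoor": ch_extract_trapdoor(m, r, m_new, r_new) == x,
        "long_term_key_alone_fails": not chet_verify(y, h, m_new, chet_adapt(x, None, m, rand, m_new)),
        "both_trapdoors_succeed": chet_verify(y, h, m_new, chet_adapt(x, x_eph, m, rand, m_new)),
    }
```

The key-exposure check is the practical caveat: with this plain construction, a sanitizer who ever publishes one adapted message hands its long-term trapdoor to every verifier, which is why the sanitizable-signature literature cited above relies on key-exposure-free chameleon-hashes rather than this textbook one.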
35. A counterexample to the chain rule for conditional HILL entropy
- Author: Daniel Wichs, Akshay Wadia, Krzysztof Pietrzak, and Stephan Krenn
- Subjects: General Mathematics, Open problem, Chain rule, Injective function, Theoretical Computer Science, Deterministic encryption, Combinatorics, Computational Mathematics, Joint probability distribution, Entropy (information theory), Random variable, Counterexample
- Abstract
Most entropy notions $H(\cdot)$ like Shannon or min-entropy satisfy a chain rule stating that for random variables $X$, $Z$, and $A$ we have $H(X|Z,A) \ge H(X|Z) - |A|$. That is, by conditioning on $A$ the entropy of $X$ can decrease by at most the bitlength $|A|$ of $A$. Such chain rules are known to hold for some computational entropy notions like Yao's and unpredictability-entropy. For HILL entropy, the computational analogue of min-entropy, the chain rule is of special interest and has found many applications, including leakage-resilient cryptography, deterministic encryption, and memory delegation. These applications rely on restricted special cases of the chain rule. Whether the chain rule for conditional HILL entropy holds in general was an open problem for which we give a strong negative answer: we construct joint distributions $(X,Z,A)$, where $A$ is a distribution over a single bit, such that the HILL entropy $H^{\mathrm{HILL}}(X|Z)$ is large but $H^{\mathrm{HILL}}(X|Z,A)$ is basically zero. Our counterexample just makes the minimal assumption that $\mathbf{NP} \not\subseteq \mathbf{P/poly}$. Under the stronger assumption that injective one-way functions exist, we can make all the distributions efficiently samplable. Finally, we show that some more sophisticated cryptographic objects like lossy functions can be used to sample a distribution constituting a counterexample to the chain rule making only a single invocation to the underlying object.
- Published: 2016
36. CREDENTIAL: A Framework for Privacy-Preserving Cloud-Based Data Sharing
- Author: Bernd Zwattendorfer, Florian Thiemer, Stephan Krenn, Felix Hörandner, and Andrea Migliavacca
- Subjects: Cryptographic primitive, Electronic business, Computer science, Internet privacy, Cloud computing, Computer security, Credential, Identity management, Proxy re-encryption, Data sharing
- Abstract
Data sharing – and in particular sharing of identity information – plays a vital role in many online systems. While in closed and trusted systems security and privacy can be managed more easily, secure and privacy-preserving data sharing as well as identity management becomes difficult when the data are moved to publicly available and semi-trusted systems such as public clouds. CREDENTIAL is therefore aiming at the development of a secure and privacy-preserving data sharing and identity management platform which gives stronger security guarantees than existing solutions on the market. The results will be showcased close to market-readiness through pilots from the domains of eHealth, eBusiness, and eGovernment, where security and privacy are crucial. From a technical perspective, the privacy and authenticity guarantees are obtained from sophisticated cryptographic primitives such as proxy re-encryption and redactable signatures.
- Published: 2016
37. Opportunities and Challenges of CREDENTIAL
- Author
-
Simone Fischer-Hübner, Farzaneh Karegar, Christoph Striecks, Thomas Lorünser, Felix Hörandner, and Stephan Krenn
- Subjects
021110 strategic, defence & security studies ,Computer science ,business.industry ,0211 other engineering and technologies ,Cloud computing ,02 engineering and technology ,Credential ,Focus group ,Data sharing ,Metadata ,World Wide Web ,Engineering management ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,Identity (object-oriented programming) ,Architecture ,business - Abstract
This paper summarizes the results of a workshop at the IFIP Summer School 2016 introducing the EU Horizon 2020 project CREDENTIAL (Secure Cloud Identity Wallet). The contribution of this document is three-fold. First, it gives an overview of the CREDENTIAL project, its use-cases, and core technologies. Second, it explains the challenges of the project’s approach and summarizes the results of the parallel focus groups that were held during the workshop. Third, it focuses on a specific challenge—the protection of metadata in centralized identity providers—and suggests a potential architecture addressing this problem.
- Published
- 2016
- Full Text
- View/download PDF
38. Universal Composition with Responsive Environments
- Author
-
Ralf Küsters, Stephan Krenn, Jan Camenisch, Robert R. Enderlein, and Daniel Rausch
- Subjects
021110 strategic, defence & security studies ,Transitive relation ,Computer science ,Distributed computing ,Control (management) ,0211 other engineering and technologies ,0102 computer and information sciences ,02 engineering and technology ,Network interface ,Adversary ,Computer security ,computer.software_genre ,Mathematical proof ,01 natural sciences ,010201 computation theory & mathematics ,Universal composability ,computer ,Equivalence (measure theory) ,Protocol (object-oriented programming) - Abstract
In universal composability frameworks, adversaries or environments and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, and corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural for adversaries/environments to provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability is this guaranteed. We call this the non-responsiveness problem. As we will discuss in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers no longer have to worry about artifacts resulting from such requests not being answered promptly.
Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, and composition theorems) provided for the IITM model.
- Published
- 2016
- Full Text
- View/download PDF
39. Signer-Anonymous Designated-Verifier Redactable Signatures for Cloud-Based Data Sharing
- Author
-
Stephan Krenn, David Derler, and Daniel Slamanig
- Subjects
business.industry ,Computer science ,020206 networking & telecommunications ,Cloud computing ,Cryptography ,02 engineering and technology ,Group signature ,Computer security ,computer.software_genre ,Signature (logic) ,Data sharing ,Information sensitivity ,0202 electrical engineering, electronic engineering, information engineering ,Identity (object-oriented programming) ,020201 artificial intelligence & image processing ,business ,computer ,Block (data storage) - Abstract
Redactable signature schemes allow one to black out predefined parts of a signed message without affecting the validity of the signature, and are therefore an important building block in privacy-enhancing cryptography. However, a second look shows that for many practical applications they cannot be used in their vanilla form. On the one hand, already the identity of the signer may often reveal sensitive information to the receiver of a redacted message; on the other hand, if data leaks or is sold, everyone getting hold of (redacted versions of) a signed message will be convinced of its authenticity.
- Published
- 2016
- Full Text
- View/download PDF
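The following Python program is an added example and not code from the paper or the CREDENTIAL project. It instantiates the "vanilla" redactable signature the abstract refers to: every message block gets a salted SHA-256 commitment, and an ordinary signature is placed over the ordered list of commitments. A Lamport one-time signature built from SHA-256 stands in for the signature scheme so that the code runs on the standard library alone; any real scheme (RSA, ECDSA, Ed25519) would take its place. Redaction drops a block together with its salt but keeps the commitment, so the signature still verifies, while the salt keeps the blacked-out content hidden. Both shortcomings the abstract raises are visible in the code: verification needs the signer's public key, so the signer is identified, and anyone who obtains the redacted document can convince themselves of its authenticity. The sample blocks are constructed for the demonstration.

```python
# Added example (not from the paper): a minimal redactable signature from
# per-block salted commitments plus a Lamport one-time signature over them.
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (a, b) and (a||b, b'') cannot collide by layout."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


# --- Lamport one-time signature: stands in for any ordinary signature scheme ---
def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


# --- Redactable signature on top of it ---
REDACTED = None  # marker for a blacked-out block


def rs_sign(sk, blocks):
    """Commit to every block with a fresh salt, then sign the ordered commitment list."""
    salts = [os.urandom(16) for _ in blocks]
    commits = [H(s, m) for s, m in zip(salts, blocks)]
    root = H(*commits)  # binds content and order of all blocks
    return {"commits": commits, "salts": salts, "sig": lamport_sign(sk, root)}


def rs_redact(blocks, sig, indices):
    """Anyone holding a signed message can black out blocks: the block and its salt are
    removed, the commitment stays so the signature over the commitment list still verifies."""
    red_blocks = [REDACTED if i in indices else m for i, m in enumerate(blocks)]
    red_salts = [None if i in indices else s for i, s in enumerate(sig["salts"])]
    return red_blocks, {"commits": sig["commits"], "salts": red_salts, "sig": sig["sig"]}


def rs_verify(pk, blocks, sig) -> bool:
    """Every visible block must open its commitment; the commitment list must carry a valid
    signature under pk. Note that pk identifies the signer and anyone can run this check."""
    if len(blocks) != len(sig["commits"]) or len(sig["salts"]) != len(sig["commits"]):
        return False
    for m, s, c in zip(blocks, sig["salts"], sig["commits"]):
        if m is REDACTED:
            continue  # blacked out: only its commitment is covered by the signature
        if s is None or H(s, m) != c:
            return False
    return lamport_verify(pk, H(*sig["commits"]), sig["sig"])


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    doc = [b"patient=Alice", b"diagnosis=flu", b"visit=2016-05-01"]  # constructed sample
    sig = rs_sign(sk, doc)
    redacted_doc, redacted_sig = rs_redact(doc, sig, {1})
    print(rs_verify(pk, doc, sig), rs_verify(pk, redacted_doc, redacted_sig))
```

The Lamport key must be used for a single signature only; the point of the block is the redaction layer, which is independent of the underlying scheme.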
40. Efficient zero-knowledge proofs for commitments from learning with errors over rings
- Author
-
Vadim Lyubashevsky, Fabrice Benhamouda, Stephan Krenn, Krzysztof Pietrzak, École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL), Laboratoire d'informatique de l'école normale supérieure (LIENS), Département d'informatique - ENS Paris (DI-ENS), Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Paris (ENS Paris), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL), Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities (CASCADE), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Inria Paris-Rocquencourt, Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS), Austrian Institute of Technology [Vienna] (AIT), Institute of Science and Technology [Austria] (IST Austria), ANR-13-JS02-0003,CLE,Cryptography from Learning with Errors(2013), European Project: 321310,EC:FP7:ERC,ERC-2012-ADG_20120216,PERCY(2013), European Project: 259668,EC:FP7:ERC,ERC-2010-StG_20091028,PSPC(2010), École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Inria Paris-Rocquencourt, Institute of Science and Technology [Klosterneuburg, Austria] (IST Austria), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Centre National de la Recherche Scientifique (CNRS), Département d'informatique de l'École normale supérieure (DI-ENS), and Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure - Paris (ENS Paris)
- Subjects
Discrete mathematics ,Ring (mathematics) ,Mathematics::Commutative Algebra ,Computer science ,004 Data processing & computer science ,Multiplicative function ,Rejection sampling ,020206 networking & telecommunications ,0102 computer and information sciences ,02 engineering and technology ,000 Computer science, knowledge & systems ,01 natural sciences ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,010201 computation theory & mathematics ,0202 electrical engineering, electronic engineering, information engineering ,Commitment scheme ,Zero-knowledge proof ,Communication complexity ,Constant (mathematics) ,Algorithm ,Learning with errors ,ComputingMilieux_MISCELLANEOUS - Abstract
We extend a commitment scheme based on the learning with errors over rings ($$\mathsf{RLWE}$$) problem, and present efficient companion zero-knowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, $$n$$ elements from $$\mathbb{F}_q$$) to a small constant number of ring elements. We then construct $$\varSigma$$-protocols for proving, in a zero-knowledge manner, knowledge of the message contained in a commitment. We are able to further extend our basic protocol to allow us to prove additive and multiplicative relations among committed values. Our protocols have a communication complexity of $$\mathcal{O}(Mn\log q)$$ and achieve a negligible knowledge error in one run. Here $$M$$ is the constant from a rejection sampling technique that we employ, and can be set close to 1 by adjusting other parameters. Previously known $$\varSigma$$-protocols for LWE-related languages only achieved a noticeable or even constant knowledge error, thus requiring many repetitions of the protocol, or relied on "smudging" out the error, which necessitates working over large fields, resulting in poor efficiency.
- Published
- 2015
- Full Text
- View/download PDF
41. Recovering Lost Device-Bound Credentials
- Author
-
Lucjan Hanzlik, Foteini Baldimtsi, Gregory Neven, Jan Camenisch, Anja Lehmann, and Stephan Krenn
- Subjects
0301 basic medicine ,business.industry ,Computer science ,Computer security ,computer.software_genre ,Credential ,Registration authority ,ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS ,03 medical and health sciences ,030104 developmental biology ,0302 clinical medicine ,Backup ,030220 oncology & carcinogenesis ,ComputingMilieux_COMPUTERSANDSOCIETY ,Smart card ,business ,computer - Abstract
Anonymous credential systems allow users to authenticate in a secure and private fashion. To protect credentials from theft as well as from being shared among multiple users, credentials can be bound to physical devices such as smart cards or tablets. However, device-bound credentials cannot be exported and backed up for the case that the device breaks down or is stolen. Restoring the credentials one by one and re-enabling the legitimate owner to use them may require significant efforts from the user. We present a mechanism that allows users to store some partial backup information of their credentials that will allow them to restore them through a single interaction with a device registration authority, while security and privacy are maintained. We therefore define anonymous credentials with backup and provide a generic construction that can be built on top of many existing credential systems.
- Published
- 2015
- Full Text
- View/download PDF
42. An Architecture for Privacy-ABCs
- Author
-
Maria Dubovitskaya, Gregory Neven, Ioannis Krontiris, Franz-Stefan Preiss, Patrik Bichsel, Robert R. Enderlein, Stephan Krenn, Kai Rannenberg, Christian Paquin, Anja Lehmann, Ahmad Sabouri, and Jan Camenisch
- Subjects
Enterprise architecture framework ,Architecture framework ,business.industry ,Computer science ,Applications architecture ,Solution architecture ,Data architecture ,Reference architecture ,Software engineering ,business ,Software architecture description ,Service-oriented modeling - Abstract
One of the main objectives of the ABC4Trust project was to define a common, unified architecture for Privacy-ABC systems to allow comparing their respective features and combining them into common platforms. The chapter presents an overview of features and concepts of Privacy-ABCs and introduces the architecture proposed by ABC4Trust, describing the layers and components as well as the high-level APIs. We also present the language framework of ABC4Trust through an example scenario. Furthermore, this chapter investigates integration of Privacy-ABCs with the existing Identity Management protocols and also analyses the required trust relationships in the ecosystem of Privacy-ABCs.
- Published
- 2014
- Full Text
- View/download PDF
43. Cryptographic Protocols Underlying Privacy-ABCs
- Author
-
Maria Dubovitskaya, Patrik Bichsel, Franz-Stefan Preiss, Stephan Krenn, Gregory Neven, Anja Lehmann, Robert R. Enderlein, and Jan Camenisch
- Subjects
TheoryofComputation_MISCELLANEOUS ,Cryptographic primitive ,business.industry ,Computer science ,media_common.quotation_subject ,Cryptography ,Cryptographic protocol ,Computer security ,computer.software_genre ,Presentation ,Blind signature ,Commitment scheme ,Architecture ,business ,computer ,media_common - Abstract
In this chapter we present the Cryptographic Engine which provides the cryptographic functionality used in the ABC Engine, such as issuance or presentation of credentials. We first describe the architecture of the Cryptographic Engine, explain the building blocks it uses, and explain how they are bound together. We then describe the cryptographic primitives that the library uses to instantiate those building blocks.
- Published
- 2014
- Full Text
- View/download PDF
44. Learning with Rounding, Revisited
- Author
-
Daniel Wichs, Joël Alwen, Krzysztof Pietrzak, and Stephan Krenn
- Subjects
Discrete mathematics ,Polynomial ,Open problem ,Rounding ,Modulus ,0102 computer and information sciences ,02 engineering and technology ,01 natural sciences ,Deterministic encryption ,Reduction (complexity) ,Range (mathematics) ,010201 computation theory & mathematics ,0202 electrical engineering, electronic engineering, information engineering ,020201 artificial intelligence & image processing ,Learning with errors ,Mathematics - Abstract
The learning with rounding (LWR) problem, introduced by Banerjee, Peikert and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where one replaces random errors with deterministic rounding. The LWR problem was shown to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error ratio are super-polynomial. In this work we resolve the main open problem and give a new reduction that works for a larger range of parameters, allowing for a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater security, which now follows from the worst-case hardness of GapSVP with polynomial (rather than super-polynomial) approximation factors.
- Published
- 2013
- Full Text
- View/download PDF
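An added example, not code from the paper, that makes the "deterministic rounding" in the abstract concrete. With toy parameters q = 4096 and p = 16 (chosen for illustration only; they are far too small for security) it computes LWE samples with an explicit error and LWR samples with the rounding function ⌊(p/q)·⟨a,s⟩⌉ mod p, then lifts an LWR sample back to Z_q to show that it is an LWE sample whose error is fixed by a and s and bounded in absolute value by q/(2p). This bound is the "modulus-to-error ratio" the abstract talks about; the reduction itself is not reproduced here.

```python
# Added example (not from the paper): LWE versus LWR samples over Z_q with toy parameters.
import random


def inner_mod(a, s, q):
    """<a, s> mod q."""
    return sum(x * y for x, y in zip(a, s)) % q


def lwe_sample(a, s, q, e):
    """LWE: b = <a,s> + e mod q with an explicitly sampled (normally Gaussian) error e."""
    return (inner_mod(a, s, q) + e) % q


def round_q_to_p(x, q, p):
    """LWR rounding  ⌊x⌉_p = ⌊(p/q)·x⌉ mod p, computed exactly in integers (round half up)."""
    return ((2 * p * x + q) // (2 * q)) % p


def lwr_sample(a, s, q, p):
    """LWR: b = ⌊<a,s>⌉_p. The 'error' is whatever rounding discards, hence deterministic."""
    return round_q_to_p(inner_mod(a, s, q), q, p)


def implicit_lwr_error(a, s, q, p):
    """Lift the LWR sample back to Z_q and read off the LWE error it implies:
    b·(q/p) = <a,s> + e (mod q) with e in [-q/(2p), q/(2p)]. Assumes p | q."""
    assert q % p == 0, "this lifting needs p to divide q"
    x = inner_mod(a, s, q)
    e = (lwr_sample(a, s, q, p) * (q // p) - x) % q
    return e - q if e > q // 2 else e  # centred representative


def max_abs_error(q=4096, p=16, n=8, trials=2000, seed=1):
    """Largest |e| seen over random a for a fixed secret s; never exceeds q/(2p)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    worst = 0
    for _ in range(trials):
        a = [rng.randrange(q) for _ in range(n)]
        worst = max(worst, abs(implicit_lwr_error(a, s, q, p)))
    return worst


if __name__ == "__main__":
    q, p = 4096, 16
    print("q/(2p) =", q // (2 * p), " observed max |e| =", max_abs_error(q, p))
```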
45. Bringing Zero-Knowledge Proofs of Knowledge to Practice
- Author
-
Stephan Krenn
- Published
- 2013
- Full Text
- View/download PDF
46. A Counterexample to the Chain Rule for Conditional HILL Entropy
- Author
-
Krzysztof Pietrzak, Akshay Wadia, and Stephan Krenn
- Subjects
Discrete mathematics ,Conditional entropy ,Min entropy ,020206 networking & telecommunications ,0102 computer and information sciences ,02 engineering and technology ,01 natural sciences ,Differential entropy ,Rényi entropy ,Combinatorics ,010201 computation theory & mathematics ,Chain rule for Kolmogorov complexity ,Conditional quantum entropy ,Maximum entropy probability distribution ,0202 electrical engineering, electronic engineering, information engineering ,Joint quantum entropy ,Mathematics - Abstract
A chain rule for an entropy notion $$H(\cdot)$$ states that the entropy $$H(X)$$ of a variable $$X$$ decreases by at most $$\ell$$ if conditioned on an $$\ell$$-bit string $$A$$, i.e., $$H(X|A) \ge H(X) - \ell$$. More generally, it satisfies a chain rule for conditional entropy if $$H(X|Y,A) \ge H(X|Y) - \ell$$. All natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by $$\ell$$, but also the quality of the entropy decreases exponentially in $$\ell$$. However, for the standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far. In this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions $$X, Y, A$$, where $$A$$ is a distribution over a single bit, but $$H^{\mathsf{HILL}}(X|Y) \gg H^{\mathsf{HILL}}(X|Y,A)$$, even if we simultaneously allow for a massive degradation in the quality of the entropy. The idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption.
- Published
- 2013
- Full Text
- View/download PDF
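As an added illustration (not part of either abstract above, entries 35 and 46) of the information-theoretic chain rule that both papers contrast HILL entropy with, here is the rule carried through for Shannon entropy with the abstract's symbols. For random variables $$X$$, $$Y$$ and an $$\ell$$-bit $$A$$:

$$
H(X|Y,A) = H(X,A|Y) - H(A|Y) \;\ge\; H(X|Y) - H(A|Y) \;\ge\; H(X|Y) - \ell ,
$$

using that a joint entropy is never smaller than a marginal one, $$H(X,A|Y) \ge H(X|Y)$$, and that conditioning cannot increase entropy, $$H(A|Y) \le H(A) \le \log_2 |\mathrm{supp}(A)| \le \ell$$. The loss is therefore at most the length of $$A$$, whatever the joint distribution is. The papers' result is that no computational analogue of this bound survives for conditional HILL entropy: a single bit $$A$$ (so $$\ell = 1$$) can push $$H^{\mathsf{HILL}}(X|Y,A)$$ to essentially zero while $$H^{\mathsf{HILL}}(X|Y)$$ is large, even if the quality parameters (distinguishing advantage and circuit size) are allowed to degrade massively.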
47. Bringing Zero-Knowledge Proofs of Knowledge to Practice
- Author
-
Endre Bangerter, Stefania Barzan, Stephan Krenn, Ahmad-Reza Sadeghi, Thomas Schneider, and Joe-Kai Tsay
- Published
- 2013
- Full Text
- View/download PDF
48. cPLC — A cryptographic programming language and compiler
- Author
-
Ulrich Ultes-Nitsche, Martial Seifriz, Stephan Krenn, and Endre Bangerter
- Subjects
Cryptographic primitive ,Computer science ,business.industry ,Programming language ,Cryptography ,computer.file_format ,Cryptographic protocol ,computer.software_genre ,Encryption ,Benchmark (computing) ,Compiler ,Executable ,business ,computer ,Key exchange - Abstract
Cryptographic two-party protocols are used ubiquitously in everyday life. While some of these protocols are easy to understand and implement (e.g., key exchange or transmission of encrypted data), many of them are much more complex (e.g., e-banking and e-voting applications, or anonymous authentication and credential systems). For a software engineer without appropriate cryptographic skills the implementation of such protocols is often difficult, time consuming and error-prone. For this reason, a number of compilers supporting programmers have been published in recent years. However, they are either designed for very specific cryptographic primitives (e.g., zero-knowledge proofs of knowledge), or they only offer a very low level of abstraction and thus again demand substantial mathematical and cryptographic skills from the programmer. Finally, some of the existing compilers do not produce executable code, but only metacode which has to be instantiated with mathematical libraries, encryption routines, etc. before it can actually be used. In this paper we present a cryptographically aware compiler which is equally useful to cryptographers who want to benchmark protocols designed on paper, and to programmers who want to implement complex security sensitive protocols without having to understand all subtleties. Our tool offers a high level of abstraction and outputs well-structured and documented Java code. We believe that our compiler can contribute to shortening the development cycles of cryptographic applications and to reducing their error-proneness.
- Published
- 2011
- Full Text
- View/download PDF
49. Cache games - Bringing access-based cache attacks on AES to practice
- Author
-
Endre Bangerter, David Gullasch, and Stephan Krenn
- Subjects
Computer science ,business.industry ,Advanced Encryption Standard ,AES implementations ,Plaintext ,Cryptography ,02 engineering and technology ,Related-key attack ,Computer security ,computer.software_genre ,020202 computer hardware & architecture ,020204 information systems ,Ciphertext ,0202 electrical engineering, electronic engineering, information engineering ,Side channel attack ,Cache ,business ,computer ,Block cipher - Abstract
Side channel attacks on cryptographic systems exploit information gained from physical implementations rather than theoretical weaknesses of a scheme. In recent years, major achievements were made for the class of so-called access-driven cache attacks. Such attacks exploit the leakage of the memory locations accessed by a victim process. In this paper we consider the AES block cipher and present an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions. Unlike previous attacks, we do not require any information about the plaintext (such as its distribution, etc.). Moreover, for the first time, we also show how the plaintext can be recovered without having access to the ciphertext at all. It is the first working attack on AES implementations using compressed tables. There, no efficient technique to identify the beginning of AES rounds is known, which is the fundamental assumption underlying previous attacks. We have a fully working implementation of our attack which is able to recover AES keys after observing as little as 100 encryptions. It works against the OpenSSL 0.9.8n implementation of AES on Linux systems. Our spy process does not require any special privileges beyond those of a standard Linux user. A contribution of probably independent interest is a denial of service attack on the task scheduler of current Linux systems (CFS), which allows one to observe (on average) every single memory access of a victim process.
- Published
- 2011
- Full Text
- View/download PDF
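The following Python simulation is an added example and not the attack code from the paper. It models the simpler, earlier-known access-driven attack on the first AES round with known plaintexts, which is the class of attack the paper's technique improves on (the paper itself needs neither plaintexts nor round boundaries and also handles compressed tables; none of that is reproduced here). Assumptions made for the simulation: 64-byte cache lines, four uncompressed T-tables of 256 32-bit words (16 entries per line), and a spy that learns exactly which lines the victim touched during round one. Since the line index of the table lookup T[i mod 4][pt_i ⊕ k_i] is (pt_i ⊕ k_i) ≫ 4, each observation constrains only the upper four bits of each key byte; intersecting the surviving candidates over a few dozen encryptions recovers those 64 bits. The victim and the cache channel are simulated, so the program runs anywhere, and the key is the FIPS-197 example key.

```python
# Added example (not the paper's code): simulated first-round access-driven cache
# attack on T-table AES. Assumptions: 64-byte cache lines, 32-bit T-table entries,
# known plaintexts, and a spy that learns exactly which lines the victim touched.
import random

LINE_BYTES = 64
ENTRY_BYTES = 4
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES  # 16 -> line index = table index >> 4


def round1_lines(key: bytes, pt: bytes) -> list:
    """Cache lines touched in AES round 1: byte i indexes table T[i % 4] at pt[i] ^ key[i]."""
    touched = [set() for _ in range(4)]
    for i in range(16):
        touched[i % 4].add((pt[i] ^ key[i]) // ENTRIES_PER_LINE)
    return touched


def observe(key: bytes, n: int, rng: random.Random) -> list:
    """Spy model: per encryption the spy learns the plaintext and the lines touched per table.
    Plaintexts are random, as a victim encrypting attacker-independent data would produce."""
    samples = []
    for _ in range(n):
        pt = bytes(rng.getrandbits(8) for _ in range(16))
        samples.append((pt, round1_lines(key, pt)))
    return samples


def recover_high_nibbles(samples: list) -> list:
    """Keep, per key byte, only the high-nibble guesses consistent with every observation.
    Guess k survives a sample iff line(pt[i] ^ (k << 4)) is among the lines of table i % 4.
    The low nibble of the key never changes the line index, so it is invisible at this stage;
    a wrong guess survives one sample with probability at most 4/16, so ~40 samples suffice."""
    result = []
    for i in range(16):
        cands = set(range(16))
        for pt, touched in samples:
            cands = {k for k in cands
                     if ((pt[i] ^ (k << 4)) // ENTRIES_PER_LINE) in touched[i % 4]}
        result.append(cands)
    return result


def simulate_attack(key: bytes, n: int = 40, seed: int = 7) -> list:
    """Run the simulation end to end; returns the recovered high nibble per key byte
    (None where more than one candidate is still consistent)."""
    cands = recover_high_nibbles(observe(key, n, random.Random(seed)))
    return [next(iter(c)) if len(c) == 1 else None for c in cands]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
    print("recovered high nibbles:", [hex(x) for x in simulate_attack(key)])
    print("actual   high nibbles:", [hex(b >> 4) for b in key])
```

The remaining 64 bits (the low nibbles) are exactly what this first-round view cannot see; classic attacks take them from the second round or by brute force, which is why the paper's ability to observe every access without needing round boundaries matters.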
50. A Framework for Practical Universally Composable Zero-Knowledge Protocols
- Author
-
Stephan Krenn, Jan Camenisch, and Victor Shoup
- Subjects
Statement (computer science) ,Protocol (science) ,Theoretical computer science ,Computer science ,Universal composability ,Compiler ,Zero-knowledge proof ,Specification language ,Cryptographic protocol ,computer.software_genre ,Mathematical proof ,computer - Abstract
Zero-knowledge proofs of knowledge (ZK-PoK) for discrete logarithms and related problems are indispensable for practical cryptographic protocols. Recently, Camenisch, Kiayias, and Yung provided a specification language (the CKY-language) for such protocols which allows for a modular design and protocol analysis: for every zero-knowledge proof specified in this language, protocol designers are ensured that there exists an efficient protocol which indeed proves the specified statement. However, the protocols resulting from their compilation techniques only satisfy the classical notion of ZK-PoK, which is not retained when they are used as building blocks for higher-level applications or composed with other protocols. This problem can be tackled by moving to the Universal Composability (UC) framework, which guarantees retention of security when composing protocols in arbitrary ways. While there exist generic transformations from Σ-protocols to UC-secure protocols, these transformations are often too inefficient for practice. In this paper we introduce a specification language akin to the CKY-language and a compiler such that the resulting protocols are UC-secure and efficient. To this end, we propose an extension of the UC-framework addressing the issue that UC-secure zero-knowledge proofs are by definition proofs of knowledge, and state a special composition theorem which allows one to use the weaker --- but more efficient and often sufficient --- notion of proofs of membership in the UC-framework. We believe that our contributions enable the design of practically efficient protocols that are UC-secure and thus themselves can be used as building blocks.
- Published
- 2011
- Full Text
- View/download PDF