ABSTRACT
A message recognition protocol (MRP) aims to exchange authenticated information over an insecure channel. During the initialization session of the protocol, the parties exchange some authenticated information which the adversary can passively observe. Then, one party wants to send authenticated messages to the other party over an insecure channel. Such security requirements are often found in wireless sensor networks.
A perennial MRP is one that is able to recover from the adversarial interference, no matter how long the adversary has been active before it stops. MRPs based on hash chains are not perennial because after fixing the length of the hash chain in the initialization phase, authentic communication is not possible if the adversary interferes until all elements of the hash chain have been consumed.
Perennial MRPs can be trivially built from public-key primitives. In this paper we present very strong evidence that they cannot be constructed from "cheap" primitives. Namely, we show that, in the symbolic model of cryptography, perennial MRPs cannot be built using just hash functions and XORing. The result also covers other symmetric primitives, e.g. encryption. The result explains why all previous attempts to construct perennial MRPs from those primitives have failed. The result also has interesting implications regarding authentication protocols in general, and the gap between formal and computational models of cryptography.
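The hash-chain MRP and the exhaustion failure described in the abstract, simulated in Python as an added example (not code from the paper). The sender/receiver structure, the rule that every session consumes one chain element whether or not it is delivered, and the receiver's forward hash walk over burned elements are modelling assumptions made here.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Sender:
    def __init__(self, n: int):
        # x_n is a random secret and x_{i-1} = H(x_i). The anchor x_0 is handed over
        # during authenticated initialization; x_1..x_n are revealed one per session.
        xs = [os.urandom(32)]
        for _ in range(n):
            xs.append(H(xs[-1]))
        self.chain = xs[::-1]          # chain[0] = x_0 (anchor) ... chain[n] = x_n
        self.next = 1                  # index of the next unconsumed element

    def send(self, msg: bytes):
        # One element per session, delivered or not: a disrupted session may have exposed x_i.
        if self.next >= len(self.chain):
            return None                # chain exhausted: nothing more can be authenticated
        x = self.chain[self.next]
        self.next += 1
        return msg, H(x + msg), x      # commit (msg, tag) first, reveal x after the ack (simulated)

class Receiver:
    def __init__(self, anchor: bytes, n: int):
        self.last, self.n = anchor, n  # last verified element; chain length from init
        self.accepted = []

    def verify(self, msg: bytes, tag: bytes, x: bytes) -> bool:
        # Hash forward over elements burned in disrupted sessions; a gap longer than the chain is unbridgeable.
        y = x
        for _ in range(self.n):
            y = H(y)
            if y == self.last and H(x + msg) == tag:
                self.last = x
                self.accepted.append(msg)
                return True
        return False

def run(n: int, disrupted: int, later: int) -> list:
    # Adversary blocks the first `disrupted` sessions, then goes quiet; the sender then
    # attempts `later` more messages. Returns the messages the receiver accepted.
    s = Sender(n)
    r = Receiver(s.chain[0], n)
    for i in range(disrupted + later):
        session = s.send(b"reading-%d" % i)
        if session is None or i < disrupted:
            continue                   # chain exhausted, or reveal dropped by the adversary
        r.verify(*session)
    return r.accepted
```

With a chain of length 4, run(4, 2, 3) still delivers two messages after the adversary stops, but run(4, 4, 3) delivers none: the chain is spent and no re-initialization is possible, which is exactly the non-perennial behaviour.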