## Section: New Results

### Cryptographic protocols

#### Identity based cryptography

Participants: Régis Dupont, Andreas Enge, Javier Herranz.

Elliptic curves in cryptography have first been used to replace finite fields in protocols whose security relies on the discrete logarithm problem, essentially keeping the protocols as they are and substituting one algebraic structure for another. There are, however, new applications of elliptic curves that exploit specific additional structures that are not found in the finite field setting, for instance the Tate and Weil pairings.

Everybody knows that the most difficult problem in modern cryptography, and more precisely in its would-be widespread use, is the key authentication problem, or more generally that of authenticating principals on an open network. The "classical" approach to this problem is that of a *public key infrastructure* (PKI), in which some centralized or distributed authority issues certificates for authenticating the different users. Another approach, less publicized, is that of *identity based cryptography* (ID), in which the public key of a user can be built very easily from, for instance, his email address. The cryptographic burden is then put on the shoulders of the *private key generator* (PKG), which the users must contact privately to obtain their secret keys and read their emails. The ID approach can be substituted for the PKI approach in some cases, where some form of ideal trustable PKG exists (private networks, etc.).

This ID idea is not new, but no efficient and robust protocol was known prior to the ideas of Boneh et al. using pairings on elliptic curves. R. Dupont and A. Enge have worked on such an ID-system. They have defined a notion of security for such a protocol and have given, in this model, a proof of security of a generalization of the system of Sakai, Ohgishi and Kasahara [12].

With respect to signatures, a current area of research is related to the aggregation of different signatures on different messages. In many applications, it is desirable to be able to transform many signatures on different messages into a single signature, in such a way that the length of this (aggregate) signature is much less than the total length of the initial signatures. A recipient should be able to verify the correctness of all the initial signatures by using only the list of messages and the aggregate signature, ideally with less computational effort than in the case where he must verify all the signatures one by one.

For traditional PKI-based signature schemes, efficient aggregate signature schemes have been proposed [28], [43]. In particular, in [28] the length of the resulting aggregate signature is constant, independent of both the number of messages and the number of signers; this proposal uses bilinear pairings as a tool. Using RSA techniques, the aggregate signatures obtained have a length which is independent of the number of messages, but still linear in the number of signers.

In the scenario of identity-based signatures, none of the existing signature schemes allows an efficient aggregation of signatures: the resulting aggregate signatures always have a length linear in the number of messages. To partially solve this problem, Javier Herranz has proposed in [14] a new identity-based signature scheme which yields an aggregate signature whose length is independent of the number of messages, but linear in the number of signers. In situations where one wants to aggregate many signatures coming from a small set of signers (even a single signer), the length of the resulting signature is simply constant.

#### Special (short) signatures

Participants: Javier Herranz, Fabien Laguillaumie.

To achieve specific properties desired in real-world applications of cryptography, variants of the classical digital signatures have been designed. Undeniable signatures and confirmer signatures are examples of such variants. Directed signatures differ from the well-known confirmer signatures in that the signer has the simultaneous abilities to confirm, deny and individually convert a signature. The universal conversion of these signatures has remained an open problem since their introduction in 1993. F. Laguillaumie, in collaboration with Pascal Paillier (Gemplus) and Damien Vergnaud (Univ. Caen), provides in the Asiacrypt'05 paper "Universally Convertible Directed Signatures" [40] a positive answer to this question by showing a very efficient design for universally convertible directed signatures, both in terms of computational complexity and signature size. The construction relies on the so-called xyz-trick, previously introduced by F. Laguillaumie and Damien Vergnaud, applicable to bilinear map groups.

F. Laguillaumie, in collaboration with Damien Vergnaud, also introduced a new undeniable signature scheme which is existentially unforgeable and anonymous under chosen message attacks in the standard model [41]. The scheme is an embedding of Boneh and Boyen's recent short signature scheme in a group where the decisional Diffie-Hellman problem is assumed to be difficult. The anonymity of the scheme relies on a decisional variant of the strong Diffie-Hellman assumption, while its unforgeability relies on the strong Diffie-Hellman assumption.

In collaboration with Benoît Libert and Jean-Jacques Quisquater [21], F. Laguillaumie designed two fairly efficient universal designated verifier signature (UDVS) schemes which are secure (in terms of unforgeability and anonymity) in the *standard model* (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more *classical* than those involved in the only two UDVS schemes in the standard model known to date; the latter rely on the Strong Diffie-Hellman assumption and the strange-looking *knowledge of exponent assumption* (KEA). The proposed schemes are also the first random oracle-free constructions with the anonymity property.

Finally, J. Herranz and F. Laguillaumie proposed in [20] a blind ring signature scheme based on pairings on algebraic curves. They formally prove the security (anonymity, blindness and unforgeability) of their scheme in the random oracle model, under quite standard assumptions. Blind ring signatures are useful, for instance, to design secure e-cash systems involving several banks.

#### Decryption with special properties

Participant: Javier Herranz.

In collaboration with David Galindo (Radboud University, Nijmegen, The Netherlands), Javier Herranz worked on *token-controlled public key encryption schemes*. In such schemes, the sender encrypts messages using the public key of the receiver together with a secret token, in such a way that the receiver is able to decrypt the ciphertext only once the token is delivered. This provides a solution to situations where someone wants a receiver to obtain some confidential information only when some condition is fulfilled, but is afraid that he might be unable to encrypt the message at the time this condition (a date, an event) is satisfied. The sender can encrypt the message in advance and give the secret token he used to some external party (a lawyer, for example), under the requirement that this party deliver the token to the intended receivers when the stated condition holds.

The results of this work, published in [17], are the following. First, some security flaws in previous token-controlled public key encryption schemes are detected; they are due to the fact that a crucial security property for these schemes had never been considered. This property is defined and formalized, and once this is done it is quite easy to see that the previous schemes do not satisfy it. Finally, a simple and efficient generic construction of token-controlled public key encryption schemes is proposed, starting from any trapdoor partial one-way function. The resulting schemes satisfy all the required security properties in the random oracle model.
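To make the functional idea of token-controlled encryption concrete, here is an added example that is not the construction of [17] nor code from the TANC team: a hashed-ElGamal style key encapsulation in which the secret token is mixed into the key derivation, so that the receiver's private key alone is not enough to decrypt and the token escrowed with the third party must also be delivered. The group parameters (a 64-bit safe prime generated on the fly), the hash-based key derivation and the HMAC check are all assumptions made only to keep the example self-contained; no claim is made that this toy scheme satisfies the security property formalized in [17].

```python
import hashlib
import hmac
import secrets

# Added illustration (not the scheme of [17]): the token enters the key
# derivation, so decryption needs BOTH the receiver's private key and the
# token. Toy-sized parameters (assumption: 64-bit safe prime), for clarity only.


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with random bases, after trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits: int = 64):
    """Return (p, q, g): a safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # squares lie in the order-q subgroup
        if g != 1:
            return p, q, g


def keygen(group):
    """Receiver's key pair: secret x and public y = g^x mod p."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def _derive(shared: int, token: bytes, p: int) -> bytes:
    """KDF over the Diffie-Hellman value AND the token: this is where the token control lives."""
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(b"tcpke|" + shared.to_bytes(size, "big") + b"|" + token).digest()


def _keystream(key: bytes, n: int) -> bytes:
    return hashlib.shake_256(b"stream|" + key).digest(n)


def encrypt(group, pk: int, token: bytes, msg: bytes):
    """Sender: public key plus secret token -> (c1, c2, tag)."""
    p, q, g = group
    size = (p.bit_length() + 7) // 8
    r = secrets.randbelow(q - 1) + 1
    c1 = pow(g, r, p)
    key = _derive(pow(pk, r, p), token, p)
    c2 = bytes(m ^ s for m, s in zip(msg, _keystream(key, len(msg))))
    tag = hmac.new(key, c1.to_bytes(size, "big") + c2, hashlib.sha256).digest()
    return c1, c2, tag


def decrypt(group, sk: int, token: bytes, ciphertext):
    """Receiver: returns the plaintext, or None if the token is wrong or the ciphertext was altered."""
    p, _, _ = group
    size = (p.bit_length() + 7) // 8
    c1, c2, tag = ciphertext
    key = _derive(pow(c1, sk, p), token, p)  # c1^x = pk^r, the same DH value the sender used
    expected = hmac.new(key, c1.to_bytes(size, "big") + c2, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(c2, _keystream(key, len(c2))))


if __name__ == "__main__":
    grp = gen_group()
    sk, pk = keygen(grp)
    token = secrets.token_bytes(16)  # handed to the lawyer, released when the condition holds
    ct = encrypt(grp, pk, token, b"open on the stated date")
    assert decrypt(grp, sk, token, ct) == b"open on the stated date"
    assert decrypt(grp, sk, b"not the token", ct) is None  # private key alone does not suffice
```

The receiver can store the ciphertext long before the condition is met; until the token is released, the HMAC check fails and nothing about the plaintext is revealed by the decryption routine. A real deployment would of course use a standard group and a vetted KEM rather than this toy setup.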

#### CESAM

Participants: Andreas Enge, Nicolas Gürel.

The CESAM project is a contract of the ACI Sécurité Informatique, involving TANC, P. Gaudry from SPACES/CACAO and the crypto team at ENS. The goal of this project is to study cryptographic protocols involving elliptic curves, with a view towards specific environments where the resources (CPU, memory, bandwidth) are limited.

In [30], an authenticated key exchange algorithm is designed using specific properties of elliptic curves, namely the existence of the *quadratic twist* that can be associated to any elliptic curve. The nice feature of this approach is that it is possible to prove the security of the protocol in the standard model, and in particular without relying on the controversial Random Oracle Model. Indeed, in key exchange protocols, the session key is usually obtained by applying a hash function to a group element; in the present case, this hash function is no longer necessary.

The curves that can be used in this protocol are not the same as the curves that are used in classical protocols, since the group orders of the curve and of the quadratic twist both need to be prime. A. Enge has made use of the complex multiplication approach presented above to generate such curves. Finding curves of cryptographic size (192 bits) is a matter of seconds with his implementation. A note is in preparation.

In the same direction, N. Gürel [39] has provided new tools to avoid the use of hash functions in elliptic curve key exchange protocols. The method is simple to put into practice, since one just takes some of the bits of the abscissa (x-coordinate) of a point. The difficult part is to give a rigorous proof that if this point is indistinguishable from a random point, then the bits that are extracted are indistinguishable from random bits. N. Gürel proved this result in two contexts: the case where the base field is an extension of degree 2, and the case where the base field is a prime field. In the former case, one can extract 1/2 of the bits of the abscissa, whereas in the latter case the extraction rate is lower (and depends on the indistinguishability that is required).

#### Security in *ad hoc* networks

Participants: François Morain, Javier Herranz, Fabien Laguillaumie.

F. Morain and D. Augot (CODES) participate in the ACI SERAC (SEcuRity models and protocols for Ad-hoC Networks), which started in September 2004. Their interest there is to understand the (new?) cryptographic needs of such networks and to try to invent new trust models.

It is clear that the recent arrival of Hipercom (also a member of SERAC) at École polytechnique triggers new collaborations in that direction.

A collaboration between TANC (J. Herranz, F. Laguillaumie) and CODES (R. Bhaskar) via the SERAC project of the ACI S&I has led to [16] .

Achieving secure routing in ad-hoc networks is a big challenge. The typical way to prevent or reduce the possible attacks is to use mechanisms to authenticate the origin of all messages. Standard (asymmetric) signature schemes provide these mechanisms, but may result in inefficient implementations, especially when many nodes (and so many signatures) are expected.

Some of these efficiency problems can be reduced with the use of aggregate signatures, which improve the length and the cost of managing many different signatures. In this article, the authors propose a new concept, aggregate designated verifier signature schemes, which can be implemented in a more efficient way than standard aggregate signatures (for example by using MACs). Such schemes can be sufficient to authenticate the establishment of routes in reactive protocols. Formal definitions for the new primitive and the required security properties are given. Moreover, a specific and efficient scheme is proposed which uses MACs, and is proven secure in the random oracle model.
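The following added example, which is not the scheme of [16] and not code from the TANC or CODES teams, shows why MACs are enough for a designated-verifier aggregate and how the aggregate stays constant-size along a route. It assumes that the designated verifier (for instance the node that initiated a route request) shares one MAC key with every node that may appear on the route, and that each hop folds its own tag into a running 32-byte value. Because the verifier holds the same keys, it could have produced every tag itself, so the result convinces the verifier alone; that is exactly the designated-verifier property. The route messages are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Added illustration of a MAC-based aggregate designated verifier signature.
# NOT the construction of [16]: it is the simplest scheme with the properties
# described in the text. Assumption: the verifier shares a MAC key with each node.

TAG_LEN = 32
EMPTY = bytes(TAG_LEN)  # value of the aggregate before any hop has signed


def setup_keys(nodes):
    """Constructed key setup: one fresh 32-byte key per node, known to that node and the verifier."""
    return {node: secrets.token_bytes(32) for node in nodes}


def sign_hop(key: bytes, node: str, message: bytes, running: bytes) -> bytes:
    """A node extends the aggregate: HMAC over (previous aggregate, own id, own message).
    The length prefix keeps (node, message) pairs unambiguous."""
    data = running + node.encode() + b"\x00" + len(message).to_bytes(4, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()


def aggregate_sign(keys, hops):
    """Walk the route; hops is a list of (node, message) in path order.
    The output is always TAG_LEN bytes, however many hops signed."""
    running = EMPTY
    for node, message in hops:
        running = sign_hop(keys[node], node, message, running)
    return running


def aggregate_verify(keys, hops, sigma: bytes) -> bool:
    """Only the designated verifier, who knows every key, can replay the chain.
    An empty route, an unknown node, an altered message or a reordered path all fail."""
    if not hops or any(node not in keys for node, _ in hops):
        return False
    return hmac.compare_digest(aggregate_sign(keys, hops), sigma)


if __name__ == "__main__":
    keys = setup_keys(["S", "A", "B", "D"])
    # Constructed route request accumulating through intermediate nodes A and B
    route = [("S", b"RREQ id=7 dst=D"),
             ("A", b"RREQ id=7 dst=D via S"),
             ("B", b"RREQ id=7 dst=D via S,A")]
    sigma = aggregate_sign(keys, route)
    assert len(sigma) == TAG_LEN
    assert aggregate_verify(keys, route, sigma)
    assert not aggregate_verify(keys, route[:2] + [("B", b"RREQ id=7 dst=D via S,X")], sigma)
    assert not aggregate_verify(keys, [route[1], route[0], route[2]], sigma)
```

Each intermediate node forwards only the 32-byte running value together with its own hop information, so the authentication overhead of a route request does not grow with the number of hops; what the construction does not give is public verifiability, which is why it is a designated-verifier primitive rather than an ordinary aggregate signature.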

[11] is an extension of their work in [16]: in particular, it adds the ID-based feature.

J. Herranz and F. Laguillaumie have given a series of lectures on digital signatures for the members of the SERAC project.