# Questions tagged as ['protocol-design']

Design of cryptographic protocols, i.e. ways of using algorithms (primitives) to achieve one or more security goals like integrity, confidentiality, authenticity (maybe together with non-security-related goals). If you ask about a specific protocol, tag with its name instead (or additionally, if about its design).
Score: 0 Understanding MITM in an example authentication protocol Imagine that we have a protocol like this:
B -> A: RB
A -> B: {RB,B}K

Goal: authenticate A to B
K: a shared key between A and B
{}K: encrypting by K

After receiving {RB, B}K by B, B is able to authenticate A. But what if we have something like:
A -> C: {RB,B}K
C -> B: {RB,B}K
so in this case B will authenticate C instead of A, isn't it?

Score: 1 Secure protocols with the dynamic programming solution concept? Suppose that we have the usual problem of secure communication, where each of the $$I$$ agents have a private signal $$s_1,s_2,\dots,I$$ and they wish to compute any function $$f(s_1,s_1,...,s_I)=(x_1,x_2,...,x_I)$$ in such a way that no party learns more than their input $$s_i$$ and output $$x_i$$.

Although I have seen many cryptographic protocols designed to be secure and in order to solve the problem th ...

Score: 3 What are Practical Primitives based on Lattices, LWE and FHE? Lattice-based cryptography is being used for several primitives and applications.

I know there are newer works for PIR, PSI, ORAM that have seen tremendous improvements due to FHE. In some cases, FHE is the only tool that can be used for practical constructions of these primitives.

My question is which other such primitives have seen improvements (in performance or security)?

Score: 2 Why do people use protocols like PGP, when TLS already exists? TLS is the standard cryptography protocol on the internet, and many websites use it to secure their communications. However, for personal use, most people use other protocols like PGP, instead of using TLS keys/certificates.

There doesn't seem to be any reason to not use TLS for these things, or at least the encryption/signing part. The transport part of TLS isn't always needed, since people have ...

Score: 1 Secret sharing is based in random variables that are uniformly distributed? In Rabin and Ben-Or, their basic assumption is that each participant can broadcast a message to all other participants and that each pair of participants can communicate secretly. Hence, they design a protocol of communication that is called verifiable secret sharing protocol (VSSP), and show that any multiparty protocol, or game with incomplete information, can be achieved if a majority of the play ...

Score: 0 Secure multiparty protocols proof and why is a necessary condition? Is there a strict proof for secure multiparty protocols? What do they serve? I mean some have shown the existence for such protocols, but can I use them in order to substitute a mediator in game theory who sends messages to the players? How can I model a process of $$3$$ or $$4$$ players who can play a game wihtout the central mediator and they exchange infroamtion with each other?

Score: 0 Example of exchanging information I am searching for a simle model that can simulate the following procedure.

Suppose that $$i$$ and $$j$$ are two agents that each one obtains her state dependets signal $$s_i(\omega)$$ and $$s_j(\omega)$$. After observing their own signals with probability $$1$$, they do not know anything about the signal that the other agent has, but they do know the common prior $$\pi$$ about the signals, s.t. $$\pi:\Omega\to \D ...$$

Score: 1 Algorithmic game theory and protocol design for communication There is a field of exchanging information that combines cryptography and game theory. I am interested in understanding this field, but it's a little complex for me. To begin with there is a paper of Barany which shows that instead of having a centralized mechanism of information where a mediator can inform the players about what strategy to follow, the players instead can replace the mediator w ...

Score: 2 Different secret sharing schemes instead of Shamir's? Are there any different secret sharing schemes instead of Shamir's Secret Sharing , that is not based in polynomial interpolation over finite fields? Or is it the most efficient than the others?

Score: 2 Why can proverif not find value that I just created? I have a really simple ProVerif problem. My current proverif code looks like this:

(* communication channel *)
free c:channel.

(* trying to create a mac scheme *)
type mkey.
fun mac (bitstring , mkey): bitstring.

(* Symmetric encryption *)

type skey.
type coins.

fun internal_senc(bitstring , skey , coins): bitstring.

reduc forall m:bitstring , k:skey , r:coins;
sdec(internal_senc(m,k,r),k)  ...
Score: 1 Scheme where earlier hashes provide "hints" to find same or nearby hashes I am looking for a hash methodology that allows previous hashes to provide "hints" to find same or nearby hashes:

1. if I expect to find a message $$M = P + U$$ consisting of private $$P$$ and public $$U$$ that hashes to some $$H \lt N$$ on average after $$T = S/N$$ tries, where $$S$$ is size of hash space (ie a cryptographically secure hash that can only be brute-forced)
2. then there is a way to find another $$P' ...$$
Score: 1 Is there a secure two party protocol that makes P1 (with x as input) gets rx+r' and P2 gets (r,r') It should be a secure two party protocol against malicious adversary.

P1's input is X in Zp* (p is a prime number); P2's input is nothing. P1's output is rX+r'. r,r' are random numbers from Zp* P2' output is r and r'.

Is there any efficent protocol to realize this functionality other than by using homomorphic encrytion? If only HE solves this problem, which is the most efficent one?

Thanks for help!

Score: 0 What security properties do I lose when letting the group creator choose group keys in a protocol similar to the Signal Protocol? As far as I know Whatsapp ,Signal and co in their group channels first used the already existing peer-to-peer channels between the participants and protected using the Double Ratchet Algorithm to exchange the key material for group communication. The Matrix Olm Library implements this principle using its Megolm Ratchet for advancing the sender keys for each participant. Each group member creates i ...

Score: 1 Proof that someone has access to a private key whose public key is part of a known group I'm a crypto newbie and hoping to get pointed in the right direction. I've seen some related questions like this but none that satisfy my requirements.

Let's say Jane's Forum is a large community, and every member of Jane's Forum has a public/private keypair. The public key is associated with their profile and visible to anyone.

Bob's Backpack Shop is willing to send a free backpack to every memb ...

Score: 1 Why does CMS' PasswordRecipient use a KEK? When using openssl cms -encrypt -pwri_password, it follows the process described in RFC 3211, which passes the user-provided password into a KDF, but then, rather than using the output of that KDF to encrypt the content, it instead uses that key as a KEK to encrypt the actual content-encryption key (CEK), which is then bundled alongside the content:

SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.2.840.113549.1 ...
Score: 1 Security proof for TLS 1.x In JKSS12, a proof for the handshake in TLS-DHE 1.2 is given, assuming (among other things) the PRF-ODH hypothesis on the PRF used to derive keys.

It is also stated that, if TLS 1.2 was to be modified to follow more closely the $$\Sigma_0$$ protocol from Canetti-Krawczyk; this protocol could be provably secure under a (weaker) DDH assumption instead of the PRF-ODH assumption (as it is the case for I ...

Score: 0 Detect if two numbers are equal without disclosing further information Consider the following scenario. Alice picks a number A; Bob picks a number B. Both A and B belong to a relatively small set X (by small I mean that X can be easily looped through: for intuition sake, imagine X to be the size of a deck of cards). I would like Alice and Bob to engage in a protocol that tells both if A = B. If A != B, then Alice should have no further information about B, and Bob should h ...

Score: 1 Composite order ECC and Ristretto I've been looking at ristretto.group, and its really cool.

I understand for some protocols we need curve points to behave as if they were from a prime order curve.

I have a few questions on this,

1. Do we call curves without prime order "composite"?
2. Why do some protocols demand prime order from the underlying curve?
3. Why isn't the fact that we work inside a prime order subgroup anyway good enough in th ...
Score: 1 What security does the BMR protocol offer against corruption? I've been conducting some research into general-purpose MPC protocols and have been unable to pinpoint the exact security offered by the BMR protocol. The reference I've been using for the majority of my research is “A pragmatic introduction to secure multi-party computation" by Evans et al., which states that BMR is able to achieve security "against any $$t < n$$ number of corruptions among ...

Score: 1 In TLS 1.3, what is the rational for using different handshake transcripts for Resumption Master Secret vs Application Traffic Secrets? The TLS 1.3 RFC, section 7.1 lists this as the last part of the key schedule:

https://datatracker.ietf.org/doc/html/rfc8446#section-7.1

            ...
0 -> HKDF-Extract = Master Secret
|
+-----> Derive-Secret(., "c ap traffic",
|                     ClientHello...server Finished)
|                     = client_application_traffic_secret_0
...
Score: 2 What happen if the curve used in key agreement protocol also used in signature inside of protocol? In key agreement (or key exchange) protocols, is used signature for authentication. Suppose that key exchange protocols execute on elliptic curve. The initiator of protocol must sends signature of his message with main message. What happen if the curve used in key agreement protocol also used in signature inside of protocol?

For example in Diffie-Hellman key exchange over curve, Alice sends $$aP$$ and  ...