
Miroslaw Kutylowski, prof. dr hab.
NASK National Research Institute
271 publications, 14,397 reads, 1,590 citations
Additional affiliations: October 2000 - present
Publications (271)
We analyze the FIDO2 authentication scheme, popular in practice, from the point of view of kleptographic threats that have not been addressed so far in the literature. We show that despite its spartan design and apparent efforts to make it immune to dishonest protocol participants, the unlinkability features of FIDO2 can be effectively broken without...
In this paper, we analyze the FIDO2 authentication scheme from the point of view of its resilience to kleptographic attacks. We show that despite its spartan design and apparent efforts to make it immune to dishonest protocol participants, the unlinkability features of FIDO2 can be effectively broken without a chance to detect it by observing the i...
As part of the responses to the ongoing crypto wars, the notion of Anamorphic Encryption was put forth. The notion allows private communication in spite of a dictator who is engaged in an extreme form of surveillance and or censorship, where it asks for all private keys and knows and may even dictate all messages. The original work pointed out effi...
The goal of this research is to raise technical doubts regarding the usefulness of the repeated attempts by governments to curb Cryptography (aka the “Crypto Wars”), and argue that they, in fact, cause more damage than adding effective control. The notion of Anamorphic Encryption was presented in Eurocrypt’22 for a similar aim. There, despite the p...
The European eIDAS Regulation introduces an electronic seal as a legal solution necessary for the transition to a fully digital document flow. An electronic seal has to authenticate the origin of the document and confirm the data contained in a digital document. A usage scenario of electronic seals – e.g. confirming financial operations, issuing in...
We discuss the model of electronic signatures as described by the European eIDAS Regulation from the perspective of common understanding of electronic signatures in the cryptographic community. We show that these two perspectives do not present the same picture. The discrepancies between them may become opportunities as well as barriers for rapid d...
Driven by various legal obligations and service requirements, the redactable blockchain was introduced to balance the modifiability and immutability of blockchain technology. However, such a blockchain inevitably generates one or even more acceptable versions for the same block data, enabling malicious full nodes to deceive light/new nodes with old...
In this paper we present modifications to the protocols PACE (Password Authenticated Connection Establishment) and PACE CAM (PACE with Chip Authentication Mapping) from International Civil Aviation Organization (ICAO) specification. We show that with slight changes it is possible to convert PACE (which is limited to password authentication) and PAC...
We propose a modification of the hierarchical-ring-signature scheme, which may be regarded as an extension to a regular ring signature scheme. The scheme is defined over a structure of nodes, where each node is a root of its own tree, and its anonymity-set spans over all its leaf nodes. Our modified construction is resistant to an exposure of rando...
This chapter is devoted to the design and implementation of electronic ID (eID) such as ePassports and electronic personal identity documents. We present an overview of existing and emerging concepts, both concerning threats and possible countermeasures. Thereby we aim to shed light on the development of ubiquitous systems, where many artifacts wil...
In this chapter we focus on two important security challenges that naturally emerge for large scale systems composed of cheap devices implementing only symmetric cryptographic algorithms. First, we consider threats due to poor or malicious implementations of protocols, which enable data to be leaked from the devices to an adversary. We present solu...
The main real impact of the GDPR regulation of the EU should be improving the protection of data concerning physical persons. The sharp GDPR rules have to create a controllable information environment, and to prevent misuse of personal data. The general legal norms of GDPR may, indeed, be regarded as justified and well motivated by the existing thr...
This book constitutes the refereed proceedings of the 14th International Conference on Network and System Security, NSS 2020, held in Melbourne, VIC, Australia, in November 2020. The 17 full and 9 short papers were carefully reviewed and selected from 60 submissions. The selected papers are devoted to topics such as secure operating system architec...
We present a derandomized version of the ICAO protocol PACE – a PAKE protocol (password authenticated key exchange) used for identity documents including biometric passports and future European personal ID documents. The modification aims to remove necessity of implementing random number generator and thereby reduce the cost of the chip and its cer...
Creating a distributed reputation system compliant with the GDPR Regulation faces a number of problems. Each record should be protected regarding its integrity and origin, while the record’s author should remain anonymous, as long as there is no justified legal reason to reveal his real identity. Thereby, the standard digital signatures cannot be a...
As many research papers show, one of the problems of a LoRa network is its limit regarding the scalability. However, these papers also indicate that it is possible to achieve the scalability for them by dynamically selecting transmission parameters and/or by employing multiple gateways. In this paper, we build upon the latter solution and show that...
We present anonymous identification schemes, where a verifier can check that the user belongs to an ad-hoc group of users (just like in the case of ring signatures); however, a transcript of a session executed between a user and a verifier is deniable: neither the verifier nor the prover can convince a third party that a given user has been involved in a...
An identification protocol has to deliver a proof that the protocol participants are who they claim to be. Related to the circumstances, the proof must be sufficiently convincing for the addressee. On the other hand, as long as the data minimality principle is concerned, the proof should be useless for any party that is not the intended addressee....
Recently, a few pragmatic and privacy protecting systems for authentication in multiple systems have been designed. The most prominent examples include Pseudonymous Signatures for German personal identity cards and Anonymous Attestation. The main properties are that a user can authenticate himself with a single private key (stored on a smart card),...
The chapter concerns cryptographic schemes enabling to sign digital data in a pseudonymized way. The schemes aim to provide a strong cryptographic evidence of integrity of the signed data and origin of the signature, but at the same time have to hide the identity of the signatory. There are two crucial properties that are specific for pseudonymous...
This special issue contains 28 full papers selected from the Computer Animation
This book constitutes the refereed proceedings of the 33rd IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2018, held at the 24th IFIP World Computer Congress, WCC 2018, in Poznan, Poland, in September 2018. The 27 revised full papers presented were carefully reviewed and selected from 89 submissions. The pa...
We consider data transmission in a wireless multi-hop network, where node failures may occur and it is risky to send over a single path. As the stations may transmit at the same time, we apply the Cai-Lu-Wang collision avoidance scheme. We assume that the nodes know only their neighbors and there is no global coordination. The routing strategy is t...
We present a protection mechanism against forgery of electronic signatures with the original signing keys. It works for standard signatures based on discrete logarithm problem such as DSA. It requires only a slight modification of the signing device – an implementation of an additional hidden evidence functionality. We assume that neither verificat...
Security of many cryptographic protocols is conditioned by quality of the random elements generated in the course of the protocol execution. On the other hand, cryptographic devices implementing these protocols are designed given technical limitations, usability requirements and cost constraints. This frequently results in black box solutions. Unfo...
We present a version of Camenisch-Lysyanskaya’s anonymous credential system immune to attacks based on leakage of ephemeral values used during protocol execution. While preserving “provable security” of the original design, our scheme improves its security in a realistic scenario of an imperfect implementation on a cryptographic device.
We consider the situation, where an adversary may learn the ephemeral values used by the prover within an identification protocol, aiming to get the secret keys of the user, or just to impersonate the prover subsequently. Unfortunately, most classical cryptographic identification protocols are exposed to such attacks, which might be quite realistic...
Data deduplication is a special type of resource usage optimisation. It leads to reduction of the used storage space and network bandwidth by eliminating duplicate copies of the same data file. Convergent encryption, as the state-of-art approach, has been widely adopted to perform secure deduplication in the cross-user scenario. However, all prior...
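The abstract above mentions convergent encryption as the standard way to deduplicate across users: the key is derived from the plaintext itself, so identical files from different users encrypt to identical ciphertexts and the storage server can keep one copy. The same determinism is what lets anyone with a guessable plaintext confirm whether it is stored. The following is an added illustration of that mechanism and its confirmation-of-file weakness; it is not code from the paper. The keystream cipher (HMAC-SHA256 in counter mode) and the `DedupStore` class are assumptions chosen so the example runs with only the Python standard library; a deployment would use AES-CTR or an AEAD.

```python
"""Convergent encryption for cross-user deduplication, and the
confirmation-of-file attack that deterministic encryption permits.
Added illustration, not code from the paper."""
import hashlib
import hmac

BLOCK = 32  # keystream block size: one HMAC-SHA256 output


def convergent_key(data: bytes) -> bytes:
    # The key is a hash of the plaintext, so two users holding the same
    # file derive the same key and therefore produce the same ciphertext.
    return hashlib.sha256(data).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Deterministic stream cipher standing in for AES-CTR:
    # keystream block i = HMAC(key, i). Encryption and decryption coincide.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def convergent_encrypt(data: bytes):
    """Return (key, ciphertext, tag); the tag is the server-side dedup handle."""
    key = convergent_key(data)
    ct = keystream_xor(key, data)
    tag = hashlib.sha256(ct).digest()
    return key, ct, tag


class DedupStore:
    """Server side: keeps one blob per tag, never sees keys or plaintexts."""

    def __init__(self):
        self.blobs = {}

    def put(self, tag: bytes, ct: bytes) -> bool:
        # True if a fresh copy was stored, False if deduplicated against an
        # existing upload (possibly from another user).
        if tag in self.blobs:
            return False
        self.blobs[tag] = ct
        return True


def confirmation_attack(store: DedupStore, candidates) -> list:
    """Anyone who can query the store (or observe tags on the wire) can test a
    guessed plaintext: because key and ciphertext are functions of the
    plaintext alone, the guess's tag either is or is not present."""
    return [c for c in candidates if convergent_encrypt(c)[2] in store.blobs]


def demo():
    store = DedupStore()
    alice_file = b"Q3 payroll: raise for everyone"  # constructed sample data
    bob_file = alice_file                          # Bob holds the same file
    _, ct_a, tag_a = convergent_encrypt(alice_file)
    key_b, ct_b, tag_b = convergent_encrypt(bob_file)
    stored_first = store.put(tag_a, ct_a)          # Alice's upload is stored
    stored_second = store.put(tag_b, ct_b)         # Bob's is deduplicated
    recovered = keystream_xor(key_b, store.blobs[tag_b])  # Bob decrypts
    guesses = [b"Q3 payroll: no raise", alice_file, b"lorem ipsum"]
    leaked = confirmation_attack(store, guesses)   # attacker learns which guess is stored
    return stored_first, stored_second, recovered == alice_file, leaked


if __name__ == "__main__":
    print(demo())
```

The attack needs no key: an adversary who suspects a specific document is in the store simply encrypts the guess and checks for the tag. Low-entropy files (form letters, configuration templates, leaked documents) are exactly the ones most likely to be deduplicated and therefore most exposed.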
We present a formal model for domain pseudonymous signatures – in particular providing a simple and strong concept and comprehensive formalization of unlinkability, which is the key property of domain pseudonymous signatures. Following the approach deployed for German personal identity cards, we consider domains that have to be registered and requi...
We study the problem of hiding communication: while it is easy to encrypt a message sent from Alice to Bob, it is hard to hide that such a communication takes place. Communication hiding is one of the fundamental privacy challenges, especially in the case of an adversary having a complete view of the traffic and controlling a large number of nodes. Fol...
Recently, a few pragmatic and privacy protecting systems for authentication in multiple systems have been designed. The most prominent examples are Restricted Identification and Pseudonymous Signature schemes designed by the German Federal Office for Information Security for German personal identity cards. The main properties are that a user can au...
According to the European Commission Decision C(2006) 2909, EU Member States must implement Supplemental Access Control (SAC) on biometric passports. The SAC standard describes two versions of a password based authenticated key exchange protocol called PACE-GM and PACE-IM. Moreover, it defines an extension called PACE-CAM. Apart from password authe...
The application of modern electronic identity documents is not limited to local authentication; they can also be used to remotely access online services. In order to protect the user's activities in different services, a pseudonymous identification system must be used. Standard cryptographic primitives are too complex for embedded devices, thus the restr...
We investigate eIDAS Token specification for Pseudonymous Signature published recently by German security authority BSI, German Federal Office for Information Security. We analyze how far the current specification prevents privacy violations by the Issuer by malicious or simply careless implementation. We find that, despite the declared design goal...
In a number of practical scenarios a wireless device needs to mark its presence, for instance, to some access point. That enables the access point to assign the device its transmission slot or update the count of the network nodes. Many protocols can achieve exactly this result. In this paper, our goal is to show how that can be done in the simples...
In our paper we provide a mathematical analysis of a probabilistic long-hop routing algorithm which uses as the randomizing factor the estimate of the distance of a station from the previous-hop source of the message.
This paper presents an algorithm that improves channel-access statistics for wireless medium. The proposed modification of the standard CSMA algorithm is analytically shown to yield better results and simulation results are given to support this claim.
We present a pragmatic evaluation system, where privacy of each evaluator is guaranteed in a cryptographic way. Each evaluation report is signed with a domain signature that is related to the anonymous signer and to the evaluation subject in the way that (a) a given user cannot appear under different pseudonym for a given evaluation subject (no Syb...
Anonymous credential systems have to provide strong privacy protection: a user may prove his (chosen) attributes without leaking either his identity or other attributes. In this paper we consider U-Prove - one of the major commercial anonymous credential systems. We show that the revocation mechanism designed for U-Prove enables a system provider...
We introduce and analyze a distributed cardinality estimation algorithm for a network consisting of unsynchronized nodes. Our solution can be treated as a generalization of the classic approximate counting algorithm based on the balls and bins model and is connected to the well studied process of covering the circle with random arcs. Although the...
In this paper we consider restricted identification (RI) protocols which enable strong authentication and privacy protection for access control in an unlimited number of domains. A single secret key per user is used to authenticate and derive his identity within any domain, while the number of domains is unlimited and the scheme guarantees unlinkab...
We present a new concept for invalidating electronic signatures which, in many situations, seem to be better suited for real business and society applications. We do not rely on an administrative invalidation process executed separately for each single signing key and based on certificate revocation lists. Instead, all signatures created with a cer...
We present a communication protocol with encryption, suitable for extremely weak devices, which communicate only by sending un-modulated, on/off signals (beeping). We assume a severely constrained model with no coordination or synchronization between devices, and no mechanism for message reception acknowledgement. Under these assumptions, we present...
A key distribution scheme for wireless sensor networks based on a system of dynamic, pairwise keys is considered. In the scheme, each pair of communicating nodes shares pairwise symmetric keys and changes them at every transmission using a set of hashing functions. This article examines security aspects of the protocol. The most important issue is...
We show that despite the cryptographic strength of the password authentication, we cannot exclude an attack by an adversary that penetrates the reader device at some moment, but apart from this is passive and manipulates neither the reader nor the microcontroller of the identity document. So even the most careful examination and certification of th...
We propose an effective scheme for controlling usage of secure signature creation devices (SSCD). With cryptographic means we assure that an inspector can check whether an (ordered) list of signatures at hand is the complete list of signatures created by the device. Our scheme is devoted to some applications like automatic creation of invoices or c...
Designing a cryptographic protocol for practical applications is a challenging task even for relatively simple scenarios. The usual approach is to design a protocol having in mind some simple attack scenarios. This produces clean designs but many security problems might be ignored. Repeatedly, the development in this area was a sequence of steps: m...
We analyse security of the scheme proposed in the paper “Accumulators and U-Prove Revocation” from the Financial Cryptography 2013 proceedings. Its authors propose an extension for the U-Prove, the credential system developed by Microsoft. This extension allows to revoke tokens (containers for credentials) using a new cryptographic accumulator sche...
In this paper we present a negative solution of counting problems for some classes slightly different from bounded arithmetic ($\Delta_0$ sets). To get the results we study properties of chains of finite automata.
We consider admissible encodings on an elliptic curve, that is, the hash functions that map bitstrings to points of the curve. We extend the framework of admissible encodings, known from CRYPTO 2010 paper, to some class of non-deterministic mapping algorithms. Using Siguna Müller’s probabilistic square root algorithm we show a mapping that works ef...
The two-volume set, LNCS 8712 and LNCS 8713 constitutes the refereed proceedings of the 19th European Symposium on Research in Computer Security, ESORICS 2014, held in Wroclaw, Poland, in September 2014 The 58 revised full papers presented were carefully reviewed and selected from 234 submissions. The papers address issues such as cryptography, for...
We present two protocols for data aggregation in networks consisting of many subsystems run by different and potentially adversarial parties. In such a case the messages from the nodes of a subnetwork are aggregated and transmitted to the sink over intermediate nodes which are not controlled by the subnetwork, and which potentially are influenced b...
We consider the scenario where a broadcaster sends messages to an ad hoc subset of receivers. We assume that once a receiver becomes active, it must receive all messages directed to it. The problem considered in this paper is minimization of the energy usage for the receiver. As most of the energy is spent for the receiver's antenna, our goal is to...
We extend the idea of Restricted Identification deployed in the personal identity documents in Germany. Our protocol, Mutual Restricted Authentication (MRI for short), is designed for direct anonymous authentication between users who belong to the same domain (called also a sector). MRI requires only one private key per user. Still there are no lim...
We present an Anonymous Mutual Authentication (AMA) protocol for authentication and key agreement between cryptographic devices. It is an alternative to Terminal Authentication (TA) plus Chip Authentication (ChA) developed for electronic travel documents. Unlike conventional TA, executing AMA does not provide any digital record that could be used a...
We present a pragmatic solution for issuing low cost secure identity documents. The case described in detail are planned parking permits for disabled people issued by local authorities. We describe in particular a new concept of verification of face image of document holder in a way that ensures cryptographic security level, but does not require th...
Rackoff and Simon proved that a variant of Chaum’s protocol for anonymous communication, later developed as the Onion Routing Protocol, is unlinkable against a passive adversary that controls all communication links and most of the nodes in a communication system. A major drawback of their analysis is that the protocol is secure only if (almost) al...
We present the SPACE|AA protocol that merges Chip Authentication of a smart card with card owner authorization via the PACE protocol implemented in German personal identity documents. It is an improvement of the PACE|AA protocol presented at Financial Cryptography 2012. Moreover, we explicitly formulate the privacy model implicitly used by the authors of PACE|AA.
We propose a method for prevention of tracking RFID tags. We consider the model in which the adversary may eavesdrop on a large fraction of interactions, but not all of them. We propose a scheme that we call Chameleon RFID. It is based on dynamic changes of identity during each interaction: flipping half of the bits at random positions. The scheme is not b...
Distributed RSA key generation protocols aim to generate RSA keys in such a way that no single participant of the protocol can learn the factorization of the RSA modulus. In this note we show that two recent protocols of this kind (Journal of Network Security, Vol. 7, No. 1, 2008, pp. 106-113 and Vol. 8, No. 2, 2009, pp. 139-150) fail their security...
For personal identity documents, we propose a procedure of presenting a signed face image of the document holder. Our goal is to authenticate the image by the document issuer, but at the same time to prevent misuse of this high quality digital data. As the signature is recipient dependent, illegitimate transfer of the signature to third parties is stro...
We show how a signatory can indicate coercion by embedding a secret message into the signature. Our scheme is practical and applies to standard signature schemes unlike the recent construction of Durnoga et al. (2013). The construction follows directly from kleptographic techniques due to Moti Yung and Adam Young.
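Two abstracts on this page rely on the same underlying trick: the hidden-evidence functionality for DSA-type signatures (the forgery-protection entry above, "We present a protection mechanism against forgery of electronic signatures with the original signing keys...") and the coercion indicator embedded into a signature in the entry just above. In both, the signing device steers the per-signature randomness so that a party holding a shared secret can read information from a signature that is otherwise indistinguishable from a plain one; a forger who holds only the signing key cannot reproduce it. The following is an added, generic illustration of such a channel in a Schnorr-type signature via nonce rejection sampling, the classic technique of Young and Yung; it is not the construction of either paper. The toy group (p = 2039, q = 1019, generator 4), the use of SHA-256/HMAC, the one-byte tag, and the `NORMAL`/`COERCED` encoding are all assumptions made for the example; the parameters are far too small for any real use.

```python
"""Subliminal (kleptographic) channel in a Schnorr-type signature built by
resampling the nonce. Added illustration, not the papers' schemes.
Toy-sized parameters: constructed for the example and insecure."""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4   # constructed: p = 2q + 1, G generates the order-q subgroup
NORMAL, COERCED = 0x00, 0xFF  # hidden byte values an inspector expects to see


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # private x, public y = G^x


def nonce_tag(shared_key: bytes, R: int) -> int:
    # One byte of a keyed MAC over the commitment R. Without shared_key the
    # tag is unpredictable, so the resampling is invisible to verifiers.
    return hmac.new(shared_key, R.to_bytes(2, "big"), hashlib.sha256).digest()[0]


def sign(x: int, msg: bytes, shared_key=None, hidden: int = NORMAL):
    """Plain Schnorr signature when shared_key is None. Otherwise the device
    draws fresh nonces until tag(R) equals the hidden byte (about 256 trials
    on average), embedding one byte that only shared_key holders can read."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        R = pow(G, k, P)
        if shared_key is None or nonce_tag(shared_key, R) == hidden:
            break
    e = H(R.to_bytes(2, "big"), msg) % Q
    s = (k - x * e) % Q
    return R, s


def verify(y: int, msg: bytes, sig) -> bool:
    # Standard check: G^s * y^e == R, identical for plain and steered nonces.
    R, s = sig
    e = H(R.to_bytes(2, "big"), msg) % Q
    return (pow(G, s, P) * pow(y, e, P)) % P == R


def extract(shared_key: bytes, sig) -> int:
    return nonce_tag(shared_key, sig[0])


def classify(shared_key: bytes, sig) -> str:
    """Inspector's view: a signature from the legitimate device carries NORMAL
    or COERCED; a signature made with the stolen key but without shared_key
    carries a random byte and matches either only with probability 2/256."""
    tag = extract(shared_key, sig)
    if tag == NORMAL:
        return "normal"
    if tag == COERCED:
        return "coerced"
    return "no hidden evidence: possible forgery with the original key"


if __name__ == "__main__":
    x, y = keygen()
    inspector_key = b"constructed-shared-secret"
    sig = sign(x, b"transfer 100 EUR", inspector_key, COERCED)
    print(verify(y, b"transfer 100 EUR", sig), classify(inspector_key, sig))
    forged = sign(x, b"transfer 100 EUR")   # same key, no shared secret
    print(verify(y, b"transfer 100 EUR", forged), classify(inspector_key, forged))
```

The verifier sees only (R, s) and runs the unchanged Schnorr check, so the channel costs nothing in compatibility. The cost is borne by the signer (extra exponentiations per signature) and by anyone who must trust that the device does not use the same mechanism to leak key bits instead, which is exactly the kleptographic threat the abstracts above address.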
We present a Stamp&Extend time-stamping scheme based on linking via modified creation of Schnorr signatures. The scheme is based on lazy construction of a tree of signatures. Stamp&Extend returns a timestamp immediately after the request, unlike the schemes based on the concept of timestamping rounds. Despite the fact that all timestamps are linear...
We consider the algorithm by Baquero, Almeida and Menezes that computes extreme values observed by nodes of an ad hoc network. We adapt it to meet specific technical features of communication in wireless networks with a single channel based on time multiplexing. Our approach leads to substantial reduction of the number of messages transmitted as we...
We consider Provable Data Possession (PDP) - a protocol which enables an owner of data stored in the cloud to verify whether this data is still available in the cloud without holding a copy of the file. We propose a PDP framework based on Lagrangian interpolation in the exponent for groups with a hard discrete logarithm problem. We reuse properties of...
Let $n = 2^k$ be the length of the broadcast cycle of the RBO broadcast scheduling protocol (see [arXiv:1108.5095] and [arXiv:1201.3318]). Let $lb$ and $ub$ be the variables of the RBO receiver as defined in [arXiv:1201.3318]. We show that the number of changes of $lb$ (the "left-side energy") is not greater than $k + 1$. We also show that the nu...
One of crucial disadvantages of key predistribution schemes for ad hoc networks is that if devices A and B use a shared key K to determine their session keys, then any adversarial device that holds K can impersonate A against B (or vice versa). Also, the adversary holding such a device can eavesdrop on communication between A and B for the lifetime...
We present an alert algorithm for single-hop radio networks with polylogarithmic time complexity and sublogarithmic energy complexity. Our algorithm works correctly with high probability regardless of the number of stations that try to broadcast an alert signal. Moreover, we show that it can be made fairly robust against node failures. We show a lo...
We present a variant of the protocol stack for anonymous authentication implemented in German personal identity documents. We strengthen the system by eliminating group keys - a potential target of attack for a powerful adversary aiming to undermine Restricted Identification mechanisms. We provide a mechanism of authentication that merges Chip Auth...
We present a concept for Public Key Infrastructure based on certificates that are not understood as a guarantee of Certification Authority for unconditional authenticity of the data contained in the certificate. As liability of CA is a source of cost barrier for widespread use of PKI services, we concentrate on cost-efficient solutions. At the same...
We consider documents with restricted access rights, where some segments of the document are encrypted in order to prevent unauthorized reading. The access rights to such a document are described by an access graph. It is a directed acyclic graph; each node describing a different access rights level. It is assumed that a user having the rights corr...
We consider schemes designed for user authentication in different systems (called sectors) with a single private key so that activities of the same person in different sectors are not linkable. In particular, we consider the Restricted Identification scheme implemented on personal identity cards (neuer Personalausweis) issued by German authorities. The...
The framework of digital signature based on qualified certificates and X.509 architecture is known to have many security risks. Moreover, the fraud prevention mechanism is fragile and does not provide strong guarantees that might be regarded necessary for flow of legal documents. Recently, mediated signatures have been proposed as a mechanism to e...
We present a strong authentication mechanism intended for embedded systems based on standard but weak processors, without support for cryptographic operations. So far the main effort has been to provide methods based on relatively short keys and complex computations; we instead take advantage of the availability of non-volatile memory of larger size and confine our...
We describe a broadcast encryption system with revocation, where security is based on a PUF (Physical Unclonable Function) instead of a cryptographic problem. Our scheme is immune to advances of cryptography (which may suddenly ruin any system depending solely on cryptographic assumptions). It is resilient to collusion attacks, which are frequently t...