- Jens-Matthias Bohli, Alban Hessler, Klaus Maier, Osman Ugus, and Dirk Westhoff
"Dependable Over-the-Air Programming"
In Adhoc & Sensor Wireless Networks, 2011
[Abstract]The complexity of software running on wireless sensor networks has increased over the years, and the need for an over-the-air (OTA) programming tool has become prominent. The requirements for the network traffic generated by a code update and the security issues that arise from it are atypical for wireless sensor networks, thus requiring innovative solutions. In this article, we provide an integrated protocol suite for a secure and efficient code image propagation in multi-hop wireless sensor networks consisting of three main parts: i) An efficient data structure including a program memory efficient $\mathcal{T}$-time signature based on Merkle's one time signature; ii) A transmission efficient authenticated pagewise packet encoding using rateless erasure codes with security measures against denial-of-service attacks; iii) An adaptive multi-hop propagation strategy which uses techniques from fuzzy control to mitigate the hidden terminal problem. Weaving means from fuzzy control into the propagation scheme enables exploiting the benefits of rateless erasure codes by efficiently reducing channel congestion and, thus, packet collisions.
- Jens-Matthias Bohli, Meiko Jensen, Nils Gruschka, Luigi Lo Iacono, and Jörg Schwenk
"Security Prospects through Cloud Computing by Adopting Multiple Clouds"
In Proceedings of the 4th IEEE International Conference on Cloud Computing (CLOUD), 2011
[Abstract]Clouds impose new security challenges, which are amongst the biggest obstacles when considering the usage of cloud services. This triggered a lot of research activities in this direction, resulting in a quantity of proposals targeting the various security threats. Besides the security issues coming with the cloud paradigm, it can also provide a new set of unique features which open the path towards novel security approaches, techniques and architectures. This paper initiates this discussion by contributing a concept which achieves security merits by making use of multiple distinct clouds at the same time.
- Jens-Matthias Bohli, Panos Papadimitratos, Donato Verardi, and Dirk Westhoff
"Resilient Data Aggregation for Unattended WSNs"
In 6th IEEE International Workshop on Practical Issues in Building Sensor Network Applications (SenseApp 2011), 2011
[Abstract]Unattended wireless sensor networks (WSNs) collect and store sensed data in the absence of a base station (sink). WSN data aggregation is a widely accepted approach to improve storage and communication efficiency. But the vulnerability of low-cost WSN nodes to compromise makes the use of secure protocols mandatory. As most secure data aggregation algorithms use the base station as a trust anchor, unattended WSNs need new solutions for secure data aggregation. We address exactly this problem, proposing a new resilient data aggregation scheme that protects data \emph{integrity} and remains \emph{robust} to a wide range of attacks, integrating \emph{Quality-of-Information (QoI)} as a defense mechanism. We argue that a QoI metric accompanying every aggregation result is necessary for the WSN user, to assess the quality of obtained data and detect errors or attacks. Even with a significant fraction of the WSN nodes controlled by the attacker, our scheme identifies and mitigates the effect of the attacks. This is supported by our analysis, with simulations of realistic strong attacks. The practicality of our scheme is supported by our proof of concept implementation.
- Jens-Matthias Bohli and Andreas Pashalidis
"Relations among privacy notions"
In ACM Trans. Inf. Syst. Secur., vol. 14, pp. 4:1-4:24, 2011
[Abstract]This article presents a hierarchy of privacy notions that covers multiple anonymity and unlinkability variants. The underlying definitions, which are based on the idea of indistinguishability between two worlds, provide new insights into the relation between, and the fundamental structure of, different privacy notions. We furthermore place previous privacy definitions concerning group signature, anonymous communication, and secret voting systems in the context of our hierarchy; this renders these traditionally disconnected notions comparable.
- Jens-Matthias Bohli, Alban Hessler, Osman Ugus, and Dirk Westhoff
"Security Solutions for Uplink- and Downlink-Traffic in Wireless Sensor Networks"
In it - Information Technology, vol. 52, no. 6, pp. 313-319, 2010
[Abstract]This article provides an overview of selected security and dependability solutions for wireless sensor networks. The proposed concepts have been recently developed in the European projects UbiSecSens, Sensei and WSAN4CIP. The main focus of this article is on securing convergecast traffic, securing multicast as well as aggregation providing in-network resilience for real-time wireless sensor networks. All the discussed solutions have in common that, besides an adequate security level, key design aspects are energy efficiency and a small memory footprint.
- Jens-Matthias Bohli, Christoph Sorge, and Osman Ugus
"A Privacy Model for Smart Metering"
In ICC 2010 Workshops (IEEE Workshop on Smart Grid Communications), pp. 1-5, 2010
[Abstract]Electricity suppliers have started replacing traditional electricity meters with so-called smart meters, which can transmit current power consumption levels to the supplier within short intervals. Though this is advantageous for the electricity suppliers' planning purposes, and also allows the customers a more detailed look at their usage behavior, it means a considerable risk for privacy. The detailed information can be used to judge whether persons are in the household, when they come home, which electric devices they use (e.g. when they watch TV), and so forth. In this work, we introduce a new model, the "smart metering privacy model", for measuring the degree of privacy that a smart metering application can provide. Moreover, we present two design solutions both with and without involvement of trusted third parties. We show that the solution with trusted party can provide "perfect privacy" under certain conditions.
- Jens-Matthias Bohli, Alban Hessler, Osman Ugus, and Dirk Westhoff
"Security enhanced multi-hop over the air reprogramming with Fountain Codes."
In IEEE LCN 2009 (IEEE SenseApp Workshop), pp. 850-857, IEEE, 2009
[Abstract]Recently, several code update approaches for multi-hop sensor networks have been proposed basically addressing two orthogonal problems: security and efficient over the air reprogramming. Unfortunately, the proposed security solutions for code update mechanisms are only considering early proposed over the air reprogramming solutions like e.g. Deluge or MOAP. Therefore, currently available symmetric key based secure code update schemes are not per se suited to support advanced coding techniques such as Fountain Codes. In this work, we provide means to secure this promising technique mainly with efficient symmetric cryptographic primitives and demonstrate its applicability for efficient and robust over the air reprogramming.
- Emiliano De Cristofaro, Jens-Matthias Bohli, and Dirk Westhoff
"FAIR: fuzzy-based aggregation providing in-network resilience for real-time wireless sensor networks."
In ACM Conference on Wireless Security, WiSec'09, pp. 253-260, ACM, 2009
[Abstract]This work introduces FAIR, a novel framework for Fuzzy-based Aggregation providing In-network Resilience for Wireless Sensor Networks (WSN). FAIR addresses the possibility of malicious aggregator nodes manipulating data. It provides data-integrity based on a trust level of the WSN response and it tolerates link or node failures. Compared to available solutions, it offers a general aggregation model and makes the trust level visible to the querier. We classify the proposed approach as complementary to protocols ensuring resilience against sensor leaf nodes providing faulty data. Thanks to our flexible resilient framework and due to the use of Fuzzy Inference Schemes, we achieve promising results within a short design cycle.
- Jens-Matthias Bohli, Christoph Sorge, and Dirk Westhoff
"Initial observations on economics, pricing, and penetration of the internet of things market."
In Computer Communication Review (Editorial Note), vol. 39, no. 2, pp. 50-55, 2009
[Abstract]One expectation about the future Internet is the participation of billions of sensor nodes, integrating the physical with the digital world. This Internet of Things can offer new and enhanced services and applications based on knowledge about the environment and the entities within. Millions of micro-providers could come into existence, forming a highly fragmented market place with new business opportunities to offer commercial services. In the related field of Internet and Telecommunication services, the design of markets and pricing schemes has been a vital research area in itself. We discuss how these findings can be transferred to the Internet of Things. Both the appropriate market structure and corresponding pricing schemes need to be well understood to enable a commercial success of sensor-based services. We show some steps that an evolutionary establishment of this market might have to take.
- Jens-Matthias Bohli, Christian Henrich, Carmen Kempka, Jörn Müller-Quade, and Stefan Röhrich
"Enhancing electronic voting machines on the example of Bingo voting."
In IEEE Transactions on Information Forensics and Security, vol. 4, no. 4, pp. 745-750, 2009
[Abstract]The main purpose of cryptographic voting schemes is to provide transparency while protecting ballot secrecy and to enable a fast tally. In this paper, we address three major issues of cryptographic voting schemes. First we discuss the problem of secrecy and coercion resistance in the situation of a corrupted voting machine. While hard to obtain in general, we propose and analyze a novel approach that uses encapsulated design and minimizes the information that can compromise ballot secrecy. The second issue we address is the assumption that an adversary does not know which receipts are checked and the problem of receipt stealing. Many voting schemes with receipts share this vulnerability. We provide a solution that increases protection of each vote and which can be generalized for voting schemes that use computers to form the receipt. The last issue discussed in this paper is the question of how an election can be contested. For this, an error or a manipulation must not only be detected but also proven. While the problems and solutions are described for Bingo Voting, we argue that the problems are shared by many cryptographic voting schemes and that the solutions presented in this work give insight in the prerequisites needed for a secure election.
- Jens-Matthias Bohli and Andreas Pashalidis
"Relations Among Privacy Notions"
In Financial Cryptography and Data Security, FC'09, Lecture Notes in Computer Science, vol. 5628, pp. 362-380, Springer, 2009
[Abstract]This paper presents a hierarchy of privacy notions that covers multiple anonymity and unlinkability variants. The underlying definitions, which are based on the idea of indistinguishability between two worlds, provide new insights into the relation between, and the fundamental structure of, different privacy notions. We apply our definitions to group signatures and anonymous communication systems, and show how they relate to existing definitions.
- Osman Ugus, Dirk Westhoff, and Jens-Matthias Bohli
"A ROM-friendly secure code update mechanism for WSNs using a stateful-verifier tau-time signature scheme."
In ACM Conference on Wireless Network Security, WiSec'09, pp. 29-40, ACM, 2009
[Abstract]Several mechanisms have been proposed to efficiently authenticate multicast of finite data streams as needed for code image updates in wireless sensor networks (WSNs). They involve either a public-key digital signature or loose time synchronization between the sender and the receivers. What usually does not get any attention is the program memory (ROM) occupied by these mechanisms which do not fulfill the primary task of a sensor network. An optimized implementation of the elliptic curve digital signature scheme occupies up to 25% of the ROM of a TelosB node; the same or even more is needed for time synchronization schemes. Therefore, if sensor networks do not need public-key operations or time synchronization for their primary task, these SCU mechanisms are not suitable for coexistence with the application code on the sensor nodes. This work contributes in two directions. Firstly, we propose a stateful-verifier T-time signature scheme based on Merkle's one-time signature. Secondly, we propose a protocol exploiting our signature scheme for securing existing code image update protocols for WSNs minimizing ROM overhead to 1% on TelosB motes.
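As an added illustration of the construction named in this abstract (and in the "Dependable Over-the-Air Programming" entry above), not code from the paper: a tau-time signature built from Lamport one-time keys whose public keys are authenticated by a single Merkle root, with a verifier that stores nothing but the root and the last accepted leaf index. The simplified scheme, the SHA-256 instantiation, tau = 8 and the sample code-image messages are assumptions made for this example; the paper's own scheme and its ROM optimisations are not reproduced here.

```python
"""Illustrative tau-time signature: tau Lamport one-time key pairs authenticated
by one Merkle root, plus a verifier whose only state is the last accepted leaf
index, so a one-time key cannot be replayed or reused.  Added, simplified
example; not the scheme from the paper."""
import hashlib
import os

N_BITS = 256  # Lamport signs the 256-bit SHA-256 digest of the message

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_pk_digest(pk):
    # the Merkle leaf: one hash over the whole one-time public key
    return H(*[h for pair in pk for h in pair])

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]

def lamport_sign(sk, msg):
    # reveal, per digest bit, the preimage selected by that bit
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))

def merkle_root_and_paths(leaves):
    """Root and per-leaf authentication paths; len(leaves) is a power of two."""
    level, idx = leaves[:], list(range(len(leaves)))
    paths = [[] for _ in leaves]
    while len(level) > 1:
        for leaf, pos in enumerate(idx):
            paths[leaf].append(level[pos ^ 1])  # sibling node at this level
            idx[leaf] = pos // 2
        level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths

def merkle_verify(root, index, leaf, path):
    node = leaf
    for sib in path:
        node = H(node, sib) if index % 2 == 0 else H(sib, node)
        index //= 2
    return node == root

class TauTimeSigner:
    def __init__(self, tau):
        assert tau > 0 and tau & (tau - 1) == 0, "tau must be a power of two"
        self.keys = [lamport_keygen() for _ in range(tau)]
        leaves = [lamport_pk_digest(pk) for _, pk in self.keys]
        self.root, self.paths = merkle_root_and_paths(leaves)
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all tau one-time keys have been used")
        i = self.next_index
        self.next_index += 1
        sk, pk = self.keys[i]
        return (i, pk, lamport_sign(sk, msg), self.paths[i])

class StatefulVerifier:
    """Holds only the Merkle root and the last accepted leaf index."""
    def __init__(self, root):
        self.root = root
        self.last_accepted = -1

    def verify(self, msg, signature):
        i, pk, ots, path = signature
        if i <= self.last_accepted:  # reuse or replay of an already-used key
            return False
        if not merkle_verify(self.root, i, lamport_pk_digest(pk), path):
            return False  # one-time public key not under the trusted root
        if not lamport_verify(pk, msg, ots):
            return False
        self.last_accepted = i
        return True

def demo():
    signer = TauTimeSigner(tau=8)
    verifier = StatefulVerifier(signer.root)
    sig1 = signer.sign(b"code image v1")  # constructed sample messages
    accepted = verifier.verify(b"code image v1", sig1)
    replayed = verifier.verify(b"code image v1", sig1)  # same index again
    sig2 = signer.sign(b"code image v2")
    tampered = verifier.verify(b"code image v2 (modified)", sig2)
    accepted2 = verifier.verify(b"code image v2", sig2)
    return accepted, replayed, tampered, accepted2
```

The verifier's state is one integer: rejecting any index at or below the last accepted one blocks replay of an already-used one-time key, so the verifier never has to remember which leaves it has seen. Signing more than tau messages raises, since every leaf key is used exactly once.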
- Jens-Matthias Bohli and Christoph Sorge
"Key-Substitution-Angriffe und das Signaturgesetz"
In Datenschutz und Datensicherheit, vol. 32, no. 6, pp. 388-393, 2008
[Abstract]This article refutes the common assumption that nearly every cryptographic signature scheme meets the requirements for advanced electronic signatures. Even algorithms that are considered secure by the usual criteria of cryptography do not satisfy the legislator's requirements. Key substitution attacks endanger signature algorithms in common use today. The article also discusses countermeasures and considers the consequences for qualified signatures.
- Jens-Matthias Bohli, Alban Hessler, Osman Ugus, and Dirk Westhoff
"A Secure and Resilient WSN Roadside Architecture for Intelligent Transport Systems"
In ACM Conference on Wireless Network Security, WiSec'08, pp. 161-171, ACM, 2008
[Abstract]We propose a secure and resilient WSN roadside architecture for intelligent transport systems which supports the two complementary services accident prevention and post-accident investigation. Our WSN security architecture is stimulated by the understanding that WSN roadside islands will only be rolled-out and used when hardware costs are close to the minimum. We provide a purely software based security solution which does not rely on costly HW components like road side units (RSU) or tamper resistant modules on sensor nodes. We use existing components, but also describe protocols that may be of independent interest.
- Michel Abdalla, Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt
"(Password) Authenticated Key Establishment: From 2-Party to Group"
In Theory of Cryptography Conference - TCC 2007, Lecture Notes in Computer Science, vol. 4392, pp. 499-514, Springer, 2007
[Abstract]A protocol compiler is described that transforms any provably secure authenticated 2-party key establishment into a provably secure authenticated group key establishment with 2 more rounds of communication. The compiler introduces neither idealizing assumptions nor high-entropy secrets, e.g., for signing. In particular, applying the compiler to a password-authenticated 2-party key establishment without random oracle assumption, yields a password-authenticated group key establishment without random oracle assumption. Our main technical tools are non-interactive and non-malleable commitment schemes that can be implemented in the common reference string (CRS) model.
- Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt
"Secure Group Key Establishment Revisited"
In International Journal of Information Security, vol. 6, no. 4, pp. 243-254, 2007
[Abstract]We examine the popular proof models for group key establishment of Bresson et al. and point out missing security properties addressing malicious protocol participants. We show that established group key establishment schemes from CRYPTO 2003 and ASIACRYPT 2004 do not fully meet these new requirements. Next to giving a formal definition of these extended security properties, we prove a variant of the explored proposal from ASIACRYPT 2004 secure in this stricter sense. Our proof builds on the Computational Diffie-Hellman (CDH) assumption and the random oracle model.
- Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich
Ch. "Long-term Secure Key Establishment"
In Long-term and Dynamical Aspects of Information Security: Emerging Trends in Information and Communication Security, Nova Science Publishers, ISBN 1-60021-912-8, pp. 87-95, 2007
[Abstract]In this paper we present a long-term secure key establishment protocol. Long-term security means resistance against attacks even if later, after completion of the protocol, some security assumptions become invalid. This makes the attacker more powerful, e.g. able to solve a formerly hard problem. In this setting we assume the hardness of the Diffie-Hellman problem during the protocol run, but later the attacker is able to solve the discrete logarithm problem which, e.g., is possible if quantum computers can be built. We achieve the security through combining the computational Diffie-Hellman key exchange with a classic Needham-Schroeder like protocol which uses symmetric encryption and a key distribution server. There are no known fundamental quantum attacks against good symmetric encryption schemes, which gives us long-term security. Through combination with the Diffie-Hellman key exchange we achieve protection against a corrupted server as long as the Diffie-Hellman assumption holds and it allows us to give an efficient protocol with three rounds and five messages.
- Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich
"Bingo Voting: Secure and Coercion-Free Voting Using a Trusted Random Number Generator"
In E-Voting and Identity, VOTE-ID 2007, Lecture Notes in Computer Science, vol. 4896, pp. 111-124, Springer, 2007
[Abstract]It is debatable if current direct-recording electronic voting machines can sufficiently be trusted for use in elections. Reports about malfunctions and possible ways of manipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying. This work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme. A proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.
- Jens-Matthias Bohli, Benjamin Glas, and Rainer Steinwandt
"Towards Provably Secure Group Key Agreement Building on Group Theory"
In Progress in Cryptology - VIETCRYPT 2006, Lecture Notes in Computer Science, vol. 4341, pp. 322-336, Springer, 2006
[Abstract]Known proposals for key establishment schemes based on combinatorial group theory are often formulated in a rather informal manner. Typically, issues like the choice of a session identifier and parallel protocol executions are not addressed, and no security proof in an established model is provided. Successful attacks against proposed parameter sets for braid groups further decreased the attractiveness of combinatorial group theory as a candidate platform for cryptography. We present a 2-round group key agreement protocol that can be proven secure in the random oracle model if a certain group-theoretical problem is hard. The security proof builds on a framework of Bresson et al., and explicitly addresses some issues concerning malicious insiders and also forward secrecy. While being designed as a tool for basing group key agreement on non-abelian groups, our framework also yields a 2-round group key agreement based on a Computational Diffie-Hellman assumption.
- Jens-Matthias Bohli and Rainer Steinwandt
"Deniable Group Key Agreement"
In Progress in Cryptology - VIETCRYPT 2006, Lecture Notes in Computer Science, vol. 4341, pp. 298-311, Springer, 2006
[Abstract]Especially for key establishment protocols to be used in internet applications, the (privacy) concern of deniability arises: Can a protocol transcript be used--possibly by a participant--to prove the involvement of another party in the protocol? For two party key establishment protocols, a common technique for achieving deniability is the replacement of signature-based message authentication with authentication based on symmetric keys. We explore the question of deniability in the context of group key establishment: Taking into account malicious insiders, using a common symmetric key for authentication is critical, and the question of how to achieve deniability arises. Building on a model of Bresson et al., we offer a formalization of deniability and present a group key agreement offering provable security in the usual sense, deniability, and security guarantees against malicious insiders. Our approach for achieving deniability through a suitably distributed Schnorr-signature might also be of independent interest.
- Jens-Matthias Bohli, Benjamin Glas, and Rainer Steinwandt
"Algebraic Cryptosystems and Side Channel Attacks: Braid Groups and DPA"
In Congressus Numerantium, vol. 182, pp. 145-154, 2006
[Abstract]For practically deployed cryptographic schemes, the resistance of implementations to side channel attacks has been explored extensively. On the other hand, for recently proposed "algebraic" cryptographic schemes, e.g., originating in combinatorial group theory, attacks on the implementation level so far received little attention. This contribution discusses the feasibility of mounting a Differential Power Analysis (DPA) on the canonical form computation in braid groups as occurring, e.g., in a braid group based signature scheme. Interestingly, already attacking a "naive" implementation turns out to be less straightforward than one might expect.
- Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt
"Password-Authenticated Constant-Round Group Key Establishment with a Common Reference String"
Cryptology ePrint Archive, Report 2006/214, 2006
- Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt
"A Subliminal-free Variant of ECDSA"
In Information Hiding - IH2006, Lecture Notes in Computer Science, vol. 4437, pp. 375-387, Springer, 2006
[Abstract]A mode of operation of the Elliptic Curve Digital Signature Algorithm (ECDSA) is presented which provably excludes subliminal communication through ECDSA signatures. For this, the notion of a signature scheme that is \emph{subliminal-free with proof} is introduced which can be seen as generalizing \emph{subliminal-free signatures} and being intermediate to the established concepts of \emph{invariant} and \emph{unique signatures}. Motivated by the proposed use of ECDSA for signing passports, our focus is not on proving the mere existence of a subliminal-free ECDSA mode of operation, but on demonstrating its practical potential. The proposed construction relies on the availability of a party acting as warden and on a reasonably-sized non-interactive proof of subliminal-freeness. For instance, in the passport scenario, the passport holder plays the role of the warden, and we show that a suitable combination of the pseudo random function of Naor and Reingold with bit commitments and non-interactive zero-knowledge proofs can be used for accomplishing the required proof of subliminal-freeness with acceptable efficiency.
- Jens-Matthias Bohli, Stefan Röhrich, and Rainer Steinwandt
"Key substitution attacks revisited: Taking into account malicious signers"
In International Journal of Information Security, vol. 5, no. 1, pp. 30-36, 2006
[Abstract]Given a signature $s$ for some message $m$ along with a corresponding public verification key $y$, in a key substitution attack an attacker derives another verification key $\overline{y}\ne y$--possibly along with a matching secret key--such that $s$ is also a valid signature of $m$ for the verification key $\overline{y}$. Menezes and Smart have shown that with suitable parameter restrictions DSA and EC-DSA are immune to such attacks. Here, we show that in the presence of a malicious signer key substitution attacks against several signature schemes that are secure in the sense introduced by Menezes and Smart can be mounted. While for EC-DSA such an attack is feasible, other established signature schemes, including EC-KCDSA, can be shown to be secure in this sense.
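As an added example of the attack setting defined in this abstract (and the subject of the "Key-Substitution-Angriffe und das Signaturgesetz" entry above), not the paper's own code: a pure-Python ECDSA over secp256k1 in which a malicious signer who knows $x$ computes a second key pair $(\overline{x}, \overline{y})$ with $\overline{y}\ne y$ such that an existing signature $(r,s)$ on $m$ still verifies under $\overline{y}$. The observation behind it is that the nonce $-k$ produces the same $r$, so solving $s = (-k)^{-1}(h + \overline{x} r)$ gives $\overline{x} = -x - 2h r^{-1} \pmod n$. The curve constants are the standard secp256k1 parameters; the deterministic nonce derivation, the sample key and messages, and the `bound=True` variant that hashes the public key together with the message (the usual countermeasure, which the abstract itself does not discuss) are assumptions of this example.

```python
"""Key substitution against plain ECDSA by a malicious signer who knows x.
Added illustration, not the paper's code.  secp256k1 constants are the
published ones; the nonce derivation is a simplified deterministic hash
(assumption, not RFC 6979); bound=True binds the public key into the hash
(assumed countermeasure, not taken from the abstract)."""
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def msg_hash(m, y=None):
    """Plain ECDSA hashes only m; with y given, the public key is bound into h."""
    data = m if y is None else y[0].to_bytes(32, "big") + y[1].to_bytes(32, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(x, m, bound=False):
    y = ec_mul(x, G)
    h = msg_hash(m, y if bound else None)
    seed = x.to_bytes(32, "big") + h.to_bytes(32, "big")
    k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % N or 1  # simplified nonce
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + x * r) % N
    return (r, s)

def verify(y, m, sig, bound=False):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    h = msg_hash(m, y if bound else None)
    w = pow(s, -1, N)
    R = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, y))
    return R is not None and R[0] % N == r

def substitute_key(x, m, sig, bound=False):
    """Malicious signer: nonce -k has the same x-coordinate, hence the same r,
    so x' = -x - 2h/r (mod N) makes (r, s) a valid signature under y' = x'G."""
    r, _ = sig
    h = msg_hash(m, ec_mul(x, G) if bound else None)
    x2 = (-x - 2 * h * pow(r, -1, N)) % N
    return x2, ec_mul(x2, G)

def demo():
    x = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    y = ec_mul(x, G)
    m = b"firmware image v2"  # constructed message
    sig = sign(x, m)
    x2, y2 = substitute_key(x, m, sig)
    plain = (verify(y, m, sig),            # honest verification
             y2 != y,                      # a genuinely different key
             verify(y2, m, sig),           # same (r, s) accepted under y2
             verify(y2, b"other", sign(x2, b"other")))  # x2 is its usable private key
    sig_b = sign(x, m, bound=True)
    _, y3 = substitute_key(x, m, sig_b, bound=True)
    bound = (verify(y, m, sig_b, bound=True),   # still verifies honestly
             verify(y3, m, sig_b, bound=True))  # substitution no longer works
    return plain, bound
```

Under plain ECDSA the substituted key is a different key with a known private key, and the original signature verifies under it; once the public key is hashed together with the message, the verifier under $\overline{y}$ computes a different $h$ and the same derivation no longer yields an accepting key. That binding is what a verifier or a signature law should demand of a scheme before treating "this signature verifies under this key" as proof of who signed.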
- Jens-Matthias Bohli
"A Framework for Robust Group Key Agreement"
In Computational Science and Its Applications - ICCSA 2006 (3), Lecture Notes in Computer Science, vol. 3982, pp. 355-364, Springer, 2006
[Abstract]Considering a protocol of Tseng, we show that a group key agreement protocol that resists attacks by malicious insiders in the authenticated broadcast model loses this security when it is transferred into an unauthenticated point-to-point network with the protocol compiler introduced by Katz and Yung. We develop a protocol framework that allows one to transform passively secure protocols into protocols that provide security against malicious insiders and active adversaries in an unauthenticated point-to-point network and, in contrast to existing protocol compilers, does not increase the number of rounds. Our protocol particularly uses the session identifier to achieve the security. By applying the framework to the Burmester-Desmedt protocol we obtain a new 2 round protocol that is provably secure against active adversaries and malicious participants.
- Jens-Matthias Bohli, María Isabel González Vasco, and Rainer Steinwandt
"Burmester-Desmedt Tree-Based Key Transport Revisited: Provable Security"
Cryptology ePrint Archive, Report 2005/360, 2005
- Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich
"On Group Key Agreement with Cheater Identification"
Western European Workshop on Research in Cryptology, WEWoRC 2005, 2005
[Abstract]Group key establishment protocols are needed to provide more than two principals with a common session key for subsequent cryptographic protocols. We consider the problem of cheater identification that gives robustness guarantees to the protocol, since the cheater who caused the failure can be excluded and the protocol started anew in the smaller group. When all cheaters are excluded the protocol will finally succeed. We introduce a functionality describing the task of group key establishment with cheater identification in the UC framework. We adapt the protocol of BGN03 such that cheaters can be identified if a reliable broadcast is given, where all messages are received within a known time period. Thereby we achieve the goals of YRI04 with fewer assumptions and a conceptually simpler protocol.
- Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich
"Fairness and Correctness in Case of a Premature Abort"
In Progress in Cryptology - INDOCRYPT 2005, Lecture Notes in Computer Science, vol. 3797, pp. 322-331, Springer, 2005
[Abstract]When using cryptographic protocols for security critical applications, premature abort is a serious threat. We define two important properties called quit fairness and quit correctness for protocols to resist attacks by premature abort. The main result of the paper is that quit fairness and quit correctness can be achieved for two-party secure function evaluation whereas for multi-party protocols the two properties of quit fairness and quit correctness are mutually exclusive. This negative result implies that countermeasures to premature abort, e.g. optimistic protocols, are vital for secure electronic applications.
- Jens-Matthias Bohli, María Isabel González Vasco, Consuelo Martínez, and Rainer Steinwandt
"Weak Keys in $MST_1$"
In Designs, Codes and Cryptography, vol. 37, no. 3, pp. 509-524, 2005
[Abstract]The public key cryptosystem $MST_1$ has been introduced by Magliveras et al. (Public Key Cryptosystems from Group Factorizations. Jatra Mountain Mathematical Publications). Its security relies on the hardness of factoring with respect to wild logarithmic signatures. To identify 'wild-like' logarithmic signatures, the criterion of being totally-non-transversal has been proposed. We present tame totally-non-transversal logarithmic signatures for the alternating and symmetric groups of degree $\geq 5$. Hence, basing a key generation procedure on the assumption that totally-non-transversal logarithmic signatures are 'wild like' seems critical. We also discuss the problem of recognizing 'weak' totally-non-transversal logarithmic signatures, and demonstrate that another proposed key generation procedure based on permutably transversal logarithmic signatures may produce weak keys.
- Jens-Matthias Bohli and Rainer Steinwandt
"On Subliminal Channels in Deterministic Signature Schemes"
In Information Security and Cryptology - ICISC 2004, Lecture Notes in Computer Science, vol. 3506, pp. 182-194, Springer, 2005
[Abstract]Subliminal channels in randomized signature algorithms like the DSA are well-known. However, much less seems to be known about this issue when dealing with deterministic schemes. Using some known signature schemes like ESIGN-D and SFLASH$^{v3}$ as examples, we illustrate the problem of subliminal channels in non-interactive deterministic signature algorithms. Based on an appropriate formalization, a deterministic variant of RSA-PSS is shown to be subliminal free.
- Jens-Matthias Bohli
"Algorithmen für iterative Entscheidungen in der Signalverarbeitung"
Diploma thesis (Diplomarbeit) at the Institut für Algorithmen und Kognitive Systeme, Universität Karlsruhe, 2003
- Jens-Matthias Bohli
"Schwache Schlüssel des Public-Key-Systems MST_1"
Student research project (Studienarbeit) at the Institut für Algorithmen und Kognitive Systeme, Universität Karlsruhe, 2001