Ustaoğlu, Berkant
Loading...
Profile URL
Name Variants
Ustaoglu, B
Ustaoglu, B.
Ustaoğlu, B
Ustaoğlu, B.
Ustaoglu, Berkant
Ustaoglu, B.
Ustaoğlu, B
Ustaoğlu, B.
Ustaoglu, Berkant
Job Title
Email Address
berkantustaoglu@iyte.edu.tr
Main Affiliation
04.02. Department of Mathematics
Status
Current Staff
Website
ORCID ID
Scopus Author ID
Turkish CoHE Profile ID
Google Scholar ID
WoS Researcher ID
Sustainable Development Goals
1NO POVERTY
0
Research Products
2ZERO HUNGER
0
Research Products
3GOOD HEALTH AND WELL-BEING
0
Research Products
4QUALITY EDUCATION
0
Research Products
5GENDER EQUALITY
0
Research Products
6CLEAN WATER AND SANITATION
0
Research Products
7AFFORDABLE AND CLEAN ENERGY
0
Research Products
8DECENT WORK AND ECONOMIC GROWTH
0
Research Products
9INDUSTRY, INNOVATION AND INFRASTRUCTURE
1
Research Products
10REDUCED INEQUALITIES
0
Research Products
11SUSTAINABLE CITIES AND COMMUNITIES
0
Research Products
12RESPONSIBLE CONSUMPTION AND PRODUCTION
0
Research Products
13CLIMATE ACTION
0
Research Products
14LIFE BELOW WATER
0
Research Products
15LIFE ON LAND
0
Research Products
16PEACE, JUSTICE AND STRONG INSTITUTIONS
0
Research Products
17PARTNERSHIPS FOR THE GOALS
0
Research Products
Documents
26
Citations
543
h-index
12
This researcher does not have a WoS ID.
Scholarly Output
20
Articles
9
Views / Downloads
48303/7968
Supervised MSc Theses
0
Supervised PhD Theses
0
WoS Citation Count
299
Scopus Citation Count
71
Patents
0
Projects
1
WoS Citations per Publication
14.95
Scopus Citations per Publication
3.55
Open Access Source
20
Supervised Theses
0
| Journal | Count |
|---|---|
| Lecture Notes in Computer Science | 8 |
| Cryptology ePrint Archive | 4 |
| International Journal of Information Security | 2 |
| Designs, Codes, and Cryptography | 1 |
| IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences | 1 |
Current Page: 1 / 2
Scopus Quartile Distribution
Competency Cloud
20 results
Scholarly Output Search Results
Now showing 1 - 10 of 20
Conference Object Citation - WoS: 22Multi-Party Off-The Messaging(Association for Computing Machinery (ACM), 2009) Goldberg, Ian; Ustaoğlu, Berkant; Van Gundy, Matthew D.; Chen, HaoMost cryptographic algorithms provide a means for secret and authentic communication. However, under many circumstances, the ability to repudiate messages or deny a conversation is no less important than secrecy and authenticity. For whistleblowers, informants, political dissidents and journalists - to name a few - it is most important to have means for deniable conversation, where electronic communication must mimic face-to-face private meetings. Off-the-Record Messaging, proposed in 2004 by Borisov, Goldberg and Brewer, and its subsequent improvements, simulate private two-party meetings. Despite some attempts, the multi-party scenario remains unresolved. In this paper, we first identify the properties of multi-party private meetings. We illustrate the differences not only between the physical and electronic medium but also between two- and multi-party scenarios, which have important implications for the design of private chatrooms. We then propose a solution to multi-party off-the-record instant messaging that satisfies the above properties. Our solution is also composable with extensions that provide other properties, such as anonymity. Copyright 2009 ACM.Conference Object Citation - WoS: 5Citation - Scopus: 7Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange(Institute of Electronics, Information and Communication, Engineers, IEICE, 2013) Manulis, Mark; Suzuki, Koutarou; Ustaoglu, BerkantWe propose a security model, referred as g-eCK model, for group key exchange that captures essentially all non-trivial leakage of static and ephemeral secret keys of participants, i.e., group key exchange version of extended Canetti-Krawczyk (eCK) model. Moreover, we propose the first one-round tripartite key exchange (3KE) protocol secure in the g-eCK model under the gap Bilinear Diffie-Hellman (gap BDH) assumption and in the random oracle model.Article Efficient Key Exchange With Tight Security Reduction(International Association for Cryptologic Research, 2009) Wu, Jiang; Ustaoğlu, BerkantIn this paper, we propose two authenticated key exchange (AKE) protocols, SMEN and SMEN−, which have efficient online computation and tight security proof in the extended Canetti-Krawczyk (eCK) model. SMEN takes 1.25 exponentiations in online computation, close to that (1.17 exponentiations) of the most efficient AKEs MQV and its variants HMQV and CMQV. SMEN has a security reduction as tight as that of NAXOS, which is the first AKE having a tight security reduction in the eCK model. As a comparison, MQV does not have a security proof; both HMQV and CMQV have a highly non-tight security reduction, and HMQV needs a non-standard assumption; NAXOS takes 2.17 exponentiations in online computation; NETS, a NAXOS variant, takes two online exponentiations in online computation. SMEN simultaneously achieves online efficiency and a tight security proof at a cost of 0.17 more exponentiations in offline computation and the restriction that one party is not allowed to establish a key with itself. SMEN− takes 1.29 exponentiations in online computation, but SMEN− does not use the static private key to compute the ephemeral public key (as does in SMEN, NAXOS, CMQV, and NETS), and hence reduces the risk of leaking the static private key.Article Citation - WoS: 25Comparing Sessionstatereveal and Ephemeralkeyreveal for Diffie-Hellman Protocols (extended Version)(International Association for Cryptologic Research, 2009) Ustaoğlu, BerkantBoth the ``eCK'' model, by LaMacchia, Lauter and Mityagin, and the ``CK01'' model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a \SessionStateReveal{} query to learn session specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an \RevealEphemeralKey{} query to access all ephemeral private input required to carry session computations. \SessionStateReveal{} \emph{cannot} be issued against the test session; by contrast \RevealEphemeralKey{} \emph{can} be used against the test session under certain conditions. On the other hand, it is not obvious how \RevealEphemeralKey{} compares to \SessionStateReveal{}. Thus it is natural to ask which model is more useful and practically relevant. While formally the models are not comparable, we show that recent analysis utilizing \SessionStateReveal{} and \RevealEphemeralKey{} have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if the values are exposed.Conference Object Citation - WoS: 28Strongly Secure Authenticated Key Exchange Without Naxos' Approach(Springer Verlag, 2009) Kim, Minkyu; Fujioka, Atsushi; Ustaoğlu, BerkantLaMacchia, Lauter and Mityagin [15] proposed the extended Canetti-Krawczyk (eCK) model and an AKE protocol, called NAXOS. Unlike previous security models, the adversary in the eCK model is allowed to obtain ephemeral secret information related to the test session, which makes the security proof difficult. To overcome this NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X; more precisely X∈=∈g H(x,a). As a result, no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. In other words, the discrete logarithm of an ephemeral public key, which is typically the ephemeral secret, is hidden via an additional random oracle. In this paper, we show that it is possible to construct eCK-secure protocol without the NAXOS' approach by proposing two eCK-secure protocols. One is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV [12] protocol. Furthermore, they are at least as secure as protocols that use the NAXOS' approach but unlike them and HMQV, the use of the random oracle is minimized and restricted to the key derivation function. © 2009 Springer-Verlag Berlin Heidelberg.Conference Object Citation - WoS: 25Citation - Scopus: 26Quantum Key Distribution in the Classical Authenticated Key Exchange Framework(Springer, 2013) Mosca, Michele; Stebila, Douglas; Ustaoğlu, BerkantKey establishment is a crucial primitive for building secure channels in a multi-party setting. Without quantum mechanics, key establishment can only be done under the assumption that some computational problem is hard. Since digital communication can be easily eavesdropped and recorded, it is important to consider the secrecy of information anticipating future algorithmic and computational discoveries which could break the secrecy of past keys, violating the secrecy of the confidential channel. Quantum key distribution (QKD) can be used generate secret keys that are secure against any future algorithmic or computational improvements. QKD protocols still require authentication of classical communication, although existing security proofs of QKD typically assume idealized authentication. It is generally considered folklore that QKD when used with computationally secure authentication is still secure against an unbounded adversary, provided the adversary did not break the authentication during the run of the protocol. We describe a security model for quantum key distribution extending classical authenticated key exchange (AKE) security models. Using our model, we characterize the long-term security of the BB84 QKD protocol with computationally secure authentication against an eventually unbounded adversary. By basing our model on traditional AKE models, we can more readily compare the relative merits of various forms of QKD and existing classical AKE protocols. This comparison illustrates in which types of adversarial environments different quantum and classical key agreement protocols can be secure. © 2013 Springer-Verlag.Article Citation - WoS: 7Integrating Identity-Based and Certificate-Based Authenticated Key Exchange Protocols(Springer Verlag, 2011) Ustaoğlu, BerkantKey establishment is becoming a widely deployed cryptographic primitive. As such, there has been extensive research on designing algorithms that produce shared secret keys. These protocols require parties to either hold certificates or rely on identity (ID)-based primitives to achieve authentication. Chain and cross certifications allow users trusting different certification authorities to interact. Similarly, there are methods to extend ID-based solutions across multiple key generation centers (KGC). However, there has been no dedicated work on interoperability between the two settings. A straightforward solution would require each user to maintain certificates and ID-based static keys to accommodate all peers. The cost of maintaining many secret keys; matching keys with protocols; and preventing undesired interference would arguably make such a solution impractical. In this work, we offer an alternative where a user needs to keep a single static key pair and can subsequently engage in a session key establishment with peers holding certificates or identity-based keys. Thus, the proposed solution has none of disadvantages of maintaining multiple static private keys. © 2011 Springer-Verlag.Conference Object Citation - WoS: 19Comparing the Pre- and Post-Specified Peer Models for Key Agreement(Springer Verlag, 2008) Menezes, Alfred; Ustaoğlu, BerkantIn the pre-specified peer model for key agreement, it is assumed that a party knows the identifier of its intended communicating peer when it commences a protocol run. On the other hand, a party in the post-specified peer model for key agreement does not know the identifier of its communicating peer at the outset, but learns the identifier during the protocol run. In this paper we compare the security assurances provided by the Canetti-Krawczyk security definitions for key agreement in the pre- and post-specified peer models. We give examples of protocols that are secure in one model but insecure in the other. We also enhance the Canetti-Krawczyk security models and definitions to encompass a class of protocols that are executable and secure in both the pre- and post-specified peer models. © 2008 Springer-Verlag Berlin Heidelberg.Article Utilizing Postponed Ephemeral and Pseudo-Static Keys in Tripartite and Identity-Based Key Agreement Protocols(International Association for Cryptologic Research, 2009) Fujioka, Atsushi; Suzuki, Koutarou; Ustaoğlu, BerkantWe propose an new one-round implicitly authenticated three-party protocol that extends Joux's protocol as well as a two-party identity-based protocol. Our protocols have a single communication round that consists of ephemeral (one-time) public keys along with certificates in the tripartite protocol, and identities in the identity-based setting. As such our protocols are communication efficient and furthermore do not require enhanced message format.Conference Object Citation - WoS: 4Reusing Static Keys in Key Agreement Protocols(Springer Verlag, 2009) Chatterjee, Sanjit; Menezes, Alfred; Ustaoğlu, BerkantContrary to conventional cryptographic wisdom, the NIST SP 800-56A standard explicitly allows the use of a static key pair in more than one of the key establishment protocols described in the standard. In this paper, we give examples of key establishment protocols that are individually secure, but which are insecure when static key pairs are reused in two of the protocols. We also propose an enhancement of the extended Canetti-Krawczyk security model and definition for the situation where static public keys are reused in two or more key agreement protocols. © 2009 Springer-Verlag.