Conversion Functions for Symmetric Key Ciphers

As a general design criterion, a symmetric key cipher should not be closed under functional composition due to the implications on the security of the cipher. However, there are scenarios in which this property is desirable and can be obtained without reducing the security of a cipher by increasing the computational workload of the cipher. We expand the idea of a symmetric key cipher being closed under functional composition to a more general scenario where there exists a function that converts the ciphertext resulting from encryption under a specific key to the ciphertext corresponding to encryption with another key. We show how to perform such a conversion without exposing the plaintext. We discuss the tradeoff between the computational workload and security, and the relationship between such conversions and proxy cryptography. We conclude with a discussion of some practical applications of our results

Conversion Functions for Symmetric Key Ciphers

As a general design criterion, a symmetric key cipher should not be closed under functional composition due to the implications on the security of the cipher. However, there are scenarios in which this property is desirable and can be obtained without reducing the security of a cipher by increasing the computational workload of the cipher. We expand the idea of a symmetric key cipher being closed under functional composition to a more general scenario where there exists a function that converts the ciphertext resulting from encryption under a specific key to the ciphertext corresponding to encryption with another key. We show how to perform such a conversion without exposing the plaintext. We discuss the tradeoff between the computational workload and security, and the relationship between such conversions and proxy cryptography. We conclude with a discussion of some practical applications of our results

Analysis and Implementation of the Messaging Layer Security Protocol

The use of messaging services on smartphones has increased considerably in recent years, due to the growth in the availability of mobile devices and the evolution of communication technologies via Internet, factors that have effectively replaced the use of text messages. This increase also concerned the use in the business environment, a context where the exchange of confidential information is more frequent and therefore the need to protect communication between two or more people. This is important not only on a security point of view, but also for personal privacy. The major global players have responded by implementing security measures within their services, such as end-to-end encryption and increasingly strict rules regarding the processing of personal data. In this thesis we will illustrate Messaging Layer Security, shortened as MLS, a new protocol under development that guarantees security and efficiency in group conversations. When in a conversation between two clients, security can be ensured through end-to-end encryption and key exchange. The problem arises when multiple actors participate in the conversation asynchronously: in this case the computational effort is considerable, even more so considering the use of mobile devices with reduced battery capacity that does not guarantee the continuous presence of the online device. The thesis will deal with both the architectural part, that is more general and traces the outline of the subject, and the protocol part, more technical and detailed. Finally, an implementation of MLS written in Rust and called Melissa will be illustrated, which provides all the basic functionalities indicated in the draft 05 version of the protocol

A Lightweight Cryptographic System for Implantable Biosensors

This paper presents a lightweight cryptographic system integrated onto a multi-function implantable biosensor prototype. The resulting heterogeneous system provides a unique and fundamental capability by immediately encrypting and signing the sensor data upon its creation within the body. By providing these security services directly on the implantable sensor, a number of low-level attacks can be prevented. This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode. The security module consists of the DuplexSponge security core and the interface wrapper. The security core occupies only 1550 gate- equivalents, which is the smallest authenticated encryption core reported to date. The circuit is fabricated using 0.18 μm CMOS technology and uses a supply voltage of 1.8 V. The simulated power consumption of the complete cryptosystem with a 500 KHz clock is below 7 μW

A Lightweight Cryptographic System for Implantable Biosensors

This paper presents a lightweight cryptographic system integrated onto a multi-function implantable biosensor prototype. The resulting heterogeneous system provides a unique and fundamental capability by immediately encrypting and signing the sensor data upon its creation within the body. By providing these security services directly on the implantable sensor, a number of low-level attacks can be prevented. This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode. The security module consists of the DuplexSponge security core and the interface wrapper. The security core occupies only 1550 gate- equivalents, which is the smallest authenticated encryption core reported to date. The circuit is fabricated using 0.18 μm CMOS technology and uses a supply voltage of 1.8 V. The simulated power consumption of the complete cryptosystem with a 500 KHz clock is below 7 μW

On the Impossibility of Approximate Obfuscation and Applications to Resettable Cryptography

The traditional notion of {\em program obfuscation} requires that an obfuscation $\tilde{f}$ of a program $f$ computes the exact same function as $f$, but beyond that, the code of $\tilde{f}$ should not leak any information about $f$. This strong notion of {\em virtual black-box} security was shown by Barak et al. (CRYPTO 2001) to be impossible to achieve, for certain {\em unobfuscatable function families}. The same work raised the question of {\em approximate obfuscation}, where the obfuscated $\tilde{f}$ is only required to approximate $\tilde{f}$; that is, $\tilde{f}$ only agrees with $f$ on some input distribution. We show that, assuming {\em trapdoor permutations}, there exist families of {\em robust unobfuscatable functions} for which even approximate obfuscation is impossible. That is, obfuscation is impossible even if the obfuscated $\tilde{f}$ only agrees with $f$ with probability slightly more than $\frac{1}{2}$, on a uniformly sampled input (below $\frac{1}{2}$-agreement, the function obfuscated by $\tilde{f}$ is not uniquely defined). Additionally, we show that, assuming only one-way functions, we can rule out approximate obfuscation where $\tilde{f}$ is not allowed to err, but may refuse to compute $f$ with probability close to $1$. We then demonstrate the power of robust unobfuscatable functions by exhibiting new implications to resettable protocols that so far have been out of our reach. Concretely, we obtain a new non-black-box simulation technique that reduces the assumptions required for resettably-sound zero-knowledge protocols to {\em one-way functions}, as well as reduce round-complexity. We also present a new simplified construction of simultaneously resettable zero-knowledge protocols that does not rely on collision-resistent hashing. Finally, we construct a three-message simultaneously resettable \WI {\em argument of knowledge} (with a non-black-box knowledge extractor). Our constructions are based on a special kind of ``resettable slots that are useful for a non-black-box simulator, but not for a resetting prover

Intruder deducibility constraints with negation. Decidability and application to secured service compositions

The problem of finding a mediator to compose secured services has been reduced in our former work to the problem of solving deducibility constraints similar to those employed for cryptographic protocol analysis. We extend in this paper the mediator synthesis procedure by a construction for expressing that some data is not accessible to the mediator. Then we give a decision procedure for verifying that a mediator satisfying this non-disclosure policy can be effectively synthesized. This procedure has been implemented in CL-AtSe, our protocol analysis tool. The procedure extends constraint solving for cryptographic protocol analysis in a significative way as it is able to handle negative deducibility constraints without restriction. In particular it applies to all subterm convergent theories and therefore covers several interesting theories in formal security analysis including encryption, hashing, signature and pairing.Comment: (2012

Secure Multiparty Computation from SGX

International audienceIsolated Execution Environments (IEE) offered by novel commodity hardware such as Intel's SGX deployed in Skylake processors permit executing software in a protected environment that shields it from a malicious operating system; it also permits a remote user to obtain strong interactive attestation guarantees on both the code running in an IEE and its input/output behaviour. In this paper we show how IEEs provide a new path to constructing general secure multiparty computation (MPC) protocols. Our protocol is intuitive and elegant: it uses code within an IEE to play the role of a trusted third party (TTP), and the attestation guarantees of SGX to bootstrap secure communications between participants and the TTP. In our protocol the load of communications and computations on participants only depends on the size of each party's inputs and outputs and is thus small and independent from the intricacy of the functionality to be computed. The remaining computational load-essentially that of computing the functionality-is moved to an untrusted party running an IEE-enabled machine, an appealing feature for Cloud-based scenarios. However, as often the case even with the simplest cryptographic protocols, we found that there is a large gap between this intuitively appealing solution and a protocol with rigorous security guarantees. We bridge this gap through a comprehensive set of results that include: i. a detailed construction of a protocol for secure computation for arbitrary functionalities; ii. formal security definitions for the security of the overall protocol and that of its components; and iii. a modular security analysis of our protocol that relies on a novel notion of labeled attested computation. We implemented and extensively evaluated our solution on SGX-enabled hardware, providing detailed measurements of our protocol as well as comparisons with software-only MPC solutions. Furthermore, we show the cost induced by using constant-time, i.e., timing side channel resilient, code in our implementation