Performing Computations on Hierarchically Shared Secrets

Hierarchical secret sharing schemes distribute a message to a set of shareholders with different reconstruction capabilities. In distributed storage systems, this is an important property because it allows to grant more reconstruction capability to better performing storage servers and vice versa. In particular, Tassa\u27s conjunctive and disjunctive hierarchical secret sharing schemes are based on Birkhoff interpolation and perform equally well as Shamir\u27s threshold secret sharing scheme. Thus, they are promising candidates for distributed storage systems. A key requirement is the possibility to perform function evaluations over shared data. However, practical algorithms supporting this have not been provided yet with respect to hierarchical secret sharing schemes. Aiming at closing this gap, in this work, we show how additions and multiplications of shares can be practically computed using Tassa\u27s conjunctive and disjunctive hierarchical secret sharing schemes. Furthermore, we provide auditing procedures for operations on messages shared hierarchically, which allow to verify that functions on the shares have been performed correctly. We close this work with an evaluation of the correctness, security, and efficiency of the protocols we propose

On Security Notions for Multi-Party Computation

Die meisten Sicherheitsbegriffe, die heutzutage benutzt werden, stammen aus den 1980ern. Doch durch ein seitdem besseres Verständnis der Theorie stellt sich die Frage, ob sie nicht weiterentwickelt werden können. Ein begrenzender Faktor sind hierbei sogenannte Unmöglichkeitsbeweise, die mathematisch beweisen, welche Sicherheitsgarantien nicht erfüllt werden können. Diese liefern einen begrenzenden Faktor, ihre Aussage sollte jedoch nicht übertrieben werden. Der Beweis ist nur in seinem eigenen Setting gültig und deckt nur genau den einen Sicherheitsbegriff ab. Historisch haben sich die etablierten Sicherheitsbegriffe jedoch zu etwas deutlich schwächerem entwickelt, wodurch eine Lücke zwischen dem entstanden ist, was praktisch benutzt wird, und dem, was bekanntermaßen unmöglich ist. In dieser Promotion zeigen wir einige dieser Lücken auf und untersuchen Sicherheitsbegriffe, die mit Sicherer Mehrparteienberechnung (MPC) zusammenhängen, und die zwischen den Etablierten und den Unmöglichen liegen. Abbildung von Geschäftsmodellen und Gesetzlichen Regelungen in MPC. Mit Sicherer Mehrparteienberechnung (MPC) können Parteien eine Funktion über privaten Eingaben auf sichere Weise so berechnen, dass nichts über die Eingaben der anderen Parteien bekannt wird außer die Ausgabe der Funktion. Heutzutage hat MPC nur einen vergleichsweise geringen Mehraufwand im Vergleich zur direkten Berechnung. Und obwohl Datensparsamkeit in der Praxis belohnt wird, wird MPC kaum benutzt. Wir glauben dass einer der Gründe dafür, dass MPC in Praxis kaum benutzt wird, darin liegt, dass es Geschäftsmodelle und gesetzliche Regelungen ignoriert die eine gewisse Leakage der Daten benötigen, während allgemeines MPC auf fast-perfekte Privatsphäre hinarbeitet. Wir präsentieren einen neuen Baustein, der es Geschäften---die durch einen zentralen Operator repräsentiert werden---ermöglicht, effizient die gewünschte Menge an Leakage abzubilden, die benötigt wird, um das Geschäft aufrechtzuerhalten oder um gesetzliche Vorgaben zu erfüllen, während Nutzer anonym und ohne durch mehrere Interaktionen hinweg verlinkt werden können Daten sammeln. Wir modellieren die Anforderungen im Universal Composability (UC) Framework. Dadurch wird garantiert, dass die Sicherheitsgarantien unabhängig davon halten, welche Protokolle parallel ausgeführt werden. Trotz dieser starken Sicherheitsgarantien ist das Protokoll dabei effizient genug, um auf moderner Hardware ausgeführt zu werden, selbst wenn der Nutzer die Daten auf Smartphones mit beschränkter Rechenleistung sammeln. (Fetzer, Keller, Maier, Raiber, Rupp, Schwerdt, PETS 2022) Eine Instantiierung stärkerer Commitments. Mit einem Bit Commitment Schema kann sich ein Sender gegenüber eines Empfängers auf ein Bit festlegen, ohne das dabei zu offenbaren (hiding), aber auf eine Art die es dem Sender nicht erlaubt, den Empfänger später davon zu überzeugen, dass das Commitment auf ein anderes Bit festgelegt wurde (binding). In der Quantenwelt sind Commitments stark genug, um MPC zu konstruieren, weswegen es einen Anreiz gibt, Commitments so sicher wie möglich zu machen; jedoch sagen Unmöglichkeitsbeweise aus, dass beide Sicherheitsbegriffe -- hiding und binding -- gleichzeitig nicht bedingungslos halten können. Als Konsequenz weichen moderne Bit Commitment Schemas eine Sicherheitseigenschaft auf, die dann nur noch computationally halten, also auf Grundlage komplexitätstheoretischer Annahmen. Wir stellen das erste Bit Commitment Protokoll im Quantum Random Oracle Modle (QROM) vor, das bedingungslose Sicherheit für den Empfänger (binding) und langfristige Sicherheit für den Sender (hiding) bietet und das dabei keine Zusatzhardware benötigt. Unser Resultat basiert auf einer neuen Annahme über die Schwierigkeit, Quantenzustände über einen langen Zeitraum zu speichern. Langfristige Sicherheit modelliert technischen Fortschritt des Angreifers, da Transkripte, die heutzutage nicht effizient gebrochen werden können, in Zukunft vielleicht einfach extrahierbar sind, sobald schnellere Maschinen verfügbar sind. Wir beweisen die Sicherheit des Commitment Protokolls im QROM unter oben genannter Annahme und zeigen, dass eine Instantiierung im Standardmodell zu einem neuen Angriff auf die langfristige Hiding-Eigenschaft zulässt. (Döttling, Koch, Maier, Mechler, Müller, Müller-Quade, Tiepelt, IN EINREICHUNG) Undetectable Multi-Party Computation. Covert MPC ist eine Erweiterung von MPC, die nicht nur die Eingaben versteckt, sondern das gesamte Vorhandensein der Berechnung. Teilnehmer lernen nur dann die Ausgabe, wenn alle anderen Parteien das Protokoll ausgeführt haben und die Ausgabe für alle Parteien vorteilhaft ist. Anderenfalls lernen die Teilnehmer nichts, nicht mal, welche anderen Parteien versucht haben, an der Berechnung teilzunehmen. Ein einzelner Nichtteilnehmer kann unabsichtlich die gesamte Berechnung abbrechen. Daher stellt sich die Frage: können $N$ Teilnehmer eine Berechnung ausführen, während $K > N$ Parteien anwesend sind, und bei der die Ausgabe nur von den Eingaben der $N$ Teilnehmer abhängt, während die Identität der anderen Teilnehmer unter den anwesenden Parteien versteckt wird? Dies sollte insbesondere dann gelten, wenn die restlichen Parteien nicht wissen, dass eine Berechnung im Gang ist. Wir verknüpfen diese Frage mit der theoretischen Machbarkeit von Anonymen Whistleblowing, bei dem eine einzelne Partei versucht, eine Nachricht preiszugeben, ohne dabei die eigene Identität zu offenbaren und ohne dass sich die anderen Parteien auf irgendeine besondere Art verhalten müssen. Leider zeigen wir dass keine Primitive sowohl Korrektheit und Anonymität mit überwältigender Wahrscheinlichkeit im asymptotischen Setting erreichen kann, selbst unter sehr starken Annahmen. Jedoch konstruieren wir eine heuristische Instantiierung im Fine-Grained setting mit überwältigender Korrektheit und jeder beliebigen Ziel-Anonymität. Unsere Ergebnisse liefern starke Grundlagen für die Untersuchung der Möglichkeit von Anonymen Nachrichtentransfer durch authentifizierte Kanäle, ein faszinierendes Ziel von dem wir glauben, dass es von grundlegendem Interesse ist. (Agrikola, Couteau, Maier, TCC 2022

Universally Verifiable Poll-Site Voting Schemes Providing Everlasting Privacy

Computer based voting brings up huge challenges for technology. On the one hand an electronic voting system has to be transparent enough to allow verification of its correct functioning; on the other hand, it must ensure that these verification procedures do not allow an attacker to violate voter privacy. Both requirements can be addressed by providing cryptographically secured voting receipts. Each voter cast his or her vote in encoded form and receives a copy of the recorded ballot as receipt. The voters can use these receipts to verify that their vote is contained in the input of the tally. Furthermore, the encoded votes are publicly processed, which allows voters and observers to check that the election outcome has been determined correctly. However, to provide a private and free election, no voter should be able to prove to someone else for whom he or she voted. This must not only be prevented during the election, but also afterwards for an indefinite period of time. Especially with respect to everlasting privacy this is not ensured by most verifiable voting systems. If the receipt contains, for instance, the voting decision encrypted using some public key cryptography, an attacker can determine the candidates selected as soon as the underlying computational problem has been solved for the key length chosen. In this work we provide a summary of privacy weaknesses that may arise in verifiable electronic poll-site voting systems, and we identify and solve open issues. More precisely, we concentrate on the following three questions: (1) How can we show correct anonymization of votes in an efficient and privacy preserving manner using a generic approach? (2) How can we introduce everlasting privacy to mixing and homomorphic tallying based voting schemes? (3) How can we reduce the amount of trust voters have to put in authorities regarding privacy? In electronic voting so-called reencryption mix-nets are used to anonymize votes. These mix-nets shuffles votes in a universally verifiable manner, i.e., they publish some audit information allowing voters and observers to verify that the votes came out as they went in. In practice, mostly generic verification procedures are used to show correctness of this process. However, many of them do not provide an adequate level of privacy. To address (1), we investigate several proposals and introduce a new protocol that combines existing approaches but improves them with respect to privacy and efficiency. Another drawback of mixing based voting schemes is that all implementations provide computational privacy only. We address (2) by presenting a mix-net that uses a homomorphic and unconditionally hiding commitment scheme to encode the votes and audit data, implying everlasting privacy. The correctness of the anonymization process is guaranteed with overwhelming probability, even if all authorities collaborate. An implication of our result is that many current voting systems that use mix-nets can be upgraded to everlasting privacy. Subsequently, we show that this protocol can be applied to Prêt à Voter and Split-Ballot imposing only minor changes to current implementations. The same approach is used to introduce everlasting privacy to homomorphic tallying based schemes. The votes are encoded with an unconditionally hiding commitment scheme, they are homomorphically tallied in public, and the result is decoded afterwards. To show that our solution can be applied to poll-site voting, we describe how the Scratch & Vote voting system can be improved using our tallying protocol. Again only minor changes to the classical scheme are necessary. To address (3), the approach of non-personalized receipts is analyzed. If the receipts handed out to the voters do not contain a link to their vote cast, they do not have to put their trust in authorities keeping this association secret. We introduce an electronic ballot box that generates non-personalized receipts using a process that is similar to the anonymization procedure carried out by mix-nets. The correctness of the receipt generation is universally verifiable. Furthermore, our approach improves on existing solutions with respect to correctness and privacy. Finally, we compare all voting systems that are improved in this work, highlight their advantages and disadvantages, and conclude with key issues for future work

Voting with unconditional privacy: CFSY for booth voting

In this note we simplify the Cramer, Franklin, Schoenmaker and Yung internet voting protocol to the booth setting. In it, objects of the form $g_0^r g_1^{x_1}...g_l^{x_l}$ are used to define an unconditionally hiding commitment scheme. Because of their homomorphic properties they are particularly suited for voting protocols with unconditional privacy. In fact, we show that almost all existing protocols that provide unconditional privacy use or could benefit from these commitments. Even though we present no novelty from a cryptographic perpective, the protocol presented is interesting from a voting perspective because it is simple enough to be understood by non-cryptographers, yet very powerful

Long-Term Confidential Secret Sharing-Based Distributed Storage Systems

Secret sharing-based distributed storage systems can provide long-term protection of confidentiality and integrity of stored data. This is achieved by periodically refreshing the stored shares and by checking the validity of the generated shares through additional audit data. However, in most real-life environments (e.g. companies), this type of solution is not optimal for three main reasons. Firstly, the access rules of state of the art secret sharing-based distributed storage systems do not match the hierarchical organization in place in these environments. Secondly, data owners are not supported in selecting the most suitable storage servers while first setting up the system nor in maintaining it secure in the long term. Thirdly, state of the art approaches require computationally demanding and unpractical and expensive building blocks that do not scale well. In this thesis, we mitigate the above mentioned issues and contribute to the transition from theory to more practical secret sharing-based long-term secure distributed storage systems. Firstly, we show that distributed storage systems can be based on hierarchical secret sharing schemes by providing efficient and secure algorithms, whose access rules can be adapted to the hierarchical organization of a company and its future modifications. Secondly, we introduce a decision support system that helps data owners to set up and maintain a distributed storage system. More precisely, on the one hand, we support data owners in selecting the storage servers making up the distributed storage system. We do this by providing them with scores that reflect their actual performances, here used in a broad sense and not tied to a specific metric. These are the output of a novel performance scoring mechanism based on the behavioral model of rational agents as opposed to the classical good/bad model. On the other hand, we support data owners in choosing the right secret sharing scheme parameters given the performance figures of the storage servers and guide them in updating them accordingly with the updated performance figures so as to maintain the system secure in the long term. Thirdly, we introduce efficient and affordable distributed storage systems based on a trusted execution environment that correctly outsources the data and periodically computes valid shares. This way, less information-theoretically secure channels have to be established for confidentiality guarantees and more efficient primitives are used for the integrity safeguard of the data. We present a third-party privacy-preserving mechanism that protects the integrity of data by checking the validity of the shares

Information-Theoretic Privacy in Verifiable Outsourced Computation

Today, it is common practice to outsource time-consuming computations to the cloud. Using the cloud allows anyone to process large quantities of data without having to invest in the necessary hardware, significantly lowering cost requirements. In this thesis we will consider the following work flow for outsourced computations: A data owner uploads data to a server. The server then computes some function on the data and sends the result to a third entity, which we call verifier. In this scenario, two fundamental security challenges arise. A malicious server may not perform the computation correctly, leading to an incorrect result. Verifiability allows for the detection of such results. In order for this to be practical, the verification procedure needs to be efficient. The other major challenge is privacy. If sensitive data, for example medical data is processed it is important to prevent unauthorized access to such sensitive information. Particularly sensitive data has to be kept confidential even in the long term. The field of verifiable computing provides solutions for the first challenge. In this scenario, the verifier can check that the result that was given was computed correctly. However, simultaneously addressing privacy leads to new challenges. In the scenario of outsourced computation, privacy comes in different flavors. One is privacy with respect to the server, where the goal is to prevent the server from learning about the data processed. The other is privacy with respect to the verifier. Without using verifiable computation the verifier obviously has less information about the original data than the data owner - it only knows the output of the computation but not the input to the computation. If this third party verifier however, is given additional cryptographic data to verify the result of the computation, it might use this additional information to learn information about the inputs. To prevent that a different privacy property we call privacy with respect to the verifier is required. Finally, particularly sensitive data has to be kept confidential even in the long term, when computational privacy is not suitable any more. Thus, information-theoretic measures are required. These measures offer protection even against computationally unbounded adversaries. Two well-known approaches to these challenges are homomorphic commitments and homomorphic authenticators. Homomorphic commitments can provide even information-theoretic privacy, thus addressing long-term security, but verification is computationally expensive. Homomorphic authenticators on the other hand can provide efficient verification, but do not provide information-theoretic privacy. This thesis provides solutions to these research challenges -- efficient verifiability, input-output privacy and in particular information-theoretic privacy. We introduce a new classification for privacy properties in verifiable computing. We propose function-dependent commitment, a novel framework which combines the advantages of homomorphic commitments and authenticators with respect to verifiability and privacy. We present several novel homomorphic signature schemes that can be used to solve verifiability and already address privacy with respect to the verifier. In particular we construct one such scheme fine-tailored towards multivariate polynomials of degree two as well as another fine-tailored towards linear functions over multi-sourced data. The latter solution provides efficient verifiability even for computations over data authenticated by different cryptographic keys. Furthermore, we provide transformations for homomorphic signatures that add privacy. We first show how to add computational privacy and later on even information-theoretic privacy. In this way, we turn homomorphic signatures into function-dependent commitments. By applying this transformation to our homomorphic signature schemes we construct verifiable computing schemes with information-theoretic privacy

Distributed Differentially Private Averaging with Improved Utility and Robustness to Malicious Parties

Learning from data owned by several parties, as in federated learning, raises challenges regarding the privacy guarantees provided to participants and the correctness of the computation in the presence of malicious parties. We tackle these challenges in the context of distributed averaging, an essential building block of distributed and federated learning. Our first contribution is a novel distributed differentially private protocol which naturally scales with the number of parties. The key idea underlying our protocol is to exchange correlated Gaussian noise along the edges of a network graph, complemented by independent noise added by each party. We analyze the differential privacy guarantees of our protocol and the impact of the graph topology, showing that we can match the accuracy of the trusted curator model even when each party communicates with only a logarithmic number of other parties chosen at random. This is in contrast with protocols in the local model of privacy (with lower accuracy) or based on secure aggregation (where all pairs of users need to exchange messages). Our second contribution is to enable users to prove the correctness of their computations without compromising the efficiency and privacy guarantees of the protocol. Our construction relies on standard cryptographic primitives like commitment schemes and zero knowledge proofs.Comment: 39 page

Flexible Long-Term Secure Archiving

Privacy and data protection have always been basic human needs in any society that makes use of written language. From simple personal correspondence over military communication to trade secrets or medical information, confidentiality has been of utmost importance. The implications of a leak of such sensitive information may prove devastating, as the previous examples illustrate perfectly. Furthermore reliability, that is, integrity and authenticitiy of information, is critical with risks reaching from annoying to lethal as can again be seen in the previous examples. This need for data protection has carried over from the analogue to the digital age seamlessly with the amount of data being generated, transmitted and stored increasing steadily and containing more and more personal details. And in regard of the developments in computational technology that recent years have seen, such as the ongoing improvements with respect to quantum computing as well as cryptoanalytical advances, the capabilities of attackers on the security of private information have never been more distinct. Thus the need for privacy and data protection has rarely been more dire