10 research outputs found

    Bitcoin Crypto - bounties for quantum capable adversaries

    With the advances in quantum computing over the last few years, researchers have started considering the implications for cryptocurrencies. As most digital signature schemes would be affected, it is somewhat reassuring that transition schemes to quantum-resistant signatures are already being considered for Bitcoin. In this work, we stress the danger of public key reuse, as it prevents users from recovering their funds in the presence of a quantum-enabled adversary regardless of any transition scheme the developers decide to implement. We emphasize this threat by quantifying the damage a functional quantum computer could inflict on Bitcoin (and Bitcoin Cash) by breaking exposed public keys.

    Protecting Quantum Procrastinators with Signature Lifting: A Case Study in Cryptocurrencies

    Current solutions to quantum vulnerabilities of widely used cryptographic schemes involve migrating users to post-quantum schemes before quantum attacks become feasible. This work deals with protecting quantum procrastinators: users that failed to migrate to post-quantum cryptography in time. To address this problem in the context of digital signatures, we introduce a technique called signature lifting, which allows us to lift a deployed pre-quantum signature scheme satisfying a certain property to a post-quantum signature scheme that uses the same keys. Informally, the said property is that a post-quantum one-way function is used somewhere along the way to derive the public key from the secret key. Our construction of signature lifting relies heavily on the post-quantum digital signature scheme Picnic (Chase et al., CCS'17). Our main case study is cryptocurrencies, where this property holds in two scenarios: when the public key is generated via a key-derivation function, or when the public-key hash is posted instead of the public key itself. We propose a modification, based on signature lifting, that can be applied in many cryptocurrencies for securely spending pre-quantum coins in the presence of quantum adversaries. Our construction improves upon existing constructions in two major ways: it is not limited to pre-quantum coins whose ECDSA public key has been kept secret (in particular, it handles all coins stored in addresses generated by HD wallets), and it does not require access to post-quantum coins or the use of side payments to pay for posting the transaction.
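The key-reuse threat in the first abstract and the "public-key hash posted instead of the public key" precondition in the second reduce to one question per unspent output: is the public key already on-chain, or only its hash? The following added example (not code from either paper) audits a constructed toy ledger for exactly that. It assumes a simplified transaction model (p2pk outputs carry the key, p2pkh outputs carry its hash, and spending a p2pkh output reveals the key in the scriptSig), uses placeholder byte strings in place of real EC public keys, and substitutes truncated SHA-256 for Bitcoin's hash160 so it runs without the ripemd160 OpenSSL provider.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TxOut:
    script_type: str   # "p2pk": public key is in the output script; "p2pkh": only its hash is
    key: bytes         # the public key (p2pk) or the public-key hash (p2pkh)
    value: int         # satoshis


@dataclass
class Tx:
    txid: str
    # each input: (previous txid, output index, public key revealed in the scriptSig, or None)
    inputs: List[Tuple[str, int, Optional[bytes]]]
    outputs: List[TxOut]


def pubkey_hash(pubkey: bytes) -> bytes:
    """Stand-in for Bitcoin's hash160 = RIPEMD160(SHA256(pk)).

    ASSUMPTION: truncated SHA-256 is used only so the example runs everywhere.
    The audit logic does not depend on which one-way hash sits between key and address.
    """
    return hashlib.sha256(pubkey).digest()[:20]


def audit_exposure(chain: List[Tx]) -> dict:
    """Classify every unspent output by whether its public key is already on-chain."""
    exposed_hashes = set()
    spent = set()
    # Pass 1: every p2pk output and every spending scriptSig publishes a public key.
    for tx in chain:
        for prev_txid, idx, revealed in tx.inputs:
            spent.add((prev_txid, idx))
            if revealed is not None:
                exposed_hashes.add(pubkey_hash(revealed))
        for out in tx.outputs:
            if out.script_type == "p2pk":
                exposed_hashes.add(pubkey_hash(out.key))
    # Pass 2: an unspent output is quantum-exposed if its key (or the hash of it) is in that set.
    result = {"exposed_value": 0, "hash_only_value": 0, "exposed_utxos": []}
    for tx in chain:
        for idx, out in enumerate(tx.outputs):
            if (tx.txid, idx) in spent:
                continue
            h = out.key if out.script_type == "p2pkh" else pubkey_hash(out.key)
            if h in exposed_hashes:
                result["exposed_value"] += out.value
                result["exposed_utxos"].append((tx.txid, idx))
            else:
                result["hash_only_value"] += out.value
    return result


BTC = 100_000_000  # satoshis per coin


def sample_chain() -> List[Tx]:
    """Constructed toy ledger; the 'public keys' are placeholder byte strings, not EC points."""
    pk_a, pk_b, pk_c, pk_d = (bytes([0x02]) + bytes([n]) * 32 for n in (1, 2, 3, 4))
    tx1 = Tx("tx1", inputs=[], outputs=[
        TxOut("p2pk", pk_a, 50 * BTC),                # legacy p2pk: key visible from day one
        TxOut("p2pkh", pubkey_hash(pk_b), 30 * BTC),  # hash only (spent below)
        TxOut("p2pkh", pubkey_hash(pk_c), 20 * BTC),  # hash only, never spent
    ])
    # Bob spends tx1:1, revealing pk_b, and sends change back to the SAME address (key reuse).
    tx2 = Tx("tx2", inputs=[("tx1", 1, pk_b)], outputs=[
        TxOut("p2pkh", pubkey_hash(pk_b), 10 * BTC),  # reused address: now exposed
        TxOut("p2pkh", pubkey_hash(pk_d), 20 * BTC),  # fresh address: hash only
    ])
    return [tx1, tx2]


if __name__ == "__main__":
    r = audit_exposure(sample_chain())
    print(f"exposed: {r['exposed_value'] / BTC} BTC in {r['exposed_utxos']}")
    print(f"hash-only (lifting candidates): {r['hash_only_value'] / BTC} BTC")
```

The "exposed" bucket is what an adversary who can solve the discrete logarithm could sweep no matter what transition scheme is deployed later; the "hash-only" bucket is protected only by the preimage resistance of the address hash, which is exactly the post-quantum one-way function between secret key and on-chain data that signature lifting builds on. A hash-only output stops being hash-only the moment a conventional spend publishes its key, which is why the change output sent back to Bob's old address is counted as exposed.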

    Efficient Proofs of Software Exploitability for Real-world Processors

    We consider the problem of proving in zero-knowledge the existence of vulnerabilities in executables compiled to run on real-world processors. We demonstrate that it is practical to prove knowledge of real exploits for real-world processor architectures without the need for source code and without limiting our consideration to narrow vulnerability classes. To achieve this, we devise a novel circuit compiler and a toolchain that produces highly optimized, non-interactive zero-knowledge proofs for programs executed on the MSP430, an ISA commonly used in embedded hardware. Our toolchain employs a number of novel optimizations to construct efficient proofs for program binaries. To demonstrate the capability of our system, we test our toolchain by constructing proofs for challenges in the Microcorruption capture-the-flag exercises.

    Enhancing Security and Transparency of User Data Systems with Blockchain Technology

    As blockchain gains popularity, interest in corporate use is also growing. One area where blockchain has seen increased use is systems that manage sensitive information, such as user data systems. In this thesis, commissioned by a stakeholder, blockchain is implemented in a user data system as a proof-of-concept prototype aiming to show that the implementation can enhance data security and transparency in user data systems. The first half of the thesis builds a theoretical framework. First, the fundamental theory of blockchain is examined, including an overview of blockchain's architecture and its security features: architecture and functionality at a general level, consensus methodology, and other security primitives such as hashes. Second, existing blockchain solutions that could inform the design of the proof-of-concept prototype are explored: a patient data system and an Internet-of-Things system. The patient data system case provided a solution in which blockchain is implemented as a separate component of the patient information system, while the Internet-of-Things solution provided insight into storing functional data in the blockchain while keeping the actual raw data in a separate database with restricted access. These solutions formed an adequate foundation; however, they could not be applied as-is, which led to the need to design a new solution. The latter half reports the implementation of the blockchain. First, the research method used in this thesis, the constructive research approach, is described; it aims to create a practical solution for a real-life problem. The prototype's primary requirement is that it should be able to record a log of activity in the user data system, telling who did what and to whom, without revealing any confidential information.
The prototype is implemented in a test environment using a separate database for storing the actual user data and a blockchain for storing data about activity in the user data system. The prototype's validity was tested using software testing methods, specifically integration testing and user acceptance testing. The research benefits the stakeholder with a working example showing one way of implementing a blockchain solution in commercial software. The research aims to show that the implemented blockchain solution can help monitor actions committed by users, enforce honest usage, and help spot malicious activity, thereby improving transparency and security. The research also has value for the scientific community through its practical demonstration of how a blockchain system could be implemented in sensitive user data systems and what its potential security benefits are. The next step for the study is evaluating the actual value of the implementation in the commercial software, i.e. proof-of-value research.
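The prototype's core requirement (an activity log of who did what and to whom, chained so that it cannot be silently altered, with raw user data kept in a separate restricted database) can be sketched without a full blockchain. The following added example is not the thesis's prototype code: it keeps a hash-chained, append-only log in which the subject is stored as an HMAC pseudonym rather than the user's identifier, and shows that editing a past entry is detected. The `AuditChain` class, the pseudonym key and the activity records are all constructed for this illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional


class AuditChain:
    """Append-only, hash-chained activity log.

    Each entry records who did what to whom. The subject is stored as an HMAC
    pseudonym so the chain itself reveals no confidential identity; the raw
    user records live in a separate, access-controlled database (the split the
    thesis prototype adopts). ASSUMPTION: a single operator holds `pseudonym_key`;
    a real deployment would keep it in a KMS/HSM.
    """

    GENESIS = "0" * 64

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self.entries: List[dict] = []

    def pseudonym(self, subject_id: str) -> str:
        # Keyed, so a reader of the chain cannot recover identifiers by hashing guesses.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def _digest(prev_hash: str, payload: dict) -> str:
        # Canonical JSON so the hash does not depend on dict ordering.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def append(self, actor: str, action: str, subject_id: str, timestamp: str) -> dict:
        payload = {
            "seq": len(self.entries),
            "ts": timestamp,
            "actor": actor,
            "action": action,
            "subject": self.pseudonym(subject_id),   # never the raw identity
        }
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {**payload, "prev": prev, "hash": self._digest(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose link is broken, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in ("seq", "ts", "actor", "action", "subject")}
            if e["prev"] != prev or e["seq"] != i or e["hash"] != self._digest(prev, payload):
                return i
            prev = e["hash"]
        return None

    def actions_by(self, actor: str) -> List[str]:
        return [e["action"] for e in self.entries if e["actor"] == actor]


def demo():
    """Constructed activity; shows that editing a past record is detected."""
    log = AuditChain(pseudonym_key=b"demo-only-key")
    log.append("admin.jane", "read_profile", "user:1001", "2024-01-05T09:00:00Z")
    log.append("admin.jane", "update_email", "user:1001", "2024-01-05T09:01:10Z")
    log.append("support.bob", "read_profile", "user:2002", "2024-01-05T09:03:42Z")
    intact = log.verify()          # None: chain is consistent
    # An insider rewrites history to hide the email change.
    log.entries[1]["action"] = "read_profile"
    tampered = log.verify()        # 1: the stored hash of entry 1 no longer matches
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

A single hash chain gives tamper-evidence for edits inside the log, not for truncating its tail or for an operator who rewrites every subsequent hash as well; that is what a consensus layer, or more cheaply a periodic anchoring of the latest hash under a signature or in another party's system, adds on top. The pseudonym is keyed, so someone reading the chain cannot resolve users by hashing guesses, while anyone holding the key can resolve them for an authorised investigation.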

    Imbalanced Cryptographic Protocols

    Efficiency is paramount when designing cryptographic protocols: heavy mathematical operations often increase computation time, even for modern computers, and they produce large amounts of data that need to be sent through (often limited) network connections. Therefore, many research efforts are invested in improving efficiency, sometimes leading to imbalanced cryptographic protocols. We define three types of imbalanced protocols: computationally, communicationally, and functionally imbalanced protocols. Computationally imbalanced cryptographic protocols appear when optimizing a protocol for one party having significantly more computing power. In communicationally imbalanced cryptographic protocols the messages mainly flow from one party to the others. Finally, in functionally imbalanced cryptographic protocols the functional requirements of one party strongly differ from those of the other parties. We start our study by looking into laconic cryptography, which fits both the computational and the communicational category. The emerging area of laconic cryptography involves the design of two-party protocols between a sender and a receiver, where the receiver's input is large. The key efficiency requirement is that the protocol's communication complexity must be independent of the receiver's input size. We show a new way to build laconic OT based on the new notion of Set Membership Encryption (SME), a new member in the area of laconic cryptography. SME allows a sender to encrypt to one recipient from a universe of receivers, while using a small digest of a large subset of receivers. A recipient can decrypt the message if and only if it is part of the large subset. As another example of a communicationally imbalanced protocol we look at NIZKs. We consider the problem of proving in zero-knowledge the existence of exploits in executables compiled to run on real-world processors.
Finally, we investigate the problem of constructing law enforcement access systems that mitigate the possibility of unauthorized surveillance, as a functionally imbalanced cryptographic protocol. We present two main constructions. The first construction enables prospective access, allowing surveillance only if encryption occurs after a warrant has been issued and activated. The second allows retrospective access to communications that occurred prior to a warrant's issuance.

    Securitisation and the Role of the State in Delivering UK Cyber Security in a New-Medieval Cyberspace

    Both the 2010 and the 2015 UK National Security Strategies identified threats from cyberspace as being among the most significant 'Tier One' threats to UK national security. These threats have been constructed as a threat to the state, a threat to the country's Critical National Infrastructure (CNI), a threat to future economic success and a threat to businesses and individual citizens. As a result, the response to this threat has historically been seen as a shared responsibility, with most potential victims of cyber-attack responsible for their own security and the UK state agencies operating as a source of advice and guidance to promote best practice in the private sector. A range of government departments, including the Cabinet Office, MI5 and GCHQ among others, have been responsible for the government's own cyber security. However, despite a budget allocation of £860 million for the 2010 – 2015 period, progress on reducing the frequency and cost of cyber-attacks was limited and the 2010 strategy for dealing with cyber security was widely seen as having failed. This led to a new National Cyber Security Strategy (NCSS) in 2016 which indicated a significant change in approach, in particular with a more proactive role for the state through the formation of the National Cyber Security Centre (NCSC) and a £1.6 billion budget for cyber security between 2016 and 2021. However, cyber-attacks remain a significant issue for many organisations in both the public and private sector, and attacks such as the WannaCry ransomware/wiper attack, UK-specific data breaches such as those witnessed in 2017 at Debenhams, Three, Wonga and ABTA, and breaches outside the UK that impacted UK citizens such as Equifax show that the frequency and impact of cyber security issues remain significant. The underlying cause of the insecurity of cyberspace is reflected in the metaphorical description of cyberspace as the wild west or as an ungoverned space.
This is a result of cyberspace features such as anonymity, problematic attribution and a transnational nature that can limit the effective reach of law enforcement agencies. When these features are combined with an increasing societal and economic dependence on information technology and mediated data, the potential economic impact of disruption to these systems increases and the value of the data for both legitimate and illegitimate purposes is enhanced. This thesis argues that cyberspace is not ungoverned, and that it is more accurate to consider cyberspace to be a New Medieval environment with multiple overlapping authorities. In fact, cyberspace has always been far from ungoverned; it is just differently governed from a realspace Westphalian nation state system. The thesis also argues that cyberspace is currently experiencing a 'Westphalian transformation', with the UK state (among many others) engaged in a process designed to assert its authority and impose state primacy in cyberspace. This assertion of state authority is being driven by an identifiable process of securitisation in response to the constructed existential threat posed by unchecked cyber-attacks by nation states and criminal enterprises. The Copenhagen School's securitisation theory has been used to inform an original analysis of key speech acts by state securitising actors, which has highlighted the key elements of the securitisation processes at work. This has clearly shown the development of the securitisation discourse, and the importance of referent objects and audience in asserting the state's authority through the securitisation process. Original qualitative data collected through in-depth semi-structured interviews with elite members of the cyber security community has provided insights into the key issues in cyber security that support the view that cyberspace has New Medieval characteristics.
The interview data has also allowed the construction of a view of the complexities of the cyberspace environment, the overlapping authorities of state and private sector organisations, and some of the key issues that arise. These issues are identified as being characteristic of a particularly complex form of policy problem referred to as a 'wicked problem'. An understanding of cyber security as a wicked problem may aid in the identification of possible future approaches for cyber security policy in the UK.

    Unmanned Aircraft Systems in the Cyber Domain

    Unmanned Aircraft Systems are an integral part of the US national critical infrastructure. The authors have endeavored to bring a breadth and quality of information to the reader that is unparalleled in the unclassified sphere. This textbook will fully immerse and engage the reader / student in the cyber-security considerations of the rapidly emerging technology that we know as unmanned aircraft systems (UAS). The first edition covered National Airspace (NAS) policy issues; information security (INFOSEC); UAS vulnerabilities in key systems (Sense and Avoid / SCADA); navigation and collision avoidance systems; stealth design; intelligence, surveillance and reconnaissance (ISR) platforms; weapons systems security; electronic warfare considerations; data-links, jamming, operational vulnerabilities and still-emerging political scenarios that affect US military / commercial decisions. This second edition discusses state-of-the-art technology issues facing US UAS designers. It focuses on counter unmanned aircraft systems (C-UAS), especially research designed to mitigate and terminate threats by swarms. Topics include high-altitude platforms (HAPS) for wireless communications; C-UAS and large-scale threats; acoustic countermeasures against swarms and building an Identification Friend or Foe (IFF) acoustic library; updates to the legal / regulatory landscape; UAS proliferation along the Chinese New Silk Road sea / land routes; and ethics in this new age of autonomous systems and artificial intelligence (AI).