
    End-to-End Encrypted Group Messaging with Insider Security

    Our society has become heavily dependent on electronic communication, and preserving the integrity of this communication has never been more important. Cryptography is a tool that can help to protect the security and privacy of these communications. Secure messaging protocols like OTR and Signal typically employ end-to-end encryption technology to mitigate some of the most egregious adversarial attacks, such as mass surveillance. However, the secure messaging protocols deployed today suffer from two major omissions: they do not natively support group conversations with three or more participants, and they do not fully defend against participants that behave maliciously. Secure messaging tools typically implement group conversations by establishing pairwise instances of a two-party secure messaging protocol, which limits their scalability and makes them vulnerable to insider attacks by malicious members of the group. Insiders can often perform attacks such as rendering the group permanently unusable, causing the state of the group to diverge for the other participants, or covertly remaining in the group after appearing to leave. It is increasingly important to prevent these insider attacks as group conversations become larger, because there are more potentially malicious participants. This dissertation introduces several new protocols that can be used to build modern communication tools with strong security and privacy properties, including resistance to insider attacks. Firstly, the dissertation addresses a weakness in current two-party secure messaging tools: malicious participants can leak portions of a conversation alongside cryptographic proof of authorship, undermining confidentiality. The dissertation introduces two new authenticated key exchange protocols, DAKEZ and XZDH, with deniability properties that can prevent this type of attack when integrated into a secure messaging protocol. 
DAKEZ provides strong deniability in interactive settings such as instant messaging, while XZDH provides deniability for non-interactive settings such as mobile messaging. These protocols are accompanied by composable security proofs. Secondly, the dissertation introduces Safehouse, a new protocol that can be used to implement secure group messaging tools for a wide range of applications. Safehouse solves the difficult cryptographic problems at the core of secure group messaging protocol design: it securely establishes and manages a shared encryption key for the group and ephemeral signing keys for the participants. These keys can be used to build chat rooms, team communication servers, video conferencing tools, and more. Safehouse enables a server to detect and reject protocol deviations, while still providing end-to-end encryption. This allows an honest server to completely prevent insider attacks launched by malicious participants. A malicious server can still perform a denial-of-service attack that renders the group unavailable or "forks" the group into subgroups that can never communicate again, but other attacks are prevented, even if the server colludes with a malicious participant. In particular, an adversary controlling the server and one or more participants cannot cause honest participants' group states to diverge (even in subtle ways) without also permanently preventing them from communicating, nor can the adversary arrange to covertly remain in the group after all of the malicious participants under its control are removed from the group. Safehouse supports non-interactive communication, dynamic group membership, mass membership changes, an invitation system, and secure property storage, while offering a variety of configurable security properties including forward secrecy, post-compromise security, long-term identity authentication, strong deniability, and anonymity preservation. 
The dissertation includes a complete proof-of-concept implementation of Safehouse and a sample application with a graphical client. Two sub-protocols of independent interest are also introduced: a new cryptographic primitive that can encrypt multiple private keys to several sets of recipients in a publicly verifiable and repeatable manner, and a round-efficient interactive group key exchange protocol that can instantiate multiple shared key pairs with a configurable knowledge relationship.

    A study of KEM generalizations

    NIST, in its recent competition on quantum-resilient confidentiality primitives, requested the submission of exclusively KEMs. The task of KEMs is to establish secure session keys that can drive, amongst others, public key encryption and TLS-like secure channels. In this work we test the KEM abstraction in the context of constructing cryptographic schemes that are not subsumed in the PKE and secure channels categories. We find that, when used to construct a key transport scheme or when used within a secure combiner, the KEM abstraction imposes certain inconvenient limits, the settling of which requires the addition of auxiliary symmetric primitives. We hence investigate generalizations of the KEM abstraction that allow a considerably simplified construction of the above primitives. In particular, we study VKEMs and KDFEMs, which augment classic KEMs with label inputs, encapsulation handle outputs, and key derivation features, and we demonstrate that they can be transformed into KEM combiners and key transport schemes without requiring auxiliary components. We finally show that all four finalist KEMs of the NIST competition are effectively KDFEMs. Our conclusion is that only very mild adjustments are necessary to significantly increase their versatility.
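The limitation the abstract describes is easy to see in code. The following is an added example, not code from the paper: a textbook hashed Diffie-Hellman KEM over two toy groups (127-bit and 89-bit Mersenne primes with generator 5, an assumption made so the example runs offline; these groups are far too small for real use), followed by a KEM combiner and a key-transport scheme built on the plain Encaps/Decaps interface. Both constructions are standard folklore shapes chosen for illustration, not the paper's VKEM/KDFEM definitions, and both need the same external ingredient: an HMAC-SHA-256 KDF, i.e. exactly the auxiliary symmetric primitive the abstract says a bare KEM forces you to add.

```python
"""Added example: a toy KEM and two constructions (combiner, key transport)
that a bare KEM interface cannot provide without an auxiliary symmetric
primitive.  Group parameters are an assumption for offline use, NOT secure."""
import hashlib
import hmac
import secrets

KEM_A = (2**127 - 1, 5)   # (modulus, generator) of the first toy KEM instance
KEM_B = (2**89 - 1, 5)    # an independent second instance to combine with


def _i2b(x: int, p: int) -> bytes:
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


def kem_keygen(params):
    p, g = params
    sk = secrets.randbelow(p - 2) + 1
    return sk, pow(g, sk, p)


def kem_encaps(params, pk):
    """The plain KEM interface: only (ciphertext, key) come out."""
    p, g = params
    r = secrets.randbelow(p - 2) + 1
    ct = _i2b(pow(g, r, p), p)
    return ct, hashlib.sha256(_i2b(pow(pk, r, p), p)).digest()


def kem_decaps(params, sk, ct):
    p, _ = params
    return hashlib.sha256(_i2b(pow(int.from_bytes(ct, "big"), sk, p), p)).digest()


def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """The auxiliary symmetric primitive: HMAC-SHA-256 used as a KDF."""
    return hmac.new(key, label + context, hashlib.sha256).digest()


# KEM combiner: encapsulate under both instances and derive one key that
# depends on both shared keys AND both ciphertexts.  Nothing in the KEM
# interface itself binds the ciphertexts or merges the keys, so the KDF does.
def combiner_encaps(pk_a, pk_b):
    ct_a, k_a = kem_encaps(KEM_A, pk_a)
    ct_b, k_b = kem_encaps(KEM_B, pk_b)
    return (ct_a, ct_b), kdf(k_a + k_b, b"combiner", ct_a + ct_b)


def combiner_decaps(sk_a, sk_b, cts):
    ct_a, ct_b = cts
    k_a = kem_decaps(KEM_A, sk_a, ct_a)
    k_b = kem_decaps(KEM_B, sk_b, ct_b)
    return kdf(k_a + k_b, b"combiner", ct_a + ct_b)


# Key transport: the sender wants to deliver a key it chose, but a KEM only
# ever outputs a random key, so the KEM key is expanded into a one-time pad
# plus a MAC key that wrap and authenticate the chosen key.
def transport_send(pk, chosen_key: bytes):
    assert len(chosen_key) <= 32, "toy pad is a single SHA-256 output"
    ct, k = kem_encaps(KEM_A, pk)
    pad = kdf(k, b"wrap")
    wrapped = bytes(a ^ b for a, b in zip(chosen_key, pad))
    tag = kdf(k, b"mac", ct + wrapped)
    return ct, wrapped, tag


def transport_recv(sk, ct, wrapped, tag):
    k = kem_decaps(KEM_A, sk, ct)
    if not hmac.compare_digest(tag, kdf(k, b"mac", ct + wrapped)):
        raise ValueError("key transport: authentication failed")
    pad = kdf(k, b"wrap")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


if __name__ == "__main__":
    sk_a, pk_a = kem_keygen(KEM_A)
    sk_b, pk_b = kem_keygen(KEM_B)
    cts, k = combiner_encaps(pk_a, pk_b)
    assert combiner_decaps(sk_a, sk_b, cts) == k
    ct, w, t = transport_send(pk_a, bytes(range(32)))
    assert transport_recv(sk_a, ct, w, t) == bytes(range(32))
    print("combiner and key transport round-trip OK")
```

Note where the `kdf` calls sit: the combiner cannot be written without one (there is no KEM operation that takes two keys or a ciphertext as input), and key transport needs both a wrapping pad and a MAC on top of Encaps. A KDFEM-style interface that accepts a label and exposes an encapsulation handle absorbs those calls into the KEM itself, which is the simplification the abstract argues for.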

    Post-Quantum Signal Key Agreement with SIDH

    In the effort to transition cryptographic primitives and protocols to quantum-resistant alternatives, an interesting and useful challenge is found in the Signal protocol. The initial key agreement component of this protocol, called X3DH, has so far proved more subtle to replace - in part due to the unclear security model and properties the original protocol is designed for. This paper defines a formal security model for the original Signal protocol, in the context of the standard eCK and CK+ type models, which we call the Signal-adapted-CK model. We then propose a secure replacement for the Signal X3DH key exchange protocol based on SIDH, and provide a proof of security in the Signal-adapted-CK model, showing our protocol satisfies all security properties of the original Signal X3DH. We call this new protocol SI-X3DH. Our protocol refutes the claim of Brendel, Fischlin, Günther, Janson, and Stebila [Selected Areas in Cryptography (2020)] that SIDH cannot be used to construct a secure X3DH replacement due to adaptive attacks. Unlike the generic constructions proposed in the literature, our protocol achieves deniability without expensive machinery such as post-quantum ring signatures. It also benefits from the efficiency of SIDH as a key-exchange protocol, compared to other post-quantum key exchange protocols such as CSIDH.
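For readers who want the structure of the protocol being replaced in front of them, here is the classical X3DH key agreement as an added example (not code from the SI-X3DH paper or from Signal). It runs over a toy DH group (127-bit Mersenne prime, generator 5) with a toy Schnorr-style signature for Bob's signed prekey and an HMAC-SHA-256 stand-in for HKDF; all three are assumptions made so the example runs offline, whereas real X3DH uses X25519/X448, XEdDSA and HKDF. The four DH computations, the verification of the signed prekey, and the fact that Alice signs nothing (the basis of X3DH's deniability claim) are what the post-quantum replacement has to reproduce.

```python
"""Added example: classical Signal X3DH over a toy DH group.
Group, signature and KDF are insecure stand-ins chosen for an offline demo."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (assumption); NOT a secure group
G = 5
Q = P - 1        # exponent modulus: g^(P-1) = 1 mod P for any g coprime to P


def dh_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def dh(sk: int, pk: int) -> bytes:
    return pow(pk, sk, P).to_bytes(16, "big")


def sign(sk: int, msg: bytes):
    """Toy Schnorr signature, used only for Bob's signed prekey."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
    return r, (k - e * sk) % Q


def verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
    return (pow(G, s, P) * pow(pk, e, P)) % P == r   # g^s * y^e == g^k


def kdf(dhs) -> bytes:
    # X3DH prepends 32 0xFF bytes (for X25519) to the DH outputs before HKDF;
    # a fixed-key HMAC stands in for HKDF here.
    return hmac.new(b"X3DH-toy", b"\xff" * 32 + b"".join(dhs), hashlib.sha256).digest()


def bob_publish():
    """Bob's prekey bundle as the server would hand it out, plus his secrets."""
    ik_sk, ik_pk = dh_keygen()     # long-term identity key
    spk_sk, spk_pk = dh_keygen()   # medium-term signed prekey
    opk_sk, opk_pk = dh_keygen()   # one-time prekey
    bundle = {"IK": ik_pk, "SPK": spk_pk,
              "sig": sign(ik_sk, spk_pk.to_bytes(16, "big")), "OPK": opk_pk}
    return bundle, {"IK": ik_sk, "SPK": spk_sk, "OPK": opk_sk}


def alice_initiate(ik_a_sk: int, ik_a_pk: int, bundle):
    if not verify(bundle["IK"], bundle["SPK"].to_bytes(16, "big"), bundle["sig"]):
        raise ValueError("signed prekey signature invalid")
    ek_sk, ek_pk = dh_keygen()     # Alice's ephemeral key
    dh1 = dh(ik_a_sk, bundle["SPK"])   # IK_A  x SPK_B : authenticates Alice
    dh2 = dh(ek_sk, bundle["IK"])      # EK_A  x IK_B  : authenticates Bob
    dh3 = dh(ek_sk, bundle["SPK"])     # EK_A  x SPK_B : forward secrecy
    dh4 = dh(ek_sk, bundle["OPK"])     # EK_A  x OPK_B : one-time freshness
    # Alice's initial message carries IK_A and EK_A; she signs nothing.
    return kdf([dh1, dh2, dh3, dh4]), {"IK": ik_a_pk, "EK": ek_pk}


def bob_respond(bob_secrets, msg) -> bytes:
    dh1 = dh(bob_secrets["SPK"], msg["IK"])
    dh2 = dh(bob_secrets["IK"], msg["EK"])
    dh3 = dh(bob_secrets["SPK"], msg["EK"])
    dh4 = dh(bob_secrets["OPK"], msg["EK"])
    return kdf([dh1, dh2, dh3, dh4])


if __name__ == "__main__":
    ik_a_sk, ik_a_pk = dh_keygen()
    bundle, bob_secrets = bob_publish()
    sk_alice, first_msg = alice_initiate(ik_a_sk, ik_a_pk, bundle)
    assert bob_respond(bob_secrets, first_msg) == sk_alice
    print("X3DH shared key agreed")
```

The asymmetry that makes a KEM- or SIDH-based replacement subtle is visible in `dh1` and `dh2`: DH is used with a long-term key on one side and an ephemeral on the other in both directions, which a one-way encapsulation interface does not give for free.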

    Embedding of QDs into Ionic Crystals: Methods, Characterization and Applications

    Colloidal semiconductor quantum dots (QDs) have gained substantial interest as adjustable, bright and spectrally tunable fluorophores in the past decades. Besides their in-depth analyses in the scientific community, first industrial applications as color conversion and color enrichment materials were implemented. However, stability and processability are essential for their successful use in these and further applications. Methods to embed QDs into oxides or polymers can only partially solve this challenge. Recently, our group introduced the embedding of QDs into ionic salts, which holds several advantages in comparison to polymer or oxide-based counterparts. Both gas permeability and environment-related degradation processes are negligible, making these composites an almost perfect choice of material. To evaluate this new class of QD-salt mixed crystals, a thorough understanding of the formation procedure and the final composites is needed. The present work is focused on embedding both aqueous-based and oil-based metal-chalcogenide QDs into several ionic salts and the investigation of their optical and chemical properties upon incorporation into the mixed crystals. QDs with well-known, reproducible and high-quality synthetic protocols are chosen as emissive species. CdTe QDs were incorporated into NaCl as host matrix by using the straightforward "classical" method. The resulting mixed crystals of various shapes and beautiful colors preserve the strong luminescence of the incorporated QDs. Besides NaCl, borax and other salts are also used as host matrices. Mercaptopropionic acid stabilized CdTe QDs can easily be co-crystallized with NaCl, while thioglycolic acid as stabilizing agent results in only weakly emitting powder-like mixed crystals. 
This challenge was overcome by adjusting the pH, the amount of free stabilizer and the type of salt used, demonstrating the reproducible incorporation of highest-quality CdTe QDs capped with thioglycolic acid into NaCl and KCl salt crystals. A disadvantage of the "classical" mixed crystallization procedure was its long duration, which prevents a straightforward transfer of the protocol to less stable QD colloids, e.g., initially oil-based, ligand-exchanged QDs. To address this challenge, the "Liquid-liquid-diffusion-assisted-crystallization" (LLDC) method is introduced. By applying the LLDC, a substantially accelerated ionic crystallization of the QDs is shown, reducing the crystallization time needed by one order of magnitude. This fast process opens the field of incorporating ligand-exchanged Cd-free QDs into NaCl matrices. To overcome the need for a ligand exchange, the LLDC can also be extended towards a two-step approach. In this modified version, the seed-mediated LLDC provides for the first time the ability to incorporate oil-based QDs directly into ionic matrices without a prior phase transfer. The ionic salts appear to be very tight matrices, ensuring the protection of the QDs from the environment. As one of the main results, these matrices provide extraordinarily high photo- and chemical stability. It is further demonstrated with absolute measurements of photoluminescence quantum yields (PL-QYs) that the PL-QYs of aqueous CdTe QDs can be considerably increased upon incorporation into a salt matrix by applying the "classical" crystallization procedure. The achievable PL enhancement factors depend strongly on the PL-QYs of the parent QDs and can be described by the change of the dielectric surrounding as well as the passivation of the QD surface. 
Studies on CdSe/ZnS in NaCl and CdTe in borax showed a crystal-induced PL-QY increase below the values expected for the respective change of the refractive index, supporting the derived hypothesis of surface defect curing by CdClx formation as one main factor for PL-QY enhancement. The mixed crystals developed in this work show a high suitability as color conversion materials regarding both their stability and spectral tunability. First proof-of-concept devices provide promising results. However, a combination of the highest figures of merit at the same time is intended. This ambitious goal is reached by implementing a model-experimental feedback approach which ensures the desired high optical performance of the used emitters throughout all intermediate steps. Based on this approach, a white LED combining an incandescent-like warm white with an exceptionally high color rendering index and luminous efficacy of radiation is prepared. It is the first time that a combination of these highly related figures of merit could be reached using QD-based color converters. Furthermore, the idea of embedding QDs into ionic matrices gained considerable interest in the scientific community, resulting in various publications of other research groups based on the results presented here. In summary, the present work provides a profound understanding of how this new class of QD-salt mixed crystal composites can be efficiently prepared. Applying the different crystallization methods and changing the matrix material, mixed crystals emitting from the blue to the near-infrared region of the electromagnetic spectrum can be fabricated using both Cd-containing and Cd-free QDs. The resulting composites show extraordinary optical properties, combining the QDs' spectral tunability with the rigid and tight ionic matrix of the salt. 
Finally, their utilization as a color conversion material resulted in a high-quality white LED that, for the first time, combines an incandescent-like hue with outstanding optical efficacy and color rendering properties. Besides that, the mixed crystals offer huge potential in other high-quality applications which apply photonic and optoelectronic components.

    The Prom Problem: Fair and Privacy-Enhanced Matchmaking with Identity Linked Wishes

    In the Prom Problem (TPP), Alice wishes to attend a school dance with Bob and needs a risk-free, privacy-preserving way to find out whether Bob shares that same wish. If not, no one should know that she inquired about it, not even Bob. TPP represents a special class of matchmaking challenges, augmenting the properties of privacy-enhanced matchmaking, further requiring fairness and support for identity linked wishes (ILW) – wishes involving specific identities that are only valid if all involved parties have those same wishes. The Horne-Nair (HN) protocol was proposed as a solution to TPP along with a sample pseudo-code embodiment leveraging an untrusted matchmaker. Neither identities nor pseudo-identities are included in any messages or stored in the matchmaker’s database. Privacy-relevant data stay within user control. A security analysis and proof-of-concept implementation validated the approach, fairness was quantified, and a feasibility analysis demonstrated practicality in real-world networks and systems, thereby bounding risk prior to incurring the full costs of development. The SecretMatch™ Prom app leverages one embodiment of the patented HN protocol to achieve privacy-enhanced and fair matchmaking with ILW. The endeavor led to practical lessons learned and recommendations for privacy engineering in an era of rapidly evolving privacy legislation. Next steps include design of SecretMatch™ apps for contexts like voting negotiations in legislative bodies and executive recruiting. The roadmap toward a quantum-resistant SecretMatch™ began with design of a Hybrid Post-Quantum Horne-Nair (HPQHN) protocol. Future directions include enhancements to HPQHN, a fully Post-Quantum HN protocol, and more.

    Post Quantum Noise

    We introduce PQNoise, a post-quantum variant of the Noise framework. We demonstrate that it is possible to replace the Diffie-Hellman key exchanges in Noise with KEMs in a secure way. A challenge is the inability to combine key pairs of KEMs, which can be resolved by certain forms of randomness-hardening for which we introduce a formal abstraction. We provide a generic recipe to turn classical Noise patterns into PQNoise patterns. We prove that the resulting PQNoise patterns achieve confidentiality and authenticity in the fACCE-model. Moreover, we show that for those classical Noise patterns that have been conjectured or proven secure in the fACCE-model, our matching PQNoise patterns eventually achieve the same security. Our security proof is generic and applies to any valid PQNoise pattern. This is made possible by another abstraction, called a hash-object, which hides the exact workings of how keying material is processed in an abstract stateful object that outputs pseudorandom keys under different corruption patterns. We also show that the hash chains used in Noise are a secure hash-object. Finally, we demonstrate the practicality of PQNoise by delivering benchmarks for several base patterns.
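The "hash-object" the abstract refers to is, concretely, the Noise SymmetricState: a chaining key fed by MixKey and a transcript hash fed by MixHash. The following added example (not code from the PQNoise paper or the Noise project) implements that state with Noise's HKDF and shows one natural way a DH token becomes a KEM token in an NK-style handshake: the initiator encapsulates to the responder's static key ("es"), the responder encapsulates to the initiator's ephemeral key ("ee"), every ciphertext is mixed into the transcript hash and every shared secret into the chaining key. The KEM is passed in as three callables so a real scheme can be plugged in; the `stub_*` functions below are a keyed-hash placeholder with no security whatsoever (the "public" key equals the secret key), used only so the handshake runs offline. The pattern name and the token-to-KEM mapping are assumptions of this example, not necessarily the paper's exact notation.

```python
"""Added example: a Noise-style SymmetricState (hash-object) driven by KEM
outputs.  The stub KEM is a placeholder for the interface only; insecure."""
import hashlib
import hmac
import secrets

NAME = b"Noise_pqNK_stub_SHA256"   # assumed protocol name for this toy


def hkdf2(chaining_key: bytes, ikm: bytes):
    """HKDF-SHA256 (RFC 5869) with two output blocks, as Noise specifies it."""
    prk = hmac.new(chaining_key, ikm, hashlib.sha256).digest()
    out1 = hmac.new(prk, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(prk, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2


class SymmetricState:
    """ck: chaining key (MixKey); h: transcript hash (MixHash)."""

    def __init__(self, protocol_name: bytes):
        if len(protocol_name) <= 32:
            self.h = protocol_name.ljust(32, b"\x00")
        else:
            self.h = hashlib.sha256(protocol_name).digest()
        self.ck = self.h

    def mix_hash(self, data: bytes) -> None:
        self.h = hashlib.sha256(self.h + data).digest()

    def mix_key(self, ikm: bytes) -> None:
        self.ck, _k = hkdf2(self.ck, ikm)   # _k would key the handshake AEAD

    def split(self):
        """Two transport keys derived from the final chaining key."""
        return hkdf2(self.ck, b"")


# Stand-in "KEM" exposing (keygen, encaps, decaps).  NOT a KEM: pk == sk.
def stub_keygen():
    k = secrets.token_bytes(32)
    return k, k                                     # (sk, pk)


def stub_encaps(pk: bytes):
    ct = secrets.token_bytes(32)
    return ct, hashlib.sha256(pk + ct).digest()     # (ciphertext, shared secret)


def stub_decaps(sk: bytes, ct: bytes) -> bytes:
    return hashlib.sha256(sk + ct).digest()


def pq_nk_handshake(kem, tamper_ct: bool = False):
    """Run both sides of an NK-style handshake with KEM tokens.
    tamper_ct simulates an on-path modification of the first ciphertext.
    Returns (initiator keys, responder keys, initiator h, responder h)."""
    keygen, encaps, decaps = kem
    rs_sk, rs_pk = keygen()                  # responder static key pair, known
    ini, res = SymmetricState(NAME), SymmetricState(NAME)
    ini.mix_hash(rs_pk)                      # to the initiator in advance
    res.mix_hash(rs_pk)                      # (NK pre-message)

    # -> e, es : initiator sends an ephemeral KEM public key and a ciphertext
    #            encapsulated to the responder's static key
    ie_sk, ie_pk = keygen()
    ct_es, ss_es = encaps(rs_pk)
    ini.mix_hash(ie_pk)
    ini.mix_hash(ct_es)
    ini.mix_key(ss_es)
    wire_ct = ct_es if not tamper_ct else bytes([ct_es[0] ^ 0x01]) + ct_es[1:]
    res.mix_hash(ie_pk)
    res.mix_hash(wire_ct)
    res.mix_key(decaps(rs_sk, wire_ct))

    # <- ee : the responder sends no ephemeral of its own; it encapsulates to
    #         the initiator's ephemeral key instead
    ct_ee, ss_ee = encaps(ie_pk)
    res.mix_hash(ct_ee)
    res.mix_key(ss_ee)
    ini.mix_hash(ct_ee)
    ini.mix_key(decaps(ie_sk, ct_ee))

    return ini.split(), res.split(), ini.h, res.h


if __name__ == "__main__":
    ikeys, rkeys, ih, rh = pq_nk_handshake((stub_keygen, stub_encaps, stub_decaps))
    assert ikeys == rkeys and ih == rh
    print("PQ-style NK handshake: transport keys and transcript hash agree")
```

Because the ciphertext goes through `mix_hash` and the decapsulated secret through `mix_key`, a modified ciphertext diverges both the transcript hash and the chaining key on the receiving side, so the parties end up with different transport keys rather than silently agreeing on attacker-influenced ones; that is the property the abstract's hash-object abstraction is meant to capture independently of which KEM is plugged in.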

    Formal Analysis of SPDM: Security Protocol and Data Model version 1.2

    DMTF is a standards organization formed by major industry players in IT infrastructure, including AMD, Alibaba, Broadcom, Cisco, Dell, Google, Huawei, IBM, Intel, Lenovo, and NVIDIA, which aims to enable interoperability across, e.g., cloud, virtualization, network, server and storage products. It is currently standardizing a security protocol called SPDM, which aims to secure communication over the wire and to enable device attestation, notably also explicitly catering for communicating hardware components. The SPDM protocol inherits requirements and design ideas from IETF’s TLS 1.3. However, its state machines and transcript handling are substantially different and more complex. While the architecture, specification, and open-source libraries of the current versions of SPDM are publicly available, these include no significant security analysis of any kind. In this work we develop the first formal models of the three modes of the SPDM protocol version 1.2.1, and formally analyze their main security properties.

    PERICLES Deliverable 4.3: Content Semantics and Use Context Analysis Techniques

    The current deliverable summarises the work conducted within task T4.3 of WP4, focusing on the extraction and the subsequent analysis of semantic information from digital content, which is imperative for its preservability. More specifically, the deliverable defines content semantic information from a visual and textual perspective, explains how this information can be exploited in long-term digital preservation and proposes novel approaches for extracting this information in a scalable manner. Additionally, the deliverable discusses novel techniques for retrieving and analysing the context of use of digital objects. Although this topic has not been extensively studied by existing literature, we believe use context is vital in augmenting the semantic information and maintaining the usability and preservability of the digital objects, as well as their ability to be accurately interpreted as initially intended.

    Enabling Use of Signal in a Disconnected Village Environment

    A significant portion of the world still does not have a stable internet connection. Those people should have the ability to communicate with their loved ones who may not live nearby or to share ideas with friends. To power this achievable reality, our lab has set out on making infrastructure for enabling delay-tolerant applications. This network will communicate using existing smartphones that will relay the information to a connected environment. The proof-of-concept application our lab is using is Signal, as it offers end-to-end encrypted messaging and an open-source platform our lab can develop.