Chaotic Compilation for Encrypted Computing: Obfuscation but Not in Name
An 'obfuscation' for encrypted computing is quantified exactly here, leading to an argument that security against polynomial-time attacks has been achieved for user data via the deliberately 'chaotic' compilation required for the security properties of that environment. Encrypted computing is the emerging science and technology of processors that take encrypted inputs to encrypted outputs via encrypted intermediate values (at nearly conventional speeds). The aim is to make user data in general-purpose computing secure against the operator and operating system as potential adversaries. A stumbling block has always been that memory addresses are data, and good encryption means the encrypted value varies randomly, which makes hitting any target in memory problematic without address decryption; yet decryption anywhere on the memory path would open up many easily exploitable vulnerabilities. This paper 'solves (chaotic) compilation' for processors without address decryption, covering all of ANSI C while satisfying the required security properties and opening up the field to the standard software tool-chain and infrastructure. That produces the argument referred to above, which may also hold without encryption.
Comment: 31 pages. Version update adds "Chaotic" in title and throughout paper, and recasts abstract and Intro and other sections of the text for better access by cryptologists. To the same end it introduces the polynomial time defense argument explicitly in the final section, having now set that denouement out in the abstract and intr
Symbolic Encryption with Pseudorandom Keys
We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary use of an encryption scheme and a (length-doubling) pseudorandom generator, determines (in polynomial time) whether the two expressions produce computationally indistinguishable distributions for any pseudorandom generator and encryption scheme satisfying the standard security notions of pseudorandomness and indistinguishability under chosen-plaintext attack.
The procedure works by mapping each expression to a symbolic pattern that captures, in a fully abstract way, the information revealed by the expression to a computationally bounded observer. We then prove that if any two (possibly cyclic) expressions are mapped to the same pattern, then the associated distributions are indistinguishable. At the same time, if the expressions are mapped to different symbolic patterns and do not contain encryption cycles, there are secure pseudorandom generators and encryption schemes for which the two distributions can be distinguished with overwhelming advantage.
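The abstract states the procedure only at the level of its idea. The Python below is an added example, not code from the paper, of the core step in the simplest setting: compute the keys an adversary can recover from an expression as a least fixed point, replace every encryption under an unrecoverable key by a box that keeps only the key expression and the plaintext length (the two things IND-CPA alone does not promise to hide), treat a PRG output whose input key is unrecoverable as an independent fresh key, and compare the resulting patterns up to renaming of keys. The tuple encoding, the key-length constant, the assumption that ciphertext length is plaintext length plus a constant, and the restriction to acyclic expressions are this example's own choices.

```python
"""Symbolic patterns for encryption expressions whose keys may come from a
length-doubling PRG (added example; tuple encoding and constants are ours).

Expressions:
  ('key', r)        a fresh pseudorandom key (seed) named r
  ('g', b, k)       half b (0 or 1) of the PRG output on key expression k
  ('data', s)       a public constant
  ('enc', k, m)     encryption of m under key expression k
  ('pair', a, b)    pairing / concatenation
"""

KEY_LEN = 16  # assumed key length; only lengths matter for the pattern


def is_key_expr(e):
    return e[0] == 'key' or (e[0] == 'g' and is_key_expr(e[2]))


def size(e):
    """Length of the bit-string e evaluates to (assumption: a length-regular
    scheme, ciphertext length = plaintext length + KEY_LEN)."""
    if is_key_expr(e):
        return KEY_LEN
    if e[0] == 'data':
        return len(e[1])
    if e[0] == 'enc':
        return KEY_LEN + size(e[2])
    if e[0] == 'pair':
        return size(e[1]) + size(e[2])
    raise ValueError(e[0])


def derivable(k, known):
    """Knowing k gives g(0,k) and g(1,k), never the other way round."""
    if k in known:
        return True
    return k[0] == 'g' and derivable(k[2], known)


def keys_in_clear(e, known):
    """Key expressions visible in e when the keys in `known` can decrypt."""
    if is_key_expr(e):
        return {e}
    if e[0] == 'data':
        return set()
    if e[0] == 'pair':
        return keys_in_clear(e[1], known) | keys_in_clear(e[2], known)
    if e[0] == 'enc':
        return keys_in_clear(e[2], known) if derivable(e[1], known) else set()
    raise ValueError(e[0])


def recoverable_keys(e):
    """Least fixed point of keys_in_clear: all keys the adversary can recover."""
    known = set()
    while True:
        new = keys_in_clear(e, known)
        if new <= known:
            return known
        known |= new


def pattern(e, known):
    """Encryptions under non-derivable keys become boxes that keep only the
    key expression and the plaintext length."""
    if is_key_expr(e) or e[0] == 'data':
        return e
    if e[0] == 'pair':
        return ('pair', pattern(e[1], known), pattern(e[2], known))
    if e[0] == 'enc':
        if derivable(e[1], known):
            return ('enc', e[1], pattern(e[2], known))
        return ('box', e[1], size(e[2]))
    raise ValueError(e[0])


def canonical(e):
    """Pattern of e with keys renamed by first appearance. A PRG output whose
    input key is unrecoverable is an independent key and gets its own name."""
    known = recoverable_keys(e)
    names = {}

    def atom(k):
        if k not in names:
            names[k] = ('key', 'k%d' % len(names))
        return names[k]

    def canon_key(k):
        if k[0] == 'g' and derivable(k[2], known):
            return ('g', k[1], canon_key(k[2]))
        return atom(k)

    def walk(p):
        if is_key_expr(p):
            return canon_key(p)
        if p[0] == 'data':
            return p
        if p[0] == 'pair':
            return ('pair', walk(p[1]), walk(p[2]))
        if p[0] == 'enc':
            return ('enc', canon_key(p[1]), walk(p[2]))
        return ('box', canon_key(p[1]), p[2])   # undecryptable ciphertext

    return walk(pattern(e, known))


def indistinguishable(e1, e2):
    """True iff both expressions map to the same symbolic pattern."""
    return canonical(e1) == canonical(e2)
```

Two checks worth running by hand: `pair(enc(k1, m), enc(k2, k1))` hides `m` because `k1` is only ever seen under the unrecoverable `k2`, whereas `pair(enc(k1, m), k1)` does not; and seeing `g(0, r)` in the clear does not make `enc(g(1, r), m)` decryptable, so that expression patterns the same as an encryption under an unrelated fresh key.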
Security Verification of Low-Trust Architectures
Low-trust architectures work on, from the viewpoint of software, always-encrypted data, and significantly reduce the hardware that must be trusted to a small software-free enclave component. In this paper, we perform a complete formal verification of a specific low-trust architecture, the Sequestered Encryption (SE) architecture, to show that the design is secure against direct data disclosures and digital side channels for all possible programs. We first define the security requirements of the ISA of the SE low-trust architecture. Looking upwards, this ISA serves as an abstraction of the hardware for the software, and is used to show how any program comprising these instructions cannot leak information, including through digital side channels. Looking downwards, this ISA is a specification for the hardware, and is used to define the proof obligations for any RTL implementation arising from the ISA-level security requirements. These cover both functional and digital side-channel leakage. Next, we show how these proof obligations can be successfully discharged using commercial formal verification tools. We demonstrate the efficacy of our RTL security verification technique on seven different correct and buggy implementations of the SE architecture.
Comment: 19 pages with appendi
Formal Models and Techniques for Analyzing Security Protocols: A Tutorial
Security protocols are distributed programs that aim at securing communications by means of cryptography. They are for instance used to secure electronic payments, home banking and, more recently, electronic elections. Given the financial and societal impact in case of failure, and the long history of design flaws in such protocols, formal verification is a necessity. A major difference from other safety-critical systems is that the properties of security protocols must hold in the presence of an arbitrary adversary. The aim of this paper is to provide a tutorial on some modern approaches for formally modeling protocols and their goals, and for automatically verifying them.
On Equivalences, Metrics, and Computational Indistinguishability
The continuous technological progress and the constant growth of information flow we observe every day have brought an urgent need to find a way to defend our data from malicious intruders. Cryptography is the field of computer science that deals with security and studies techniques to protect communications from third parties, but in recent years there has been a crisis in proving the security of cryptographic protocols, due to the exponential increase in the complexity of modelling proofs.
In this scenario we study interactions in a typed lambda-calculus defined to fit the key aspects of a cryptographic proof: interaction, complexity and probability. This calculus, RSLR, is an extension of Hofmann's SLR to probabilistic polynomial-time computations, and it is well suited to modelling cryptographic primitives and adversaries. In particular, we characterize notions of context equivalence and context metrics, when defined on linear contexts, by way of traces, making proofs easier. Furthermore we show how to use this technique to obtain a proof methodology for computational indistinguishability, a key notion in modern cryptography; finally we give some motivating examples of concrete cryptographic schemes.
Computationally secure information flow
This thesis presents a definition and a static program analysis for secure information flow. The definition of secure information flow is not based on non-interference but on the computational independence of the program's public outputs from its secret inputs. Such a definition allows cryptographic primitives to be handled gracefully, as their security is usually defined only computationally, not information-theoretically. The analysis works on a simple imperative programming language containing encryption as a cryptographic primitive operation. The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the encryption primitive hides the identity of plaintexts and keys.
This thesis also considers the case where the identities of plaintexts and keys are not hidden by encryption, i.e. given two ciphertexts it may be possible to determine whether the corresponding plaintexts are equal or not. We also give an analysis for this case, though it is not a whole-program analysis: namely, we cannot analyse loops. Nevertheless, with the help of the analysis one can check whether two formal expressions (which are equivalent to the output of programs without loops) have indistinguishable interpretations as bit-strings.
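The analysis itself is not reproduced in the abstract. As an added illustration, not the thesis' own analysis, the following Python performs a dependency analysis of the kind described, for the loop-free fragment: each variable is labelled with the set of secret inputs its value may computationally depend on, and encryption under a "good" key (one produced by key generation and used nowhere except as an encryption key) yields a ciphertext labelled independent of its plaintext, which is what the correctness proof assumes of a scheme that hides the identity of plaintexts and keys. The statement encoding, the good-key test, the single-assignment restriction and the fixed-length-message assumption are this example's own simplifications.

```python
"""Dependency analysis for a loop-free imperative language with an encryption
primitive (added example; the statement encoding is ours).

Statements:
  ('secret', x)             x := secret input named x
  ('public', x)             x := public input
  ('gen', x)                x := freshly generated key
  ('enc', x, k, m)          x := Enc(k, m)
  ('op', x, [y, z, ...])    x := any deterministic function of y, z, ...
  ('out', x)                publish x
Assumes single assignment per variable and fixed-length messages.
"""


def good_keys(program):
    """Keys produced by gen() that are used nowhere except as the key of enc."""
    generated = {s[1] for s in program if s[0] == 'gen'}
    misused = set()
    for s in program:
        if s[0] == 'enc':
            misused.add(s[3])          # used as a plaintext
        elif s[0] == 'op':
            misused.update(s[2])       # fed into arbitrary computation
        elif s[0] == 'out':
            misused.add(s[1])          # published
    return generated - misused


def analyse(program):
    """Return (deps, leaks). deps[x] is the set of secret inputs x may
    computationally depend on; leaks lists published variables whose value
    may depend on a secret, with the secrets involved."""
    good = good_keys(program)
    deps, leaks = {}, []
    for s in program:
        kind = s[0]
        if kind == 'secret':
            deps[s[1]] = {s[1]}
        elif kind in ('public', 'gen'):
            deps[s[1]] = set()
        elif kind == 'enc':
            _, x, k, m = s
            # Under a good key the ciphertext is computationally independent
            # of plaintext and key: the "hides the identity of plaintexts and
            # keys" assumption. Under any other key it inherits both
            # dependency sets (the key may itself leak later, e.g. via out).
            deps[x] = set() if k in good else deps[k] | deps[m]
        elif kind == 'op':
            deps[s[1]] = set().union(*(deps[y] for y in s[2]))
        elif kind == 'out':
            if deps[s[1]]:
                leaks.append((s[1], sorted(deps[s[1]])))
        else:
            raise ValueError(kind)
    return deps, leaks


def is_secure(program):
    """Secure information flow: no published variable depends on a secret."""
    return not analyse(program)[1]


# Constructed sample programs.
ENCRYPT_THEN_PUBLISH = [('secret', 's'), ('gen', 'k'), ('enc', 'c', 'k', 's'),
                        ('out', 'c')]
PUBLISH_KEY_LATER = ENCRYPT_THEN_PUBLISH + [('out', 'k')]
KEY_AS_PLAINTEXT = [('secret', 's'), ('gen', 'k'), ('enc', 'c', 'k', 's'),
                    ('enc', 'd', 'k', 'k'), ('out', 'c'), ('out', 'd')]
```

The good-key test is deliberately whole-program: in `PUBLISH_KEY_LATER` the ciphertext is published before the key, but the analysis still rejects it, because an observer holding both values decrypts. `KEY_AS_PLAINTEXT` is rejected for the same reason the thesis' proof excludes it: encrypting a key under itself falls outside the standard security assumption, so `k` no longer counts as a good key.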
Partial Order Reduction for Security Protocols
Security protocols are concurrent processes that communicate using
cryptography with the aim of achieving various security properties. Recent work
on their formal verification has brought procedures and tools for deciding
trace equivalence properties (e.g., anonymity, unlinkability, vote secrecy) for
a bounded number of sessions. However, these procedures are based on a naive
symbolic exploration of all traces of the considered processes which,
unsurprisingly, greatly limits the scalability and practical impact of the
verification tools.
In this paper, we overcome this difficulty by developing partial order
reduction techniques for the verification of security protocols. We provide
reduced transition systems that optimally eliminate redundant traces, and which
are adequate for model-checking trace equivalence properties of protocols by
means of symbolic execution. We have implemented our reductions in the tool
Apte, and demonstrated that it achieves the expected speedup on various
protocols.
A Cut Principle for Information Flow
We view a distributed system as a graph of active locations with
unidirectional channels between them, through which they pass messages. In this
context, the graph structure of a system constrains the propagation of
information through it.
Suppose a set of channels is a cut set between an information source and a
potential sink. We prove that, if there is no disclosure from the source to the
cut set, then there can be no disclosure to the sink. We introduce a new
formalization of partial disclosure, called *blur operators*, and show that the
same cut property is preserved for disclosure to within a blur operator. This
cut-blur property also implies a compositional principle, which ensures limited
disclosure for a class of systems that differ only beyond the cut.
Comment: 31 page
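The cut principle is a proof, but the check a practitioner takes from it is concrete: given the channel graph of a system, is a proposed set of channels really a cut between a secret source and an untrusted sink (so that ruling out disclosure on those channels alone rules it out at the sink), and which channels are the fewest one would have to audit? The Python below is an added example, not code from the paper. It models the system as a directed graph of locations and channels, checks that removing a candidate set disconnects source from sink, and computes a minimum channel cut with unit-capacity Edmonds-Karp. The sample graph is constructed for the example.

```python
"""Cut-set checks on a graph of locations and unidirectional channels
(added example; the sample system is constructed)."""
from collections import deque


def reachable(channels, src, removed=frozenset()):
    """Locations reachable from src over channels not in `removed`."""
    adj = {}
    for a, b in channels:
        if (a, b) not in removed:
            adj.setdefault(a, []).append(b)
    seen, todo = {src}, deque([src])
    while todo:
        n = todo.popleft()
        for m in adj.get(n, []):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def is_cut_set(channels, src, sink, cut):
    """True iff every path from src to sink crosses a channel in cut."""
    return sink not in reachable(channels, src, frozenset(cut))


def min_cut(channels, src, sink):
    """A smallest set of channels separating src from sink (Edmonds-Karp with
    unit capacities; the cut is the set of original channels leaving the
    residual-reachable side)."""
    cap, adj = {}, {}
    for a, b in channels:
        cap[(a, b)] = cap.get((a, b), 0) + 1
        cap.setdefault((b, a), 0)          # residual (reverse) capacity
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    def bfs():
        parent = {src: None}
        todo = deque([src])
        while todo:
            n = todo.popleft()
            for m in adj.get(n, ()):
                if m not in parent and cap[(n, m)] > 0:
                    parent[m] = n
                    if m == sink:
                        return parent
                    todo.append(m)
        return parent

    while True:
        parent = bfs()
        if sink not in parent:
            break
        n = sink                           # push one unit along the path
        while parent[n] is not None:
            p = parent[n]
            cap[(p, n)] -= 1
            cap[(n, p)] += 1
            n = p
    side = set(parent)                     # residual-reachable from src
    return {(a, b) for a, b in channels if a in side and b not in side}


# Constructed sample: a database as the secret source, the internet as sink.
SAMPLE_CHANNELS = [('db', 'app'), ('app', 'proxy'), ('proxy', 'internet'),
                   ('db', 'backup'), ('backup', 'proxy'),
                   ('app', 'log'), ('log', 'internet')]
```

On the sample, `{('app', 'proxy')}` is not a cut (the backup path bypasses it), `{('proxy', 'internet'), ('log', 'internet')}` is, and `min_cut` returns a cut of size two; the principle in the paper then says that establishing no disclosure on those two channels is enough for the sink.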