Chaotic Compilation for Encrypted Computing: Obfuscation but Not in Name

An `obfuscation' for encrypted computing is quantified exactly here, leading to an argument that security against polynomial-time attacks has been achieved for user data via the deliberately `chaotic' compilation required for security properties in that environment. Encrypted computing is the emerging science and technology of processors that take encrypted inputs to encrypted outputs via encrypted intermediate values (at nearly conventional speeds). The aim is to make user data in general-purpose computing secure against the operator and operating system as potential adversaries. A stumbling block has always been that memory addresses are data and good encryption means the encrypted value varies randomly, and that makes hitting any target in memory problematic without address decryption, yet decryption anywhere on the memory path would open up many easily exploitable vulnerabilities. This paper `solves (chaotic) compilation' for processors without address decryption, covering all of ANSI C while satisfying the required security properties and opening up the field for the standard software tool-chain and infrastructure. That produces the argument referred to above, which may also hold without encryption.Comment: 31 pages. Version update adds "Chaotic" in title and throughout paper, and recasts abstract and Intro and other sections of the text for better access by cryptologists. To the same end it introduces the polynomial time defense argument explicitly in the final section, having now set that denouement out in the abstract and intr

Symbolic Encryption with Pseudorandom Keys

We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary use of an encryption scheme and a (length doubling) pseudorandom generator, determines (in polynomial time) if the two expressions produce computationally indistinguishable distributions for any pseudorandom generator and encryption scheme satisfying the standard security notions of pseudorandomness and indistinguishability under chosen plaintext attack. The procedure works by mapping each expression to a symbolic pattern that captures, in a fully abstract way, the information revealed by the expression to a computationally bounded observer. We then prove that if any two (possibly cyclic) expressions are mapped to the same pattern, then the associated distributions are indistinguishable. At the same time, if the expressions are mapped to different symbolic patterns and do not contain encryption cycles, there are secure pseudorandom generators and encryption schemes for which the two distributions can be distinguished with overwhelming advantage

Security Verification of Low-Trust Architectures

Low-trust architectures work on, from the viewpoint of software, always-encrypted data, and significantly reduce the amount of hardware trust to a small software-free enclave component. In this paper, we perform a complete formal verification of a specific low-trust architecture, the Sequestered Encryption (SE) architecture, to show that the design is secure against direct data disclosures and digital side channels for all possible programs. We first define the security requirements of the ISA of SE low-trust architecture. Looking upwards, this ISA serves as an abstraction of the hardware for the software, and is used to show how any program comprising these instructions cannot leak information, including through digital side channels. Looking downwards this ISA is a specification for the hardware, and is used to define the proof obligations for any RTL implementation arising from the ISA-level security requirements. These cover both functional and digital side-channel leakage. Next, we show how these proof obligations can be successfully discharged using commercial formal verification tools. We demonstrate the efficacy of our RTL security verification technique for seven different correct and buggy implementations of the SE architecture.Comment: 19 pages with appendi

Formal Models and Techniques for Analyzing Security Protocols: A Tutorial

International audienceSecurity protocols are distributed programs that aim at securing communications by the means of cryptography. They are for instance used to secure electronic payments, home banking and more recently electronic elections. Given The financial and societal impact in case of failure, and the long history of design flaws in such protocol, formal verification is a necessity. A major difference from other safety critical systems is that the properties of security protocols must hold in the presence of an arbitrary adversary. The aim of this paper is to provide a tutorial to some modern approaches for formally modeling protocols, their goals and automatically verifying them

On Equivalences, Metrics, and Computational Indistinguishability

The continuous technological progress and the constant growing of information flow we observe every day, brought us an urgent need to find a way to defend our data from malicious intruders; cryptography is the field of computer science that deals with security and studies techniques to protect communications from third parties, but in the recent years there has been a crisis in proving the security of cryptographic protocols, due to the exponential increase in the complexity of modeling proofs. In this scenario we study interactions in a typed lambda-calculus properly defined to fit well into the key aspects of a cryptographic proof: interaction, complexity and probability. This calculus, RSLR, is an extension of Hofmann's SLR for probabilistic polynomial time computations and it is perfect to model cryptographic primitives and adversaries. In particular, we characterize notions of context equivalence and context metrics, when defined on linear contexts, by way of traces, making proofs easier. Furthermore we show how to use this techniqe to obtain a proof methodology for computational indistinguishability, a key notion in modern cryptography; finally we give some motivating examples of concrete cryptographic schemes

Computationally secure information flow

This thesis presents a definition and a static program analysis for secure information flow. The definition of secure information flow is not based on non-interference, but on the computational independence of the programs public outputs from its secret inputs. Such definition allows cryptographic primitives to be gracefully handled, as their security is usually defined to be only computational, not information-theoretical. The analysis works on a simple imperative programming language containing a cryptographic primitive encryption as a possible operation. The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the encryption primitive hides the identity of plaintexts and keys. This thesis also considers the case where the identities of plaintexts and keys are not hidden by encryption, i.e. given two ciphertexts it may be possible to determine whether the corresponding plaintexts are equal or not. We also give an analysis for this case, though it is not a whole program analysis. Namely, we cannot analyse loops. Nevertheless, with the help of the analysis one can check, whether two formal expressions (which are equivalent to the output of programs without loops) have indistinguishable interpretations as bit-strings.In dieser Dissertation wird eine Definition und eine statische Programmanalyse für sicheren Informationsfluss präsentiert. Die Definition des sicheren Informations usses basiert nicht auf der Unbeeinflußbarkeit, sondern auf der komplexitätstheoretischen Unabhängigkeit der öffentlichen Ausgaben des Programms von seinen geheimen Eingaben. Eine solche Definition erlaubt uns, kryptographische Primitiven elegant zu bearbeiten, weil ihre Sicherheit meistens nur komplexitätstheoretisch und nicht informationstheoretisch definiert ist. Die Analyse arbeitet auf einer einfachen imperativen Programmiersprache, die eine kryptographische Primitive Verschlüsselung als eine mögliche Operation enthält. Die Analyse gibt die intuitive Eigenschaft des (nicht vorhandenen) Informationsflusses von einem Klartext zu dem entsprechenden Schlüsseltext wieder. Wir geben den Korrektheitsbeweis der Analyse in Bezug auf die obengegebene Definition des sicheren Informationflusses. Im Beweis nehmen wir an, daß die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel versteckt. Diese Dissertation behandelt auch den Fall, dass die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel nicht versteckt, d.h. daß man aus zwei Schlüsseltexten möglicherweise herausfinden kann, ob die entsprechenden Klartexte gleich sind oder nicht. Wir geben eine Analyse auch für diesen Fall an, obwohl sie nicht auf ganze Programme anwendbar ist, da wir keine Schleifen analysieren können. Mit Hilfe dieser Analyse kann man feststellen, ob zwei formale Ausdrücke (die gleichwertig zu der Ausgabe der Programme ohne Schleifen sind) gleiche Interpretation als Bitfolgen haben

Computationally secure information flow

This thesis presents a definition and a static program analysis for secure information flow. The definition of secure information flow is not based on non-interference, but on the computational independence of the programs public outputs from its secret inputs. Such definition allows cryptographic primitives to be gracefully handled, as their security is usually defined to be only computational, not information-theoretical. The analysis works on a simple imperative programming language containing a cryptographic primitive encryption as a possible operation. The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the encryption primitive hides the identity of plaintexts and keys. This thesis also considers the case where the identities of plaintexts and keys are not hidden by encryption, i.e. given two ciphertexts it may be possible to determine whether the corresponding plaintexts are equal or not. We also give an analysis for this case, though it is not a whole program analysis. Namely, we cannot analyse loops. Nevertheless, with the help of the analysis one can check, whether two formal expressions (which are equivalent to the output of programs without loops) have indistinguishable interpretations as bit-strings.In dieser Dissertation wird eine Definition und eine statische Programmanalyse für sicheren Informationsfluss präsentiert. Die Definition des sicheren Informations usses basiert nicht auf der Unbeeinflußbarkeit, sondern auf der komplexitätstheoretischen Unabhängigkeit der öffentlichen Ausgaben des Programms von seinen geheimen Eingaben. Eine solche Definition erlaubt uns, kryptographische Primitiven elegant zu bearbeiten, weil ihre Sicherheit meistens nur komplexitätstheoretisch und nicht informationstheoretisch definiert ist. Die Analyse arbeitet auf einer einfachen imperativen Programmiersprache, die eine kryptographische Primitive Verschlüsselung als eine mögliche Operation enthält. Die Analyse gibt die intuitive Eigenschaft des (nicht vorhandenen) Informationsflusses von einem Klartext zu dem entsprechenden Schlüsseltext wieder. Wir geben den Korrektheitsbeweis der Analyse in Bezug auf die obengegebene Definition des sicheren Informationflusses. Im Beweis nehmen wir an, daß die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel versteckt. Diese Dissertation behandelt auch den Fall, dass die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel nicht versteckt, d.h. daß man aus zwei Schlüsseltexten möglicherweise herausfinden kann, ob die entsprechenden Klartexte gleich sind oder nicht. Wir geben eine Analyse auch für diesen Fall an, obwohl sie nicht auf ganze Programme anwendbar ist, da wir keine Schleifen analysieren können. Mit Hilfe dieser Analyse kann man feststellen, ob zwei formale Ausdrücke (die gleichwertig zu der Ausgabe der Programme ohne Schleifen sind) gleiche Interpretation als Bitfolgen haben

Partial Order Reduction for Security Protocols

Security protocols are concurrent processes that communicate using cryptography with the aim of achieving various security properties. Recent work on their formal verification has brought procedures and tools for deciding trace equivalence properties (e.g., anonymity, unlinkability, vote secrecy) for a bounded number of sessions. However, these procedures are based on a naive symbolic exploration of all traces of the considered processes which, unsurprisingly, greatly limits the scalability and practical impact of the verification tools. In this paper, we overcome this difficulty by developing partial order reduction techniques for the verification of security protocols. We provide reduced transition systems that optimally eliminate redundant traces, and which are adequate for model-checking trace equivalence properties of protocols by means of symbolic execution. We have implemented our reductions in the tool Apte, and demonstrated that it achieves the expected speedup on various protocols

A Cut Principle for Information Flow

We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut.Comment: 31 page