Collusion-Preserving Computation

In collusion-free protocols, subliminal communication is impossible and parties are thus unable to communicate ``any information beyond what the protocol allows\u27\u27. Collusion-free protocols are interesting for several reasons, but have specifically attracted attention because they can be used to reduce trust in game-theoretic mechanisms. Collusion-free protocols are impossible to achieve (in general) when all parties are connected by point-to-point channels, but exist under certain physical assumptions (Lepinksi et al., STOC~2005) or in specific network topologies (Alwen et al., Crypto~2008). We provide a ``clean-slate\u27\u27 definition of the stronger notion of collusion preservation. Our goals in revisiting the definition are: -- To give a definition with respect to arbitrary communication resources (that includes as special cases the communication models from prior work). We can then, in particular, better understand what types of resources enable collusion-preserving protocols. -- To construct protocols that allow no additional subliminal communication in the case when parties can communicate (a bounded amount of information) via other means. (This property is not implied by collusion-freeness.) -- To provide a definition supporting \emph{composition}, so that protocols can be designed in a modular fashion using sub-protocols run among subsets of the parties. In addition to proposing the definition, we explore implications of our model and show a general feasibility result for collusion-preserving computation of arbitrary functionalities

Deniable Key Exchanges for Secure Messaging

Despite our increasing reliance on digital communication, much of our online discourse lacks any security or privacy protections. Almost no email messages sent today provide end-to-end security, despite privacy-enhancing technologies being available for decades. Recent revelations by Edward Snowden of government surveillance have highlighted this disconnect between the importance of our digital communications and the lack of available secure messaging tools. In response to increased public awareness and demand, the market has recently been flooded with new applications claiming to provide security and privacy guarantees. Unfortunately, the urgency with which these tools are being developed and marketed has led to inferior or insecure products, grandiose claims of unobtainable features, and widespread confusion about which schemes can be trusted. Meanwhile, there remains disagreement in the academic community over the definitions and desirability of secure messaging features. This incoherent vision is due in part to the lack of a broad perspective of the literature. One of the most contested properties is deniability—the plausible assertion that a user did not send a message or participate in a conversation. There are several subtly different definitions of deniability in the literature, and no available secure messaging scheme meets all definitions simultaneously. Deniable authenticated key exchanges (DAKEs), the primary cryptographic tool responsible for deniability in a secure messaging scheme, are also often unsuitable for use in emerging applications such as smartphone communications due to unreasonable resource or network requirements. In this thesis, we provide a guide for a practitioner seeking to implement deniable secure messaging systems. We examine dozens of existing secure messaging protocols, both proposed and implemented, and find that they achieve mixed results in terms of security. This systematization of knowledge serves as a resource for understanding the current state-of-the-art approaches. We survey formalizations of deniability in the secure messaging context, as well as the properties of existing DAKEs. We construct several new practical DAKEs with the intention of providing deniability in modern secure messaging environments. Notably, we introduce Spawn, the first non-interactive DAKE that offers forward secrecy and achieves deniability against both offline and online judges; Spawn can be used to improve the deniability properties of the popular TextSecure secure messaging application. We prove the security of our new constructions in the generalized universal composability (GUC) framework. To demonstrate the practicality of our protocols, we develop and compare open-source instantiations that remain secure without random oracles