Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Developing an Automatic Generation Tool for Cryptographic Pairing Functions

Pairing-Based Cryptography is receiving steadily more attention from industry, mainly because of the increasing interest in Identity-Based protocols. Although there are plenty of applications, efficiently implementing the pairing functions is often difficult as it requires more knowledge than previous cryptographic primitives. The author presents a tool for automatically generating optimized code for the pairing functions which can be used in the construction of such cryptographic protocols. In the following pages I present my work done on the construction of pairing function code, its optimizations and how their construction can be automated to ease the work of the protocol implementer. Based on the user requirements and the security level, the created cryptographic compiler chooses and constructs the appropriate elliptic curve. It identifies the supported pairing function: the Tate, ate, R-ate or pairing lattice/optimal pairing, and its optimized parameters. Using artificial intelligence algorithms, it generates optimized code for the final exponentiation and for hashing a point to the required group using the parametrisation of the chosen family of curves. Support for several multi-precision libraries has been incorporated: Magma, MIRACL and RELIC are already included, but more are possible

Can NSEC5 be practical for DNSSEC deployments?

NSEC5 is proposed modification to DNSSEC that simultaneously guarantees two security properties: (1) privacy against offline zone enumeration, and (2) integrity of zone contents, even if an adversary compromises the authoritative nameserver responsible for responding to DNS queries for the zone. This paper redesigns NSEC5 to make it both practical and performant. Our NSEC5 redesign features a new fast verifiable random function (VRF) based on elliptic curve cryptography (ECC), along with a cryptographic proof of its security. This VRF is also of independent interest, as it is being standardized by the IETF and being used by several other projects. We show how to integrate NSEC5 using our ECC-based VRF into the DNSSEC protocol, leveraging precomputation to improve performance and DNS protocol-level optimizations to shorten responses. Next, we present the first full-fledged implementation of NSEC5—extending widely-used DNS software to present a nameserver and recursive resolver that support NSEC5—and evaluate their performance under aggressive DNS query loads. Our performance results indicate that our redesigned NSEC5 can be viable even for high-throughput scenarioshttps://eprint.iacr.org/2017/099.pdfFirst author draf

Notes on Lattice-Based Cryptography

Asymmetrisk kryptering er avhengig av antakelsen om at noen beregningsproblemer er vanskelige å løse. I 1994 viste Peter Shor at de to mest brukte beregningsproblemene, nemlig det diskrete logaritmeproblemet og primtallsfaktorisering, ikke lenger er vanskelige å løse når man bruker en kvantedatamaskin. Siden den gang har forskere jobbet med å finne nye beregningsproblemer som er motstandsdyktige mot kvanteangrep for å erstatte disse to. Gitterbasert kryptografi er forskningsfeltet som bruker kryptografiske primitiver som involverer vanskelige problemer definert på gitter, for eksempel det korteste vektorproblemet og det nærmeste vektorproblemet. NTRU-kryptosystemet, publisert i 1998, var et av de første som ble introdusert på dette feltet. Problemet Learning With Error (LWE) ble introdusert i 2005 av Regev, og det regnes nå som et av de mest lovende beregningsproblemene som snart tas i bruk i stor skala. Å studere vanskelighetsgraden og å finne nye og raskere algoritmer som løser den, ble et ledende forskningstema innen kryptografi. Denne oppgaven inkluderer følgende bidrag til feltet: - En ikke-triviell reduksjon av Mersenne Low Hamming Combination Search Problem, det underliggende problemet med et NTRU-lignende kryptosystem, til Integer Linear Programming (ILP). Særlig finner vi en familie av svake nøkler. - En konkret sikkerhetsanalyse av Integer-RLWE, en vanskelig beregningsproblemvariant av LWE, introdusert av Gu Chunsheng. Vi formaliserer et meet-in-the-middle og et gitterbasert angrep for denne saken, og vi utnytter en svakhet ved parametervalget gitt av Gu, for å bygge et forbedret gitterbasert angrep. - En forbedring av Blum-Kalai-Wasserman-algoritmen for å løse LWE. Mer spesifikt, introduserer vi et nytt reduksjonstrinn og en ny gjetteprosedyre til algoritmen. Disse tillot oss å utvikle to implementeringer av algoritmen, som er i stand til å løse relativt store LWE-forekomster. Mens den første effektivt bare bruker RAM-minne og er fullt parallelliserbar, utnytter den andre en kombinasjon av RAM og disklagring for å overvinne minnebegrensningene gitt av RAM. - Vi fyller et tomrom i paringsbasert kryptografi. Dette ved å gi konkrete formler for å beregne hash-funksjon til G2, den andre gruppen i paringsdomenet, for Barreto-Lynn-Scott-familien av paringsvennlige elliptiske kurver.Public-key Cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are not hard to solve anymore when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based Cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Error (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in Cryptology. This thesis includes the following contributions to the field: - A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys. - A concrete security analysis of the Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameters choice given by Gu to build an improved lattice-based attack. - An improvement of the Blum-Kalai-Wasserman algorithm to solve LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM memory and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations given by the RAM. - We fill a gap in Pairing-based Cryptography by providing concrete formulas to compute hash-maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.Doktorgradsavhandlin

Improved throughput of Elliptic Curve Digital Signature Algorithm (ECDSA) processor implementation over Koblitz curve k-163 on Field Programmable Gate Array (FPGA)

يقـدم البحث دراسة عن تصميم وتنفيذ دائرة الكترونية لتوليد التوقيع الالكتروني والتاكد من صحته ,بالاعتماد على مواصفات المنحني الاهليجي الموصى بها من  قبل المعهد الوطني للمعايير والتكنولوجيا(NIST) .حيث أرتكز العمل على إختيار منحني كوبلتز وتطبيقه على الحقول المنتهية أو ما تسمى بحقول غالو(2163)GF، ونظراً لأهمية تحسين الأداء في المعالجات الحديثة المبنية في بيئة البوابات المنطقية القابلة للبرمجة (FPGA)،  فقد أظهرت نتائج المحاكاة والتنفيذ للتصميم المقترح على الجهاز نوع Virtex5-xc5vlx155t-3ff1738  زيادة في معدل البيانات التي يتم معالجتها اثناء عمليتي توليد التوقيع واثبات صحته الى 0.08187 Mbit/s وبنسبة تصل الى 6.95% ,بالمقارنة مع التصميمات السابقة ، كما أستغرقت مدة تنفيذ العمليتين 1.66 ملي ثانية وبتردد أقصاه 83.477 ميكاهرتز. تم الاخذ بنظرالاعتبار تصميم المنفذ التسلسلي غير المتزامن (UART) والمستخدم في عملية نقل البيانات بين الحاسبة وFPGA .            The widespread use of the Internet of things (IoT) in different aspects of an individual’s life like banking, wireless intelligent devices and smartphones has led to new security and performance challenges under restricted resources. The Elliptic Curve Digital Signature Algorithm (ECDSA) is the most suitable choice for the environments due to the smaller size of the encryption key and changeable security related parameters. However, major performance metrics such as area, power, latency and throughput are still customisable and based on the design requirements of the device. The present paper puts forward an enhancement for the throughput performance metric by proposing a more efficient design for the hardware implementation of ECDSA. The design raised the throughput to 0.08207 Mbit/s, leading to an increase of 6.95% from the existing design. It also includes the design and implementation of the Universal Asynchronous Receiver Transmitter (UART) module. The present work is based on a 163-bit key-size over Koblitz curve k-163 and secure hash function SHA-1. A serial module for the underlying modular layer, high-speed architecture of Koblitz point addition and Koblitz point multiplication have been considered in this work, in addition to utilising the carry-save-multiplier, modular adder-subtractor and Extended Euclidean module for ECDSA protocols. All modules are designed using VHDL and implemented on the platform Virtex5 xc5vlx155t-3ff1738. Signature generation requires 0.55360ms, while its validation consumes 1.10947288ms. Thus, the total time required to complete both processes is equal to 1.66ms and the maximum frequency is approximately 83.477MHZ, consuming a power of 99mW with the efficiency approaching 3.39 * 10-6

Security in serverless network environments

As portable computing devices grow in popularity, so does the need for secure communications. Lacking tethers, these devices are ideal for forming small proximal groups in an ad-hoc fashion in environments where no server or permanent services are available. Members of these groups communicate over a broadcast or multicast network interconnect, and rely upon each other to form a cohesive group. While generally small in size and short in lifetime, security is a critical aspect of these groups that has received much academic attention in recent years. Much of the research focuses upon generating a common, group-wide private key suitable for encryption. This group key agreement utilizes keying technology that is very costly for small, limited-lifetime devices. Furthermore, key agreement provides no constructs for message authentication or integrity. Traditional systems require two keypairs to address both aspects of the secure group and one for encryption, the other for message validation. This work investigates the appropriateness of using a shared keypair for both contributory group key agreement and message quality guarantees. A JCE-compliant key agreement and digital signature framework has been implemented and is presented, and discussed. Using elliptic curve-based keys, this is possible at no loss in security, and these keys are easily and quickly computable on smaller devices. Algorithms that are known for their cryptographic strength are leveraged in both encryption and digital signature applications. This technique provides a computationally-effient key agreement scheme and digital signature framework, and a network-effcient key and signature distribution system. Perfect forward and backward security is maintained, and all members retain a current view of the group from a cryptographic perspective. This thesis is the culmination of several quarters of research and work, all conducted at the Rochester Institute of Technology under the supervison of Dr. Hans-Peter Bischof between December 2002 and January 2004. This thesis is completed as partial fullfillment of the requirements for a Masters Degree in Computer Science from the Rochester Institute of Technology

Applying security features to GA4GH Phenopackets

Global Alliance for Genomic and Health has developed a standard file format called Phenopacket to improve the exchange of phenotypic information over the network. However, this standard does not implement any security mechanism, which allows an attacker to obtain sensitive information if he gets hold of it. This project aims to provide security features within the Phenopacket schema to ensure a secure exchange. To achieve this objective, it is necessary to understand the structure of the schema in order to classify which fields need to be protected. Once the schema has been designed, an investigation is conducted into which technologies are currently the most secure, leading to the implementation of three security mechanisms: digital signature, encryption, and hashing. To conclude, several verification tests are performed to ensure that both the creation of Phenopacket and the security measures applied have been correctly implemented, confirming that data exchange is possible without revealing any sensitive data

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Ciphertext-Policy Attribute-Based Encryption (CPABE) was introduced by Bethencourt, Sahai, and Waters, as an improvement of Identity Based Encryption, allowing fine grained control of access to encrypted files by restricting access to only users whose attributes match that of the monotonic access tree of the encrypted file. Through these modifications, encrypted files can be placed securely on an unsecure server, without fear of malicious users being able to access the files, while allowing each user to have a unique key, reducing the vulnerabilites associated with sharing a key between multiple users. However, due to the fact that CPABE was designed for the purpose of not using trusted servers, key management strategies such as efficient renewal and immediate key revocation are inherently prevented. In turn, this reduces security of the entire scheme, as a user could maliciously keep a key after having an attribute changed or revoked, using the old key to decrypt files that they should not have access to with their new key. Additionally, the original CPABE implementation provided does not discuss the selection of the underlying bilinear pairing which is used as the cryptographic primitive for the scheme. This thesis explores different possibilites for improvement to CPABE, in both the choice of bilinear group used, as well as support for key management that does not rely on proxy servers while minimizing the communication overhead. Through this work, it was found that nonsupersingular elliptic curves can be used for CPABE, and Barreto-Naehrig curves allowed the fastest encryption and key generation in CHARM, but were the slowest curves for decryption due to the large size of the output group. Key management was performed by using a key-insulation method, which provided helper keys which allow keys to be transformed over different time periods, with revocation and renewal through key update. Unfortunately, this does not allow immediate revocation, and revoked keys are still valid until the end of the time period during which they are revoked. Discussion of other key management methods is presented to show that immediate key revocation is difficult without using trusted servers to control access

High-level Cryptographic Abstractions

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed. This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS. We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature