15 research outputs found

    Placing Conditional Disclosure of Secrets in the Communication Complexity Universe

    In the conditional disclosure of secrets (CDS) problem (Gertner et al., J. Comput. Syst. Sci., 2000) Alice and Bob, who hold n-bit inputs x and y respectively, wish to release a common secret z to Carol (who knows both x and y) if and only if the input (x,y) satisfies some predefined predicate f. Alice and Bob are allowed to send a single message to Carol which may depend on their inputs and some shared randomness, and the goal is to minimize the communication complexity while providing information-theoretic security. Despite the growing interest in this model, very few lower bounds are known. In this paper, we relate the CDS complexity of a predicate f to its communication complexity under various communication games. For several basic predicates our results yield tight, or almost tight, lower bounds of Omega(n) or Omega(n^{1-epsilon}), providing an exponential improvement over previous logarithmic lower bounds. We also define new communication complexity classes that correspond to different variants of the CDS model and study the relations between them and their complements. Notably, we show that allowing for imperfect correctness can significantly reduce communication, a seemingly new phenomenon in the context of information-theoretic cryptography. Finally, our results show that proving explicit super-logarithmic lower bounds for imperfect CDS protocols is a necessary step towards proving explicit lower bounds against the class AM, or even AM ∩ coAM, a well-known open problem in the theory of communication complexity. Thus imperfect CDS forms a new minimal class which is placed just beyond the boundaries of the "civilized" part of the communication complexity world for which explicit lower bounds are known.

    Making Masking Security Proofs Concrete - Or How to Evaluate the Security of any Leaking Device

    We investigate the relationships between theoretical studies of leaking cryptographic devices and concrete security evaluations with standard side-channel attacks. Our contributions are in four parts. First, we connect the formal analysis of the masking countermeasure proposed by Duc et al. (Eurocrypt 2014) with the Eurocrypt 2009 evaluation framework for side-channel key recovery attacks. In particular, we re-state their main proof for the masking countermeasure based on a mutual information metric, which is frequently used in concrete physical security evaluations. Second, we discuss the tightness of the Eurocrypt 2014 bounds based on experimental case studies. This allows us to conjecture a simplified link between the mutual information metric and the success rate of a side-channel adversary, ignoring technical parameters and proof artifacts. Third, we introduce heuristic (yet well-motivated) tools for the evaluation of the masking countermeasure when its independent leakage assumption is not perfectly fulfilled, as is frequently the case in practice. Thanks to these tools, we argue that masking with non-independent leakages may provide improved security levels in certain scenarios. Finally, we consider the tradeoff between measurement complexity and key enumeration in divide-and-conquer side-channel attacks, and show that it can be predicted based on the mutual information metric, by solving a non-linear integer programming problem for which efficient solutions exist. The combination of these observations enables significant reductions of the evaluation costs for certification bodies.

    Breaking Symmetric Cryptosystems Using Quantum Period Finding

    Due to Shor's algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood. In this paper, we consider attacks where an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. This model gives a lot of power to the adversary, but recent results show that it is nonetheless possible to build secure cryptosystems in it. We study applications of a quantum procedure called Simon's algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon's algorithm: finding a collision requires Ω(2^{n/2}) queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only O(n) queries in the quantum model. We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the situation with encryption modes: Anand et al. show that standard modes are secure with a quantum-secure PRF. Second, we show that Simon's algorithm can also be applied to slide attacks, leading to an exponential speed-up of a classical symmetric cryptanalysis technique in the quantum model.
    Comment: 31 pages, 14 figures

    Efficient Zero-Knowledge Proofs and their Applications

    A zero-knowledge proof is a fundamental cryptographic primitive that enables the verification of statements without revealing unnecessary information. Zero-knowledge proofs are a key component of many cryptographic protocols and, often, one of their main efficiency bottlenecks. In recent years there have been great advances in improving the efficiency of zero-knowledge proofs, bringing them closer to wide deployability. In this thesis we make another step towards the construction of computationally efficient zero-knowledge proofs. Specifically, we construct efficient zero-knowledge proofs for the satisfiability of arithmetic circuits for which the computational cost of the prover is only a constant factor more expensive than direct evaluation of the circuit. We also construct efficient zero-knowledge proofs to check the correct execution of (Tiny)RAM programs. In this case the computational cost for the prover is a superconstant factor larger than executing the program directly. Our proofs also support efficient verification and small proof sizes. For security, they rely on symmetric primitives and could potentially withstand attacks from quantum computers. In a different research direction, we look at group signatures, a fundamental primitive which relies on zero-knowledge proofs. A group signature enables users to sign anonymously on behalf of a group of users. In case of dispute a Manager can identify the author of a signature and potentially banish the user from the group. In this thesis we address the fundamental question of defining the security of fully dynamic group signatures, in which users can join and leave at any time. Unlike other, more restricted settings, this case has been largely overlooked in the past. Our security model is general, does not implicitly assume existing design paradigms and captures the security of existing models for more restricted settings.

    Byzantine fault-tolerant vote collection for D-DEMOS, a distributed e-voting system

    Election management systems are a powerful technology that allows the democratic process to be improved by reducing the cost of running elections, increasing voter participation, and producing results immediately. They also give voters the ability to directly verify the correct operation of the entire election process. Unfortunately, existing such systems are designed with central components, which constitute single points of failure. This can lead to the loss of availability and confidentiality, as well as of the integrity of the election result. In this thesis we examine introducing fault tolerance into election systems through the introduction of distributed components. This is complicated because, besides integrity and availability, in an election system it is also important to safeguard confidentiality against a malicious adversary. We focus on the vote collection phase of the election system, which is a critical part of the election process. We use the modern but centralized election management system DEMOS as the basis for our study. This system uses codes that correspond to the voters' possible choices, an Election Authority which initializes the election, collects the votes and produces the result, and a Bulletin Board for preserving the election data in the long term. We extract the vote collection mechanism from the centralized Election Authority of the original DEMOS system, and replace it with a distributed system that handles vote collection with Byzantine fault tolerance. In this thesis, we present the design, security analysis, development and evaluation of the prototype implementation of this distributed vote collection component.
We present two versions of this component: one fully asynchronous and one with minimal synchrony assumptions but better performance. Both versions provide immediate confirmation to the voter that her vote was recorded as submitted, without requiring cryptographic operations on the voter's side. In this way, the voter can send her vote using an insecure computer or network, and still be assured that her vote was recorded correctly. For example, she can vote using a public computer, or by sending a short message via mobile phone. Even in these cases, the confidentiality of the vote is fully preserved. We give a model and a security analysis for the systems we present. We implement prototypes of the complete systems, measure their performance experimentally, and demonstrate their ability to handle large-scale elections. Finally, we present the performance differences between the two versions of the system. We consider that the vote collection components we present in this thesis can find application in any election management system that relies on the technique of representing the ballot choices with codes.

E-voting systems are a powerful technology for improving democracy by reducing election cost, increasing voter participation, and even allowing voters to directly verify the entire election procedure. Unfortunately, prior internet voting systems have single points of failure, which may result in the compromise of availability, voter secrecy, or integrity of the election results. In this thesis, we consider increasing the fault-tolerance of voting systems by introducing distributed components. This is non-trivial as, besides integrity and availability, voting requires safeguarding confidentiality as well, against a malicious adversary.
We focus on the vote collection phase of the voting system, which is a crucial part of the election process. We use the DEMOS state-of-the-art but centralized voting system as the basis for our study. This system uses vote codes to represent voters' choices, an Election Authority to set up the election and handle vote collection and result production, and a Bulletin Board for storing the election transcript for the long term. We extract the vote collection mechanism from the centralized Election Authority component of the original DEMOS system, and replace it with a distributed system that handles vote collection in a Byzantine fault-tolerant manner. In this thesis, we present the design, security analysis, prototype implementation and experimental evaluation of this vote collection component. We present two versions of this component: one completely asynchronous and one with minimal timing assumptions but better performance. Both versions provide immediate assurance to the voter that her vote was recorded as cast, without requiring cryptographic operations on behalf of the voter. This way, a voter may cast her vote using an untrusted computer or network, and still be assured her vote was recorded as cast. For example, she may vote via a public web terminal, or by sending an SMS from a mobile phone. Even in these cases, the voter's privacy is still preserved. We provide a model and security analysis of the systems we present. We implement prototypes of the complete systems, measure their performance experimentally, and demonstrate their ability to handle large-scale elections. Finally, we demonstrate the performance trade-offs between the two versions of the system. We consider that the vote collection components we introduce are applicable to any voting system that uses the code-voting technique.

    Bringing Theory Closer to Practice in Post-quantum and Leakage-resilient Cryptography

    Modern cryptography pushed forward the need for provable security. Whereas ancient cryptography relied only on heuristic assumptions and the secrecy of the designs, nowadays researchers try to make the security of schemes rely on mathematical problems which are believed hard to solve. When doing these proofs, the capabilities of potential adversaries are modeled formally. For instance, the black-box model assumes that an adversary does not learn anything from the inner state of a construction. While this assumption makes sense in some practical scenarios, it was shown that one can sometimes learn some information by other means, e.g., by timing how long the computation takes. In this thesis, we focus on two different areas of cryptography. In both parts, we first take a theoretical point of view to obtain a result. We then try to adapt our results so that they are easily usable for implementers and for researchers working in practical cryptography. In the first part of this thesis, we take a look at post-quantum cryptography, i.e., at cryptographic primitives that are believed secure even in the case that (reasonably big) quantum computers are built. We introduce HELEN, a new public-key cryptosystem based on the hardness of the learning from parity with noise problem (LPN). To make our results more concrete, we suggest some practical instances which make the system easily implementable. As stated above, the design of cryptographic primitives usually relies on some well-studied hard problems. However, to suggest concrete parameters for these primitives, one needs to know the precise complexity of algorithms solving the underlying hard problem. In this thesis, we focus on two recent hard problems that became very popular in post-quantum cryptography: the learning with errors (LWE) and the learning with rounding (LWR) problem.
We introduce a new algorithm that solves both problems and provide a careful complexity analysis so that these problems can be used to construct practical cryptographic primitives. In the second part, we look at leakage-resilient cryptography, which studies adversaries able to get some side-channel information from a cryptographic primitive. In the past, two main disjoint models were considered. The first one, the threshold probing model, assumes that the adversary can put a limited number of probes in a circuit. He then learns all the values going through these probes. This model was used mostly by theoreticians as it allows very elegant and convenient proofs. The second model, the noisy-leakage model, assumes that every component of the circuit leaks but that the observed signal is noisy. Typically, some Gaussian noise is added to it. According to experiments, this model closely depicts the real behaviour of circuits. Hence, this model is cherished by the practical cryptographic community. In this thesis, we show that a proof in the first model implies a proof in the second model, which unifies the two models and reconciles both communities. We then look at this result from a more practical point of view. We show how it can help in the process of evaluating the security of a chip based solely on the more standard mutual information metric.

    Provably Secure Authenticated Encryption

    Authenticated Encryption (AE) is a symmetric key cryptographic primitive that ensures confidentiality and authenticity of processed messages at the same time. The research of AE as a primitive in its own right started in 2000. The security goals of AE were captured in formal definitions in the tradition of provable security (such as NAE, MRAE, OAE, RAE or the RUP), where the security of a scheme is formally proven assuming the security of an underlying building block. The prevailing syntax moved to nonce-based AE with associated data (which is an additional input that gets authenticated, but not encrypted). Other types of AE schemes appeared as well, e.g. ones that supported stateful sessions. Numerous AE schemes were designed; in the early years, these were almost exclusively blockcipher modes of operation, most notably OCB in 2001, CCM in 2003 and GCM in 2004. At the same time, issues were discovered both with the security and applicability of the most popular AE schemes, and with other applications of symmetric key cryptography. As a response, the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) was started in 2013. Its goals were to identify a portfolio of new, secure and reliable AE schemes that would satisfy the needs of practical applications, and also to boost the research in the area of AE. Prompted by CAESAR, 57 new schemes were designed, new types of constructions that gained popularity appeared (such as the Sponge-based AE schemes), and new notions of security were proposed (such as RAE). The final portfolio of the CAESAR competition should be announced in 2018. In this thesis, we push the state of the art in the field of AE in several directions. All of them are related to provable security, in one way or another. We propose OMD, the first provably secure dedicated AE scheme that is based on a compression function. We further modify OMD to achieve nonce misuse-resistant security (MRAE).
We also propose another provably secure variant of OMD called pure OMD, which enjoys a great improvement of performance over OMD. Inspired by the modifications that gave rise to pure OMD, we turn to the popular Sponge-based AE schemes and prove that similar measures can also be applied to the keyed Sponge and keyed Duplex (a variant of the Sponge), allowing a substantial increase of performance without an impact on security. We then address definitional aspects of AE. We critically evaluate the security notion of OAE, whose authors claimed that it provides the best possible security for online schemes under nonce reuse. We challenge these claims, and discuss what the meaningful requirements for online AE schemes are. Based on our findings, we formulate a new definition of online AE security under nonce reuse, and demonstrate its feasibility. We next turn our attention to the security of nonce-based AE schemes under stretch misuse, i.e. when a scheme is used with varying ciphertext expansion under the same key, even though it should not be. We argue that varying the stretch is plausible, and formulate several notions that capture security in the presence of variable stretch. We establish their relations to previous notions, and demonstrate the feasibility of security in this setting. We finally depart from provable security, with the intention to complement it. We compose a survey of universal forgeries, decryption attacks and key recovery attacks on 3rd round CAESAR candidates.

    Quantitative security of block ciphers: designs and cryptanalysis tools

    Block ciphers probably figure in the list of the most important cryptographic primitives. Although they are used for many different purposes, their essential goal is to ensure confidentiality. This thesis is concerned with their quantitative security, that is, with measurable attributes that reflect their ability to guarantee this confidentiality. The first part of this thesis deals with well-known results. Starting with Shannon's Theory of Secrecy, we move to practical implications for block ciphers, recall the main schemes on which today's block ciphers are based, and introduce the Luby-Rackoff security model. We describe distinguishing attacks and key-recovery attacks against block ciphers and show how to turn the former into the latter. As an illustration, we recall linear cryptanalysis, which is a classical example of statistical cryptanalysis. In the second part, we consider the (in)security of block ciphers against statistical cryptanalytic attacks and develop some tools to perform optimal attacks and quantify their efficiency. We start with a simple setting in which the adversary has to distinguish between two sources of randomness and show how an optimal strategy can be derived in certain cases. We proceed with the practical situation where the cardinality of the sample space is too large for the optimal strategy to be implemented and show how this naturally leads to the concept of projection-based distinguishers, which reduce the sample space by compressing the samples. Within this setting, we re-consider the particular case of linear distinguishers and generalize them to sets of arbitrary cardinality. We show how these distinguishers between random sources can be turned into distinguishers between random oracles (or block ciphers) and how, in this setting, one can generalize linear cryptanalysis to Abelian groups.
As a proof of concept, we show how to break the block cipher TOY100, introduce the block cipher DEAN which encrypts blocks of decimal digits, and apply the theory to the SAFER block cipher family. In the last part of this thesis, we introduce two new constructions. We start by recalling some essential notions about provable security for block ciphers and about Serge Vaudenay's Decorrelation Theory, and introduce new simple modules for which we prove essential properties that we later use in our designs. We then present the block cipher C and prove that it is immune against a wide range of cryptanalytic attacks. In particular, we compute the exact advantage of the best distinguisher limited to two plaintext/ciphertext samples between C and the perfect cipher and use it to compute the exact value of the maximum expected linear probability (resp. differential probability) of C, which is known to be inversely proportional to the number of samples required by the best possible linear (resp. differential) attack. We then introduce KFC, a block cipher which builds upon the same foundations as C but for which we can prove results for higher order adversaries. We conclude both discussions about C and KFC with implementation considerations.