9 research outputs found

    Fast Hash-Based Signatures on Constrained Devices

    Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning

    The secret keys of critical network authorities - such as time, name, certificate, and software update services - represent high-value targets for hackers, criminals, and spy agencies wishing to use these keys secretly to compromise other hosts. To protect authorities and their clients proactively from undetected exploits and misuse, we introduce CoSi, a scalable witness cosigning protocol ensuring that every authoritative statement is validated and publicly logged by a diverse group of witnesses before any client will accept it. A statement S collectively signed by W witnesses assures clients that S has been seen, and not immediately found erroneous, by those W observers. Even if S is compromised in a fashion not readily detectable by the witnesses, CoSi still guarantees S's exposure to public scrutiny, forcing secrecy-minded attackers to risk that the compromise will soon be detected by one of the W witnesses. Because clients can verify collective signatures efficiently without communication, CoSi protects clients' privacy, and offers the first transparency mechanism effective against persistent man-in-the-middle attackers who control a victim's Internet access, the authority's secret key, and several witnesses' secret keys. CoSi builds on existing cryptographic multisignature methods, scaling them to support thousands of witnesses via signature aggregation over efficient communication trees. A working prototype demonstrates CoSi in the context of timestamping and logging authorities, enabling groups of over 8,000 distributed witnesses to cosign authoritative statements in under two seconds.
    Comment: 20 pages, 7 figures

    Oops, I did it again -- Security of One-Time Signatures under Two-Message Attacks

    One-time signatures (OTS) are called one-time because the accompanying reductions only guarantee security under single-message attacks. However, this does not imply that efficient attacks are possible under two-message attacks. Especially in the context of hash-based OTS (which are basic building blocks of recent standardization proposals), this leads to the question of whether accidental reuse of a one-time key pair leads to immediate loss of security or to graceful degradation. In this work we analyze the security of the most prominent hash-based OTS, Lamport's scheme, its optimized variant, and WOTS, under different kinds of two-message attacks. Interestingly, it turns out that the schemes are still secure under two-message attacks, asymptotically. However, this does not imply anything for typical parameters. Our results show that for Lamport's scheme, security only slowly degrades in the relevant attack scenarios and typical parameters are still somewhat secure, even in the case of a two-message attack. As we move on to optimized Lamport and its generalization WOTS, security degrades faster and faster, and typical parameters do not provide any reasonable level of security under two-message attacks.

    Merkle Signatures with Virtually Unlimited Signature Capacity

    Abstract. We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited (2^80) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost. Keywords: Merkle signatures, post-quantum cryptography, SSL.

    Linicrypt: A Model for Practical Cryptography

    A wide variety of objectively practical cryptographic schemes can be constructed using only symmetric-key operations and linear operations. To formally study this restricted class of cryptographic algorithms, we present a new model called Linicrypt. A Linicrypt program has access to a random oracle whose inputs and outputs are field elements, and otherwise manipulates data only via fixed linear combinations. Our main technical result is that it is possible to decide in polynomial time whether two given Linicrypt programs induce computationally indistinguishable distributions (against arbitrary PPT adversaries, in the random oracle model). We also show that indistinguishability of Linicrypt programs can be expressed as an existential formula, making the model amenable to automated program synthesis. In other words, it is possible to use a SAT/SMT solver to automatically generate Linicrypt programs satisfying a given security constraint. Interestingly, the properties of Linicrypt imply that this synthesis approach is both sound and complete. We demonstrate this approach by synthesizing Linicrypt constructions of garbled circuits.

    Hash Families and Cover-Free Families with Cryptographic Applications

    This thesis is focused on hash families and cover-free families and their application to problems in cryptography. We present new necessary conditions for generalized separating hash families, and provide new explicit constructions. We then consider three cryptographic applications of hash families and cover-free families. First, we provide a stronger definition of anonymity in the context of shared symmetric key primitives and give a new scheme with improved anonymity properties. Second, we observe that finding the invalid signatures in a set of digital signatures that fails batch verification is a group testing problem, then apply and compare many group testing algorithms to solve this problem efficiently. In particular, we apply group testing algorithms based on cover-free families. Finally, we construct a one-time signature scheme based on cover-free families with short signatures.

    Blockchain Technology: A Method for Identifying Use Cases

    Since the introduction of the cryptocurrency Bitcoin in 2009, blockchain has long captivated researchers as well as experts from the private sector. While the initial use cases came mainly from the financial industry, these have evolved along with the blockchain. Today the technology's potential is undisputedly large, yet initiatives in areas outside the financial sector are developing only slowly. The aim of this master's thesis is to identify use cases suited to blockchain by means of a self-developed method, and the method should be usable across industries. To achieve this, a theoretical part first captured the current state of blockchain technology. A subsequent part examined and analyzed application areas of the technology. Further potential application areas were included through the use of exploratory research methods. Qualitative expert interviews deepened the picture of the status quo of blockchain, and its strengths and weaknesses as well as its implications were classified and recorded through a SWOT analysis. From all these parts, parameters were derived that are applied in the developed method. The method was verified through theoretical application as well as evaluation with experts. The findings on the status quo of blockchain show that the technology as a whole lives up to its disruptive attributes, particularly with regard to use cases. However, the experts agree that the real use cases for blockchain have yet to be developed, and that combining topics such as the Internet of Things and artificial intelligence will greatly broaden the spectrum of applications. The identification method can provide initial indications as to whether a proposed case can be effectively implemented using blockchain.