196 research outputs found

    Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation

    A recent work of Boyle et al. (Crypto 2016) suggests that "group-based" cryptographic protocols, namely ones that only rely on a cryptographically hard (Abelian) group, can be surprisingly powerful. In particular, they present succinct two-party protocols for securely computing branching programs and NC1 circuits under the DDH assumption, providing the first alternative to fully homomorphic encryption. In this work we further explore the power of group-based secure computation protocols, improving both their asymptotic and concrete efficiency. We obtain the following results.
    - Black-box use of group. We modify the succinct protocols of Boyle et al. so that they only make black-box use of the underlying group, eliminating an expensive non-black-box setup phase.
    - Round complexity. For any constant number of parties, we obtain 2-round MPC protocols based on a PKI setup under the DDH assumption. Prior to our work, such protocols were only known using fully homomorphic encryption or indistinguishability obfuscation.
    - Communication complexity. Under DDH, we present a secure 2-party protocol for any NC1 or log-space computation with n input bits and m output bits using n + (1+o(1))·m + poly(λ) bits of communication, where λ is a security parameter. In particular, our protocol can generate n instances of bit-oblivious-transfer using (4+o(1))·n bits of communication. This gives the first constant-rate OT protocol under DDH.
    - Computation complexity. We present several techniques for improving the computational cost of the share conversion procedure of Boyle et al., improving the concrete efficiency of group-based protocols by several orders of magnitude.

    Measuring And Securing Cryptographic Deployments

    This dissertation examines security vulnerabilities that arise due to communication failures and incentive mismatches along the path from cryptographic algorithm design to eventual deployment. I present six case studies demonstrating vulnerabilities in real-world cryptographic deployments. I also provide a framework with which to analyze the root cause of cryptographic vulnerabilities by characterizing them as failures in four key stages of the deployment process: algorithm design and cryptanalysis, standardization, implementation, and endpoint deployment. Each stage of this process is error-prone and influenced by various external factors, the incentives of which are not always aligned with security. I validate the framework by applying it to the six presented case studies, tracing each vulnerability back to communication failures or incentive mismatches in the deployment process. To curate these case studies, I develop novel techniques to measure both existing and new cryptographic attacks, and demonstrate the widespread impact of these attacks on real-world systems through measurement and cryptanalysis. While I do not claim that all cryptographic vulnerabilities can be described with this framework, I present a non-trivial (in fact substantial) number of case studies demonstrating that this framework characterizes the root cause of failures in a diverse set of cryptographic deployments.

    Energy Efficient Security Framework for Wireless Local Area Networks

    Wireless networks are susceptible to network attacks due to their inherent vulnerabilities. The radio signal used in wireless transmission can arbitrarily propagate through walls and windows; thus a wireless network perimeter is not exactly known. This leads them to be more vulnerable to attacks such as eavesdropping, message interception and modification compared to wired-line networks. Security services have been used as countermeasures to prevent such attacks, but they are used at the expense of resources that are scarce, especially where wireless devices have a very limited power budget. Hence, there is a need to provide security services that are energy efficient. In this dissertation, we propose an energy efficient security framework. The framework aims at providing security services that take into account energy consumption. We suggest three approaches to reduce the energy consumption of security protocols: replacement of standard security protocol primitives that consume high energy while maintaining the same security level, modification of standard security protocols appropriately, and a totally new design of security protocol where energy efficiency is the main focus. From our observation and study, we hypothesize that a higher level of energy savings is achievable if security services are provided in an adjustable manner. We propose an example tunable security or TuneSec system, which allows a reasonably fine-grained security tuning to provide security services at the wireless link level in an adjustable manner.
    We apply the framework to several standard security protocols in wireless local area networks and also evaluate their energy consumption performance. The first and second methods show improvements of up to 70% and 57% in energy consumption compared to plain standard security protocols, respectively. The standard protocols can only offer fixed-level security services, and the methods applied do not change the security level. The third method shows further improvement compared to fixed-level security by reducing (about 6% to 40%) the energy consumed. This amount of energy saving can be varied depending on the configuration and security requirements.

    Efficient Protocols for Multi-Party Computation

    Secure Multi-Party Computation (MPC) allows a group of parties to compute a joint function on their inputs without revealing any information beyond the result of the computation. We demonstrate secure function evaluation protocols for branching programs, where the communication complexity is linear in the size of the inputs, and polynomial in the security parameter. Our result is based on the circular security of Paillier's encryption scheme. Our work followed the breakthrough results by Boyle et al. [9; 11]. They presented a Homomorphic Secret Sharing scheme which allows the non-interactive computation of Branching Programs over shares of the secret inputs. Their protocol is based on the Decisional Diffie-Hellman Assumption. Additionally, we offer a verification technique to directly check correctness of the actual computation, rather than the absence of a potential error as in [9]. This results in fewer repetitions of the overall computation for a given error bound. We also use Paillier's encryption as the underlying scheme of publicly evaluatable perceptual hashing. Perceptual hashing allows the computation of a robust fingerprint of media files, such that the fingerprint can be used to detect the same object even if it has been modified in perceptually non-significant ways (e.g., compression). The robustness of such functions relies on the use of secret keys both during the computation and the detection phase. We present examples of publicly evaluatable perceptual hash functions which allow a user to compute the perceptual hash of an image using a public key, while only the detection algorithm will use the secret key. Our technique can be used to encourage users to submit intimate images to blacklist databases to stop those images from ever being posted online: indeed, using a publicly evaluatable perceptual hash function the user can privately submit the fingerprint, without ever revealing the image. We present formal definitions for the security of perceptual hash, a general theoretical result that uses Fully Homomorphic Encryption, and a specific construction using Paillier's encryption. For the latter we show via extensive implementation tests that the cryptographic overhead can be made minimal, resulting in a very efficient construction.

    HACL*: A Verified Modern Cryptographic Library

    HACL* is a verified portable C cryptographic library that implements modern cryptographic primitives such as the ChaCha20 and Salsa20 encryption algorithms, Poly1305 and HMAC message authentication, SHA-256 and SHA-512 hash functions, the Curve25519 elliptic curve, and Ed25519 signatures. HACL* is written in the F* programming language and then compiled to readable C code. The F* source code for each cryptographic primitive is verified for memory safety, mitigations against timing side-channels, and functional correctness with respect to a succinct high-level specification of the primitive derived from its published standard. The translation from F* to C preserves these properties and the generated C code can itself be compiled via the CompCert verified C compiler or mainstream compilers like GCC or Clang. When compiled with GCC on 64-bit platforms, our primitives are as fast as the fastest pure C implementations in OpenSSL and Libsodium, significantly faster than the reference C code in TweetNaCl, and between 1.1x and 5.7x slower than the fastest hand-optimized vectorized assembly code in SUPERCOP. HACL* implements the NaCl cryptographic API and can be used as a drop-in replacement for NaCl libraries like Libsodium and TweetNaCl. HACL* provides the cryptographic components for a new mandatory ciphersuite in TLS 1.3 and is being developed as the main cryptographic provider for the miTLS verified implementation. Primitives from HACL* are also being integrated within Mozilla's NSS cryptographic library. Our results show that writing fast, verified, and usable C cryptographic libraries is now practical.

    SoK: A Practical Cost Comparison Among Provable Data Possession Schemes

    Provable Data Possession (PDP) schemes provide users with the ability to efficiently audit and verify the integrity of data stored with potentially unreliable third parties, such as cloud storage service providers. While dozens of PDP schemes have been developed, no PDP scheme has been practically implemented with an existing cloud service. This work attempts to provide a starting point for the integration of PDP schemes with cloud storage service providers by providing a cost analysis of PDP schemes. This cost analysis is performed by implementing and analyzing five PDP schemes representative of the dozens of various PDP approaches. This paper provides analysis of the overhead and performance of each of these schemes to generate a comparable cost for each scheme using real-world cloud pricing models. Results show that the total cost of each scheme is comparable for smaller file sizes, but for larger files this cost can vary across schemes by an order of magnitude. Ultimately, the difference in cost between the simple MAC-based PDP scheme and the most efficient PDP scheme is negligible. While the MAC-PDP scheme may not be the most efficient, no other scheme improving upon its complexity can be implemented without the use of additional services or APIs, leading to the conclusion that the simplest, storage-only PDP scheme is the most practical to implement. Furthermore, the findings in this paper suggest that, in general, PDP schemes optimize on an inaccurate cost model and that future schemes should consider the existing economic realities of cloud services.

    Quantum information with black boxes : lifting protocols from theory to implementation

    According to recent estimates, 10^18 bytes of data are generated on a daily basis around the globe. Our information society urges for radical solutions to treat such a data deluge. By exploiting fundamental key elements of quantum theory (arguably the most probed theory of modern physics), quantum information science is nowadays revolutionizing the way in which we acquire, process, store and transmit information. In the midst of the information era, the potential of quantum technologies is being recognized by the industry sector, and in turn, new capabilities for quantum information processing keep driving exciting discoveries related to more fundamental aspects of science. There are several research programs all around the world fostering the development and commercialization of quantum technologies, mostly for cryptographic and randomness generation duties. Thus, the technological limitations that today keep us away from the quantum information era are gradually being overcome. But there is a fundamental issue that still needs to be faced: the impossibility of knowing what is really going on in quantum experiments, due to their atomic-scale dimensions. Indeed, how will an average user guarantee the proper functioning of a quantum device that has been purchased from an external company? To his eyes, the device will merely look like a black box. Even if the customer holds a PhD in quantum science, the issue will remain fundamentally cumbersome because of the impossibility of fully controlling, i.e. monitoring, all the physical processes occurring in any quantum experiment. Furthermore, the situation turns even more dramatic when considering adversarial applications, where a malicious eavesdropper could break the devices to manipulate their internal working, turning the protocol insecure and hence irrelevant as well.
    Therefore, it is the purpose of this Thesis to contribute to the experimental development of quantum information protocols with uncharacterized devices, namely, device-independent quantum information protocols. These protocols are naturally immune to any attack or failure related to mismatches between protocol theory and its actual implementation. This is achieved throughout the different Chapters by pursuing the following three overlapping duties: (i) To broaden theoretic capabilities by establishing a richer understanding of relevant fundamental resources lying at the basis of the theory of quantum information with uncharacterized devices. (ii) To develop competitive quantum information protocols by finding an adequate trade-off between high performance and practicability; between the power of the device-independent framework and its less demanding, so-called semi-device-independent, relaxations. (iii) To analyze and improve experimental conditions of diverse physical setups in order to carry out implementations in proof-of-principle experiments demonstrating quantum information protocols with black boxes. Our objective of turning the theory of quantum information into a graspable technology for our society through the development and implementation of protocols based on the minimalist, user-friendly, black-box paradigm contributes not only to the technological development of these protocols, but it also offers valuable insights on more fundamental aspects of quantum theory. In this sense, we contribute to the characterization and quantification of entanglement (the pivotal quantum resource at the basis of most testable phenomena without classical account) in scenarios of practical interest where uncharacterized devices are used.
    From the more applied perspective, we contribute to the development of two specific information tasks: the certification of genuinely random numbers in device-independent and semi-device-independent scenarios, and the generation of a shared secret key among two parties in a fully device-independent manner.

    A suite of quantum algorithms for the shortest vector problem

    Cryptography has come to be an essential part of the cybersecurity infrastructure that provides a safe environment for communications in an increasingly connected world. The advent of quantum computing poses a threat to the foundations of the current widely-used cryptographic model, due to the breaking of most of the cryptographic algorithms used to provide confidentiality, authenticity, and more. Consequently, a new set of cryptographic protocols has been designed to be secure against quantum computers; these are collectively known as post-quantum cryptography (PQC). A forerunner among PQC is lattice-based cryptography, whose security relies upon the hardness of a number of closely related mathematical problems, one of which is known as the shortest vector problem (SVP). In this thesis I describe a suite of quantum algorithms that utilize the energy minimization principle to attack the shortest vector problem. The algorithms outlined span the gate-model and continuous-time quantum computing, and explore methods of parameter optimization via variational methods, which are thought to be effective on near-term quantum computers. The performance of the algorithms is analyzed numerically, analytically, and on quantum hardware where possible. I explain how the results obtained in the pursuit of solving SVP apply more broadly to quantum algorithms seeking to solve general real-world problems; minimize the effect of noise on imperfect hardware; and improve efficiency of parameter optimization.
