14 research outputs found

    Cryptographic Analysis of Secure Messaging Protocols

    Get PDF
    Instant messaging applications promise their users a secure and private way to communicate. The validity of these promises rests on the design of the underlying protocol, the cryptographic primitives used and the quality of the implementation. Though secure messaging designs exist in the literature, for various reasons developers of messaging applications often opt to design their own protocols, creating a gap between cryptography as understood by academic research and cryptography as implemented in practice. This thesis contributes to bridging this gap by approaching it from both sides: by looking for flaws in the protocols underlying real-world messaging applications, as well as by performing a rigorous analysis of their security guarantees in a provable security model.Secure messaging can provide a host of different, sometimes conflicting, security and privacy guarantees. It is thus important to judge applications based on the concrete security expectations of their users. This is particularly significant for higher-risk users such as activists or civil rights protesters. To position our work, we first studied the security practices of protesters in the context of the 2019 Anti-ELAB protests in Hong Kong using in-depth, semi-structured interviews with participants of these protests. We report how they organised on different chat platforms based on their perceived security, and how they developed tactics and strategies to enable pseudonymity and detect compromise.Then, we analysed two messaging applications relevant in the protest context: Bridgefy and Telegram. Bridgefy is a mobile mesh messaging application, allowing users in relative proximity to communicate without the Internet. It was being promoted as a secure communication tool for use in areas experiencing large-scale protests. We showed that Bridgefy permitted its users to be tracked, offered no authenticity, no effective confidentiality protections and lacked resilience against adversarially crafted messages. We verified these vulnerabilities by demonstrating a series of practical attacks.Telegram is a messaging platform with over 500 million users, yet prior to this work its bespoke protocol, MTProto, had received little attention from the cryptographic community. We provided the first comprehensive study of the MTProto symmetric channel as implemented in cloud chats. We gave both positive and negative results. First, we found two attacks on the existing protocol, and two attacks on its implementation in official clients which exploit timing side channels and uncover a vulnerability in the key exchange protocol. Second, we proved that a fixed version of the symmetric MTProto protocol achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions. Our model itself advances the state-of-the-art for secure channels

    SƩcuritƩ Ʃtendue de la cryptographie fondƩe sur les rƩseaux euclidiens

    Get PDF
    Lattice-based cryptography is considered as a quantum-safe alternative for the replacement of currently deployed schemes based on RSA and discrete logarithm on prime fields or elliptic curves. It offers strong theoretical security guarantees, a large array of achievable primitives, and a competitive level of efficiency. Nowadays, in the context of the NIST post-quantum standardization process, future standards may ultimately be chosen and several new lattice-based schemes are high-profile candidates. The cryptographic research has been encouraged to analyze lattice-based cryptosystems, with a particular focus on practical aspects. This thesis is rooted in this effort.In addition to black-box cryptanalysis with classical computing resources, we investigate the extended security of these new lattice-based cryptosystems, employing a broad spectrum of attack models, e.g. quantum, misuse, timing or physical attacks. Accounting that these models have already been applied to a large variety of pre-quantum asymmetric and symmetric schemes before, we concentrate our efforts on leveraging and addressing the new features introduced by lattice structures. Our contribution is twofold: defensive, i.e. countermeasures for implementations of lattice-based schemes and offensive, i.e. cryptanalysis.On the defensive side, in view of the numerous recent timing and physical attacks, we wear our designerā€™s hat and investigate algorithmic protections. We introduce some new algorithmic and mathematical tools to construct provable algorithmic countermeasures in order to systematically prevent all timing and physical attacks. We thus participate in the actual provable protection of the GLP, BLISS, qTesla and Falcon lattice-based signatures schemes.On the offensive side, we estimate the applicability and complexity of novel attacks leveraging the lack of perfect correctness introduced in certain lattice-based encryption schemes to improve their performance. We show that such a compromise may enable decryption failures attacks in a misuse or quantum model. We finally introduce an algorithmic cryptanalysis tool that assesses the security of the mathematical problem underlying lattice-based schemes when partial knowledge of the secret is available. The usefulness of this new framework is demonstrated with the improvement and automation of several known classical, decryption-failure, and side-channel attacks.La cryptographie fondeĢe sur les reĢseaux euclidiens repreĢsente une alternative prometteuse aĢ€ la cryptographie asymeĢtrique utiliseĢe actuellement, en raison de sa reĢsistance preĢsumeĢe aĢ€ un ordinateur quantique universel. Cette nouvelle famille de scheĢmas asymeĢtriques dispose de plusieurs atouts parmi lesquels de fortes garanties theĢoriques de seĢcuriteĢ, un large choix de primitives et, pour certains de ses repreĢsentants, des performances comparables aux standards actuels. Une campagne de standardisation post-quantique organiseĢe par le NIST est en cours et plusieurs scheĢmas utilisant des reĢseaux euclidiens font partie des favoris. La communauteĢ scientifique a eĢteĢ encourageĢe aĢ€ les analyser car ils pourraient aĢ€ lā€™avenir eĢ‚tre implanteĢs dans tous nos systeĢ€mes. Lā€™objectif de cette theĢ€se est de contribuer aĢ€ cet effort.Nous eĢtudions la seĢcuriteĢ de ces nouveaux cryptosysteĢ€mes non seulement au sens de leur reĢsistance aĢ€ la cryptanalyse en ā€œboiĢ‚te noireā€ aĢ€ lā€™aide de moyens de calcul classiques, mais aussi selon un spectre plus large de modeĢ€les de seĢcuriteĢ, comme les attaques quantiques, les attaques supposant des failles dā€™utilisation, ou encore les attaques par canaux auxiliaires. Ces diffeĢrents types dā€™attaques ont deĢjaĢ€ eĢteĢ largement formaliseĢs et eĢtudieĢs par le passeĢ pour des scheĢmas asymeĢtriques et symeĢtriques preĢ-quantiques. Dans ce meĢmoire, nous analysons leur application aux nouvelles structures induites par les reĢseaux euclidiens. Notre travail est diviseĢ en deux parties compleĢmentaires : les contremesures et les attaques.La premieĢ€re partie regroupe nos contributions aĢ€ lā€™effort actuel de conception de nouvelles protections algorithmiques afin de reĢpondre aux nombreuses publications reĢcentes dā€™attaques par canaux auxiliaires. Les travaux reĢaliseĢs en eĢquipe auxquels nous avons pris part on abouti aĢ€ lā€™introduction de nouveaux outils matheĢmatiques pour construire des contre-mesures algorithmiques, appuyeĢes sur des preuves formelles, qui permettent de preĢvenir systeĢmatiquement les attaques physiques et par analyse de temps dā€™exeĢcution. Nous avons ainsi participeĢ aĢ€ la protection de plusieurs scheĢmas de signature fondeĢs sur les reĢseaux euclidiens comme GLP, BLISS, qTesla ou encore Falcon.Dans une seconde partie consacreĢe aĢ€ la cryptanalyse, nous eĢtudions dans un premier temps de nouvelles attaques qui tirent parti du fait que certains scheĢmas de chiffrement aĢ€ cleĢ publique ou dā€™eĢtablissement de cleĢ peuvent eĢchouer avec une faible probabiliteĢ. Ces eĢchecs sont effectivement faiblement correĢleĢs au secret. Notre travail a permis dā€™exhiber des attaques dites Ā« par eĢchec de deĢchiffrement Ā» dans des modeĢ€les de failles dā€™utilisation ou des modeĢ€les quantiques. Nous avons dā€™autre part introduit un outil algorithmique de cryptanalyse permettant dā€™estimer la seĢcuriteĢ du probleĢ€me matheĢmatique sous-jacent lorsquā€™une information partielle sur le secret est donneĢe. Cet outil sā€™est aveĢreĢ utile pour automatiser et ameĢliorer plusieurs attaques connues comme des attaques par eĢchec de deĢchiffrement, des attaques classiques ou encore des attaques par canaux auxiliaires

    Security in the Presence of Key Reuse: Context-Separable Interfaces and their Applications

    Get PDF
    Key separation is often difficult to enforce in practice. While key reuse can be catastrophic for security, we know of a number of cryptographic schemes for which it is provably safe. But existing formal models, such as the notions of joint security (Haber-Pinkas, CCS ā€™01) and agility (Acar et al., EUROCRYPT ā€™10), do not address the full range of key-reuse attacksā€”in particular, those that break the abstraction of the scheme, or exploit protocol interactions at a higher level of abstraction. This work attends to these vectors by focusing on two key elements: the game that codifies the scheme under attack, as well as its intended adversarial model; and the underlying interface that exposes secret key operations for use by the game. Our main security experiment considers the implications of using an interface (in practice, the API of a software library or a hardware platform such as TPM) to realize the scheme specified by the game when the interface is shared with other unspecified, insecure, or even malicious applications. After building up a definitional framework, we apply it to the analysis of two real-world schemes: the EdDSA signature algorithm and the Noise protocol framework. Both provide some degree of context separability, a design pattern for interfaces and their applications that aids in the deployment of secure protocols

    Non-Malleable Functions and Their Applications

    Get PDF
    We formally study ``non-malleable functions\u27\u27 (NMFs), a general cryptographic primitive which simplifies and relaxes ``non-malleable one-way/hash functions\u27\u27 (NMOWHFs) introduced by Boldyreva et al. (Asiacrypt 2009) and refined by Baecher et al. (CT-RSA 2010). NMFs focus on basic functions, rather than one-way/hash functions considered in the literature of NMOWHFs. We mainly follow Baecher et al. to formalize a game-based definition for NMFs. Roughly, a function ff is non-malleable if given an image yāˆ—ā†f(xāˆ—)y^* \leftarrow f(x^*) for a randomly chosen xāˆ—x^*, it is hard to output a mauled image yy with a transformation Ļ•\phi from some prefixed transformation class s.t. y=f(Ļ•(xāˆ—))y = f(\phi(x^*)). A distinctive strengthening of our non-malleable notion is that Ļ•\phi such that Ļ•(xāˆ—)=xāˆ—\phi(x^*) = x^* is allowed. We also consider adaptive non-malleability, which stipulates that non-malleability holds even when an inversion oracle is available. We investigate the relations between non-malleability and one-wayness in depth. In non-adaptive setting, we show that for any achievable transformation class, non-malleability implies one-wayness for poly-to-one functions but not vise versa.In adaptive setting, we show that for most algebra-induced transformation class, adaptive non-malleability (ANM) is equivalent to adaptive one-wayness (AOW) for injective functions. These results establish theoretical connections between non-malleability and one-wayness for functions, which extend to trapdoor functions as well, and thus resolve the open problems left by Kiltz et al. (Eurocrypt 2010). We also study the relations between standard OW/NM and hinted OW/NM, where the latter notions are typically more useful in practice. Towards efficient realizations of NMFs, we give a deterministic construction from adaptive trapdoor functions and a randomized construction from all-but-one lossy functions and one-time signature. This partially solves an open problem posed by Boldyreva et al. (Asiacrypt 2009). Finally, we explore applications of NMFs in security against related-key attacks (RKA). We first show that the implication AOW ā‡’\Rightarrow ANM provides key conceptual insight into addressing non-trivial copy attacks in RKA security. We then show that NMFs give rise to a generic construction of continuous non-malleable key derivation functions, which have proven to be very useful in achieving RKA security for numerous cryptographic primitives. Particularly, our construction simplifies and clarifies the construction by Qin et al. (PKC 2015)

    The related-key analysis of feistel constructions

    Get PDF
    Lecture Notes in Computer Science, Volume 8540, 2015.It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally we formalize Luckā€™s transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions

    Related Randomness Attacks for Public Key Encryption

    Get PDF
    Abstract. Several recent and high-profile incidents give cause to believe that randomness failures of various kinds are endemic in deployed cryptographic systems. In the face of this, it behoves cryptographic researchers to develop methods to immunise ā€“ to the extent that it is possible ā€“ cryptographic schemes against such failures. This paper considers the practically-motivated situation where an adversary is able to force a public key encryption scheme to reuse random values, and functions of those values, in encryption computations involving adversarially chosen public keys and messages. It presents a security model appropriate to this situation, along with variants of this model. It also provides necessary conditions on the set of functions used in order to attain this security notation, and demonstrates that these conditions are also sufficient in the Random Oracle Model. Further standard model constructions achieving weaker security notions are also given, with these constructions having interesting connections to other primitives including: pseudo-random functions that are secure in the related key attack setting; Correlated Input Secure hash functions; and public key encryption schemes that are secure in the auxiliary input setting (this being a special type of leakage resilience)
    corecore