Cryptographic Analysis of Secure Messaging Protocols
Instant messaging applications promise their users a secure and private way to communicate. The validity of these promises rests on the design of the underlying protocol, the cryptographic primitives used and the quality of the implementation. Though secure messaging designs exist in the literature, for various reasons developers of messaging applications often opt to design their own protocols, creating a gap between cryptography as understood by academic research and cryptography as implemented in practice. This thesis contributes to bridging this gap by approaching it from both sides: by looking for flaws in the protocols underlying real-world messaging applications, as well as by performing a rigorous analysis of their security guarantees in a provable security model.

Secure messaging can provide a host of different, sometimes conflicting, security and privacy guarantees. It is thus important to judge applications based on the concrete security expectations of their users. This is particularly significant for higher-risk users such as activists or civil rights protesters. To position our work, we first studied the security practices of protesters in the context of the 2019 Anti-ELAB protests in Hong Kong using in-depth, semi-structured interviews with participants of these protests. We report how they organised on different chat platforms based on their perceived security, and how they developed tactics and strategies to enable pseudonymity and detect compromise.

Then, we analysed two messaging applications relevant in the protest context: Bridgefy and Telegram. Bridgefy is a mobile mesh messaging application, allowing users in relative proximity to communicate without the Internet. It was being promoted as a secure communication tool for use in areas experiencing large-scale protests. We showed that Bridgefy permitted its users to be tracked, offered no authenticity, no effective confidentiality protections and lacked resilience against adversarially crafted messages. We verified these vulnerabilities by demonstrating a series of practical attacks.

Telegram is a messaging platform with over 500 million users, yet prior to this work its bespoke protocol, MTProto, had received little attention from the cryptographic community. We provided the first comprehensive study of the MTProto symmetric channel as implemented in cloud chats. We gave both positive and negative results. First, we found two attacks on the existing protocol, and two attacks on its implementation in official clients which exploit timing side channels and uncover a vulnerability in the key exchange protocol. Second, we proved that a fixed version of the symmetric MTProto protocol achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions. Our model itself advances the state-of-the-art for secure channels.
Extended Security of Lattice-Based Cryptography
Lattice-based cryptography is considered a quantum-safe alternative for the replacement of currently deployed schemes based on RSA and discrete logarithms in prime fields or elliptic curves. It offers strong theoretical security guarantees, a large array of achievable primitives, and a competitive level of efficiency. Nowadays, in the context of the NIST post-quantum standardization process, future standards may ultimately be chosen and several new lattice-based schemes are high-profile candidates. The cryptographic research community has been encouraged to analyze lattice-based cryptosystems, with a particular focus on practical aspects. This thesis is rooted in this effort.

In addition to black-box cryptanalysis with classical computing resources, we investigate the extended security of these new lattice-based cryptosystems, employing a broad spectrum of attack models, e.g. quantum, misuse, timing or physical attacks. Given that these models have already been applied to a large variety of pre-quantum asymmetric and symmetric schemes, we concentrate our efforts on leveraging and addressing the new features introduced by lattice structures. Our contribution is twofold: defensive, i.e. countermeasures for implementations of lattice-based schemes, and offensive, i.e. cryptanalysis.

On the defensive side, in view of the numerous recent timing and physical attacks, we wear our designer's hat and investigate algorithmic protections. We introduce new algorithmic and mathematical tools to construct provable algorithmic countermeasures in order to systematically prevent all timing and physical attacks. We thus participate in the actual provable protection of the GLP, BLISS, qTesla and Falcon lattice-based signature schemes.

On the offensive side, we estimate the applicability and complexity of novel attacks leveraging the lack of perfect correctness introduced in certain lattice-based encryption schemes to improve their performance. We show that such a compromise may enable decryption failure attacks in a misuse or quantum model. We finally introduce an algorithmic cryptanalysis tool that assesses the security of the mathematical problem underlying lattice-based schemes when partial knowledge of the secret is available. The usefulness of this new framework is demonstrated with the improvement and automation of several known classical, decryption-failure, and side-channel attacks.

Lattice-based cryptography is a promising alternative to the asymmetric cryptography in use today, owing to its presumed resistance to a universal quantum computer. This new family of asymmetric schemes has several strengths, among them strong theoretical security guarantees, a wide choice of primitives and, for some of its representatives, performance comparable to current standards. A post-quantum standardization campaign organised by NIST is under way, and several schemes using lattices are among the favourites. The scientific community has been encouraged to analyse them, since they may in the future be deployed in all our systems. The aim of this thesis is to contribute to this effort.

We study the security of these new cryptosystems not only in terms of their resistance to "black-box" cryptanalysis with classical computing resources, but also under a broader spectrum of security models, such as quantum attacks, attacks that assume usage flaws (misuse), or side-channel attacks. These different kinds of attack have already been extensively formalised and studied in the past for pre-quantum asymmetric and symmetric schemes. In this thesis we analyse their application to the new structures induced by lattices.

Our work is divided into two complementary parts: countermeasures and attacks. The first part gathers our contributions to the current effort to design new algorithmic protections in response to the many recent publications of side-channel attacks. The team work we took part in led to the introduction of new mathematical tools for building algorithmic countermeasures, backed by formal proofs, that systematically prevent physical and timing attacks. We thus took part in protecting several lattice-based signature schemes such as GLP, BLISS, qTesla and Falcon.

In a second part devoted to cryptanalysis, we first study new attacks that exploit the fact that some public-key encryption or key-establishment schemes may fail with small probability. These failures are in fact weakly correlated with the secret. Our work exhibited so-called "decryption failure" attacks in misuse models and in quantum models. We also introduced an algorithmic cryptanalysis tool for estimating the security of the underlying mathematical problem when partial information about the secret is given. This tool proved useful for automating and improving several known attacks, such as decryption failure attacks, classical attacks, and side-channel attacks.
Security in the Presence of Key Reuse: Context-Separable Interfaces and their Applications
Key separation is often difficult to enforce in practice. While key reuse can be catastrophic for security, we know of a number of cryptographic schemes for which it is provably safe. But existing formal models, such as the notions of joint security (Haber-Pinkas, CCS '01) and agility (Acar et al., EUROCRYPT '10), do not address the full range of key-reuse attacks, in particular those that break the abstraction of the scheme, or exploit protocol interactions at a higher level of abstraction. This work attends to these vectors by focusing on two key elements: the game that codifies the scheme under attack, as well as its intended adversarial model; and the underlying interface that exposes secret key operations for use by the game. Our main security experiment considers the implications of using an interface (in practice, the API of a software library or a hardware platform such as a TPM) to realize the scheme specified by the game when the interface is shared with other unspecified, insecure, or even malicious applications. After building up a definitional framework, we apply it to the analysis of two real-world schemes: the EdDSA signature algorithm and the Noise protocol framework. Both provide some degree of context separability, a design pattern for interfaces and their applications that aids in the deployment of secure protocols.
Non-Malleable Functions and Their Applications
We formally study "non-malleable functions" (NMFs), a general cryptographic primitive which simplifies and relaxes "non-malleable one-way/hash functions" (NMOWHFs) introduced by Boldyreva et al. (Asiacrypt 2009) and refined by Baecher et al. (CT-RSA 2010). NMFs focus on basic functions, rather than the one-way/hash functions considered in the literature on NMOWHFs.
We mainly follow Baecher et al. to formalize a game-based definition for NMFs. Roughly, a function is non-malleable if given an image for a randomly chosen , it is hard to output a mauled image with a transformation from some prefixed transformation class s.t. . A distinctive strengthening of our non-malleable notion is that such that is allowed. We also consider adaptive non-malleability, which stipulates that non-malleability holds even when an inversion oracle is available.
We investigate the relations between non-malleability and one-wayness in depth. In the non-adaptive setting, we show that for any achievable transformation class, non-malleability implies one-wayness for poly-to-one functions but not vice versa. In the adaptive setting, we show that for most algebra-induced transformation classes, adaptive non-malleability (ANM) is equivalent to adaptive one-wayness (AOW) for injective functions. These results establish theoretical connections between non-malleability and one-wayness for functions, which extend to trapdoor functions as well, and thus resolve the open problems left by Kiltz et al. (Eurocrypt 2010). We also study the relations between standard OW/NM and hinted OW/NM, where the latter notions are typically more useful in practice. Towards efficient realizations of NMFs, we give a deterministic construction from adaptive trapdoor functions and a randomized construction from all-but-one lossy functions and one-time signatures. This partially solves an open problem posed by Boldyreva et al. (Asiacrypt 2009).

Finally, we explore applications of NMFs in security against related-key attacks (RKA). We first show that the implication AOW ANM provides key conceptual insight into addressing non-trivial copy attacks in RKA security. We then show that NMFs give rise to a generic construction of continuous non-malleable key derivation functions, which have proven to be very useful in achieving RKA security for numerous cryptographic primitives. In particular, our construction simplifies and clarifies the construction by Qin et al. (PKC 2015).
The Related-Key Analysis of Feistel Constructions
Lecture Notes in Computer Science, Volume 8540, 2015.

It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally, we formalize Lucks' transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.
Related Randomness Attacks for Public Key Encryption
Several recent and high-profile incidents give cause to believe that randomness failures of various kinds are endemic in deployed cryptographic systems. In the face of this, it behoves cryptographic researchers to develop methods to immunise, to the extent that it is possible, cryptographic schemes against such failures. This paper considers the practically-motivated situation where an adversary is able to force a public key encryption scheme to reuse random values, and functions of those values, in encryption computations involving adversarially chosen public keys and messages. It presents a security model appropriate to this situation, along with variants of this model. It also provides necessary conditions on the set of functions used in order to attain this security notion, and demonstrates that these conditions are also sufficient in the Random Oracle Model. Further standard model constructions achieving weaker security notions are also given, with these constructions having interesting connections to other primitives including: pseudo-random functions that are secure in the related key attack setting; Correlated Input Secure hash functions; and public key encryption schemes that are secure in the auxiliary input setting (this being a special type of leakage resilience).