
    Verified Correctness and Security of mbedTLS HMAC-DRBG

    We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security--that its output is pseudorandom--using a hybrid game-based proof. We have also proved that the mbedTLS implementation (C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference. Comment: Appearing in CCS '1

    The structural transition of the production system: Regional policy in common understanding

    Several scientists and politicians perceive a fundamental shift in the structure of the production process and in the political regulation system governing that process. Others claim that there is nothing worth mentioning about this rage, and posit the continuation of long-known cyclical and secular trends. There is a general lack of common understanding and accurate definition in the debate among and between politicians and academics. Neither the concept of "globalisation" nor that of "regionalisation" seems to be an accurate "description" or "explanation" of the structural transformations of the European economy. Yet these vague labels do have real implications for the perception and situation-definition of the masses and their leaders. Using theoretical tools such as the "Rule of Anticipated Reactions", "Hidden Faces of Power", "non-decision-making" etc., the proposition is that the "invisible hands" of market law and (supra-)state policies have altered the bargaining positions of "states" and organisations in favour of business. The debate about the "retreat" or "withering away" of the state, versus scientists pleading to "bring the state back in" to the analysis, is noticeable in most countries. But the "objective data" used are unsuitable: they cannot accurately measure the transition under research. The current discussion cannot reveal the importance of the concept of "structural power" in social relationships: the shifting balance of power between states and markets and between labour and capital. Because of the current division of the social sciences, individual disciplines cannot thoroughly capture the transition of the economic system. This transition consists of the shift away from a "Fordist Regulation" towards "Something Else". It has far-reaching consequences for the neo-corporatist organisation of the "European" economies and the underlying social differentiation. It is endangering the necessary social cohesion and hindering the supple functioning of the labour market. The classic "European" Keynesian Welfare State is undergoing strong incentives, perhaps dictates, towards drastic adjustment. The conditions imposed by mobile capital, both financial and productive, are narrowing the policy options of national and regional governments: the decrease of difference. At least, this is what is proclaimed in popular discourse, in contrast to the different findings of scientific research. The modern version of "beggar-thy-neighbour", the competitive provision of investment incentives, the involuntarily condescending attitude towards the captains of industry ... are disciplining the labour force and leading to unemployment and poverty. Because important parts of the socio-economic policy domains have been delegated to regional governments, these too are forced to play the game. Intra-Union and even intra-state social dumping, sometimes for the sake of European subsidy policy, are complicating a "regional understanding". How can the regions answer this common threat without ending in "mutually assured destruction"? How can they counter these "structural adjustment plans" without a suitable and adequate institutional apparatus at the Union level? What is known in political geography as the "jumping of scales" is changing the relationship between different policy levels. The "regional question" at the turn of the century is a difficult one: how can the regions defy the obligations of the global production system without rendering a community of regions impossible before it is constructed?

    A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components

    The semiconductor industry is fully globalized, and integrated circuits (ICs) are commonly defined, designed and fabricated in different premises across the world. This reduces production costs, but also exposes ICs to supply chain attacks, where insiders introduce malicious circuitry into the final products. Additionally, despite extensive post-fabrication testing, it is not uncommon for ICs with subtle fabrication errors to make it into production systems. While many systems may be able to tolerate a few byzantine components, this is not the case for cryptographic hardware, which stores and computes on confidential data. For this reason, many error and backdoor detection techniques have been proposed over the years. So far all attempts have either been quickly circumvented, or come with unrealistically high manufacturing costs and complexity. This paper proposes Myst, a practical high-assurance architecture that uses commercial off-the-shelf (COTS) hardware and provides strong security guarantees, even in the presence of multiple malicious or faulty components. The key idea is to combine protective redundancy with modern threshold cryptographic techniques to build a system tolerant to hardware trojans and errors. To evaluate our design, we build a Hardware Security Module that provides the highest level of assurance possible with COTS components. Specifically, we employ more than a hundred COTS secure crypto-coprocessors, verified to FIPS 140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both decryption and signing) and an exponential increase in backdoor tolerance as more ICs are added

    Verifiable Electronic Voting System: An Open Source Solution

    Elections, referenda and polls are vital processes for the operation of a modern democracy. They form the mechanism for transferring power from citizens to their representatives. Although some commentators claim that the pencil-and-paper systems used in countries such as Canada and the UK are still the best method of avoiding vote-rigging, recent election problems, and the need for faster, better, cheaper vote counting, have stimulated great interest in managing the election process through the use of electronic voting systems. While computer scientists, for the most part, have been warning of the possible perils of such action, vendors have forged ahead with their products, claiming increased security and reliability. Many democracies have adopted electronic systems, and the number of deployed systems is rising. Although the electronic voting process has gained popularity and users, it is a great challenge to provide a reliable system. The existing systems available to perform the election tasks are far from trustworthy. In this paper we describe VEV (Verifiable E-Voting), an electronic voting system which is open, but also provides for secret and secure voting, and can be used and verified over existing network system

    Concurrent Non-Malleable Commitments (and More) in 3 Rounds

    The round complexity of commitment schemes secure against man-in-the-middle attacks has been the focus of extensive research for about 25 years. The recent breakthrough of Goyal et al. [22] showed that 3 rounds are sufficient for (one-left, one-right) non-malleable commitments. This result matches a lower bound of [41]. This state of affairs still leaves open the intriguing problem of constructing 3-round concurrent non-malleable commitment schemes. In this paper we solve the above open problem by showing how to transform any 3-round (one-left, one-right) non-malleable commitment scheme (with some extractability property) into a 3-round concurrent non-malleable commitment scheme. Our transform makes use of complexity leveraging and, when instantiated with the construction of [22], gives a 3-round concurrent non-malleable commitment scheme from one-way permutations secure w.r.t. subexponential-time adversaries. We also show a 3-round argument of knowledge and a 3-round identification scheme secure against concurrent man-in-the-middle attacks

    Four-Round Concurrent Non-Malleable Commitments from One-Way Functions

    How many rounds and which assumptions are required for concurrent non-malleable commitments? The above question has puzzled researchers for several years. Pass [TCC 2013] showed a lower bound of 3 rounds for the case of black-box reductions to falsifiable hardness assumptions with respect to polynomial-time adversaries. On the other side, Goyal [STOC 2011], Lin and Pass [STOC 2011] and Goyal et al. [FOCS 2012] showed that one-way functions (OWFs) are sufficient with a constant number of rounds. More recently, Ciampi et al. [CRYPTO 2016] showed a 3-round construction based on subexponentially strong one-way permutations. In this work we show as our main result the first 4-round concurrent non-malleable commitment scheme assuming the existence of any one-way function. Our approach builds on a new security notion for argument systems against man-in-the-middle attacks: Simulation-Witness-Independence. We show how to construct a 4-round one-many simulation-witness-independent argument system from one-way functions. We then combine this new tool in parallel with a weak form of non-malleable commitments constructed by Goyal et al. in [FOCS 2014], obtaining the main result of our work

    Generic Superlight Client for Permissionless Blockchains

    We conduct a systematic study of light clients for permissionless blockchains, in the setting where the full nodes and the light clients are rational. Under such a game-theoretic model, we design a superlight-client protocol that enables a client to employ a few relaying full nodes (e.g. one or two) to read the blockchain. The protocol is "generic", i.e., it can be deployed regardless of the underlying consensus protocol, and also "superlight", i.e., the computational cost for the light client to determine the (non)existence of a transaction in the blockchain becomes a small constant. Since our protocol resolves a fundamental challenge in broadening the usage of blockchain technology, it captures a wide variety of important use cases such as multi-chain wallets, DApp browsers and more

    UC-Secure OT from LWE, Revisited

    We build a two-round, UC-secure oblivious transfer protocol (OT) in the common reference string (CRS) model under the Learning with Errors assumption (LWE) with sub-exponential modulus-to-noise ratio. We do so by instantiating the dual-mode encryption framework of Peikert, Vaikuntanathan and Waters (CRYPTO '08). The resulting OT can be instantiated in either one of two modes: one providing statistical sender security, and the other statistical receiver security. Furthermore, our scheme allows the sender and the receiver to reuse the CRS across arbitrarily many executions of the protocol. To the best of our knowledge, this gives the first construction of a UC-secure OT from LWE that achieves both statistical receiver security and unbounded reusability of the CRS. For comparison, there was, until recently, no such construction from LWE satisfying either one of these two properties. In particular, the construction of UC-secure OT from LWE of Peikert, Vaikuntanathan and Waters only provides computational receiver security and bounded reusability of the CRS. Our main technical contribution is a public-key encryption scheme from LWE where messy public keys (under which encryptions hide the underlying message statistically) can be recognized in time essentially independent of the LWE modulus q