High-level Cryptographic Abstractions

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed. This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS. We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature

Automatic generation of high speed elliptic curve cryptography code

Apparently, trust is a rare commodity when power, money or life itself are at stake. History is full of examples. Julius Caesar did not trust his generals, so that: ``If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.'' And so the history of cryptography began moving its first steps. Nowadays, encryption has decayed from being an emperor's prerogative and became a daily life operation. Cryptography is pervasive, ubiquitous and, the best of all, completely transparent to the unaware user. Each time we buy something on the Internet we use it. Each time we search something on Google we use it. Everything without (almost) realizing that it silently protects our privacy and our secrets. Encryption is a very interesting instrument in the "toolbox of security" because it has very few side effects, at least on the user side. A particularly important one is the intrinsic slow down that its use imposes in the communications. High speed cryptography is very important for the Internet, where busy servers proliferate. Being faster is a double advantage: more throughput and less server overhead. In this context, however, the public key algorithms starts with a big handicap. They have very bad performances if compared to their symmetric counterparts. Due to this reason their use is often reduced to the essential operations, most notably key exchanges and digital signatures. The high speed public key cryptography challenge is a very practical topic with serious repercussions in our technocentric world. Using weak algorithms with a reduced key length to increase the performances of a system can lead to catastrophic results. In 1985, Miller and Koblitz independently proposed to use the group of rational points of an elliptic curve over a finite field to create an asymmetric algorithm. Elliptic Curve Cryptography (ECC) is based on a problem known as the ECDLP (Elliptic Curve Discrete Logarithm Problem) and offers several advantages with respect to other more traditional encryption systems such as RSA and DSA. The main benefit is that it requires smaller keys to provide the same security level since breaking the ECDLP is much harder. In addition, a good ECC implementation can be very efficient both in time and memory consumption, thus being a good candidate for performing high speed public key cryptography. Moreover, some elliptic curve based techniques are known to be extremely resilient to quantum computing attacks, such as the SIDH (Supersingular Isogeny Diffie-Hellman). Traditional elliptic curve cryptography implementations are optimized by hand taking into account the mathematical properties of the underlying algebraic structures, the target machine architecture and the compiler facilities. This process is time consuming, requires a high degree of expertise and, ultimately, error prone. This dissertation' ultimate goal is to automatize the whole optimization process of cryptographic code, with a special focus on ECC. The framework presented in this thesis is able to produce high speed cryptographic code by automatically choosing the best algorithms and applying a number of code-improving techniques inspired by the compiler theory. Its central component is a flexible and powerful compiler able to translate an algorithm written in a high level language and produce a highly optimized C code for a particular algebraic structure and hardware platform. The system is generic enough to accommodate a wide array of number theory related algorithms, however this document focuses only on optimizing primitives based on elliptic curves defined over binary fields

End-to-end security for mobile devices

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2004Includes bibliographical references (leaves: 120)Text in English; Abstract: Turkish and Englishix, 133 leavesEnd-to-end security has been an emerging need for mobile devices with the widespread use of personal digital assistants and mobile phones. Transport Layer Security Protocol (TLS) is an end-to-end security protocol that is commonly used in Internet, together with its predecessor, SSL protocol. By using TLS protocol in mobile world, the advantage of the proven security model of this protocol can be taken.J2ME (Java 2 Micro Edition) has been the de facto application platform used in mobile devices. This thesis aims to provide an end-to-end security protocol implementation based on TLS 1.0 specification and that can run on J2ME MIDP (Mobile Information Device Profile) environment. Because of the resource intensive public-key operations used in TLS, this protocol needs high resources and has low performance. Another motivation for the thesis is to adapt the protocol for mobile environment and to show that it is possible to use the protocol implementation in both client and server modes. An alternative serialization mechanism is used instead of the standard Java object serialization that is lacking in MIDP. In this architecture, XML is used to transmit object data.The mobile end-to-end security protocol has the main design issues of maintainability and extensibility. Cryptographic operations are performed with a free library, Bouncy Castle Cryptography Package. The object-oriented architecture of the protocol implementation makes the replacement of this library with another cryptography package easier.Mobile end-to-end security protocol is tested with a mobile hospital reservation system application. Test cases are prepared to measure the performance of the protocol implementation with different cipher suites and platforms. Measured values of all handshake operation and defined time spans are given in tables and compared with graphs

Noise Explorer: Fully Automated Modeling and Verification for Arbitrary Noise Protocols

International audienceThe Noise Protocol Framework, introduced recently, allows for the design and construction of secure channel protocols by describing them through a simple, restricted language from which complex key derivation and local state transitions are automatically inferred. Noise "Handshake Patterns" can support mutual authentication, forward secrecy, zero round-trip encryption, identity hiding and other advanced features. Since the framework's release, Noise-based protocols have been adopted by WhatsApp, WireGuard and other high-profile applications.We present Noise Explorer, an online engine for designing, reasoning about, formally verifying and implementing arbitrary Noise Handshake Patterns. Based on our formal treatment of the Noise Protocol Framework, Noise Explorer can validate any Noise Handshake Pattern and then translate it into a model ready for automated verification and also into a production-ready software implementation written in Go or in Rust. We use Noise Explorer to analyze more than 57 handshake patterns. We confirm the stated security goals for 12 fundamental patterns and provide precise properties for the rest. We also analyze unsafe handshake patterns and document weaknesses that occur when validity rules are not followed. All of this work is consolidated into a usable online tool that presents a compendium of results and can parse formal verification results to generate detailed-but-pedagogical reports regarding the exact security goals of each message of a Noise Handshake Pattern with respect to each party, under an active attacker and including malicious principals. Noise Explorer evolves alongside the standard Noise Protocol Framework, having already contributed new security goal verification results and stronger definitions for pattern validation and security parameters

Preuves mécanisées de protocoles cryptographiques et leur lien avec des implémentations vérifiées

Cryptographic protocols are one of the foundations for the trust people put in computer systems nowadays, be it online banking, any web or cloud services, or secure messaging. One of the best theoretical assurances for cryptographic protocol security is reached through proofs in the computational model. Writing such proofs is prone to subtle errors that can lead to invalidation of the security guarantees and, thus, to undesired security breaches. Proof assistants strive to improve this situation, have got traction, and have increasingly been used to analyse important real-world protocols and to inform their development. Writing proofs using such assistants requires a substantial amount of work. It is an ongoing endeavour to extend their scope through, for example, more automation and detailed modelling of cryptographic building blocks. This thesis shows on the example of the CryptoVerif proof assistant and two case studies, that mechanized cryptographic proofs are practicable and useful in analysing and designing complex real-world protocols.The first case study is on the free and open source Virtual Private Network (VPN) protocol WireGuard that has recently found its way into the Linux kernel. We contribute proofs for several properties that are typical for secure channel protocols. Furthermore, we extend CryptoVerif with a model of unprecedented detail of the popular Diffie-Hellman group Curve25519 used in WireGuard.The second case study is on the new Internet standard Hybrid Public Key Encryption (HPKE), that has already been picked up for use in a privacy-enhancing extension of the TLS protocol (ECH), and in the Messaging Layer Security secure group messaging protocol. We accompanied the development of this standard from its early stages with comprehensive formal cryptographic analysis. We provided constructive feedback that led to significant improvements in its cryptographic design. Eventually, we became an official co-author. We conduct a detailed cryptographic analysis of one of HPKE's modes, published at Eurocrypt 2021, an encouraging step forward to make mechanized cryptographic proofs more accessible to the broader cryptographic community.The third contribution of this thesis is of methodological nature. For practical purposes, security of implementations of cryptographic protocols is crucial. However, there is frequently a gap between a cryptographic security analysis and an implementation that have both been based on a protocol specification: no formal guarantee exists that the two interpretations of the specification match, and thus, it is unclear if the executable implementation has the guarantees proved by the cryptographic analysis. In this thesis, we close this gap for proofs written in CryptoVerif and implementations written in F*. We develop cv2fstar, a compiler from CryptoVerif models to executable F* specifications using the HACL* verified cryptographic library as backend. cv2fstar translates non-cryptographic assumptions about, e.g., message formats, from the CryptoVerif model to F* lemmas. This allows to prove these assumptions for the specific implementation, further deepening the formal link between the two analysis frameworks. We showcase cv2fstar on the example of the Needham-Schroeder-Lowe protocol. cv2fstar connects CryptoVerif to the large F* ecosystem, eventually allowing to formally guarantee cryptographic properties on verified, efficient low-level code.Les protocoles cryptographiques sont l'un des fondements de la confiance que la société accorde aujourd'hui aux systèmes informatiques, qu'il s'agisse de la banque en ligne, d'un service web, ou de la messagerie sécurisée. Une façon d'obtenir des garanties théoriques fortes sur la sécurité des protocoles cryptographiques est de les prouver dans le modèle calculatoire. L'écriture de ces preuves est délicate : des erreurs subtiles peuvent entraîner l'invalidation des garanties de sécurité et, par conséquent, des failles de sécurité. Les assistants de preuve visent à améliorer cette situation. Ils ont gagné en popularité et ont été de plus en plus utilisés pour analyser des protocoles importants du monde réel, et pour contribuer à leur développement. L'écriture de preuves à l'aide de tels assistants nécessite une quantité substantielle de travail. Un effort continu est nécessaire pour étendre leur champ d'application, par exemple, par une automatisation plus poussée et une modélisation plus détaillée des primitives cryptographiques. Cette thèse montre sur l'exemple de l'assistant de preuve CryptoVerif et deux études de cas, que les preuves cryptographiques mécanisées sont praticables et utiles pour analyser et concevoir des protocoles complexes du monde réel. La première étude de cas porte sur le protocole de réseau virtuel privé (VPN) libre et open source WireGuard qui a récemment été intégré au noyau Linux. Nous contribuons des preuves pour plusieurs propriétés typiques des protocoles de canaux sécurisés. En outre, nous étendons CryptoVerif avec un modèle d'un niveau de détail sans précédent du groupe Diffie-Hellman populaire Curve25519 utilisé dans WireGuard. La deuxième étude de cas porte sur la nouvelle norme Internet Hybrid Public Key Encryption (HPKE), qui est déjà utilisée dans une extension du protocole TLS destinée à améliorer la protection de la vie privée (ECH), et dans Messaging Layer Security, un protocole de messagerie de groupe sécurisée. Nous avons accompagné le développement de cette norme dès les premiers stades avec une analyse cryptographique formelle. Nous avons fourni des commentaires constructifs ce qui a conduit à des améliorations significatives dans sa conception cryptographique. Finalement, nous sommes devenus un co-auteur officiel. Nous effectuons une analyse cryptographique détaillée de l'un des modes de HPKE, publiée à Eurocrypt 2021, un pas encourageant pour rendre les preuves cryptographiques mécanisées plus accessibles à la communauté des cryptographes. La troisième contribution de cette thèse est de nature méthodologique. Pour des utilisations pratiques, la sécurité des implémentations de protocoles cryptographiques est cruciale. Cependant, il y a souvent un écart entre l'analyse de la sécurité cryptographique et l'implémentation, tous les deux basées sur la même spécification d'un protocole : il n'existe pas de garantie formelle que les deux interprétations de la spécification correspondent, et donc, il n'est pas clair si l'implémentation exécutable a les garanties prouvées par l'analyse cryptographique. Dans cette thèse, nous comblons cet écart pour les preuves écrites en CryptoVerif et les implémentations écrites en F*. Nous développons cv2fstar, un compilateur de modèles CryptoVerif vers des spécifications exécutables F* en utilisant la bibliothèque cryptographique vérifiée HACL* comme fournisseur de primitives cryptographiques. cv2fstar traduit les hypothèses non cryptographiques concernant, par exemple, les formats de messages, du modèle CryptoVerif vers des lemmes F*. Cela permet de prouver ces hypothèses pour l'implémentation spécifique, ce qui approfondit le lien formel entre les deux cadres d'analyse. Nous présentons cv2fstar sur l'exemple du protocole Needham-Schroeder-Lowe. cv2fstar connecte CryptoVerif au grand écosystème F*, permettant finalement de garantir formellement des propriétés cryptographiques sur du code de bas niveau efficace vérifié

Analysis of BCNS and Newhope Key-exchange Protocols

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key-exchange protocols based on hard problems in lattices, mainly based on the Ring Learning With Errors (R-LWE) problem. In this work we present an analysis of Ring-LWE based key-exchange mechanisms and compare two implementations of Ring-LWE based key-exchange protocol: BCNS and NewHope. This is important as NewHope protocol implementation outperforms state-of-the art elliptic curve based Diffie-Hellman key-exchange X25519, thus showing that using quantum safe key-exchange is not only a viable option but also a faster one. Specifically, this thesis compares different reconciliation methods, parameter choices, noise sampling algorithms and performance

Enhanced cryptographic approaches for SCADA network security.

Due to the overwhelming increase in open source code, off-the-shelf software packages, third party and vendor codes, along with the ease of getting information about hacking network security systems and attacking the well known holes in security systems, the problem of having a secure network system is much more difficult than before this boom in technology and information broadcast. What makes the problem even worse is trying to secure a network for real time control, such as a network using supervisory control and data acquisition (SCADA) systems, because now the problem has two faces: securing the real time control system and at the same time keeping the response time of the system in the acceptable range for the transactions\u27 level of service. There is a strong trend to chose security frameworks that have been popular in the e-commerce sites of the web, particularly because they proven to be very mature and secure for more than one and half decades. Examples include the transport level security (TLS) and its predecessor secured socket layer (SSL) framework that is based on the very popular public key cryptography and key distribution algorithms, such as Rivest, Shamir and Adleman (RSA), elliptic curve cryptography (ECC), and Diffie-Hellman. Despite the fact that these algorithms proved to be very powerful against most types of attacks, they are not tailored to secure SCADA networks, and consequently cause a significant degradation in the performance time of real time transactions. This dissertation offers two novel encryption algorithms for securing a SCADA network, the N-Secrecy and the Security Spectrum algorithms. N-Secrecy gave very good results when compared with the SSL; with N-Secrecy performance time in the range of one thousandth of the SSL. The Security Spectrum approach moved the encryption methodology from using numerical representations into using a physical representation based on modeling the conditions of the two communicating parties with a system of non-linear polynomials and then using computer algebra techniques. Both approaches have the potential to significantly enhance the security of commercial SCADA installations

Key establishment --- security models, protocols and usage

Key establishment is the process whereby two or more parties derive a shared secret, typically used for subsequent confidential communication. However, identifying the exact security requirements for key establishment protocols is a non-trivial task. This thesis compares, extends and merges existing security definitions and models for key establishment protocols. The primary focus is on two-party key agreement schemes in the public-key setting. On one hand new protocols are proposed and analyzed in the existing Canetti-Krawzcyk model. On the other hand the thesis develops a security model and novel definition that capture the essential security attributes of the standardized Unified Model key agreement protocol. These analyses lead to the development of a new security model and related definitions that combine and extend the Canetti-Krawzcyk pre- and post- specified peer models in terms of provided security assurances. The thesis also provides a complete analysis of a one-pass key establishment scheme. There are security goals that no one-pass key establishment scheme can achieve, and hence the two-pass security models and definitions need to be adapted for one-pass protocols. The analysis provided here includes the description of the required modification to the underlying security model. Finally, a complete security argument meeting these altered conditions is presented as evidence supporting the security of the one-pass scheme. Lastly, validation and reusing short lived key pairs are related to efficiency, which is a major objective in practice. The thesis considers the formal implication of omitting validation steps and reusing short lived key pairs. The conclusions reached support the generally accepted cryptographic conventions that incoming messages should not be blindly trusted and extra care should be taken when key pairs are reused

Adaptively Secure BLS Threshold Signatures from DDH and co-CDH

Threshold signature is one of the most important cryptographic primitives in distributed systems. A popular choice of threshold signature scheme is the BLS threshold signature introduced by Boldyreva (PKC\u2703). Some attractive properties of Boldyreva\u27s threshold signature are that the signatures are unique and short, the signing process is non-interactive, and the verification process is identical to that of non-threshold BLS. These properties have resulted in its practical adoption in several decentralized systems. However, despite its popularity and wide adoption, up until recently, the Boldyreva scheme has been proven secure only against a static adversary. Very recently, Bacho and Loss (CCS\u2722) presented the first proof of adaptive security for Boldyreva\u27s threshold signature, but they have to rely on strong and non-standard assumptions such as the hardness of one-more discrete log (OMDL) and the Algebraic Group Model~(AGM). In this paper, we present the first adaptively secure threshold BLS signature scheme that relies on the hardness of DDH and co-CDH in asymmetric pairing group in the Random Oracle Model (ROM). Our signature scheme also has non-interactive signing, compatibility with non-threshold BLS verification, and practical efficiency like Boldyreva\u27s scheme. Moreover, to achieve static security, our scheme only needs the hardness of CDH in the ROM, which is the same as the standard non-threshold BLS signature. These properties make our protocol a suitable candidate for practical adoption with the added benefit of provable adaptive security. We also present an efficient distributed key generation (DKG) protocol to set up the signing keys for our signature scheme. We implement our scheme in Go and evaluate its signing and aggregation costs