Studies on the Security of Selected Advanced Asymmetric Cryptographic Primitives

The main goal of asymmetric cryptography is to provide confidential communication, which allows two parties to communicate securely even in the presence of adversaries. Ever since its invention in the seventies, asymmetric cryptography has been improved and developed further, and a formal security framework has been established around it. This framework includes different security goals, attack models, and security notions. As progress was made in the field, more advanced asymmetric cryptographic primitives were proposed, with other properties in addition to confidentiality. These new primitives also have their own definitions and notions of security. This thesis consists of two parts, where the first relates to the security of fully homomorphic encryption and related primitives. The second part presents a novel cryptographic primitive, and defines what security goals the primitive should achieve. The first part of the thesis consists of Article I, II, and III, which all pertain to the security of homomorphic encryption schemes in one respect or another. Article I demonstrates that a particular fully homomorphic encryption scheme is insecure in the sense that an adversary with access only to the public material can recover the secret key. It is also shown that this insecurity mainly stems from the operations necessary to make the scheme fully homomorphic. Article II presents an adaptive key recovery attack on a leveled homomorphic encryption scheme. The scheme in question claimed to withstand precisely such attacks, and was the only scheme of its kind to do so at the time. This part of the thesis culminates with Article III, which is an overview article on the IND-CCA1 security of all acknowledged homomorphic encryption schemes. The second part of the thesis consists of Article IV, which presents Vetted Encryption (VE), a novel asymmetric cryptographic primitive. The primitive is designed to allow a recipient to vet who may send them messages, by setting up a public filter with a public verification key, and providing each vetted sender with their own encryption key. There are three different variants of VE, based on whether the sender is identifiable to the filter and/or the recipient. Security definitions, general constructions and comparisons to already existing cryptographic primitives are provided for all three variants.Doktorgradsavhandlin

Post Quantum Cryptography

Riassunto tesi magistrale: Post Quantum Cryptography Candidato: VAIRA Antonio Durante la stesura della mia tesi, su cui ho lavorato quest'ultimo anno della mia carriera universitaria, ho cercato di rispondere alla domanda: Qual è lo stato dell'arte della crittografia odierna in grado di sostenere un attacco da parte di utente malevolo in possesso di un “grande” computer quantistico? Per “grande” si intende un computer quantistico che abbia un registro di diverse migliaia di qubit e quindi sia in grado di far girare degli algoritmi quantistici effettivamente utilizzabili. Ad oggi sono stati ideati solamente due algoritmi quantistici per scopi cripto-analitici ed uno di questi, l’algoritmo di Shor, permette di fattorizzare grandi numeri in un tempo ridotto. Questo “semplice” problema matematico (o meglio algoritmico) è alla base della sicurezza dei cripto-sistemi a chiave pubblica utilizzati oggi. In un sistema a chiave pubblica odierno, come l'RSA, la difficoltà di manomissione è legata alla difficoltà algoritmica di fattorizzare grandi numeri, dove difficoltà implica non l'impossibilità ma bensì un dispendio di risorse/tempo per l’hacking maggiore del valore stesso dell'informazione che si otterrebbe da tale hacking. Nel mio lavoro inizialmente ho preso in esame, in linea di massima, sia i cripto-sistemi utilizzati oggi sia gli algoritmi quantistici utilizzabili in un ipotetico futuro per comprometterli. Successivamente, ho focalizzato la mia attenzione sulle alternative “mainstream” ai cripto-sistemi impiegati oggi: ovvero algoritmi post-quantum, proposti dalla comunità di cripto-analisti attivi nel campo, e ho provato a costruire un framework per valutarne l'effettivo impiego. In questo framework, quindi, ho scelto di approfondire lo studio della famiglia dei lattice-based (algoritmi la cui sicurezza è basata sulla difficoltà di risolvere problemi relativi ai lattici multidimensionali). All'interno di questa famiglia di cripto-sistemi ne ho individuato uno in particolare, lo NTRU, particolarmente promettente per un impiego, nell'immediato futuro, all'interno di una corporate PKI (un esempio a me vicino è la PKI sviluppata all'interno dell'Airbus, per la quale ho lavorato durante quest'ultimo anno). Ho in seguito approfondito lo studio di un altro algoritmo appartenente alla medesima famiglia dei cripto-sistemi lattice-based : il ring-LWE in quanto molto più interessante da un punto di vista accademico ma ancora relativamente sconosciuto. Successivamente ho elaborato alcune modifiche per lo stesso algoritmo con lo scopo di renderlo più veloce e affidabile, incrementando così la probabilità di recuperare un messaggio corretto dal corrispondente crittogramma. Come ultima tappa, ho implementato l'algoritmo di criptazione modificato utilizzando un linguaggio ad alto livello (molto vicino a python) e ho comparato sia i tempi di esecuzione sia le risorse utilizzate con un versione non modificata ma implementata con lo stesso linguaggio, rendendo così i confronti il più coerenti possibile. Dai risultati ottenuti risulta che la versione modificata del ring-LWE è estremamente promettente ma necessita di una più approfondila analisi da un punto di vista cripto-analitico, ovvero è necessario stressare l'algoritmo per capire se introduca o meno ulteriori vulnerabilità rispetto alla versione originale. In conclusione l'algoritmo ring-LWE, che ho maggiormente approfondito, offre diversi e interessanti spunti di riflessione ma è ben lontano dall'essere implementato in una infrastruttura reale. Nel evenienza di una sostituzione immediata è in generale buona norma in crittografia ripiegare su strade già battute e implementazioni più vecchie e fidate, un esempio all'interno degli algoritmi post-quantum è sicuramente lo NTRU (già dal 2008 standard IEEE: Std 1363.1). Come ultima riflessione personale vorrei aggiungere che malgrado in questo mio lavoro di tesi l'aspetto fisico appaia marginale è solo grazie alla preparazione, che ho maturato nel mio percorso di studi, che ho potuto svolgerlo senza grandi difficoltà e facendo un esperienza davvero costruttiva in una grande azienda come l'Airbus. Dopo tutto un bagaglio fisico ci rende dei “problem-solver” nelle situazioni più disparate

Decryption Failure Attacks on Post-Quantum Cryptography

This dissertation discusses mainly new cryptanalytical results related to issues of securely implementing the next generation of asymmetric cryptography, or Public-Key Cryptography (PKC).PKC, as it has been deployed until today, depends heavily on the integer factorization and the discrete logarithm problems.Unfortunately, it has been well-known since the mid-90s, that these mathematical problems can be solved due to Peter Shor's algorithm for quantum computers, which achieves the answers in polynomial time.The recently accelerated pace of R&D towards quantum computers, eventually of sufficient size and power to threaten cryptography, has led the crypto research community towards a major shift of focus.A project towards standardization of Post-quantum Cryptography (PQC) was launched by the US-based standardization organization, NIST. PQC is the name given to algorithms designed for running on classical hardware/software whilst being resistant to attacks from quantum computers.PQC is well suited for replacing the current asymmetric schemes.A primary motivation for the project is to guide publicly available research toward the singular goal of finding weaknesses in the proposed next generation of PKC.For public key encryption (PKE) or digital signature (DS) schemes to be considered secure they must be shown to rely heavily on well-known mathematical problems with theoretical proofs of security under established models, such as indistinguishability under chosen ciphertext attack (IND-CCA).Also, they must withstand serious attack attempts by well-renowned cryptographers both concerning theoretical security and the actual software/hardware instantiations.It is well-known that security models, such as IND-CCA, are not designed to capture the intricacies of inner-state leakages.Such leakages are named side-channels, which is currently a major topic of interest in the NIST PQC project.This dissertation focuses on two things, in general:1) how does the low but non-zero probability of decryption failures affect the cryptanalysis of these new PQC candidates?And 2) how might side-channel vulnerabilities inadvertently be introduced when going from theory to the practice of software/hardware implementations?Of main concern are PQC algorithms based on lattice theory and coding theory.The primary contributions are the discovery of novel decryption failure side-channel attacks, improvements on existing attacks, an alternative implementation to a part of a PQC scheme, and some more theoretical cryptanalytical results

Cloud-based homomorphic encryption for privacy-preserving machine learning in clinical decision support

While privacy and security concerns dominate public cloud services, Homomorphic Encryption (HE) is seen as an emerging solution that ensures secure processing of sensitive data via untrusted networks in the public cloud or by third-party cloud vendors. It relies on the fact that some encryption algorithms display the property of homomorphism, which allows them to manipulate data meaningfully while still in encrypted form; although there are major stumbling blocks to overcome before the technology is considered mature for production cloud environments. Such a framework would find particular relevance in Clinical Decision Support (CDS) applications deployed in the public cloud. CDS applications have an important computational and analytical role over confidential healthcare information with the aim of supporting decision-making in clinical practice. Machine Learning (ML) is employed in CDS applications that typically learn and can personalise actions based on individual behaviour. A relatively simple-to-implement, common and consistent framework is sought that can overcome most limitations of Fully Homomorphic Encryption (FHE) in order to offer an expanded and flexible set of HE capabilities. In the absence of a significant breakthrough in FHE efficiency and practical use, it would appear that a solution relying on client interactions is the best known entity for meeting the requirements of private CDS-based computation, so long as security is not significantly compromised. A hybrid solution is introduced, that intersperses limited two-party interactions amongst the main homomorphic computations, allowing exchange of both numerical and logical cryptographic contexts in addition to resolving other major FHE limitations. Interactions involve the use of client-based ciphertext decryptions blinded by data obfuscation techniques, to maintain privacy. This thesis explores the middle ground whereby HE schemes can provide improved and efficient arbitrary computational functionality over a significantly reduced two-party network interaction model involving data obfuscation techniques. This compromise allows for the powerful capabilities of HE to be leveraged, providing a more uniform, flexible and general approach to privacy-preserving system integration, which is suitable for cloud deployment. The proposed platform is uniquely designed to make HE more practical for mainstream clinical application use, equipped with a rich set of capabilities and potentially very complex depth of HE operations. Such a solution would be suitable for the long-term privacy preserving-processing requirements of a cloud-based CDS system, which would typically require complex combinatorial logic, workflow and ML capabilities

Theory and Practice of Cryptography and Network Security Protocols and Technologies

In an age of explosive worldwide growth of electronic data storage and communications, effective protection of information has become a critical requirement. When used in coordination with other tools for ensuring information security, cryptography in all of its applications, including data confidentiality, data integrity, and user authentication, is a most powerful tool for protecting information. This book presents a collection of research work in the field of cryptography. It discusses some of the critical challenges that are being faced by the current computing world and also describes some mechanisms to defend against these challenges. It is a valuable source of knowledge for researchers, engineers, graduate and doctoral students working in the field of cryptography. It will also be useful for faculty members of graduate schools and universities

Secure multi party computations for electronic voting

Στην παρούσα εργασία, μελετούμε το πρόβλημα της ηλεκτρονικής ψηφοφορίας. Θεωρούμε ότι είναι έκφανση μιας γενικής διαδικασίας αποφάσεων που μπορεί να υλοποιηθεί μέσω υπολογισμών πολλαπλών οντοτήτων, οι οποίοι πρέπει να ικανοποιούν πολλές και αντικρουόμενες απαιτήσεις ασφαλείας. Έτσι μελετούμε σχετικές προσεγγίσεις οι οποίες βασιζονται σε κρυπτογραφικές τεχνικές, όπως τα ομομορφικά κρυπτοσυστήματα, τα δίκτυα μίξης και οι τυφλές υπογραφές. Αναλύουμε πώς προσφέρουν ακεραιότητα και ιδιωτικότητα (μυστικότητα) στην διαδικασία και την σχέση τους με την αποδοτικότητα. Εξετάζουμε τα είδη λειτουργιών κοινωνικής επιλογής που μπορούν να υποστηρίξουν και παρέχουμε δύο υλοποιήσεις. Επιπλέον ασχολούμαστε με την αντιμετώπιση ισχυρότερων αντιπάλων μη παρέχοντας αποδείξεις ψήφου ή προσφέροντας δυνατότητες αντίστασης στον εξαναγκασμό. Με βάση την τελευταία έννοια προτείνουμε μια τροποποίηση σε ένα ευρέως χρησιμοποιούμενο πρωτόκολλο. Τέλος μελετούμε δύο γνωστές υλοποιήσεις συστημάτων ηλεκτρονικής ψηφοφοριας το Helios και το Pret a Voter .In this thesis, we study the problem of electronic voting as a general decision making process that can be implemented using multi party computations, fulfilling strict and often conflicting security requirements. To this end, we review relevant cryptographic techniques and their combinations to form voting protocols. More specifically, we analyze schemes based on homomorphic cryptosystems, mixnets with proofs of shuffles and blind signatures. We analyze how they achieve integrity and privacy in the voting process, while keeping efficiency. We examine the types of social choice functions that can be supported by each protocol. We provide two proof of concept implementations. Moreover, we review ways to thwart stronger adversaries by adding receipt freeness and coercion resistance to voting systems. We build on the latter concept to propose a modification to a well known protocol. Finally, we study two actual e-Voting implementations namely Helios and Pret a Voter

BIKE: Bit Flipping Key Encapsulation

Submission to the NIST post quantum standardization proces

Algorithmes quantiques pour la cryptanalyse et cryptographie symétrique post-quantique

Modern cryptography relies on the notion of computational security. The level of security given by a cryptosystem is expressed as an amount of computational resources required to break it. The goal of cryptanalysis is to find attacks, that is, algorithms with lower complexities than the conjectural bounds.With the advent of quantum computing devices, these levels of security have to be updated to take a whole new notion of algorithms into account. At the same time, cryptography is becoming widely used in small devices (smart cards, sensors), with new cost constraints.In this thesis, we study the security of secret-key cryptosystems against quantum adversaries.We first build new quantum algorithms for k-list (k-XOR or k-SUM) problems, by composing exhaustive search procedures. Next, we present dedicated cryptanalysis results, starting with a new quantum cryptanalysis tool, the offline Simon's algorithm. We describe new attacks against the lightweight algorithms Spook and Gimli and we perform the first quantum security analysis of the standard cipher AES.Finally, we specify Saturnin, a family of lightweight cryptosystems oriented towards post-quantum security. Thanks to a very similar structure, its security relies largely on the analysis of AES.La cryptographie moderne est fondée sur la notion de sécurité computationnelle. Les niveaux de sécurité attendus des cryptosystèmes sont exprimés en nombre d'opérations ; une attaque est un algorithme d'une complexité inférieure à la borne attendue. Mais ces niveaux de sécurité doivent aujourd'hui prendre en compte une nouvelle notion d'algorithme : le paradigme du calcul quantique. Dans le même temps,la délégation grandissante du chiffrement à des puces RFID, objets connectés ou matériels embarqués pose de nouvelles contraintes de coût.Dans cette thèse, nous étudions la sécurité des cryptosystèmes à clé secrète face à un adversaire quantique.Nous introduisons tout d'abord de nouveaux algorithmes quantiques pour les problèmes génériques de k-listes (k-XOR ou k-SUM), construits en composant des procédures de recherche exhaustive.Nous présentons ensuite des résultats de cryptanalyse dédiée, en commençant par un nouvel outil de cryptanalyse quantique, l'algorithme de Simon hors-ligne. Nous décrivons de nouvelles attaques contre les algorithmes Spook et Gimli et nous effectuons la première étude de sécurité quantique du chiffrement AES. Dans un troisième temps, nous spécifions Saturnin, une famille de cryptosystèmes à bas coût orientés vers la sécurité post-quantique. La structure de Saturnin est proche de celle de l'AES et sa sécurité en tire largement parti