
    WhatsUpp with Sender Keys? Analysis, Improvements and Security Proofs

    Developing end-to-end encrypted instant messaging solutions for group conversations is an ongoing challenge that has garnered significant attention from practitioners and the cryptographic community alike. Notably, industry-leading messaging apps such as WhatsApp and Signal Messenger have adopted the Sender Keys protocol, where each group member shares their own symmetric encryption key with others. Despite its widespread adoption, Sender Keys has never been formally modelled in the cryptographic literature, raising the following natural question: What can be proven about the security of the Sender Keys protocol, and how can we practically mitigate its shortcomings? In addressing this question, we first introduce a novel security model to suit protocols like Sender Keys, deviating from conventional group key agreement-based abstractions. Our framework allows for a natural integration of two-party messaging within group messaging sessions that may be of independent interest. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, and prove it satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice

    Laconic Function Evaluation for Turing Machines

    Laconic function evaluation (LFE) allows Alice to compress a large circuit C into a small digest d. Given Alice's digest, Bob can encrypt some input x under d in a way that enables Alice to recover C(x), without learning anything beyond that. The scheme is said to be laconic if the size of d, the runtime of the encryption algorithm, and the size of the ciphertext are all sublinear in the size of C. Until now, all known LFE constructions have ciphertexts whose size depends on the depth of the circuit C, akin to the limitation of levelled homomorphic encryption. In this work we close this gap and present the first LFE scheme (for Turing machines) with asymptotically optimal parameters. Our scheme assumes the existence of indistinguishability obfuscation and somewhere statistically binding hash functions. As further contributions, we show how our scheme enables a wide range of new applications, including two previously unknown constructions: (1) non-interactive zero-knowledge (NIZK) proofs with optimal prover complexity; (2) witness encryption and attribute-based encryption (ABE) for Turing machines from falsifiable assumptions.

    Swoosh: Practical Lattice-Based Non-Interactive Key Exchange

    The advent of quantum computers has sparked significant interest in post-quantum cryptographic schemes, as a replacement for currently used cryptographic primitives. In this context, lattice-based cryptography has emerged as the leading paradigm to build post-quantum cryptography. However, all existing viable replacements of the classical Diffie-Hellman key exchange require additional rounds of interaction, thus failing to achieve all the benefits of this protocol. Although earlier work has shown that lattice-based Non-Interactive Key Exchange (NIKE) is theoretically possible, it has been considered too inefficient for real-life applications. In this work, we challenge this folklore belief and provide the first evidence against it. We construct a practical lattice-based NIKE whose security is based on the standard module learning with errors (M-LWE) problem in the quantum random oracle model. Our scheme is obtained in two steps: (i) a passively-secure construction that achieves a strong notion of correctness, coupled with (ii) a generic compiler that turns any such scheme into an actively-secure one. To substantiate our efficiency claim, we provide an optimised implementation of our construction in Rust and Jasmin. Our implementation demonstrates the scheme's applicability to real-world scenarios, yielding public keys of approximately 220 KB. Moreover, the computation of shared keys takes fewer than 12 million cycles on an Intel Skylake CPU, offering a post-quantum security level exceeding 120 bits.

    On Statistical Properties of Arbiter Physical Unclonable Functions

    The growing interest in the Internet of Things (IoT) has led to predictions claiming that by 2020 we can expect to be surrounded by 50 billion Internet-connected devices. With more entry points to a network, adversaries can potentially use IoT devices as a stepping stone for attacking other devices connected to the network or the network itself. Information security relies on cryptographic primitives that, in turn, depend on secret keys. Furthermore, the issue of intellectual property (IP) theft in the field of integrated circuit (IC) design can be tackled with the help of unique device identifiers. Physical unclonable functions (PUFs) provide a tamper-resilient solution for secure key storage and fingerprinting hardware. PUFs use intrinsic manufacturing differences of ICs to assign unique identities to hardware. Arbiter PUFs utilise the differences in delays of identically designed paths, giving rise to an unpredictable response unique to a given IC. This thesis explores the statistical properties of Boolean functions induced by arbiter PUFs. In particular, this empirical study looks into the distribution of induced functions. The data gathered shows that only 3% of all possible 4-variable functions can be induced by a single 4-stage arbiter PUF. Furthermore, some individual functions are more than 5 times more likely than others. Hence, the distribution is non-uniform. We also evaluate alternate PUF designs, improving the coverage vastly, resulting in one particular implementation inducing all 65,536 4-variable functions. We hypothesise the need for n XORed PUFs to induce all 2^(2^n) possible n-variable Boolean functions.

    On Asynchronous Group Key Agreement : Tripartite Asynchronous Ratchet Trees

    The subject of secure messaging has gained notable attention lately in the cryptographic community. For communications between two parties, paradigms such as the double ratchet, used in the Signal protocol, provide provably strong security guarantees such as forward secrecy and post-compromise security. Variations of the Signal protocol have enjoyed widespread adoption and are embedded in several well-known messaging services, including Signal, WhatsApp and Facebook Secret Conversations. However, providing equally strong guarantees that scale well in group settings remains somewhat less well studied and is often neglected in practice. This motivated the need for the IETF Messaging Layer Security (MLS) working group. The first continuous group key agreement (CGKA) protocol to be proposed was Asynchronous Ratcheting Trees (ART) [Cohn-Gordon et al., 2018], which formed the basis of TreeKEM [Barnes et al., 2019], the CGKA protocol currently suggested for MLS. In this thesis we propose a new asynchronous group key agreement protocol based on a one-round Tripartite Diffie-Hellman [Joux, 2000]. Furthermore, we show that our protocol can be generalised to an n-ary asynchronous ratchet tree, assuming the existence of a one-round (n + 1)-way Diffie-Hellman key exchange, based on an n-multilinear map [Boneh and Silverberg, 2003]. We analyse ART, TreeKEM, and our proposals from a complexity-theoretic perspective and show that our proposals improve the cost of update operations. Finally, we present some discussion and improvements to the IETF MLS standard.

    Ring Signatures for Deniable AKEM: Gandalf's Fellowship

    Ring signatures, a cryptographic primitive introduced by Rivest, Shamir and Tauman (ASIACRYPT 2001), offer signer anonymity within dynamically formed user groups. Recent advancements have focused on lattice-based constructions to improve efficiency, particularly for large signing rings. However, current state-of-the-art solutions suffer from significant overhead, especially for smaller rings. In this work, we present a novel NTRU-based ring signature scheme, Gandalf, tailored towards small rings. Our post-quantum scheme achieves a 50% reduction in signature sizes compared to the linear ring signature scheme Raptor (ACNS 2019). For rings of size two, our signatures are approximately a quarter the size of DualRing (CRYPTO 2021), another linear scheme, and remain more compact for rings up to size seven. Compared to the sublinear scheme Smile (CRYPTO 2021), our signatures are more compact for rings of size up to 26. In particular, for rings of size two, our ring signatures are only 1236 bytes. Additionally, we explore the use of ring signatures to obtain deniability in authenticated key exchange mechanisms (AKEMs), the primitive behind the recent HPKE standard used in MLS and TLS. We take a fine-grained approach to formalising sender deniability within AKEM and seek to define the strongest possible notions. Our contributions extend to a black-box construction of a deniable AKEM from a KEM and a ring signature scheme for rings of size two. Our approach attains the highest level of confidentiality and authenticity, while simultaneously preserving the strongest forms of deniability in two orthogonal settings. Finally, we present parameter sets for our schemes, and show that our deniable AKEM, when instantiated with our ring signature scheme, yields ciphertexts of 2004 bytes.