7 research outputs found

    Verified Security of BLT Signature Scheme

    Get PDF
    The majority of real-world applications of digital signatures use timestamping to ensure non-repudiation in face of possible key revocations. This observation led Buldas, Laanoja, and Truu to a server-assisted digital signature scheme built around cryptographic timestamping. In this paper, we report on the machine-checked proofs of existential unforgeability under the chosen-message attack (EUF-CMA) of some variations of BLT digital signature scheme. The proofs are developed and verified using the EasyCrypt framework, which provides interactive theorem proving supported by the state-of-the-art SMT solvers.

    The Expectation Monad in Quantum Foundations

    Get PDF
    The expectation monad is introduced abstractly via two composable adjunctions, but concretely captures measures. It turns out to sit in between known monads: on the one hand the distribution and ultrafilter monad, and on the other hand the continuation monad. This expectation monad is used in two probabilistic analogues of fundamental results of Manes and Gelfand for the ultrafilter monad: algebras of the expectation monad are convex compact Hausdorff spaces, and are dually equivalent to so-called Banach effect algebras. These structures capture states and effects in quantum foundations, and also the duality between them. Moreover, the approach leads to a new re-formulation of Gleason's theorem, expressing that effects on a Hilbert space are free effect modules on projections, obtained via tensoring with the unit interval. Comment: In Proceedings QPL 2011, arXiv:1210.029

    Smart meter aggregation via secret-sharing

    No full text
    We design and prototype protocols for processing smart-meter readings while preserving user privacy. We provide support for computing non-linear functions on encrypted readings, implemented by adapting to our setting efficient secret-sharing-based secure multi-party computation techniques. Meter readings are jointly processed by a (public) storage service and a few independent authorities, each owning an additive share of the readings. For non-linear processing, these parties consume pre-shared materials, produced by an off-line trusted third party. This party never processes private readings; it may be implemented using trusted hardware or somewhat homomorphic encryption. The protocol involves minimal, off-line support from the meters - a few keyed hash computations and no communication overhead. © 2013 ACM

    Computer-aided security proofs for the working cryptographer

    No full text
    Abstract. We present an automated tool for elaborating security proofs of cryptographic systems from proof sketches—compact, formal representations of the essence of a proof as a sequence of games and hints. Proof sketches are checked automatically using off-the-shelf SMT solvers and automated theorem provers, and then compiled into verifiable proofs in the CertiCrypt framework. The tool supports most commonly used reasoning patterns, is significantly easier to use than its predecessors, and is a plausible candidate for adoption by working cryptographers. We illustrate its application to proofs of the Cramer-Shoup cryptosystem and Hashed ElGamal encryption.

    Computer-Aided Cryptographic Proofs

    Get PDF
    Abstract. EasyCrypt is an automated tool that supports the machine-checked construction and verification of security proofs of cryptographic systems, and that has been used to verify emblematic examples of public-key encryption schemes, digital signature schemes, hash function designs, and block cipher modes of operation. The purpose of this paper is to motivate the role of computer-aided proofs in the broader context of provable security and to illustrate the workings of EasyCrypt through simple introductory examples.

    Beyond Provable Security Verifiable IND-CCA Security of OAEP

    No full text
    OAEP is a widely used public-key encryption scheme based on trapdoor permutations. Its security proof has been scrutinized and amended repeatedly. Fifteen years after the introduction of OAEP, we present a machine-checked proof of its security against adaptive chosen-ciphertext attacks under the assumption that the underlying permutation is partial-domain one-way. The proof can be independently verified by running a small and trustworthy proof checker and fixes minor glitches that have subsisted in published proofs. We provide an overview of the proof, highlight the differences with earlier works, and explain in some detail a crucial step in the reduction: the elimination of indirect queries made by the adversary to random oracles via the decryption oracle. We also provide—within the limits of a conference paper—a broader perspective on independently verifiable security proofs.