
    IMPROVING THE ROUND COMPLEXITY OF IDEAL-CIPHER CONSTRUCTIONS

    Block ciphers are an essential ingredient of modern cryptography. They are widely used as building blocks in many cryptographic constructions such as encryption schemes, hash functions, etc. The security of block ciphers is not currently known to reduce to well-studied, easily formulated computational problems. Nevertheless, modern block-cipher constructions are far from ad hoc, and a strong theory for their design has been developed. Two classical paradigms for block cipher design are the Feistel network and the key-alternating cipher (which encompasses the popular substitution-permutation network). Both paradigms are iterated structures that apply random-looking functions or permutations over many rounds. An important area of research is to understand the provable security guarantees offered by these classical design paradigms for block cipher constructions. This can be done using a security notion called indifferentiability, which formalizes what it means for a block cipher to be ideal. In particular, this notion allows us to assert the structural robustness of a block cipher design. In this thesis, we apply the indifferentiability notion to the two classical paradigms mentioned above and improve upon the previously known round complexity in both cases. Specifically, we make the following two contributions: (1) We show that a 10-round Feistel network behaves as an ideal block cipher when the keyed round functions are built using a random oracle. (2) We show that a 5-round key-alternating cipher (also known as the iterated Even-Mansour construction) with identical round keys behaves as an ideal block cipher when the round permutations are independent, public random permutations.
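    The two constructions named in the abstract, written out as an added example (this is not code from the thesis): a 5-round key-alternating cipher E(x) = P_5(...P_1(x ⊕ k) ⊕ k...) ⊕ k with one key reused in every round, and a 10-round Feistel network whose keyed round functions F(k, i, ·) are derived from a hash standing in for the random oracle. The 16-bit block size, the seeded shuffles used as the "public random permutations", and SHA-256 as the random oracle are all assumptions of this example chosen so that it runs in seconds; the round structure is the point.

```python
import hashlib
import random

BLOCK_BITS = 16                       # toy block size (assumption); real ciphers use 64 or 128
MASK = (1 << BLOCK_BITS) - 1


def random_permutation(seed: str, size: int):
    """A fixed, public, key-independent permutation of {0..size-1} and its inverse.
    A seeded shuffle stands in for an ideal public random permutation (assumption)."""
    table = list(range(size))
    random.Random(seed).shuffle(table)
    inverse = [0] * size
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


# --- (2) iterated Even-Mansour / key-alternating cipher with identical round keys ---
ROUNDS_EM = 5
PERMS = [random_permutation(f"P{i}", 1 << BLOCK_BITS) for i in range(ROUNDS_EM)]


def em_encrypt(key: int, x: int) -> int:
    """x -> P_5(P_4(...P_1(x ^ k) ^ k ...) ^ k) ^ k ; the same k is XORed between every pair of permutations."""
    y = (x ^ key) & MASK
    for forward, _ in PERMS:
        y = forward[y] ^ key
    return y


def em_decrypt(key: int, y: int) -> int:
    """Undo em_encrypt: strip the key, apply the inverse permutations in reverse order."""
    x = (y ^ key) & MASK
    for _, inverse in reversed(PERMS):
        x = inverse[x] ^ key
    return x


# --- (1) Feistel network with round functions derived from a random oracle ---
ROUNDS_FEISTEL = 10
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(key: int, rnd: int, half: int) -> int:
    """F_rnd(k, half): SHA-256 over (key, round index, input) stands in for the random oracle (assumption)."""
    msg = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(1, "big")
    return hashlib.sha256(msg).digest()[0] & HALF_MASK


def feistel_encrypt(key: int, x: int) -> int:
    left, right = (x >> HALF_BITS) & HALF_MASK, x & HALF_MASK
    for rnd in range(ROUNDS_FEISTEL):
        left, right = right, left ^ round_function(key, rnd, right)   # (L, R) -> (R, L ^ F(R))
    return (left << HALF_BITS) | right


def feistel_decrypt(key: int, y: int) -> int:
    left, right = (y >> HALF_BITS) & HALF_MASK, y & HALF_MASK
    for rnd in reversed(range(ROUNDS_FEISTEL)):
        left, right = right ^ round_function(key, rnd, left), left    # inverse of the step above
    return (left << HALF_BITS) | right


def roundtrip_ok(key: int, trials: int = 256) -> bool:
    """Sanity check: both constructions are permutations that decrypt correctly under the same key."""
    rng = random.Random(7)
    for _ in range(trials):
        x = rng.getrandbits(BLOCK_BITS)
        if em_decrypt(key, em_encrypt(key, x)) != x:
            return False
        if feistel_decrypt(key, feistel_encrypt(key, x)) != x:
            return False
    return True


if __name__ == "__main__":
    print("round-trip ok:", roundtrip_ok(0xBEEF))
    print("EM(0xBEEF, 0x1234) =", hex(em_encrypt(0xBEEF, 0x1234)))
    print("Feistel(0xBEEF, 0x1234) =", hex(feistel_encrypt(0xBEEF, 0x1234)))
```

    Note that the Even-Mansour decryptor needs the inverses of the public permutations, whereas the Feistel decryptor only re-evaluates the same round functions in reverse order; that asymmetry is why the Feistel analysis can model the round functions as a random oracle rather than a random permutation.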

    The Multi-user Security of GCM, Revisited: Tight Bounds for Nonce Randomization

    Multi-user (mu) security considers large-scale attackers (e.g., state actors) that, given access to a number of sessions, attempt to compromise at least one of them. Mu security of authenticated encryption (AE) was explicitly considered in the development of TLS 1.3. This paper revisits the mu security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying. As one of the main applications, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks. We provide tight security bounds that yield the first validation of this method. In particular, we solve the main open question of Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers which do not attempt to violate integrity, and only gave non-tight bounds.
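    The nonce-randomization mechanism the abstract refers to is the TLS 1.3 record-layer rule (RFC 8446, section 5.3): the per-record nonce is the 64-bit sequence number, zero-padded on the left to the AEAD's IV length, XORed with a per-connection write IV derived from the traffic secret. The added example below (not code from the paper) implements that derivation and then measures the quantity the paper's parameterization singles out, nonce re-use across users: with an all-zero IV every connection walks through the same nonce sequence, so record i of every user shares a nonce; with a random per-user IV shared nonces essentially never occur. The user and record counts are constructed for the demo.

```python
import secrets

IV_LEN = 12   # nonce length of the AES-GCM / ChaCha20-Poly1305 AEADs used by TLS 1.3


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """RFC 8446 section 5.3: nonce = write_iv XOR (seq encoded big-endian, left-padded with zeros to IV_LEN)."""
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be exactly IV_LEN bytes")
    if not 0 <= seq < (1 << 64):
        # TLS 1.3 forbids wrapping the 64-bit sequence number; a peer must rekey or close first
        raise ValueError("sequence number must fit in 64 bits")
    padded = seq.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def reused_nonces(write_ivs, records_per_user: int) -> int:
    """Number of distinct nonce values that more than one user (connection) emitted.

    write_ivs: one write IV per user. Each user sends records 0 .. records_per_user-1.
    """
    owners = {}
    for user, iv in enumerate(write_ivs):
        for seq in range(records_per_user):
            owners.setdefault(tls13_nonce(iv, seq), set()).add(user)
    return sum(1 for users in owners.values() if len(users) > 1)


def compare_schemes(users: int = 50, records_per_user: int = 100):
    """Constructed comparison: counter-only nonces (all-zero IV) vs. TLS 1.3's randomized per-user IV.
    Returns (shared nonces without randomization, shared nonces with randomization)."""
    counter_only = [bytes(IV_LEN)] * users                              # every user starts at nonce 0
    randomized = [secrets.token_bytes(IV_LEN) for _ in range(users)]    # per-user write_iv from the key schedule
    return (reused_nonces(counter_only, records_per_user),
            reused_nonces(randomized, records_per_user))


if __name__ == "__main__":
    print(tls13_nonce(bytes.fromhex("5bd3c71b23a83f8d1a28b7a3"), 1).hex())
    shared_fixed, shared_random = compare_schemes()
    print(f"shared nonces, counter-only IV: {shared_fixed}")
    print(f"shared nonces, randomized IV:   {shared_random}")
```

    The write IV in the `__main__` line is a made-up value, not a test vector. The randomization does not make each individual GCM instance stronger; what it removes is the condition (one nonce in use under many keys at once) that lets a multi-user attacker amortize work across sessions, which is exactly the term the refined bounds charge for.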

    Byzantine Resilient Computing with the Cloud

    We study a framework for modeling distributed network systems assisted by a reliable and powerful cloud service. Our framework aims at capturing hybrid systems based on a point-to-point message passing network of machines, with the additional capability of being able to access the services of a trusted high-performance external entity (the cloud). We focus on one concrete aspect that was not studied before, namely, ways of utilizing the cloud assistance in order to attain increased resilience against Byzantine behavior of machines in the network. Our network is modeled as a congested clique comprising k machines that are completely connected to form a clique and can communicate with each other by passing small messages. In every execution, up to βk machines (for suitable values of β ∈ [0, 1)) are allowed to be Byzantine, i.e., behave maliciously including colluding with each other, with the remaining γk or more machines being honest (for γ = 1 − β). Additionally, the machines in our congested clique can access data through a trusted cloud via queries. This externality of the data captures many real-world distributed computing scenarios and provides a natural context for exploring Byzantine resilience for essentially all conceivable problems. Moreover, we are no longer bound by the usual limits of β < 1/3 or even β < 1/2 that are typically seen in Byzantine Agreement. We focus on a few fundamental problems. We start with the Download problem, wherein the cloud stores n bits and these n bits must be downloaded to all of the k machines. In addition to Download, we also consider the problem of computing the Disjunction and Parity of the bits in the cloud. We study these problems under several settings comprising various β values and adversarial capabilities.

    Verifiable Oblivious Storage

    We formalize the notion of Verifiable Oblivious Storage (VOS), where a client outsources the storage of data to a server while ensuring data confidentiality, access pattern privacy, and integrity and freshness of data accesses. VOS generalizes the notion of Oblivious RAM (ORAM) in that it allows the server to perform computation, and also explicitly considers data integrity and freshness. We show that allowing server-side computation enables us to construct asymptotically more efficient VOS schemes whose bandwidth overhead cannot be matched by any ORAM scheme, due to a known lower bound by Goldreich and Ostrovsky. Specifically, for large block sizes we can construct a VOS scheme with constant bandwidth per query; further, answering queries requires only poly-logarithmic server computation. We describe applications of VOS to Dynamic Proofs of Retrievability and RAM-model secure multi-party computation.

    Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

    Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), alternating keyless and "local" substitution steps utilizing such S-boxes with keyed and "global" permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve "beyond-birthday" (up to 2^{2n/3} adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2^n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, a 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation and 3w field multiplications for each wn-bit input.

    Provable Security of Substitution-Permutation Networks

    Many modern block ciphers are constructed based on the paradigm of substitution-permutation networks (SPNs). But, somewhat surprisingly---especially in comparison with Feistel networks, which have been analyzed by dozens of papers going back to the seminal work of Luby and Rackoff---there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the security of SPNs as strong pseudorandom permutations when the underlying S-box is modeled as a public random permutation. We show that 3 rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed. Additionally, our results imply security in settings where an SPN structure is used for domain extension of a block cipher, even when the attacker has direct access to the small-domain block cipher.
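    Both SPN abstracts above (the tweakable-SPN paper and this one) make the same structural claim for the linear case: one round cannot be secure, three rounds are. The added example below (not code from either paper) builds the object they analyze, a wn-bit SPN from a single n-bit public permutation with keyed, non-cryptographic linear layers, and shows the one-round failure concretely: because the only key material is XORed in and the mixing layer is linear, flipping bits in one S-box input word can only change output bits at the positions that word's bits are wired to, which a random permutation would do with probability about 2^{-(w-1)n}. The parameters n = 8, w = 4, the seeded shuffle used as the public S-box and the PRESENT-style bit permutation used as the linear layer are assumptions of this example; the tweak of the first paper is not modelled.

```python
import random

N = 8                         # S-box width in bits (assumption)
W = 4                         # S-boxes per round -> wn = 32-bit block (assumption)
BLOCK = N * W
BLOCK_MASK = (1 << BLOCK) - 1
WORD_MASK = (1 << N) - 1


def random_sbox(seed: str = "public-S"):
    """One public n-bit permutation and its inverse; a seeded shuffle stands in for a random permutation."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


SBOX, SBOX_INV = random_sbox()

# Linear layer: a fixed bit permutation in the style of PRESENT's pLayer.
# Bit i moves to position N*i mod (BLOCK-1); the last bit stays put. Invertible because gcd(N, BLOCK-1) = 1.
PERM = [(N * i) % (BLOCK - 1) for i in range(BLOCK - 1)] + [BLOCK - 1]
PERM_INV = [0] * BLOCK
for src, dst in enumerate(PERM):
    PERM_INV[dst] = src


def sub_layer(x: int, table) -> int:
    """Apply the same n-bit permutation to each of the w words in parallel."""
    out = 0
    for i in range(W):
        out |= table[(x >> (N * i)) & WORD_MASK] << (N * i)
    return out


def bit_permute(x: int, perm) -> int:
    out = 0
    for src in range(BLOCK):
        if (x >> src) & 1:
            out |= 1 << perm[src]
    return out


def make_keys(seed: str, rounds: int):
    """rounds+1 independent round keys (key schedule is out of scope; constructed from a seed)."""
    rng = random.Random(seed)
    return [rng.getrandbits(BLOCK) for _ in range(rounds + 1)]


def spn_encrypt(keys, x: int, rounds: int) -> int:
    """Each round: key addition, S-box layer, linear layer; a final key addition closes the cipher."""
    x &= BLOCK_MASK
    for r in range(rounds):
        x = bit_permute(sub_layer(x ^ keys[r], SBOX), PERM)
    return x ^ keys[rounds]


def spn_decrypt(keys, y: int, rounds: int) -> int:
    x = (y ^ keys[rounds]) & BLOCK_MASK
    for r in reversed(range(rounds)):
        x = sub_layer(bit_permute(x, PERM_INV), SBOX_INV) ^ keys[r]
    return x


def diff_escapes_word(keys, rounds: int, word: int, x: int, delta: int) -> bool:
    """Flip bits `delta` inside S-box input `word` only. Does the output difference touch any bit
    outside the positions the linear layer wires that word to? Never for 1 round; almost always for 3."""
    allowed = 0
    for j in range(N):
        allowed |= 1 << PERM[N * word + j]
    x2 = x ^ ((delta & WORD_MASK) << (N * word))
    d = spn_encrypt(keys, x, rounds) ^ spn_encrypt(keys, x2, rounds)
    return (d & ~allowed & BLOCK_MASK) != 0


def fraction_escaping(keys, rounds: int, word: int, trials: int, seed: int = 1) -> float:
    """Fraction of random (input, delta) pairs whose output difference leaves the wired positions."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x = rng.getrandbits(BLOCK)
        delta = rng.randrange(1, 1 << N)
        hits += diff_escapes_word(keys, rounds, word, x, delta)
    return hits / trials


if __name__ == "__main__":
    for rounds in (1, 2, 3):
        keys = make_keys("demo", rounds)
        print(f"{rounds} round(s): escaping fraction = {fraction_escaping(keys, rounds, 0, 200):.2f}")
```

    A distinguisher for the one-round cipher therefore needs only two chosen plaintexts and never errs, which is the "1 round is insufficient" half of the linear-SPN result; the example does not attempt to show why 2 rounds also fail or 3 suffice, which is the content of the proofs.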

    Role of matrix metalloproteinases in multi-system inflammatory syndrome and acute COVID-19 in children

    INTRODUCTION: Multisystem Inflammatory Syndrome in children (MIS-C) is a serious inflammatory sequela of SARS-CoV-2 infection. The pathogenesis of MIS-C is poorly understood, and matrix metalloproteinases (MMPs) may have an important role. MMPs are known drivers of lung pathology in many diseases. METHODS: To elucidate the role of MMPs in the pathogenesis of pediatric COVID-19, we examined their plasma levels in children with MIS-C and acute COVID-19 and compared them to convalescent COVID-19 and children with other common tropical diseases (with overlapping clinical manifestations). RESULTS: Children with MIS-C had elevated levels of MMPs (P < 0.005) in comparison to acute COVID-19, other tropical diseases (dengue fever, typhoid fever, and scrub typhus) and convalescent COVID-19 children. PCA and ROC analysis (sensitivity 84–100% and specificity 80–100%) showed that MMP-8, -12 and -13 could help distinguish MIS-C from acute COVID-19 and other tropical diseases with high sensitivity and specificity. Among MIS-C children, elevated levels of MMPs were seen in children requiring intensive care unit admission as compared to children not needing intensive care. Similar findings were noted when children with severe/moderate COVID-19 were compared to children with mild COVID-19. Finally, MMP levels exhibited significant correlation with laboratory parameters, including lymphocyte counts, CRP, D-dimer, ferritin and sodium levels. DISCUSSION: Our findings suggest that MMPs play a pivotal role in the pathogenesis of MIS-C and COVID-19 in children and may help distinguish MIS-C from other conditions with overlapping clinical presentation.