    SSE and SSD: Page-Efficient Searchable Symmetric Encryption

    Searchable Symmetric Encryption (SSE) enables a client to outsource a database to an untrusted server, while retaining the ability to securely search the data. The performance bottleneck of classic SSE schemes typically does not come from their fast, symmetric cryptographic operations, but rather from the cost of memory accesses. To address this issue, many works in the literature have considered the notion of locality, a simple design criterion that helps capture the cost of memory accesses in traditional storage media, such as Hard Disk Drives. A common thread among many SSE schemes aiming to improve locality is that they are built on top of new memory allocation schemes, which form the technical core of the constructions. The starting observation of this work is that for newer storage media such as Solid State Drives (SSDs), which have become increasingly common, locality is not a good predictor of practical performance. Instead, SSD performance mainly depends on page efficiency, that is, reading as few pages as possible. We define this notion, and identify a simple memory allocation problem, Data-Independent Packing (DIP), that captures the main technical challenge required to build page-efficient SSE. As our main result, we build a page-efficient and storage-efficient data-independent packing scheme, and deduce the Tethys SSE scheme, the first SSE scheme to achieve at once O(1) page efficiency and O(1) storage efficiency. The technical core of the result is a new generalization of cuckoo hashing to items of variable size. Practical experiments show that this new approach achieves excellent performance.

    Provable Security for Real-World Protocols

    Provable security is a very useful cryptographic tool that helps in the evaluation of the security of a protocol. In order to construct a proof, one must first define the security properties that are to be achieved, i.e., the security model, as well as what kind of adversary we are facing. These two components represent the context of the proof, which we can compute after fitting the protocol to the model. In this thesis, we introduce (or adapt) models in which we give security proofs for three kinds of protocols with real-life applications: a secure messaging protocol, a sanitizable signature, and a reverse firewall. For the first, we propose some corrections to the weaknesses of the Signal protocol and its previous security analysis. Then, for the second, we extend sanitizable signatures to include a new feature, and thus extend the previous security properties to take this feature into account. Finally, for the third, we propose a more realistic and inclusive model than what had been done before. In all three cases, we build a protocol that we prove secure in the model we defined.

    Unlinkable and Invisible γ-Sanitizable Signatures

    Sanitizable signatures (SaS) allow a (single) sanitizer, chosen by the signer, to modify and re-sign a message in a somewhat controlled way, that is, only editing parts (or blocks) of the message that are admissible for modification. This primitive is an efficient tool, with many formally defined security properties, such as unlinkability, transparency, immutability, invisibility, and unforgeability. An SaS scheme that satisfies these properties can be a great asset to the privacy of any field it will be applied to, e.g., anonymizing medical files. In this work, we look at the notion of γ-sanitizable signatures (γSaS): we take sanitizable signatures one step further by allowing the signer to not only decide which blocks can be modified, but also how many of them at most can be modified within a single sanitization, setting a limit, denoted by γ. We adapt the security properties listed above to γSaS and propose our own scheme, ULISS (Unlinkable Limited Invisible Sanitizable Signature), then show that it satisfies these properties. This extension of SaS can not only improve current use cases, but also introduce new ones, e.g., restricting the number of changes in a document within a certain timeframe.

    Evil Twins: Handling Repetitions in Attack–Defense Trees: A Survival Guide

    Attack–defense trees are a simple but potent and efficient way to represent and evaluate security scenarios involving a malicious attacker and a defender – their adversary. The nodes of attack–defense trees are labeled with goals of the two actors, and actions that they need to execute to achieve these goals. The objective of this paper is to provide formal guidelines on how to deal with attack–defense trees where several nodes have the same label. After discussing typical issues related to such trees, we define the notion of well-formed attack–defense trees and adapt existing semantics to correctly capture the presence of repeated labels.

    Designing Reverse Firewalls for the Real World

    Reverse firewalls (RFs) were introduced by Mironov and Stephens-Davidowitz to address algorithm-substitution attacks (ASAs), in which an adversary subverts the implementation of a provably-secure cryptographic primitive to make it insecure. This concept was applied by Dodis et al. in the context of secure key exchange (handshake phase), where the adversary wants to exfiltrate sensitive information by using a subverted client implementation. RFs are used as a means of "sanitizing" the client-side protocol in order to prevent this exfiltration. In this paper, we propose a new security model for both the handshake and record layers, a.k.a. the secure channel. We present a signed, Diffie-Hellman based secure channel protocol, and show how to design a provably-secure reverse firewall for it. Our model is stronger since the adversary has a larger attack surface, which makes the construction challenging. Our construction uses classical and off-the-shelf cryptography.