100 research outputs found

    PROPYLA: Privacy Preserving Long-Term Secure Storage

    An increasing amount of sensitive information today is stored electronically and a substantial part of this information (e.g., health records, tax data, legal documents) must be retained over long time periods (e.g., several decades or even centuries). When sensitive data is stored, integrity and confidentiality must be protected to ensure reliability and privacy. Commonly used cryptographic schemes, however, are not designed for protecting data over such long time periods. Recently, the first storage architecture combining long-term integrity with long-term confidentiality protection was proposed (AsiaCCS'17). However, that architecture only deals with a simplified storage scenario in which parts of the stored data cannot be accessed and verified individually. If individual access is allowed, not only the data content itself but also the access pattern to the data (i.e., the information which data items are accessed at which times) may be sensitive. Here we present the first long-term secure storage architecture that provides long-term access pattern hiding security in addition to long-term integrity and long-term confidentiality protection. To achieve this, we combine information-theoretic secret sharing, renewable timestamps, and renewable commitments with an information-theoretic oblivious random access machine. Our performance analysis of the proposed architecture shows that achieving long-term integrity, confidentiality, and access pattern hiding security is feasible.
    Comment: Few changes have been made compared to proceedings versio

    Verified Security of BLT Signature Scheme

    The majority of real-world applications of digital signatures use timestamping to ensure non-repudiation in the face of possible key revocations. This observation led Buldas, Laanoja, and Truu to a server-assisted digital signature scheme built around cryptographic timestamping. In this paper, we report on machine-checked proofs of existential unforgeability under the chosen-message attack (EUF-CMA) for some variations of the BLT digital signature scheme. The proofs are developed and verified using the EasyCrypt framework, which provides interactive theorem proving supported by state-of-the-art SMT solvers.

    Tax benefits for individuals and extent of their use in Estonia during 2007-2009

    In this paper an overview of the tax benefits granted by Estonian legal acts is given, and the extent of tax benefit use by resident natural persons is analyzed using data from the databases of the Estonian Tax and Customs Board (ETCB). The possibility of classifying tax benefits is also considered, and to whom and for which purposes the stated tax benefits are addressed is analyzed. Research based on three years of data shows that in Estonia tax benefits for individuals are widely used. On average, the uncollected amounts of tax due to tax benefits approximately equal 9% of state budget revenues. A large amount of tax benefits is not a negative indicator per se, provided they help distributed incomes reach the people who really need those benefits. Otherwise tax benefits are not justified but rather create additional administrative workload. In the Estonian tax system, roughly half of tax benefits are addressed to people who belong to the low-income stratum, while a remarkable proportion of benefits may be directed to middle-class and wealthy people.

    Simulating Auxiliary Inputs, Revisited

    For any pair $(X,Z)$ of correlated random variables we can think of $Z$ as a randomized function of $X$. Provided that $Z$ is short, one can make this function computationally efficient by allowing it to be only approximately correct. In folklore this problem is known as \emph{simulating auxiliary inputs}. This idea of simulating auxiliary information turns out to be a powerful tool in computer science, finding applications in complexity theory, cryptography, pseudorandomness and zero-knowledge. In this paper we revisit this problem, achieving the following results:
    (a) We discuss and compare the efficiency of known results, finding the flaw in the best known bound claimed in the TCC'14 paper "How to Fake Auxiliary Inputs".
    (b) We present a novel boosting algorithm for constructing the simulator. Our technique essentially fixes the flaw. This boosting proof is of independent interest, as it shows how to handle "negative mass" issues when constructing probability measures in descent algorithms.
    (c) Our bounds are much better than the bounds known so far. To make the simulator $(s,\epsilon)$-indistinguishable we need complexity $O\left(s\cdot 2^{5\ell}\epsilon^{-2}\right)$ in time/circuit size, which is better by a factor $\epsilon^{-2}$ compared to previous bounds. In particular, with our technique we (finally) get meaningful provable security for the EUROCRYPT'09 leakage-resilient stream cipher instantiated with a standard 256-bit block cipher, like $\mathsf{AES256}$.
    Comment: Some typos present in the previous version have been correcte

    A Blockchain-Assisted Hash-Based Signature Scheme

    We present a server-supported, hash-based digital signature scheme. To achieve greater efficiency than current state of the art, we relax the security model somewhat. We postulate a set of design requirements, discuss some approaches and their practicality, and finally reach a forward-secure scheme with only modest trust assumptions, achieved by employing the concepts of authenticated data structures and blockchains. The concepts of blockchain authenticated data structures and the presented blockchain design could have independent value and are worth further research

    Efficient Implementation of Keyless Signatures with Hash Sequence Authentication

    We present new ideas for decreasing the size of the secure memory needed for hardware implementations of the hash-sequence based signatures proposed recently by Buldas, Laanoja and Truu (in the following referred to as BLT). In their scheme, a message $m$ is signed by time-stamping the concatenation $m\| z_t$ of the message and the one-time pseudo-random password $z_t$ intended to sign messages at a particular time $t$. The signature is valid only if the time-stamp points to the same time $t$. Hence, the one-time passwords cannot be abused after their use. To efficiently and securely implement such a scheme at the client side, dedicated hardware is needed, and therefore solutions that save (secure) memory and computational time are important. For such schemes, the memory consumption directly depends on the efficiency of the \emph{hash sequence reversal algorithms}. The best known reversal algorithm for the BLT scheme uses $O(\log^2 \ell)$ memory. This means that for a signing key that is valid for one year (i.e. $\ell\approx 2^{25}$ with one-second time resolution), the device needs to store about $25^2=625$ hash values, which for the SHA-256 hashing algorithm means about 20 K bytes of secure memory. Another problem with hash sequence reversal algorithms is that they mostly assume that the signature device is always connected to the computer or has an independent power supply. This is a serious limitation for smart-card implementations of the scheme. We show first that a mini Public Key Infrastructure in the signature device can be used to roughly halve the memory consumption. There is a master key (i.e. a hash sequence) that is used to certify short-term (about five minutes) signing keys, so that a signature consists of a short-term certificate, which is a hash chain in the master hash tree (used to authenticate the master hash sequence), and a hash chain that is used to authenticate a particular hash value $z_t$ in the sequence.
    We also discuss how to implement hash sequence signatures in devices that have no power supply and are not regularly connected to computers, such as smart-cards, which are often used as personal digital signature devices. General-purpose cryptographic smart-cards also have many restrictions that limit the use of hash sequence signatures. For example, their hashing speed is relatively low (up to 500 hashing steps per second), their secure memory is of limited size, etc. All of this, combined with irregular usage patterns, makes the use of hash sequence signatures questionable. We show why the hash sequence signature (in its original form) cannot be used as the CA signature in the mini PKI solution. Finally, we propose a new type of hash sequence signature that is more suitable for smart-card implementations.

    A Server-Assisted Hash-Based Signature Scheme

    We present a practical digital signature scheme built from a cryptographic hash function and a hash-then-publish digital time-stamping scheme. We also provide a simple proof of existential unforgeability against adaptive chosen-message attack (EUF-ACM) in the random oracle (RO) model.

    Security Proofs for the BLT Signature Scheme

    We present security proofs for the BLT signature scheme in the model where hash functions are built from ideal components (random oracles, ideal ciphers, etc.). We show that a certain strengthening of the Pre-image Awareness (PrA) conditions, such as boundedness of the extractor, together with certain natural properties (balancedness and the so-called output one-wayness) of the hash function, are sufficient for existential unforgeability of the BLT signature scheme.

    Tree-formed Verification Data for Trusted Platforms

    The establishment of trust relationships to a computing platform relies on validation processes. Validation allows an external entity to build trust in the expected behaviour of the platform based on provided evidence of the platform's configuration. In a process like remote attestation, the 'trusted' platform submits verification data created during a start-up process. These data consist of hardware-protected values of platform configuration registers, containing nested measurement values, e.g., hash values, of loaded or started components. Commonly, the register values are created in linear order by a hardware-secured operation. Fine-grained diagnosis of components, based on the linear order of verification data and associated measurement logs, is not optimal. We propose a method to use tree-formed verification data to validate a platform. Component measurement values represent leaves, and protected registers represent roots of a hash tree. We describe the basic mechanism of validating a platform using tree-formed measurement logs and root registers and show a logarithmic speed-up for the search of faults. Secure creation of a tree is possible using a limited number of hardware-protected registers and a single protected operation. In this way, the security of tree-formed verification data is maintained.
    Comment: 15 pages, 11 figures, v3: Reference added, v4: Revised, accepted for publication in Computers and Securit

    A New Approach to Constructing Digital Signature Schemes (Extended Paper)

    A new hash-based, server-supported digital signature scheme was proposed recently. We decompose the concept into forward-resistant tags and a generic cryptographic time-stamping service. Based on the decomposition, we propose more tag constructions which allow efficient digital signature schemes with interesting properties to be built. In particular, the new schemes are more suitable for use in personal signing devices, such as smart cards, which are used infrequently. We define the forward-resistant tags formally and prove that (1) the discussed constructs are indeed tags and (2) combining such tags with time-stamping services gives us signature schemes