
    Symbolic Analysis of Cryptographic Protocols

    We rely on the security properties of cryptographic protocols every day while browsing the Internet or withdrawing money from an ATM. However, many of the protocols we use today were standardized without a proof of security. Serious flaws in protocols restrict the level of security we can reach for applications. This thesis motivates why we should strive for proofs of security and provides a framework that makes using automated tools to conduct such proofs more feasible.

    MergeMAC: A MAC for Authentication with Strict Time Constraints and Limited Bandwidth

    This paper presents MergeMAC, a MAC that is particularly suitable for environments with strict time requirements and extremely limited bandwidth. MergeMAC computes the MAC by splitting the message into two parts. We use a pseudorandom function (PRF) to map messages to random bit strings and then merge them with a very efficient keyless function. The advantage of this approach is that the outputs of the PRF can be cached for frequently needed message parts. We demonstrate the merits of MergeMAC for authenticating messages on the CAN bus where bandwidth is extremely limited and caching can be used to recover parts of the message counter instead of transmitting it. We recommend an instantiation of the merging function MERGE and analyze the security of our construction. Requirements for a merging function are formally defined and the resulting EUF-CMA security of MergeMAC is proven.
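The following is an added example, not code from the MergeMAC paper, showing the shape of the construction the abstract describes: each message part goes through an independent PRF instance, the two PRF outputs are combined by a keyless merge, and PRF outputs for a repeated first part (for example a counter prefix on a CAN frame) are served from a cache. It also shows why the abstract insists on formal requirements for the merging function: with XOR as the merge, three honestly obtained tags combine linearly into a valid tag for a pair that was never authenticated. The PRF (HMAC-SHA256 truncated to 8 bytes), the keys, the 8-byte tag length and the hash-based merge are all assumptions made here; the hash-based merge is not the paper's recommended MERGE and is used only as a contrast that defeats the linear forgery.

```python
import hashlib
import hmac

# Constructed test keys for the two PRF instances; not values from the paper.
K1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
K2 = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
TAG_LEN = 8  # bytes; a short tag for a bandwidth-starved bus (assumption)


def prf(key: bytes, part: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 truncated to TAG_LEN bytes (our choice)."""
    return hmac.new(key, part, hashlib.sha256).digest()[:TAG_LEN]


def xor_merge(x: bytes, y: bytes) -> bytes:
    """Deliberately weak keyless merge: XOR is linear, so it does NOT meet
    the requirements a MergeMAC merging function has to satisfy."""
    return bytes(a ^ b for a, b in zip(x, y))


def hash_merge(x: bytes, y: bytes) -> bytes:
    """Stand-in keyless merge (hash of both PRF outputs). This is NOT the
    paper's recommended MERGE; it only serves as a contrast to xor_merge."""
    return hashlib.sha256(x + y).digest()[:TAG_LEN]


class MergeMAC:
    """tag(m1, m2) = MERGE(PRF_K1(m1), PRF_K2(m2)), with PRF outputs cached."""

    def __init__(self, merge):
        self.merge = merge
        self.cache = {}       # (prf instance, part) -> PRF output
        self.prf_calls = 0    # real PRF evaluations, to make caching visible

    def _prf(self, which: int, key: bytes, part: bytes) -> bytes:
        slot = (which, part)
        if slot not in self.cache:
            self.prf_calls += 1
            self.cache[slot] = prf(key, part)
        return self.cache[slot]

    def tag(self, m1: bytes, m2: bytes) -> bytes:
        return self.merge(self._prf(1, K1, m1), self._prf(2, K2, m2))


def linear_forgery(mac: MergeMAC, m1: bytes, m2: bytes, m1p: bytes, m2p: bytes) -> bytes:
    """From three honestly computed tags, derive a candidate tag for the
    never-authenticated pair (m1, m2p). Correct exactly when MERGE is XOR:
    F1(m1)^F2(m2) ^ F1(m1p)^F2(m2) ^ F1(m1p)^F2(m2p) = F1(m1)^F2(m2p)."""
    t1 = mac.tag(m1, m2)
    t2 = mac.tag(m1p, m2)
    t3 = mac.tag(m1p, m2p)
    return xor_merge(xor_merge(t1, t2), t3)


def cached_prf_calls(m1: bytes, payloads: list) -> int:
    """Tag several frames that share the same first part (e.g. a counter
    prefix) and report how many PRF evaluations were actually needed."""
    mac = MergeMAC(hash_merge)
    for m2 in payloads:
        mac.tag(m1, m2)
    return mac.prf_calls


if __name__ == "__main__":
    weak = MergeMAC(xor_merge)
    forged = linear_forgery(weak, b"ctr1", b"pl1", b"ctr2", b"pl2")
    print("xor merge forgery valid:", forged == weak.tag(b"ctr1", b"pl2"))
    print("PRF calls for 3 frames, shared prefix:",
          cached_prf_calls(b"ctr1", [b"a", b"b", b"c"]))
```

With a shared first part the cache reduces three tags to four PRF evaluations instead of six; with XOR as the merge the forged tag verifies, with the hash-based merge it does not.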

    Symbolic Universal Composability

    We introduce a variant of the Universal Composability framework (UC; Canetti, FOCS 2001) that uses symbolic cryptography. Two salient properties of the UC framework are secure composition and the possibility of easily defining security by giving an ideal functionality as specification. These advantages are now also available in a symbolic modeling of cryptography, allowing for a modular analysis of complex protocols. We furthermore introduce a new technique for modular design of protocols that uses UC but avoids the need for powerful cryptographic primitives that often comes with UC protocols; this virtual primitives approach is unique to the symbolic setting and has no counterpart in the original computational UC framework.

    How to Put Usability into Focus: Using Focus Groups to Evaluate the Usability of Interactive Theorem Provers

    In recent years the effectiveness of interactive theorem provers has increased to an extent that the bottleneck in the interactive process shifted to efficiency: while in principle large and complex theorems are provable (effectiveness), it takes a lot of effort for the user interacting with the system (lack of efficiency). We conducted focus groups to evaluate the usability of Isabelle/HOL and the KeY system with two goals: (a) detect usability issues in the interaction between interactive theorem provers and their user, and (b) analyze how evaluation and survey methods commonly used in the area of human-computer interaction, such as focus groups and co-operative evaluation, are applicable to the specific field of interactive theorem proving (ITP). In this paper, we report on our experience using the evaluation method focus groups and how we adapted this method to ITP. We describe our results and conclusions mainly on the "meta-level," i.e., we focus on the impact that specific characteristics of ITPs have on the setup and the results of focus groups. On the concrete level, we briefly summarise insights into the usability of the ITPs used in our case study.

    Ribonucleoprotein-dependent localization of the yeast class V myosin Myo4p

    Class V myosins are motor proteins with functions in vesicle transport, organelle segregation, and RNA localization. Although they have been extensively studied, only little is known about the regulation of their spatial distribution. Here we demonstrate that a GFP fusion protein of the budding yeast class V myosin Myo4p accumulates at the bud cortex and is a component of highly dynamic cortical particles. Bud-specific enrichment depends on Myo4p's association with its cargo, a ribonucleoprotein complex containing the RNA-binding protein She2p. Cortical accumulation of Myo4p at the bud tip can be explained by a transient retention mechanism that requires SHE2 and, apparently, localized mRNAs bound to She2p. A mutant She2 protein that is unable to recognize its cognate target mRNA, ASH1, fails to localize Myo4p. Mutant She2p accumulates inside the nucleus, indicating that She2p shuttles between the nucleus and cytoplasm and is exported in an RNA-dependent manner. Consistently, inhibition of nuclear mRNA export results in nuclear accumulation of She2p and cytoplasmic Myo4p mislocalization. Loss of She2p can be complemented by direct targeting of a heterologous lacZ mRNA to a complex of Myo4p and its associated adaptor She3p, suggesting that She2p's function in Myo4p targeting is to link an mRNA to the motor complex.

    On the Security of the PKCS#1 v1.5 Signature Scheme

    The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends as a replacement the more complex and less efficient scheme RSA-PSS, since it is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes standard proof techniques not applicable. We introduce a new technique that enables the first security proof for RSA PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model and the parameters deviate slightly from the standard use, because we require a larger output length of the hash function. However, we also show how RSA PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply. In order to draw a more complete picture of the precise security of RSA PKCS#1 v1.5 signatures, we also give security proofs in the standard model, but with respect to weaker attacker models (key-only attacks) and based on known complexity assumptions. The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately.
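Added example (not code from the paper): the deterministic EMSA-PKCS1-v1_5 encoding the abstract refers to, wired to textbook RSA so the whole sign/verify path can be run. The encoded message is 0x00 || 0x01 || 0xFF...0xFF || 0x00 || DigestInfo || H(m) with at least eight 0xFF bytes (RFC 8017, section 9.2); the DigestInfo prefix below is the SHA-256 one from that RFC. Nothing in the encoding is random, so signing the same message twice yields byte-identical signatures, which is exactly the property that rules out the standard proof techniques. The verifier rebuilds the full expected encoding and compares it whole rather than parsing the decrypted block. The 1024-bit modulus and the Miller-Rabin key generation are assumptions chosen here to keep the example self-contained; a production system would use a vetted library and a larger modulus.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (AlgorithmIdentifier + OCTET STRING
# header), as given in the notes to RFC 8017 section 9.2.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Deterministic PKCS#1 v1.5 encoding: 00 01 PS 00 T, PS = 0xFF * k, |PS| >= 8."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin (assumption: enough for an illustrative key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024, e: int = 65537):
    """Returns ((n, e), (n, d)). Toy size: 1024-bit modulus for speed only."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign(priv, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(pub, message: bytes, sig: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare the complete expected encoding; do not parse the padding.
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def is_deterministic(priv, message: bytes) -> bool:
    """Two signatures on the same message are identical: no randomness in v1.5."""
    return sign(priv, message) == sign(priv, message)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sig = sign(priv, b"hello")
    print("verify:", verify(pub, b"hello", sig))
    print("deterministic:", is_deterministic(priv, b"hello"))
```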

    Not Everybody's Darling - Investigating the Acceptance of Benefits Management and Moderating Organizational Characteristics

    Despite organizations' substantial investments in information systems and information technology, the successful realization of appropriate benefits is still often considered a major organizational challenge. Beyond traditional project management dimensions, such as time, cost, and quality, benefits management (BM) emphasizes the need to identify, plan, realize, and review benefits, particularly by means of business changes. While the BM field is still evolving, most studies report alarmingly low BM adoption rates in practice. Therefore, we try to understand the determinants of BM acceptance by developing a conceptual model and conducting complementary, exploratory interviews. We find that an individual's role in BM and specific organizational culture characteristics play a major role in influencing the determinants of BM acceptance. We contribute to BM research by providing a deeper understanding of BM acceptance and adoption. Practitioners can use these insights to launch more successful change initiatives while implementing BM.

    Proving Correctness and Security of Two-Party Computation Implemented in Java in Presence of a Semi-Honest Sender

    We provide a proof of correctness and security of a two-party-computation protocol based on garbled circuits and oblivious transfer in the presence of a semi-honest sender. To achieve this we are the first to combine a machine-assisted proof of correctness with advanced cryptographic primitives to prove security properties of Java code. The machine-assisted part of the proof is conducted with KeY, an interactive theorem prover. The proof includes a correctness result for the construction and evaluation of garbled circuits. This is particularly interesting since checking such an implementation by hand would be very tedious and error-prone. Although we stick to the secure two-party-computation of an n-bit AND in this paper, our approach is modular, and we explain how our techniques can be applied to other functions. To prove the security of the protocol for an honest-but-curious sender and an honest receiver, we use the framework presented by Küsters et al. for the cryptographic verification of Java programs. As part of our work, we add oblivious transfer to the set of cryptographic primitives supported by the framework. This is a general contribution beyond our results for concrete Java code.
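Added example, not the paper's Java code: the construction and evaluation of garbled AND gates for the bitwise n-bit AND the abstract uses, written in Python so the correctness property the paper proves mechanically can at least be checked by running it. The sender garbles one gate per bit (two random labels per wire, a point-and-permute colour bit in the last byte of each label, a four-row table encrypted under the hash of the two input labels), sends the tables and the labels for its own input bits, and the receiver evaluates with exactly one label per wire. The receiver's input labels would be obtained through 1-out-of-2 oblivious transfer so the sender never learns the receiver's bits; that OT step is not implemented here and the labels are handed over directly (an assumption stated in the code). The hash-based row encryption and 16-byte labels are choices made for this example.

```python
import hashlib
import secrets


def gen_wire():
    """Two 16-byte labels for a wire. Last byte = colour bit = value XOR a random
    per-wire permute bit, so the colour reveals nothing about the value."""
    perm = secrets.randbits(1)
    labels = tuple(secrets.token_bytes(15) + bytes([v ^ perm]) for v in (0, 1))
    return labels, perm


def row_key(la: bytes, lb: bytes, gate_id: int) -> bytes:
    """Row encryption key derived from both input labels and the gate id."""
    return hashlib.sha256(la + lb + gate_id.to_bytes(4, "big")).digest()[:16]


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def garble_and_gate(gate_id: int) -> dict:
    """Sender side: labels for wires a, b, out and the permuted garbled table."""
    a, pa = gen_wire()
    b, pb = gen_wire()
    out, po = gen_wire()
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            # Row position is fixed by the colour bits the evaluator will see.
            row = 2 * (va ^ pa) + (vb ^ pb)
            table[row] = xor(row_key(a[va], b[vb], gate_id), out[va & vb])
    return {"a": a, "b": b, "out": out, "out_perm": po, "table": table}


def eval_and_gate(gate_id: int, table: list, la: bytes, lb: bytes) -> bytes:
    """Receiver side: pick the row by colour bits, decrypt one output label."""
    row = 2 * (la[-1] & 1) + (lb[-1] & 1)
    return xor(row_key(la, lb, gate_id), table[row])


def decode(out_label: bytes, out_perm: int) -> int:
    """Sender's decoding information: value = colour bit XOR permute bit."""
    return (out_label[-1] & 1) ^ out_perm


def two_party_and(x_bits: list, y_bits: list) -> list:
    """Bitwise AND of the sender's x and the receiver's y, one gate per bit."""
    gates = [garble_and_gate(i) for i in range(len(x_bits))]
    circuit = [g["table"] for g in gates]               # sent to the receiver
    x_labels = [g["a"][bit] for g, bit in zip(gates, x_bits)]
    # ASSUMPTION: in the real protocol the receiver gets these via 1-out-of-2 OT;
    # here they are selected directly, which a semi-honest sender must not see.
    y_labels = [g["b"][bit] for g, bit in zip(gates, y_bits)]
    out_labels = [eval_and_gate(i, t, la, lb)
                  for i, (t, la, lb) in enumerate(zip(circuit, x_labels, y_labels))]
    return [decode(lbl, g["out_perm"]) for lbl, g in zip(out_labels, gates)]


def truth_table_ok(gate_id: int) -> bool:
    """Correctness check for one gate: every input pair yields the right label."""
    g = garble_and_gate(gate_id)
    for va in (0, 1):
        for vb in (0, 1):
            lbl = eval_and_gate(gate_id, g["table"], g["a"][va], g["b"][vb])
            if lbl != g["out"][va & vb] or decode(lbl, g["out_perm"]) != (va & vb):
                return False
    return True


if __name__ == "__main__":
    print(two_party_and([0, 0, 1, 1], [0, 1, 0, 1]))
```

Because the table rows are placed by colour bits that are themselves masked by a random permute bit, the row the receiver opens carries no information about either party's input; the receiver learns only the output labels, and only the sender's decoding information turns them into bits.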

    Confined guessing: New signatures from standard assumptions

    We put forward a new technique to construct very efficient and compact signature schemes. Our technique combines several instances of an only mildly secure signature scheme to obtain a fully secure scheme. Since the mild security notion we require is much easier to achieve than full security, we can combine our strategy with existing techniques to obtain a number of interesting new (stateless and fully secure) signature schemes. Concretely, we get:
    • A scheme based on the computational Diffie-Hellman (CDH) assumption in pairing-friendly groups. Signatures contain O(1) and verification keys O(log k) group elements, where k is the security parameter. Our scheme is the first fully secure CDH-based scheme with such compact verification keys.
    • A scheme based on the (non-strong) RSA assumption in which both signatures and verification keys contain O(1) group elements. Our scheme is significantly more efficient than existing RSA-based schemes.
    • A scheme based on the Short Integer Solutions (SIS) assumption. Signatures contain O(log(k) · m) and verification keys O(n · m) Zp-elements, where p may be polynomial in k, and n, m denote the usual SIS matrix dimensions. Compared to state-of-the-art SIS-based schemes, this gives very small verification keys, at the price of slightly larger signatures.
    In all cases, the involved constants are small, and the arising schemes provide significant improvements upon state-of-the-art schemes. The only price we pay is a rather large (polynomial) loss in the security reduction. However, this loss can be significantly reduced at the cost of an additive term in signature and verification key size.