Bilinear Mappings in Formal Cryptography

Krüptograafiliste protokollide turvalisuse testimiseks on loodud erinevad analüsaatorid. Osa neist põhineb predikaatloogika valemitel. Formaalses mudelis pole aga mugav realiseerida aritmeetilisi funktsioone. On kerge arvutada g^a, kui on teada nii g kui a väärtused, kuid protokollides on muutujad üldjuhul väärtustamata. Algebraliste struktuuride omadusi on vaja kirjeldada loogika valemite abil. Mõnede sellist liiki probleemidega on juba tegeldud. Näiteks on realiseeritud Diffie-Hellmani astendamine Horni valemitel põhineva analüsaatoriga ProVerif. Kahjuks see töötab vaid erinevate astendajate lõpliku arvu korral. Peale astendamist pakuvad aga krüptograafia valdkonnale huvi ka muud algebralised struktuurid, nende hulgas ka bilineaarsed kujutused. Antud uurimistöö eesmärk oli realiseerida bilineaarsete kujutuste arvutamist analüsaatoriga ProVerif ning analüüsida moodustatud protokolliteisendaja abil mõningaid bilineaarseid kujutusi kasutavaid protokolle.Bilinear mappings are quite powerful mathematical structures that can be used in cryptography. They allow constructing cryptographic primitives that would be otherwise ineffective or even impossible. In formal cryptography, the protocols are based on term algebras and process calculi, and can be represented through Horn clauses for analysis purposes. The security of these protocols can be tested with analyzers based on resolution methods. However, there are problems with realization of arithmetic operations. It is easy to compute g^a if the values of both g and a are known, but the values are usually undefned in the protocols. Some research works have been written about the representation of exponentiation in formal model, but there are still many things that should be done. In this work, an attempt to implement an analysis of bilinear mappings in formal cryptography has been done

Insecurity of Transformation-Based Privacy-Preserving Linear Programming

Rakendusmatemaatikat kasutatakse paljudes reaalse maailma probleemides. Nende probleemide lahendamine võib olla seotud tundlike andmetega. Sellisel juhul läheb tarvis krüptograafilisi meetodeid. Kuigi on tõestatud, et iga funktsiooni saab arvutada turvaliselt, on küsimus selles, kuidas teha seda efektiivselt. Üldiselt võib olla keeruline lahendada optimeerimisülesandeid nii turvaliselt kui ka efektiivselt, kuid häid lahendeid saab leida kitsamatele ülesannete klassidele, näiteks lineaarse planeerimise ülesannetele. Käesolev töö annab ülevaate teisenduspõhisest privaatsust säilitavast lineaarsest planeerimisest, tutvustades mõningaid probleeme eelmistes töödes ja näidates teisenduspõhise meetodi ebaturvalisust. Töö esitab konkreetseid ründeid olemasolevate teisendusmeetodite vastu. Töös pakutakse välja võimalikud viisid nende rünnete eest kaitsmiseks ja seejärel näidatakse, et mõned teisenduspõhise meetodi puudused ei ole üldse ületatavad, vähemalt eelmistes töödes kasutatud teatud teisenduste klassi raamesse jäädes.Applied mathematics is used in many real-world problems. Solving some of these problems may involve sensitive data. In this case, cryptographic techniques become necessary. Although it has been proven that any function can be computed securely, it is still a question how to do it efficiently. While it may be difficult to solve optimization tasks securely and efficiently in general, there may still be solutions for some particular classes of tasks, such as linear programming. This thesis gives an overview of the transformation-based privacy-preserving linear programming. The thesis introduces some problems of this approach that have been present in the previous works and demonstrates its insecurity. It presents concrete attacks against published methods following this approach. Possible methods of protection against these attacks are proposed. It has been proven that there are issues that cannot be resolved at all using the particular known class of efficient transformations that has been used before

Tõhus peit- ja aktiivse ründaja vastu kaitstud turvaline ühisarvutus

Turvaline ühisarvutus on tänapäevase krüptograafia üks tähtsamaid kasutusviise, mis koondab elegantsed matemaatilised lahendused praktiliste rakenduste ehitamiseks, võimaldades mitmel erineval andmeomanikul sooritada oma andmetega suvalisi ühiseid arvutusi, ilma neid andmeid üksteisele avaldamata. Passiivse ründaja vastu turvalised protokollid eeldavad, et kõik osapooled käituvad ausalt. Aktiivse ründaja vastu turvalised protokollid ei lekita privaatseid andmeid sõltumata ründaja käitumisest. Käesolevas töös esitatakse üldine meetod, mis teisendab passiivse ründaja vastu turvalised ühisarvutusprotokollid turvaliseks aktiivse ründaja vastu. Meetod on optimeeritud kolme osapoolega arvutusteks üle algebraliste ringide; praktikas on see väga efektiivne mudel, mis teeb reaalse maailma rakendused teostatavateks. Meetod lisab esialgsele arvutusprotokollile täitmisjärgse verifitseerimisfaasi, mis muudab valesti käitunud osapooltel vahelejäämise vältimise tõenäosuse kaduvväikseks, säilitades esialgse protokolli turvagarantiid. Lisaks uurib käesolev töö rünnete uut eesmärki, mis seisneb mingi ausa osapoole vaate manipuleerimises sellisel viisil, et ta saaks midagi teada teise ausa osapoole privaatsete andmete kohta. Ründaja ise ei tarvitse seda infot üldse teada saada. Sellised ründed on olulised, sest need kohustavad ausat osapoolt tühjendama oma süsteemi teiste osapoolte andmetest, kuid see ülesanne võib olla päris mittetriviaalne. Eelnevalt pakutud verifitseerimismehhanisme täiendatakse nii, et privaatsed andmed oleksid kaitstud ka ausate osapoolte eest. Paljud ühisarvutusplatvormid on varustatud programmeerimiskeelega, mis võimaldab kirjutada privaatsust säilitavaid rakendusi ilma allolevale krüptograafiale mõtlemata. Juhul, kui programm sisaldab tingimuslauseid, kus arvutusharu valik sõltub privaatsetest andmetest, ei tohi ükski osapool haru valikust midagi teada, nii et üldjuhul peavad osapooled täitma kõik harud. Harude suure arvu kor-ral võib arvutuslik lisakulu olla ülisuur, sest enamik vahetulemustest visatakse ära. Käesolevas töös pakutakse selliseid lisakulusid vähendavat optimeerimist.Secure multiparty computation is one of the most important employments of modern cryptography, bringing together elegant mathematical solutions to build up useful practical applications. It allows several distinct data owners to perform arbitrary collaborative computation on their private data without leaking any information to each other. Passively secure protocols assume that all parties follow the protocol rules. Actively secure protocols do not leak private data regardless of the attacker’s behaviour. This thesis presents a generic method for turning passively secure multiparty protocols to actively secure ones. The method is optimized for three party computation over algebraic rings, which has proven to be quite an efficient model, making large real-world applications feasible. Our method adds to the protocol a post-execution verification phase that allows a misbehaving party to escape detection only with negligible probability. It preserves the privacy guarantees of the original protocol. In this thesis, we also study a new adversarial goal in multiparty protocols. The goal is to manipulate the view of some honest party in such a way, that this honest party learns the private data of some other honest party. The adversary itself might not learn this data at all. Such attacks are significant because they create a liability to the first honest party to clean its systems from the second honest party’s data, which may be a highly non-trivial task in practice. We check the security of our verification mechanism in this new model, and we propose some minor modifications that ensure data protection also from the honest parties. Many secure multiparty computation platforms come with a programming language that allows the developer to write privacy-preserving applications without thinking of the underlying cryptography. If a program contains conditional statements where the choice of the computational branch depends on private data, then no party should know which branch has been executed, so in general the parties need to execute all of them. If the number of branches is large, the computational overhead may be enormous, as most of the intermediate results are just discarded. In this thesis, we propose an automatic optimization that reduces this overhead

Relations between Privacy, Verifiability, Accountability and Coercion-Resistance in Voting Protocols

This paper studies quantitative relationships between privacy, verifiability, accountability, and coercion-resistance of voting protocols. We adapt existing definitions to make them better comparable with each other and determine which bounds a certain requirement on one property poses on some other property. It turns out that, in terms of proposed definitions, verifiability and accountability do not necessarily put constraints on privacy and coercion-resistance. However, the relations between these notions become more interesting in the context of particular attacks. Depending on the assumptions and the attacker\u27s goal, voter coercion may benefit from a too weak as well as too strong verifiability

Optimizing Secure Computation Programs with Private Conditionals

Secure multiparty computation platforms are often provided with a programming language that allows to write privacy-preserving applications without thinking of the underlying cryptography. The control flow of these programs is expensive to hide, hence they typically disallow branching on private values. The application programmers have to specify their programs in terms of allowed constructions, either using ad-hoc methods to avoid such branchings, or the general methodology of executing all branches and obliviously selecting the effects of one at the end. There may be compiler support for the latter. The execution of all branches introduces significant computational overhead. If the branches perform similar private operations, then it may make sense to compute repeating patterns only once, even though the necessary bookkeeping also has overheads. In this paper, we propose a program optimization doing exactly that, allowing the overhead of private conditionals to be reduced. The optimization is quite general, and can be applied to various privacy-preserving platforms

Privacy-preserving Frequent Itemset Mining for Sparse and Dense Data

Frequent itemset mining is a task that can in turn be used for other purposes such as associative rule mining. One problem is that the data may be sensitive, and its owner may refuse to give it for analysis in plaintext. There exist many privacy-preserving solutions for frequent itemset mining, but in any case enhancing the privacy inevitably spoils the efficiency. Leaking some less sensitive information such as data density might improve the efficiency. In this paper, we devise an approach that works better for sparse matrices and compare it to the related work that uses similar security requirements on similar secure multiparty computation platform

Preprocessing-Based Verification of Multiparty Protocols with Honest Majority

This paper presents a generic “GMW-style” method for turning passively secure protocols into protocols secure against covert attacks, adding relatively cheap offline preprocessing and post-execution verification phases. In the preprocessing phase, each party generates and shares a sufficient amount of verified multiplication triples that will be later used to assist that party’s proof. The execution phase, after which the computed result is already available to the parties, has only negligible overhead that comes from signatures on sent messages. In the postprocessing phase, the verifiers repeat the computation of the prover in secret-shared manner, checking that they obtain the same messages that the prover sent out during execution. The verification preserves the privacy guarantees of the original protocol. It is applicable to protocols doing computations over finite rings, even if the same protocol performs its computation over several distinct rings. We apply our verification method to the Sharemind platform for secure multiparty computations (SMC), evaluate its performance and compare it to other existing SMC platforms offering security against stronger than passive attackers