8 research outputs found

    Laconic Function Evaluation for Turing Machines

    Laconic function evaluation (LFE) allows Alice to compress a large circuit $\mathbf{C}$ into a small digest $\mathsf{d}$. Given Alice's digest, Bob can encrypt some input $x$ under $\mathsf{d}$ in a way that enables Alice to recover $\mathbf{C}(x)$, without learning anything beyond that. The scheme is said to be laconic if the size of $\mathsf{d}$, the runtime of the encryption algorithm, and the size of the ciphertext are all sublinear in the size of $\mathbf{C}$. Until now, all known LFE constructions have ciphertexts whose size depends on the depth of the circuit $\mathbf{C}$, akin to the limitation of levelled homomorphic encryption. In this work we close this gap and present the first LFE scheme (for Turing machines) with asymptotically optimal parameters. Our scheme assumes the existence of indistinguishability obfuscation and somewhere statistically binding hash functions. As further contributions, we show how our scheme enables a wide range of new applications, including two previously unknown constructions:
    • Non-interactive zero-knowledge (NIZK) proofs with optimal prover complexity.
    • Witness encryption and attribute-based encryption (ABE) for Turing machines from falsifiable assumptions.

    Swoosh: Practical Lattice-Based Non-Interactive Key Exchange

    The advent of quantum computers has sparked significant interest in post-quantum cryptographic schemes, as a replacement for currently used cryptographic primitives. In this context, lattice-based cryptography has emerged as the leading paradigm to build post-quantum cryptography. However, all existing viable replacements of the classical Diffie-Hellman key exchange require additional rounds of interaction, thus failing to achieve all the benefits of this protocol. Although earlier work has shown that lattice-based Non-Interactive Key Exchange (NIKE) is theoretically possible, it has been considered too inefficient for real-life applications. In this work, we challenge this folklore belief and provide the first evidence against it. We construct a practical lattice-based NIKE whose security is based on the standard module learning with errors (M-LWE) problem in the quantum random oracle model. Our scheme is obtained in two steps: (i) a passively-secure construction that achieves a strong notion of correctness, coupled with (ii) a generic compiler that turns any such scheme into an actively-secure one. To substantiate our efficiency claim, we provide an optimised implementation of our construction in Rust and Jasmin. Our implementation demonstrates the scheme's applicability to real-world scenarios, yielding public keys of approximately 220 KB. Moreover, the computation of shared keys takes fewer than 12 million cycles on an Intel Skylake CPU, offering a post-quantum security level exceeding 120 bits.
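    The abstract's two-step structure starts from a passively-secure scheme whose correctness is only approximate. The following is an added example, not Swoosh's code and not its parameters: a toy two-sided non-interactive key exchange from plain matrix LWE (rather than Module-LWE), in the folklore form that earlier work on lattice NIKE builds on. The modulus Q = 2^32, dimension N = 64, width M = 8 and the ternary secret/error distribution are constructed for illustration and carry no security margin. They are chosen so that the two parties' raw keys differ by at most 2N per entry, which is why rounding each entry to one bit almost always agrees but can never be made exact without extra care; the actively-secure compiler from the abstract is not modelled.

```python
"""Toy two-sided LWE non-interactive key exchange (added example, not Swoosh).

Plain matrix LWE instead of Module-LWE; Q, N, M and the ternary secret/error
distribution are constructed toy parameters with no security margin. Alice and
Bob each publish one LWE-style public key and derive a shared key with no
further messages; the raw keys agree only up to a bounded error term.
"""
import random

Q = 2 ** 32   # modulus
N = 64        # LWE dimension
M = 8         # secret width; the derived key has M*M bits


def small_matrix(rows, cols, rng):
    """Secret or error matrix with entries in {-1, 0, 1}."""
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]


def transpose(x):
    return [list(col) for col in zip(*x)]


def matmul(x, y, mod=None):
    """Integer matrix product, reduced mod `mod` when given."""
    cols = transpose(y)
    out = [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in x]
    if mod is not None:
        out = [[v % mod for v in row] for row in out]
    return out


def public_matrix(seed):
    """Public A in Z_Q^{N x N}, shared by everyone and derived from a seed."""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]


def keygen(a, role, rng):
    """Alice publishes P_A = A*S_A + E_A, Bob publishes P_B = A^T*S_B + E_B.
    Each public key is a batch of LWE samples, which hides the secret."""
    s = small_matrix(N, M, rng)
    e = small_matrix(N, M, rng)
    base = a if role == "alice" else transpose(a)
    p = [[(v + w) % Q for v, w in zip(r1, r2)] for r1, r2 in zip(matmul(base, s), e)]
    return s, p


def raw_shared(role, secret, peer_public):
    """Alice: S_A^T * P_B = S_A^T A^T S_B + S_A^T E_B.
    Bob:   P_A^T * S_B = S_A^T A^T S_B + E_A^T S_B.
    The two differ by S_A^T E_B - E_A^T S_B; every entry is bounded by 2N."""
    if role == "alice":
        return matmul(transpose(secret), peer_public, Q)
    return matmul(transpose(peer_public), secret, Q)


def key_bits(k):
    """One bit per entry: 1 if the entry lies in [Q/4, 3Q/4), else 0.
    Rounding only disagrees when an entry is within the noise bound of Q/4 or 3Q/4."""
    return [1 if Q // 4 <= v < 3 * Q // 4 else 0 for row in k for v in row]


def centered(v):
    """Representative of v mod Q in (-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


NOISE_BOUND = 2 * N   # |sum of N ternary products| + |sum of N ternary products|


def run_nike(seed=0):
    """Run the exchange; return (alice_key, bob_key, largest raw-key difference)."""
    a = public_matrix(seed)
    rng = random.Random(seed + 1)
    s_a, p_a = keygen(a, "alice", rng)
    s_b, p_b = keygen(a, "bob", rng)
    k_a = raw_shared("alice", s_a, p_b)
    k_b = raw_shared("bob", s_b, p_a)
    noise = max(abs(centered(x - y)) for ra, rb in zip(k_a, k_b) for x, y in zip(ra, rb))
    return key_bits(k_a), key_bits(k_b), noise


if __name__ == "__main__":
    alice_key, bob_key, noise = run_nike()
    print("raw keys differ by at most", noise, "(bound", NOISE_BOUND, ") out of Q =", Q)
    print("keys agree:", alice_key == bob_key, "; key =", "".join(map(str, alice_key)))
```

    The bound on the raw-key difference is exact, but agreement of the rounded bits is only probabilistic: an entry that lands within NOISE_BOUND of Q/4 or 3Q/4 can round differently on the two sides, so a real scheme has to budget for this failure probability or eliminate it, which is the correctness property the passively-secure step above has to deliver.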

    On Statistical Properties of Arbiter Physical Unclonable Functions

    The growing interest in the Internet of Things (IoT) has led to predictions claiming that by 2020 we can expect to be surrounded by 50 billion Internet connected devices. With more entry points to a network, adversaries can potentially use IoT devices as a stepping stone for attacking other devices connected to the network or the network itself. Information security relies on cryptographic primitives that, in turn, depend on secret keys. Furthermore, the issue of intellectual property (IP) theft in the field of integrated circuit (IC) design can be tackled with the help of unique device identifiers. Physical unclonable functions (PUFs) provide a tamper-resilient solution for secure key storage and fingerprinting hardware. PUFs use intrinsic manufacturing differences of ICs to assign unique identities to hardware. Arbiter PUFs utilise the differences in delays of identically designed paths, giving rise to an unpredictable response unique to a given IC. This thesis explores the statistical properties of Boolean functions induced by arbiter PUFs. In particular, this empirical study looks into the distribution of induced functions. The data gathered shows that only 3% of all possible 4-variable functions can be induced by a single 4-stage arbiter PUF. Furthermore, some individual functions are more than 5 times more likely than others. Hence, the distribution is non-uniform. We also evaluate alternate PUF designs, improving the coverage vastly, resulting in one particular implementation inducing all 65,536 4-variable functions. We hypothesise the need for n XORed PUFs to induce all $2^{2^n}$ possible n-variable Boolean functions.
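    The coverage figures above can be reproduced in simulation. The following is an added example, not code from the thesis: it uses the standard linear additive delay model of the arbiter PUF, in which the response is the sign of a weighted sum of parity-transformed challenge bits, so a single PUF can only induce linear threshold functions over a fixed relabelling of the challenge space (of which there are 1882 on 4 variables, i.e. 2.9% of 65,536). The i.i.d. Gaussian stage delays, the sample sizes and the k-XOR variants are constructed for illustration rather than measured from hardware; the thesis's "one particular implementation" that reaches full coverage is not specified on the page and is not modelled.

```python
"""Additive-delay simulation of an n-stage arbiter PUF and of k-XOR arbiter PUFs.

Added example, not code from the thesis. It uses the standard linear additive
delay model of the arbiter PUF (the response is the sign of a weighted sum of
parity-transformed challenge bits); the i.i.d. Gaussian stage delays and the
sample sizes are constructed for illustration, not measured from hardware.
"""
import itertools
import random
from collections import Counter


def parity_features(challenge):
    """Map a challenge c in {0,1}^n to the feature vector phi in {-1,1}^n x {1}.

    phi[i] = prod_{j >= i} (1 - 2*c[j]) for i < n, and phi[n] = 1 is the bias
    term. c -> phi[:n] is a bijection, so a single arbiter PUF computes a linear
    threshold function over a fixed relabelling of the challenge space.
    """
    n = len(challenge)
    phi = [1] * (n + 1)
    for i in range(n - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi


def arbiter_response(weights, challenge):
    """Single arbiter PUF: 1 if the accumulated delay difference is positive."""
    delta = sum(w * p for w, p in zip(weights, parity_features(challenge)))
    return 1 if delta > 0 else 0


def truth_table(puf_weights, n):
    """Truth table of the XOR of the arbiter PUFs in puf_weights over all 2^n
    challenges (lexicographic order); a one-element list is a plain arbiter PUF."""
    table = []
    for c in itertools.product((0, 1), repeat=n):
        bit = 0
        for w in puf_weights:
            bit ^= arbiter_response(w, c)
        table.append(bit)
    return tuple(table)


def sample_induced_functions(n, k, samples, rng):
    """Counter: induced n-variable function -> how many of `samples` random
    k-XOR PUFs (i.i.d. N(0,1) stage delays) induced it."""
    counts = Counter()
    for _ in range(samples):
        pufs = [[rng.gauss(0.0, 1.0) for _ in range(n + 1)] for _ in range(k)]
        counts[truth_table(pufs, n)] += 1
    return counts


def coverage(n, k, samples, seed=1):
    """Distinct n-variable functions seen among `samples` random k-XOR PUFs."""
    return len(sample_induced_functions(n, k, samples, random.Random(seed)))


# Number of 4-variable linear threshold functions (OEIS A000609): the most a
# single 4-stage arbiter PUF can ever induce, i.e. 1882/65536 = 2.9%.
THRESHOLD_FUNCTIONS_4 = 1882

if __name__ == "__main__":
    n, total = 4, 2 ** (2 ** 4)
    for k in (1, 2, 3, 4):
        seen = coverage(n, k, samples=10000)
        print(f"{k}-XOR 4-stage arbiter PUF: {seen} of {total} functions ({100 * seen / total:.1f}%)")
    counts = sample_induced_functions(n, 1, 10000, random.Random(1))
    print("single PUF, most/least frequent function ratio:", max(counts.values()) / min(counts.values()))
```

    Two things to read off the output: the single-PUF coverage never exceeds 1882 no matter how many devices are sampled, and the frequency ratio between the most and least common induced functions is far from 1, which is the non-uniformity the thesis reports. XORing independent PUFs escapes the threshold-function class, which is why coverage grows with k.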

    On Asynchronous Group Key Agreement : Tripartite Asynchronous Ratchet Trees

    The subject of secure messaging has gained notable attention lately in the cryptographic community. For communications between two parties, paradigms such as the double ratchet, used in the Signal protocol, provide provably strong security guarantees such as forward secrecy and post-compromise security. Variations of the Signal protocol have enjoyed widespread adoption and are embedded in several well known messaging services, including Signal, WhatsApp and Facebook Secret Conversations. However, providing equally strong guarantees that scale well in group settings remains somewhat less well studied and is often neglected in practice. This motivated the need for the IETF Messaging Layer Security (MLS) working group. The first continuous group key agreement (CGKA) protocol to be proposed was Asynchronous Ratcheting Trees (ART) [Cohn-Gordon et al., 2018], which formed the basis of TreeKEM [Barnes et al., 2019], the CGKA protocol currently suggested for MLS. In this thesis we propose a new asynchronous group key agreement protocol based on one-round Tripartite Diffie-Hellman [Joux, 2000]. Furthermore, we show that our protocol can be generalised to an n-ary asynchronous ratchet tree, assuming the existence of a one-round (n + 1)-way Diffie-Hellman key exchange based on an n-multilinear map [Boneh and Silverberg, 2003]. We analyse ART, TreeKEM, and our proposals from a complexity-theoretic perspective and show that our proposals improve the cost of update operations. Finally we present some discussion and improvements to the IETF MLS standard.