Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine

Typical security models used for proving security of deployed cryptographic primitives do not allow adversaries to rewind or reset honest parties to an earlier state. Thus, it is common to see cryptographic protocols rely on the assumption that fresh random numbers can be continually generated. In this paper, we argue that because of the growing popularity of virtual machines and, specifically, their state snapshot and revert features, the security of cryptographic protocols proven under these assumptions is called into question. We focus on public-key encryption security in a setting where resetting is possible and random numbers might be reused. We show that existing schemes and security models are insufficient in this setting. We then provide new formal security models and show that making a simple and efficient modification to any existing PKE scheme gives us security under our new models

Encryption Schemes Secure under Selective Opening Attack

We provide the first public key encryption schemes proven secure against selective opening attack (SOA). This means that if an adversary obtains a number of ciphertexts and then corrupts some fraction of the senders, obtaining not only the corresponding messages but also the coins under which they were encrypted then the security of the other messages is guaranteed. Whether or not schemes with this property exist has been open for many years. Our schemes are based on a primitive we call lossy encryption. Our schemes have short keys (public and secret keys of a fixed length suffice for encrypting an arbitrary number of messages), are stateless, are non-interactive, and security does not rely on erasures. The schemes are without random oracles, proven secure under standard assumptions (DDH, Paillier’s DCR, QR, lattices), and even efficient. We are able to meet both an indistinguishability (IND-SOA-C) and a simulation-style, semantic security (SS-SOA-C) definition

Public-key encryption secure in the presence of randomness failures

Public-key encryption (PKE) is a central tool for protecting the privacy of digital information. To achieve desirable strong notions of security like indistinguishability under chosen-plaintext attack (IND- CPA), it is essential for an encryption algorithm to have access to a source of fresh, uniform random bits. Further, these bits should never be revealed and never reused. In practice, our machines typically generate these random bits with software random number generators (RNGs). Unfortunately, RNGs are prone to problems. The resulting randomness failures can have disastrous consequences for the security of existing PKE schemes that rely on good randomness. In this dissertation we focus PKE security in the presence of three types of randomness failures: predictable randomness, repeated randomness, and revealed randomness. For predictable randomness, where the encryption algorithm is given random inputs that are predictable to an adversary, we argue that we want PKE schemes that are hedged against bad randomness: if the encryption scheme is given good randomness it provably meets traditional notions like IND-CPA, while if it is given poor randomness, it still provably provides some security. We formalize this security notion and give provably-secure constructions of hedged public-key encryption. Next, we show how repeated randomness failures, where the encryption algorithm is given random inputs that it was given previously, can occur in practice due to virtual machine snapshots. In particular, we show how many popular web browsers are vulnerable to these failures. We then turn to building PKE schemes that still provide provable security when given repeated randomness. We develop new models of security to capture this situation and prove that a simple and efficient modification to any existing secure scheme gives security under our new models. Finally, we study the strange effects revealed randomness failures, where the random inputs used for encryption are later revealed to an adversary, can have on public-key encryption security. Specifically, we focus on selective opening attacks. We show that a large class of PKE schemes, called lossy encryption schemes, provably resists selective opening attack

This is the full version. The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks

Multiparty signature protocols need protection against rogue-key attacks, made possible whenever an adversary can choose its public key(s) arbitrarily. For many schemes, provable security has only been established under the knowledge of secret key (KOSK) assumption where the adversary is required to reveal the secret keys it utilizes. In practice, certifying authorities rarely require the strong proofs of knowledge of secret keys required to substantiate the KOSK assumption. Instead, proofs of possession (POPs) are required and can be as simple as just a signature over the certificate request message. We propose a general registered key model, within which we can model both the KOSK assumption and in-use POP protocols. We show that simple POP protocols yield provable security of Boldyreva’s multisignature scheme [11], the LOSSW multisignature scheme [28], and a 2-user ring signature scheme due to Bender, Katz, and Morselli [10]. Our results are the first to provide formal evidence that POPs can sto