2019:

Securing V2X Communications for the Future - Can PKI Systems offer the answer?, Giannetsos, Thanassis; Krontiris, Ioannis

expand[ More ]


Abstract:Over recent years, emphasis in secure V2X communications research has converged on the use of Vehicular Public Key Infrastructures (VPKIs) for credential management and privacy-friendly authentication services. However, despite the security and privacy guarantees offered by such solutions, there are still a number of challenges to be conquered. By reflecting on state-of-the-art PKI-based architectures, in this paper, we identify their limitations focusing on scalability, interoperability, pseudonym reusage policies and revocation mechanisms. We argue that in their current form such mechanisms cannot capture the strict security, privacy, and trust requirements of all involved stakeholders. Motivated by these weaknesses, we then proceed on proposing the use of trusted computing technologies as an enabler for more decentralized approaches where trust is shifted from the back-end infrastructure to the edge. We debate on the advantages offered and underline the specifis of such a novel approach based on the use of advanced cryptographic primitives, using Direct Anonymous Attestation (DAA) as a concrete example. Our goal is to enhance run-time security, privacy and trustworthiness of edge devices with a scalable and decentralized solution eliminating the need for federated infrastructure trust. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them.


On Deception-Based Protection Against Cryptographic Ransomware, Alper Genç, Ziya; Lenzini, Gabriele; Sgandurra, Daniele

expand[ More ]


Abstract: In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-ofconcept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.


Optimal TNFS-secure pairings on elliptic curves with composite embedding degree, Georgios Fotiadis), Chloe Martindale

expand[ More ]


Abstract: In this paper we present a comprehensive comparison between pairing-friendly elliptic curves, considering different curve forms and twists where possible. We define a measure of the efficiency of a parametrized pairing-friendly family that takes into account the number field sieve (NFS) attacks (unlike the ρ-value). This measure includes an approximation of the security of the discrete logarithm problem in F∗pk, computed via the method of Barbulescu and Duquesne [4]. We compute the security of the families presented by Fotiadis and Konstantinou in [13], compute some new families, and compare the efficiency of both of these with the (adjusted) BLS, KSS, and BN families, and with the new families of [19]. Finally, we present an optimal pairing-friendly elliptic curve for security level 128 and recommend two pairing-friendly elliptic curves for security level 192.


Certificateless public key signature schemes from standard algorithms, Zhaohui Chen, Liqun Chen

expand[ More ]


Abstract: Certificateless public key cryptography (CL-PKC) is designed to have succinct public key management without using certificates at the same time avoid the key-escrow attribute in the identity-based cryptography. Security mechanisms employing implicit certificates achieve same goals. In this work, we first unify the security notions of these two types of mechanisms with a modified CL-PKC formulation. We further present a general key-pair generation algorithm for CL-PKC schemes and use it to construct certificateless public key signature (CL-PKS) schemes from standard algorithms. The technique, which we apply, helps defeat known-attacks against existing constructions, and the resulting schemes could be quickly deployed based on the existing standard algorithm implementations.


A Symbolic Analysis of ECC-based Direct Anonymous Attestation, Whitefield Jorden, Chen Liqun, Sasse Ralf, Schneider Steve, Treharne Helen and Wesemeyer Stephan

expand[ More ]


Abstract: Direct Anonymous Attestation (DAA) is a crypto-graphic scheme that provides Trusted Platform Module (TPM)-backed anonymous credentials. We develop TAMARINmodellingof the ECC-based version of the protocol as it is standardisedand provide the first mechanised analysis of this standard. Ouranalysis confirms that the scheme is secure when all TPMs areassumed honest, but reveals a break in the protocol’s expectedauthentication and secrecy properties for all TPMs even if onlyone is compromised. We propose and formally verify a minimalfix to the standard. In addition to developing the first formalanalysis of ECC-DAA, the paper contributes to the growing bodyof work demonstrating the use of formal tools in supportingstandardisation processes for cryptographic protocols.Index Terms—Direct Anonymous Attestation, symbolic verifi-cation, TAMARINPROVER, authentication, secrecy


An HPR variant of the FV scheme, Computationally Cheaper, Asymptotically Faster; Jean-Claude Bajard, Julien Eynard, Paulo Martins, Leonel Sousa and Vincent Zucca

expand[ More ]


Abstract: State-of-the-art implementations of homomorphic encryption exploit the Fan and Vercauteren (FV) scheme and the Residue Number System (RNS). While the RNS breaks down large integer arithmetic into smaller independent channels, its non-positional nature makes operations such as division and rounding hard to implement, and makes the representation of small values inefficient. In this work, we propose the application of the Hybrid Position-Residues Number System representation to the FV scheme. This is a positional representation of large radix where the digits are represented in RNS. It inherits the benefits from RNS and allows to accelerate the critical division and rounding operations while also making the representation of smaller values more compact. This directly benefits the decryption and the homomorphic multiplication procedures, reducing their asymptotic complexity, in dimension n, from O(n2logn) to O(nlogn) and from O(n3logn) to O(n3), respectively. This has also resulted in noticeable speedups when experimentally compared to related art RNS implementations.


Can You Sign A Quantum State?, Gorjan Alagic, Tommaso Gagliardoni, and Christian Majenz

expand[ More ]


Abstract: Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argued informally that these strange features should imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we perform the first rigorous study of the problem of signing quantum states. We first show that the intuition of Barnum et al. was correct, by proving an impossibility result which rules out even very weak forms of signing quantum states. Essentially, we show that any non-trivial combination of correctness and security requirements results in negligible security. This rules out all quantum signature schemes except those which simply measure the state and then sign the outcome using a classical scheme. In other words, only classical signature schemes exist. We then show a positive result: it is possible to sign quantum states, provided that they are also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior efficiency to simultaneous encryption and signing. Our results imply that, quantumly, it is far more interesting: by the laws of quantum mechanics, it is the only signing method available. We develop security definitions for quantum signcryption, ranging from a simple one-time two-user setting, to a chosen-ciphertext-secure many-time multi-user setting. We also give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and chosen-ciphertext security.


Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs, Bootle, Jonathan; Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: key component of many lattice-based protocols is a zero-knowledge proof of knowledge of a vector~swith small coecients sa-tisfyingA~s=~umodq. While there exist fairly ecient proofs for arelaxed version of this equation which prove the knowledge of~s0andcsatisfyingA~s0=~ucwherek~s0k  k~skandcis some small elementin the ring over which the proof is performed, the proofs for the exactversion of the equation are considerably less practical. The best suchproof technique is an adaptation of Stern's protocol (Crypto '93), forproving knowledge of nearby codewords, to larger moduli. The scheme isa-protocol, each of whose iterations has soundness error 2=3, and thusrequires over 200 repetitions to obtain soundness error of 2128, whichis the main culprit behind the large size of the proofs produced.In this paper, we propose the rst lattice-based proof system that signi- cantly outperforms Stern-type proofs for proving knowledge of a short~ssatisfyingA~s=~umodq. Unlike Stern's proof, which is combinatorialin nature, our proof is more algebraic and uses various relaxed zero-knowledge proofs as sub-routines. The main savings in our proof systemcomes from the fact that each round has soundness error of 1=n, wherenis the number of columns ofA. For typical applications,nis a fewthousand, and therefore our proof needs to be repeated around 10 timesto achieve a soundness error of 2128. For concrete parameters, it pro-duces proofs that are around an order of magnitude smaller than thoseproduced using Stern's approach.


Short Discrete Log Proofs for FHE and Ring-LWE Ciphertexts, del Pino, Rafael; Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: Applications of fully-homomorphic encryption (FHE) that involve computation on en-cryptions produced by several users, it is important that each user proves that her input is indeedwell-formed. This may simply mean that the inputs are valid FHE ciphertexts or, more generally, thatthe plaintextsmadditionally satisfyf(m) = 1 for some public functionf. The most ecient FHEschemes are based on the hardness of the Ring-LWE problem and so a natural solution would be to uselattice-based zero-knowledge proofs for proving properties about the ciphertext. Such methods, howe-ver, require larger-than-necessary parameters and result in rather long proofs, especially when provinggeneral relationships.In this paper, we show that one can get much shorter proofs (roughly 1:25KB) by rst creating aPedersen commitment from the vector corresponding to the randomness and plaintext of the FHEciphertext. To prove validity of the ciphertext, one can then prove that this commitment is indeed tothe message and randomness and these values are in the correct range. Our protocol utilizes a con-nection between polynomial operations in the lattice scheme and inner product proofs for Pedersencommitments of Bunz et al. (S&P 2018). Furthermore, our proof of equality between the ciphertextand the commitment is very amenable to amortization { proving the equivalence ofkciphertext /commitment pairs only requires an additive factor ofO(logk) extra space than for one such proof. Forproving additional properties of the plaintext(s), one can then directly use the logarithmic-space proofsof Bootle et al. (Eurocrypt 2016) and Bunz et al. (IEEE S&P 2018) for proving arbitrary relations ofdiscrete log commitment.Our technique is not restricted to FHE ciphertexts and can be applied to proving many other relationsthat arise in lattice-based cryptography. For example, we can create very ecient veri able encryption/ decryption schemes with short proofs in which con dentiality is based on the hardness of Ring-LWEwhile the soundness is based on the discrete logarithm problem. While such proofs are not fully post-quantum, they are adequate in scenarios where secrecy needs to be future-proofed, but one only needsto be convinced of the validity of the proof in the pre-quantum era. We furthermore show that ourzero-knowledge protocol can be easily modi ed to have the property that breaking soundness impliessolving discrete log in a short amount of time. Since building quantum computers capable of solvingdiscrete logarithm in seconds requires overcoming many more fundamental challenges, such proofs mayeven remain valid in the post-quantum era.


NTTRU: Truly Fast NTRU Using NTT, Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: We present NTTRU – an IND-CCA2 secure NTRU-based key encapsulationscheme that uses the number theoretic transform (NTT) over the cyclotomic ringZ7681[X]/(X768−X384+1)and produces public keys and ciphertexts of approximately1.25KB at the128-bit security level. The number of cycles on a Skylake CPU of ourconstant-time AVX2 implementation of the scheme for key generation, encapsulationand decapsulation is approximately6.4K,6.1K, and7.9K, which is more than 30X,5X, and 8X faster than these respective procedures in the NTRU schemes that weresubmitted to the NIST post-quantum standardization process. These running timesare also, by a large margin, smaller than those for all the other schemes in the NISTprocess. We also give a simple transformation that allows one to provably deal withsmall decryption errors in OW-CPA encryption schemes (such as NTRU) when usingthem to construct an IND-CCA2 key encapsulation.


Floppy-Sized Group Signatures from Lattices, Boschini Cecilia; Camenisch Jan; Neven Gregory

expand[ More ]


Abstract: We present the rst lattice-based group signature schemewhose cryptographic artifacts are of size small enough to be usable inpractice: for a group of 225users, signatures take 910 kB and public keysare 501 kB. Our scheme builds upon two recently proposed lattice-basedprimitives: the veri able encryption scheme by Lyubashevsky and Neven(Eurocrypt 2017) and the signature scheme by Boschini, Camenisch, andNeven (IACR ePrint 2017). To achieve such short signatures and keys,we rst re-de ne veri able encryption to allow one to encrypt a func-tion of the witness, rather than the full witness. This de nition enablesmore ecient realizations of veri able encryption and is of independentinterest. Second, to minimize the size of the signatures and public keysof our group signature scheme, we revisit the proof of knowledge of asignature and the proofs in the veri able encryption scheme provided inthe respective papers.


[Preprint] Transforming malicious code to ROP gadgets for antivirus evasion, Ntantogian Christoforos; Poulios Georgios; Karopoulos Georgios; Xenakis Christos (UPRC)

expand[ More ]


Abstract: The downside of current polymorphism techniques lies to the fact that they require a writeable code section, either marked as such in the corresponding Portable Executable (PE) section header, or by changing permissions during runtime. Both approaches are identified by AV software as alarming characteristics and/or behavior, since they are rarely found in benign PEs unless they are packed. In this paper we propose the use of Return-Oriented Programming (ROP) as a new way to achieve polymorphism and evade AV software. To this end, we have developed a tool named ROPInjector which, given any piece of shellcode and any non-packed Portable Executable (PE) file, it transforms the shellcode to its ROP equivalent and patches it into (i.e. infects) the PE file. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service. The main outcome of this research is the developed algorithms for: a) analysis and manipulation of assembly code on the x86 instruction set, and b) the automatic chaining of gadgets by ROPInjector to form safe, and functional ROP code that is equivalent to a given shellcode.


[Preprint] A Survey of Voice and Communication Protection Solutions Against Wiretapping, Ntantogian Christoforos; Veroni Eleni; Karopoulos Georgios; Xenakis Christos (UPRC)

expand[ More ]


Abstract: This paper categorizes, presents and evaluates a set of schemes and solutions that provide end-to-end encryption for voice communications. First, we analyze the research works that propose new schemes that enable the transfer of encrypted speech over the voice channel of the 2nd generation mobile network. Next, we analyze a set of popular widespread software applications that use Voice over IP technology to provide secure communications, and finally, we investigate commercial solutions, which are hardware-based and offer voice encryption for both 2nd generation and Voice over IP communications. After the presentation of the existing solutions, we evaluate them based on the following criteria: i) security level provided, ii) possible performance issues and iii) usability. We conclude this work by providing future research directions. To the best of our knowledge, this is the first paper that categorizes and provides a comprehensive evaluation of end-to-end voice encryption schemes for mobile networks.


HyPoRes: An Hybrid Representation System for ECC, Paulo Martins and Leonel Sousa (INESC-ID), Jérémy Marrez and Jean-Claude Bajard (Sorbonne Université)

expand[ More ]


Abstract: The Residue Number System (RNS) is a numeral representation enabling for more efficient addition and multiplication implementations. However, due its non-positional nature, modular reductions, required for example by Elliptic Curve (EC) Cryptography (ECC), become costlier. Traditional approaches to RNS modular reduction resort to the Montgomery algorithm, underpinned by large basis extensions. Recently, Hybrid-Positional Residue Number Systems (HPRs) have been proposed, providing a trade-off between the efficiency of RNS and the flexibility of positional number representations. Numbers are represented in a positional representation with the coefficients represented in RNS. By crafting primes of a special form, the complexity of reductions modulo those primes is mitigated, relying on extensions of smaller bases. Due to the need of crafting special primes, this approach is not directly extensible to group operations over currently standardised elliptic curves. In this paper, the Hybrid-Polynomial Residue Number System (HyPoRes) is proposed, enabling for improved modular reductions for any prime. Experimental results show that the modular reduction of HyPoRes, although at most 1.4 times slower than HPR for HPR-crafted primes, is up to 1.4 times faster than a generic RNS approach for primes of ECC standards.


[Preprint] Evaluation of Password Hashing Schemes in Open Source Web Platforms, Ntantogian Christoforos; Maliaros Stefanos; Xenakis Christos (UPRC)


expand[ More ]


Abstract: Nowadays, the majority of web platforms in the Internet originate either from CMS to easily deploy websites or by web applications frameworks that allow developers to design and implement web applications. Considering the fact that CMS are intended to be plug and play solutions and their main aim is to allow even non-developers to deploy websites, we argue that the default hashing schemes rarely are modified. Also, recent studies suggest that even developers do not use appropriate hash functions to protect passwords, since they may not have adequate security expertise. Therefore, the default settings of CMS and web applications frameworks play an important role in the security of password storage. This paper evaluates the default hashing schemes of popular CMS and web application frameworks. First, we formulate the cost time of password guessing attacks and next we investigate the default hashing schemes of popular CMS and web applications frameworks. We then apply our framework to perform a comparative analysis of the cost time of password guessing attacks between the various CMS and web application frameworks. Finally, considering that intensive hash functions consume computational resources, we analyze hashing schemes from a different perspective. That is, we investigate if it is feasible and under what conditions to perform slow rate denial of service attacks from concurrent login attempts. Through our study we have derived a set of critical observations. We have discovered that many CMS and web application frameworks use outdated hash functions, arbitrary number of hash iterations, while there is a lack of password policies and salt. Notably, the popular WordPress still uses MD5 with low number of hash iterations. Overall, we believe that the security status of the hashing schemes of CMS and web application frameworks calls for changes to the default settings from an opt-in to an opt-out security policy. More security audits and official library implementations are also required to accelerate the adoption of memory hard functions both by policy makers and the industry..


L-DAA: Lattice-Based Direct Anonymous Attestation, Nada El Kassem and Liqun Chen (Surrey), Jan Camenisch (IBM), Rachid El Bansarkhani (TU Darmstadt), Ali El Kaafarani and Patrick Hough (Oxford), Paulo Martins and Leonel Sousa (INESC_ID)

expand[ More ]


Abstract: The Cloud-Edges (CE) framework, wherein small groups of Internet of Things (IoT) devices are serviced by local edge devices, enables a more scalable solution to IoT networks. The trustworthiness of the network may be ensured with Trusted Platform Modules (TPMs). This small hardware chip is capable of measuring and reporting a representation of the state of an IoT device. When connecting to a network, the IoT platform might have its state signed by the TPM in an anonymous way to prove both its genuineness and secure state through the Direct Anonymous Attestation (DAA) protocol. Currently standardised DAA schemes have their security supported on the factoring and discrete logarithm problems. Should a quantum-computer become available in the next few decades, these schemes will be broken. There is therefore a need to start developing a post-quantum DAA protocol. This paper presents a Lattice-based DAA (LDAA) scheme to meet this requirement. The security of this scheme is proved in the Universally Composable (UC) security model under the hardness assumptions of the Ring Inhomogeneous Short Integer Solution (Ring-ISIS) and Ring Learning With Errors (Ring-LWE) problems. Compared to the only other post-quantum DAA scheme available in related art, the storage requirements of the TPM are reduced twofold and the signature sizes 5 times. Moreover, experimental results show that the signing and verification operations are accelerated 1.1 and 2.0 times, respectively.


2018:

Implementing RLWE-based Schemes Using an RSA Co-Processor, Martin R. Albrecht, Christian Hanser, Andrea Hoeller, Thomas Pöppelmann, Fernando Virdia and Andreas Wallner

expand[ More ]


Abstract: We repurpose existing RSA/ECC co-processors for (ideal) lattice-based cryptography by exploiting the availability of fast long integer multiplication. Such co-processors are deployed in smart cards in passports and identity cards, secured microcontrollers and hardware security modules (HSM). In particular, we demonstrate an implementation of a variant of the Module-LWE-based Kyber Key Encapsulation Mechanism (KEM) that is tailored for optimal performance on a commercially available smart card chip (SLE 78). To benefit from the RSA/ECC co-processor we use Kronecker substitution in combination with schoolbook and Karatsuba polynomial multiplication. Moreover, we speed-up symmetric operations in our Kyber variant using the AES co-processor to implement a PRNG and a SHA-256 co-processor to realise hash functions. This allows us to execute CCA-secure Kyber768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms.