2020:

Authenticated Key Distribution: When the Coupon Collector is Your Enemy, Beunardeau, M.; Orche, F.; Maimuţ, D.; Naccache, D.; Rønne, P.; Ryan, P.

expand[ More ]


Abstract:We introduce new authenticated key exchange protocols which on the one hand do not resort to standard public key setups with corresponding assumptions of computationally hard problems, but on the other hand, are more efficient than distributing symmetric keys among the participants. To this end, we rely on a trusted central authority distributing key material whose size is independent of the total number of users, and which allows the users to obtain shared secret keys. We analyze the security of our construction, taking into account various attack models. Importantly, only symmetric primitives are needed in the protocol making it an alternative to quantum-safe key exchange protocols which rely on hardness assumptions.


A Lightweight Implementation of NTRU Prime for the Post-Quantum Internet of Things, Cheng, H.; Dinu, D.; Großschädl, P.; Rønne, P.; Ryan, P.

expand[ More ]


Abstract:The dawning era of quantum computing has initiated various initiatives for the standardization of post-quantum cryptosystems with the goal of (eventually) replacing RSA and ECC. NTRU Prime is a variant of the classical NTRU cryptosystem that comes with a couple of tweaks to minimize the attack surface; most notably, it avoids rings with “worrisome” structure. This paper presents, to our knowledge, the first assembler-optimized implementation of Streamlined NTRU Prime for an 8-bit AVR microcontroller and shows that high-security latticebased cryptography is feasible for small IoT devices. An encapsulation operation using parameters for 128-bit post-quantum security requires 8.2 million clock cycles when executed on an 8-bit ATmega1284 microcontroller. The decapsulation is approximately twice as costly and has an execution time of 15.6 million cycles. We achieved this performance through (i) new low-level software optimization techniques to accelerate Karatsuba-based polynomial multiplication on the 8-bit AVR platform and (ii) an efficient implementation of the coefficient modular reduction written in assembly language. The execution time of encapsulation and decapsulation is independent of secret data, which makes our software resistant against timing attacks. Finally, we assess the performance one could theoretically gain by using a so-called product-form polynomial as part of the secret key and discuss potential security implications.


Risk-Limiting Tallies, Jamroga, W.; Roenne, P.; Ryan, P.; Stark, P.

expand[ More ]


Abstract:Many voter-verifiable, coercion-resistant schemes have been proposed, but even the most carefully designed systems necessarily leak information via the announced result. In corner cases, this may be problematic. For example, if all the votes go to one candidate then all vote privacy evaporates. The mere possibility of candidates getting no or few votes could have implications for security in practice: if a coercer demands that a voter cast a vote for such an unpopular candidate, then the voter may feel obliged to obey, even if she is confident that the voting system satisfies the standard coercion resistance definitions. With complex ballots, there may also be a danger of “Italian” style (aka “signature”) attacks: the coercer demands the voter cast a ballot with a specific, identifying pattern. Here we propose an approach to tallying end-to-end verifiable schemes that avoids revealing all the votes but still achieves whatever confidence level in the announced result is desired. Now a coerced voter can claim that the required vote must be amongst those that remained shrouded. Our approach is based on the well-established notion of Risk-Limiting Audits, but here applied to the tally rather than to the audit. We show that this approach counters coercion threats arising in extreme tallies and “Italian” attacks. We illustrate our approach by applying it to the Selene scheme, and we extend the approach to Risk-Limiting Verification, where not all vote trackers are revealed, thereby enhancing the coercion mitigation properties of Selene.


The Role of Non-Positional Arithmetic on Efficient Emerging Cryptographic Algorithms, Martins, Paulo; Sousa, Leonel

expand[ More ]


Abstract:Number representation systems establish ways in which numbers are mapped to computer architectures, and how operations over the numbers are translated into computer instructions. The efficiency of public-key cryptography is strongly affected by the used number representations, as these systems are constructed from mathematically inspired problems to ensure security, and thus rely on operations over large integers. In this paper, unconventional representations systems, including the Residue Number System (RNS) and stochastic number representations, are systematically reviewed. Homomorphic representations, which allow for parties to operate on data without having access to their plaintext representation, are also considered. The main goal of this survey is to introduce the reader to key aspects of non-traditional number representations that may be exploited for public-key cryptography, without delving too much into the details. Examples of the methods and algorithms herein surveyed include subquadratic modular multiplication for isogeny-based cryptography, the acceleration of Goldreich-Goldwasser-Halevi (GGH) decryption by an order of magnitude, the improvement of the Direct Anonymous Attestation (DAA) protocol both in terms of storage requirements and the time taken to execute it, and efficient algorithm-hiding Fully Homomorphic Encryption (FHE). The implementation of this type of systems in both sequential and parallel platforms is analysed, and their performance is compared with traditional approaches. We hope this work sows the seed of further research on the application of non-positional number arithmetic to other cryptographic use-cases.


Efficient and Secured Implementation of PostQuantum Cryptography, Pöppelmann, T.

expand[ More ]


Abstract:Due to their computing power, quantum computers may have the disruptive potential to break various currently used encryption and authentication algorithms within the next 15 to 20 years. Once available, quantum computers would threaten currently used asymmetric algorithms such as RSA and elliptic curve cryptography (ECC). An approach that aims to replace RSA and ECC in next generation security protocols is post-quantum cryptography (PQC). In this work, we show the challenges of implementing PQC on embedded devices and smart cards. One important aspect is the protection of schemes against attacks like power analysis and fault injection and research on this topic is still at a very early stage. Moreover, we describe how existing cryptographic hardware on smart cards or embedded microcontrollers can be used to accelerate post-quantum cryptography.


Plundervolt: Software-based Fault Injection Attacks against Intel SGX, Murdock, K.; Oswald, D.; Garcia, F.; Bulck, J.; Gruss, D.; Piessens, F.

expand[ More ]


Abstract:Dynamic frequency and voltage scaling features have been introduced to manage ever-growing heat and power consumption in modern processors. Design restrictions ensure frequency and voltage are adjusted as a pair, based on the current load, because for each frequency there is only a certain voltage range where the processor can operate correctly. For this purpose, many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. In this paper, we demonstrate that these privileged interfaces can be reliably exploited to undermine the system’s security. We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt. In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code. We finally discuss why mitigating Plundervolt is not trivial, requiring trusted computing base recovery through microcode updates or hardware changes.


Substitution Attacks against Message Authentication, Armour, M.; Poettering, B.

expand[ More ]


Abstract:This work introduces Algorithm Substitution Attacks (ASAs) on message authentication schemes. In light of revelations concerning mass surveillance, ASAs were initially introduced by Bellare, Paterson and Rogaway as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. While most prior work focused on subverting encryption systems, we study options to subvert symmetric message authentication protocols. In particular we provide powerful generic attacks that apply e.g. to HMAC or Carter–Wegman based schemes, inducing only a negligible implementation overhead. As subverted authentication can act as an enabler for subverted encryption (software updates can be manipulated to include replacements of encryption routines), we consider attacks of the new class highly impactful and dangerous.


Subverting Decryption in AEAD, Armour, M.; Poettering, B.

expand[ More ]


Abstract:This work introduces a new class of Algorithm Substitution Attack (ASA) on Symmetric Encryption Schemes. ASAs were introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance. An ASA replaces an encryption scheme with a subverted version that aims to reveal information to an adversary engaged in mass surveillance, while remaining undetected by users. Previous work posited that a particular class of AEAD scheme (satisfying certain correctness and uniqueness properties) is resilient against subversion. Many if not all real-world constructions – such as GCM, CCM and OCB – are members of this class. Our results stand in opposition to those prior results. We present a potent ASA that generically applies to any AEAD scheme, is undetectable in all previous frameworks and which achieves successful exfiltration of user keys. We give even more efficient non-generic attacks against a selection of AEAD implementations that are most used in practice. In contrast to prior work, our new class of attack targets the decryption algorithm rather than encryption. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.


[Preprint] ObjectMap: Detecting Insecure Object Deserialization, Koutroumpouchos Nikolaos; Lavdanis Georgios; Veroni Eleni; Ntantogian Christoforos; Xenakis Christos

expand[ More ]


Abstract:In recent years there is a surge of serialization-based vulnerabilities in web applications which have led to serious incidents, exposing private data of millions of individuals. Although there have been some efforts in addressing this problem, there is still no unified solution that is able to detect implementation-agnostic vulnerabilities. We aim to fill this gap by proposing ObjectMap, an extendable tool for the detection of deserialization and object injection vulnerabilities in Java and PHP based web applications. Furthermore, we also introduce the first deserialization test environment which can be used to test deserialization vulnerability detection tools and for educational purposes. Both of these tools are easily extendable and the first to implement this combination of features to the best of our knowledge and they bring together a synthesis of cross-complementing functionalities that are able to ignite further research in the field and help in the development of more feature-rich solutions.


A Game of "Cut and Mouse": Bypassing Antivirus by Simulating User Inputs, Genç, Z.; Lenzini, G.; Sgandurra, D.

expand[ More ]


Abstract:To protect their digital assets from malware attacks, most users and companies rely on anti-virus (AV) software. But AVs’ protection is a full-time task and AVs are engaged in a cat-and-mouse game where malware, e.g., through obfuscation and polymorphism, denial of service attacks and malformed packets and parameters, try to circumvent AV defences or make them crash. On the other hand, AVs react by complementing signature-based with anomaly or behavioral detection, and by using OS protection, standard code, and binary protection techniques. Further, malware counter-act, for instance by using adversarial inputs to avoid detection, et cetera. This paper investigates two novel moves for the malware side. The first one consists in simulating mouse events to control AVs, namely to send them mouse “clicks” to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists in controlling high-integrity white-listed applications, such as Notepad, by sending them keyboard events (such as “copy-and-paste”) to perform malicious operations on behalf of the malware. We prove that the anti-ransomware protection feature of some AVs can be bypassed if we use Notepad as a "puppet" to rewrite the content of protected files as a ransomware would do. Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks Cut-and-Mouse.


Machine-Checked Proofs for Cryptographic Standards, Almeida, J.; Baritel-Ruet, C.; Barbosa, M.; Barthe, G.; Dupressoir, F.; Grégoire, B.; Laporte, V.; Stoughton; A.; Strub, P.

expand[ More ]


Abstract:We present a high-assurance and high-speed implementation of the SHA-3 hash function. Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing attack resistance in the EasyCrypt proof assistant. Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive. Concretely, our mechanized proofs show that: 1) the SHA-3 hash function is indifferentiable from a random oracle, and thus is resistant against collision, first and second preimage attacks; 2) the SHA-3 hash function is correctly implemented by a vectorized x86 implementation. Furthermore, the implementation is provably protected against timing attacks in an idealized model of timing leaks. The proofs include new EasyCrypt libraries of independent interest for programmable random oracles and modular indifferentiability proofs.


A Lightweight Implementation of NTRUEncrypt for 8-bit AVR Microcontrollers, Cheng, H.; Großschädl, J.; Rønne, P.; Ryan, P.

expand[ More ]


Abstract:Introduced in 1996, NTRUEncrypt is not only one of the earliest but also one of the most scrutinized lattice-based cryptosystems and a serious contender in NIST’s ongoing Post-Quantum Cryptography (PQC) standardization project. An important criterion for the assessment of candidates is their computational cost in various hardware and software environments. This paper contributes to the evaluation of NTRUEncrypt on the ATmega class of AVR microcontrollers, which belongs to the most popular 8-bit platforms in the embedded domain. More concretely, we present AvrNtru, a carefully-optimized implementation of NTRUEncrypt that we developed from scratch with the goal of achieving high performance and resistance to timing attacks. AvrNtru complies with version 3.3 of the EESS#1 specification and supports recent product-form parameter sets like ees443ep1, ees587ep1, and ees743ep1. A full encryption operation (including mask generation and blindingpolynomial generation) using the ees443ep1 parameters takes 834,272 clock cycles on an ATmega1281 microcontroller; the decryption is slightly more costly and has an execution time of 1,061,683 cycles. When choosing the ees743ep1 parameters to achieve a 256-bit security level, 1,539,829 clock cycles are cost for encryption and 2,103,228 clock cycles for decryption. We achieved these results thanks to a novel hybrid technique for multiplication in truncated polynomial rings where one of the operands is a sparse ternary polynomial in product form. Our hybrid technique is inspired by Gura et al’s hybrid method for multiple-precision integer multiplication (CHES 2004) and takes advantage of the large register file of the AVR architecture to minimize the number of load instructions. A constant-time multiplication in the ring specified by the ees443ep1 parameters requires only 210,827 cycles, which sets a new speed record for the arithmetic component of a lattice-based cryptosystem on an 8-bit microcontroller.


2019:

Secure Edge Computing with Lightweight Control-Flow Property-based Attestation, Nikos Koutroumpouchos; Christoforos Ntantogian; Sofia-Anna Menesidou; Kaitai Liang; Panagiotis Gouvas; Christos Xenakis; Thanassis Giannetsos

expand[ More ]


Abstract:The Internet of Things (IoT) is rapidly evolving, while introducing several new challenges regarding security, resilience and operational assurance. In the face of an increasing attack landscape, it is necessary to cater for the provision of efficient mechanisms to collectively verify software- and device-integrity in order to detect run-time modifications. Towards this direction, remote attestation has been proposed as a promising defense mechanism. It allows a third party, the verifier, to ensure the integrity of a remote device, the prover. However, this family of solutions do not capture the real-time requirements of industrial IoT applications and suffer from scalability and efficiency issues. In this paper, we present a lightweight dynamic control-flow property-based attestation architecture (CFPA) that can be applied on both resource-constrained edge and cloud devices and services. It is a first step towards a new line of security mechanisms that enables the provision of control-flow attestation of only those specific, critical software components that are comparatively small, simple and limited in function, thus, allowing for a much more efficient verification. Our goal is to enhance run-time software integrity and trustworthiness with a scalable and decentralized solution eliminating the need for federated infrastructure trust. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that security do not hinder the deployment of intelligent edge computing systems.


Securing V2X Communications for the Future - Can PKI Systems offer the answer?, Giannetsos, Thanassis; Krontiris, Ioannis

expand[ More ]


Abstract:Over recent years, emphasis in secure V2X communications research has converged on the use of Vehicular Public Key Infrastructures (VPKIs) for credential management and privacy-friendly authentication services. However, despite the security and privacy guarantees offered by such solutions, there are still a number of challenges to be conquered. By reflecting on state-of-the-art PKI-based architectures, in this paper, we identify their limitations focusing on scalability, interoperability, pseudonym reusage policies and revocation mechanisms. We argue that in their current form such mechanisms cannot capture the strict security, privacy, and trust requirements of all involved stakeholders. Motivated by these weaknesses, we then proceed on proposing the use of trusted computing technologies as an enabler for more decentralized approaches where trust is shifted from the back-end infrastructure to the edge. We debate on the advantages offered and underline the specifis of such a novel approach based on the use of advanced cryptographic primitives, using Direct Anonymous Attestation (DAA) as a concrete example. Our goal is to enhance run-time security, privacy and trustworthiness of edge devices with a scalable and decentralized solution eliminating the need for federated infrastructure trust. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them.


On Deception-Based Protection Against Cryptographic Ransomware, Alper Genç, Ziya; Lenzini, Gabriele; Sgandurra, Daniele

expand[ More ]


Abstract: In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-ofconcept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.


Optimal TNFS-secure pairings on elliptic curves with composite embedding degree, Georgios Fotiadis), Chloe Martindale

expand[ More ]


Abstract: In this paper we present a comprehensive comparison between pairing-friendly elliptic curves, considering different curve forms and twists where possible. We define a measure of the efficiency of a parametrized pairing-friendly family that takes into account the number field sieve (NFS) attacks (unlike the ρ-value). This measure includes an approximation of the security of the discrete logarithm problem in F∗pk, computed via the method of Barbulescu and Duquesne [4]. We compute the security of the families presented by Fotiadis and Konstantinou in [13], compute some new families, and compare the efficiency of both of these with the (adjusted) BLS, KSS, and BN families, and with the new families of [19]. Finally, we present an optimal pairing-friendly elliptic curve for security level 128 and recommend two pairing-friendly elliptic curves for security level 192.


Certificateless public key signature schemes from standard algorithms, Zhaohui Chen, Liqun Chen

expand[ More ]


Abstract: Certificateless public key cryptography (CL-PKC) is designed to have succinct public key management without using certificates at the same time avoid the key-escrow attribute in the identity-based cryptography. Security mechanisms employing implicit certificates achieve same goals. In this work, we first unify the security notions of these two types of mechanisms with a modified CL-PKC formulation. We further present a general key-pair generation algorithm for CL-PKC schemes and use it to construct certificateless public key signature (CL-PKS) schemes from standard algorithms. The technique, which we apply, helps defeat known-attacks against existing constructions, and the resulting schemes could be quickly deployed based on the existing standard algorithm implementations.


A Symbolic Analysis of ECC-based Direct Anonymous Attestation, Whitefield Jorden, Chen Liqun, Sasse Ralf, Schneider Steve, Treharne Helen and Wesemeyer Stephan

expand[ More ]


Abstract: Direct Anonymous Attestation (DAA) is a crypto-graphic scheme that provides Trusted Platform Module (TPM)-backed anonymous credentials. We develop TAMARINmodellingof the ECC-based version of the protocol as it is standardisedand provide the first mechanised analysis of this standard. Ouranalysis confirms that the scheme is secure when all TPMs areassumed honest, but reveals a break in the protocol’s expectedauthentication and secrecy properties for all TPMs even if onlyone is compromised. We propose and formally verify a minimalfix to the standard. In addition to developing the first formalanalysis of ECC-DAA, the paper contributes to the growing bodyof work demonstrating the use of formal tools in supportingstandardisation processes for cryptographic protocols.Index Terms—Direct Anonymous Attestation, symbolic verifi-cation, TAMARINPROVER, authentication, secrecy


An HPR variant of the FV scheme, Computationally Cheaper, Asymptotically Faster; Jean-Claude Bajard, Julien Eynard, Paulo Martins, Leonel Sousa and Vincent Zucca

expand[ More ]


Abstract: State-of-the-art implementations of homomorphic encryption exploit the Fan and Vercauteren (FV) scheme and the Residue Number System (RNS). While the RNS breaks down large integer arithmetic into smaller independent channels, its non-positional nature makes operations such as division and rounding hard to implement, and makes the representation of small values inefficient. In this work, we propose the application of the Hybrid Position-Residues Number System representation to the FV scheme. This is a positional representation of large radix where the digits are represented in RNS. It inherits the benefits from RNS and allows to accelerate the critical division and rounding operations while also making the representation of smaller values more compact. This directly benefits the decryption and the homomorphic multiplication procedures, reducing their asymptotic complexity, in dimension n, from O(n2logn) to O(nlogn) and from O(n3logn) to O(n3), respectively. This has also resulted in noticeable speedups when experimentally compared to related art RNS implementations.


Can You Sign A Quantum State?, Gorjan Alagic, Tommaso Gagliardoni, and Christian Majenz

expand[ More ]


Abstract: Cryptography with quantum states exhibits a number of surprising and counterintuitive features. In a 2002 work, Barnum et al. argued informally that these strange features should imply that digital signatures for quantum states are impossible (Barnum et al., FOCS 2002). In this work, we perform the first rigorous study of the problem of signing quantum states. We first show that the intuition of Barnum et al. was correct, by proving an impossibility result which rules out even very weak forms of signing quantum states. Essentially, we show that any non-trivial combination of correctness and security requirements results in negligible security. This rules out all quantum signature schemes except those which simply measure the state and then sign the outcome using a classical scheme. In other words, only classical signature schemes exist. We then show a positive result: it is possible to sign quantum states, provided that they are also encrypted with the public key of the intended recipient. Following classical nomenclature, we call this notion quantum signcryption. Classically, signcryption is only interesting if it provides superior efficiency to simultaneous encryption and signing. Our results imply that, quantumly, it is far more interesting: by the laws of quantum mechanics, it is the only signing method available. We develop security definitions for quantum signcryption, ranging from a simple one-time two-user setting, to a chosen-ciphertext-secure many-time multi-user setting. We also give secure constructions based on post-quantum public-key primitives. Along the way, we show that a natural hybrid method of combining classical and quantum schemes can be used to "upgrade" a secure classical scheme to the fully-quantum setting, in a wide range of cryptographic settings including signcryption, authenticated encryption, and chosen-ciphertext security.


Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs, Bootle, Jonathan; Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: key component of many lattice-based protocols is a zero-knowledge proof of knowledge of a vector~swith small coecients sa-tisfyingA~s=~umodq. While there exist fairly ecient proofs for arelaxed version of this equation which prove the knowledge of~s0andcsatisfyingA~s0=~ucwherek~s0k  k~skandcis some small elementin the ring over which the proof is performed, the proofs for the exactversion of the equation are considerably less practical. The best suchproof technique is an adaptation of Stern's protocol (Crypto '93), forproving knowledge of nearby codewords, to larger moduli. The scheme isa-protocol, each of whose iterations has soundness error 2=3, and thusrequires over 200 repetitions to obtain soundness error of 2128, whichis the main culprit behind the large size of the proofs produced.In this paper, we propose the rst lattice-based proof system that signi- cantly outperforms Stern-type proofs for proving knowledge of a short~ssatisfyingA~s=~umodq. Unlike Stern's proof, which is combinatorialin nature, our proof is more algebraic and uses various relaxed zero-knowledge proofs as sub-routines. The main savings in our proof systemcomes from the fact that each round has soundness error of 1=n, wherenis the number of columns ofA. For typical applications,nis a fewthousand, and therefore our proof needs to be repeated around 10 timesto achieve a soundness error of 2128. For concrete parameters, it pro-duces proofs that are around an order of magnitude smaller than thoseproduced using Stern's approach.


Short Discrete Log Proofs for FHE and Ring-LWE Ciphertexts, del Pino, Rafael; Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: Applications of fully-homomorphic encryption (FHE) that involve computation on en-cryptions produced by several users, it is important that each user proves that her input is indeedwell-formed. This may simply mean that the inputs are valid FHE ciphertexts or, more generally, thatthe plaintextsmadditionally satisfyf(m) = 1 for some public functionf. The most ecient FHEschemes are based on the hardness of the Ring-LWE problem and so a natural solution would be to uselattice-based zero-knowledge proofs for proving properties about the ciphertext. Such methods, howe-ver, require larger-than-necessary parameters and result in rather long proofs, especially when provinggeneral relationships.In this paper, we show that one can get much shorter proofs (roughly 1:25KB) by rst creating aPedersen commitment from the vector corresponding to the randomness and plaintext of the FHEciphertext. To prove validity of the ciphertext, one can then prove that this commitment is indeed tothe message and randomness and these values are in the correct range. Our protocol utilizes a con-nection between polynomial operations in the lattice scheme and inner product proofs for Pedersencommitments of Bunz et al. (S&P 2018). Furthermore, our proof of equality between the ciphertextand the commitment is very amenable to amortization { proving the equivalence ofkciphertext /commitment pairs only requires an additive factor ofO(logk) extra space than for one such proof. Forproving additional properties of the plaintext(s), one can then directly use the logarithmic-space proofsof Bootle et al. (Eurocrypt 2016) and Bunz et al. (IEEE S&P 2018) for proving arbitrary relations ofdiscrete log commitment.Our technique is not restricted to FHE ciphertexts and can be applied to proving many other relationsthat arise in lattice-based cryptography. For example, we can create very ecient veri able encryption/ decryption schemes with short proofs in which con dentiality is based on the hardness of Ring-LWEwhile the soundness is based on the discrete logarithm problem. While such proofs are not fully post-quantum, they are adequate in scenarios where secrecy needs to be future-proofed, but one only needsto be convinced of the validity of the proof in the pre-quantum era. We furthermore show that ourzero-knowledge protocol can be easily modi ed to have the property that breaking soundness impliessolving discrete log in a short amount of time. Since building quantum computers capable of solvingdiscrete logarithm in seconds requires overcoming many more fundamental challenges, such proofs mayeven remain valid in the post-quantum era.


NTTRU: Truly Fast NTRU Using NTT, Lyubashevsky, Vadim; Seiler, Gregor

expand[ More ]


Abstract: We present NTTRU – an IND-CCA2 secure NTRU-based key encapsulationscheme that uses the number theoretic transform (NTT) over the cyclotomic ringZ7681[X]/(X768−X384+1)and produces public keys and ciphertexts of approximately1.25KB at the128-bit security level. The number of cycles on a Skylake CPU of ourconstant-time AVX2 implementation of the scheme for key generation, encapsulationand decapsulation is approximately6.4K,6.1K, and7.9K, which is more than 30X,5X, and 8X faster than these respective procedures in the NTRU schemes that weresubmitted to the NIST post-quantum standardization process. These running timesare also, by a large margin, smaller than those for all the other schemes in the NISTprocess. We also give a simple transformation that allows one to provably deal withsmall decryption errors in OW-CPA encryption schemes (such as NTRU) when usingthem to construct an IND-CCA2 key encapsulation.


Floppy-Sized Group Signatures from Lattices, Boschini Cecilia; Camenisch Jan; Neven Gregory

expand[ More ]


Abstract: We present the rst lattice-based group signature schemewhose cryptographic artifacts are of size small enough to be usable inpractice: for a group of 225users, signatures take 910 kB and public keysare 501 kB. Our scheme builds upon two recently proposed lattice-basedprimitives: the veri able encryption scheme by Lyubashevsky and Neven(Eurocrypt 2017) and the signature scheme by Boschini, Camenisch, andNeven (IACR ePrint 2017). To achieve such short signatures and keys,we rst re-de ne veri able encryption to allow one to encrypt a func-tion of the witness, rather than the full witness. This de nition enablesmore ecient realizations of veri able encryption and is of independentinterest. Second, to minimize the size of the signatures and public keysof our group signature scheme, we revisit the proof of knowledge of asignature and the proofs in the veri able encryption scheme provided inthe respective papers.


[Preprint] Transforming malicious code to ROP gadgets for antivirus evasion, Ntantogian Christoforos; Poulios Georgios; Karopoulos Georgios; Xenakis Christos (UPRC)

expand[ More ]


Abstract: The downside of current polymorphism techniques lies to the fact that they require a writeable code section, either marked as such in the corresponding Portable Executable (PE) section header, or by changing permissions during runtime. Both approaches are identified by AV software as alarming characteristics and/or behavior, since they are rarely found in benign PEs unless they are packed. In this paper we propose the use of Return-Oriented Programming (ROP) as a new way to achieve polymorphism and evade AV software. To this end, we have developed a tool named ROPInjector which, given any piece of shellcode and any non-packed Portable Executable (PE) file, it transforms the shellcode to its ROP equivalent and patches it into (i.e. infects) the PE file. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly and completely all antivirus software employed in the online VirusTotal service. The main outcome of this research is the developed algorithms for: a) analysis and manipulation of assembly code on the x86 instruction set, and b) the automatic chaining of gadgets by ROPInjector to form safe, and functional ROP code that is equivalent to a given shellcode.


[Preprint] A Survey of Voice and Communication Protection Solutions Against Wiretapping, Ntantogian Christoforos; Veroni Eleni; Karopoulos Georgios; Xenakis Christos (UPRC)

expand[ More ]


Abstract: This paper categorizes, presents and evaluates a set of schemes and solutions that provide end-to-end encryption for voice communications. First, we analyze the research works that propose new schemes that enable the transfer of encrypted speech over the voice channel of the 2nd generation mobile network. Next, we analyze a set of popular widespread software applications that use Voice over IP technology to provide secure communications, and finally, we investigate commercial solutions, which are hardware-based and offer voice encryption for both 2nd generation and Voice over IP communications. After the presentation of the existing solutions, we evaluate them based on the following criteria: i) security level provided, ii) possible performance issues and iii) usability. We conclude this work by providing future research directions. To the best of our knowledge, this is the first paper that categorizes and provides a comprehensive evaluation of end-to-end voice encryption schemes for mobile networks.


HyPoRes: An Hybrid Representation System for ECC, Paulo Martins and Leonel Sousa (INESC-ID), Jérémy Marrez and Jean-Claude Bajard (Sorbonne Université)

expand[ More ]


Abstract: The Residue Number System (RNS) is a numeral representation enabling for more efficient addition and multiplication implementations. However, due its non-positional nature, modular reductions, required for example by Elliptic Curve (EC) Cryptography (ECC), become costlier. Traditional approaches to RNS modular reduction resort to the Montgomery algorithm, underpinned by large basis extensions. Recently, Hybrid-Positional Residue Number Systems (HPRs) have been proposed, providing a trade-off between the efficiency of RNS and the flexibility of positional number representations. Numbers are represented in a positional representation with the coefficients represented in RNS. By crafting primes of a special form, the complexity of reductions modulo those primes is mitigated, relying on extensions of smaller bases. Due to the need of crafting special primes, this approach is not directly extensible to group operations over currently standardised elliptic curves. In this paper, the Hybrid-Polynomial Residue Number System (HyPoRes) is proposed, enabling for improved modular reductions for any prime. Experimental results show that the modular reduction of HyPoRes, although at most 1.4 times slower than HPR for HPR-crafted primes, is up to 1.4 times faster than a generic RNS approach for primes of ECC standards.


[Preprint] Evaluation of Password Hashing Schemes in Open Source Web Platforms, Ntantogian Christoforos; Maliaros Stefanos; Xenakis Christos (UPRC)


expand[ More ]


Abstract: Nowadays, the majority of web platforms in the Internet originate either from CMS to easily deploy websites or by web applications frameworks that allow developers to design and implement web applications. Considering the fact that CMS are intended to be plug and play solutions and their main aim is to allow even non-developers to deploy websites, we argue that the default hashing schemes rarely are modified. Also, recent studies suggest that even developers do not use appropriate hash functions to protect passwords, since they may not have adequate security expertise. Therefore, the default settings of CMS and web applications frameworks play an important role in the security of password storage. This paper evaluates the default hashing schemes of popular CMS and web application frameworks. First, we formulate the cost time of password guessing attacks and next we investigate the default hashing schemes of popular CMS and web applications frameworks. We then apply our framework to perform a comparative analysis of the cost time of password guessing attacks between the various CMS and web application frameworks. Finally, considering that intensive hash functions consume computational resources, we analyze hashing schemes from a different perspective. That is, we investigate if it is feasible and under what conditions to perform slow rate denial of service attacks from concurrent login attempts. Through our study we have derived a set of critical observations. We have discovered that many CMS and web application frameworks use outdated hash functions, arbitrary number of hash iterations, while there is a lack of password policies and salt. Notably, the popular WordPress still uses MD5 with low number of hash iterations. Overall, we believe that the security status of the hashing schemes of CMS and web application frameworks calls for changes to the default settings from an opt-in to an opt-out security policy. More security audits and official library implementations are also required to accelerate the adoption of memory hard functions both by policy makers and the industry..


L-DAA: Lattice-Based Direct Anonymous Attestation, Nada El Kassem and Liqun Chen (Surrey), Jan Camenisch (IBM), Rachid El Bansarkhani (TU Darmstadt), Ali El Kaafarani and Patrick Hough (Oxford), Paulo Martins and Leonel Sousa (INESC_ID)

expand[ More ]


Abstract: The Cloud-Edges (CE) framework, wherein small groups of Internet of Things (IoT) devices are serviced by local edge devices, enables a more scalable solution to IoT networks. The trustworthiness of the network may be ensured with Trusted Platform Modules (TPMs). This small hardware chip is capable of measuring and reporting a representation of the state of an IoT device. When connecting to a network, the IoT platform might have its state signed by the TPM in an anonymous way to prove both its genuineness and secure state through the Direct Anonymous Attestation (DAA) protocol. Currently standardised DAA schemes have their security supported on the factoring and discrete logarithm problems. Should a quantum-computer become available in the next few decades, these schemes will be broken. There is therefore a need to start developing a post-quantum DAA protocol. This paper presents a Lattice-based DAA (LDAA) scheme to meet this requirement. The security of this scheme is proved in the Universally Composable (UC) security model under the hardness assumptions of the Ring Inhomogeneous Short Integer Solution (Ring-ISIS) and Ring Learning With Errors (Ring-LWE) problems. Compared to the only other post-quantum DAA scheme available in related art, the storage requirements of the TPM are reduced twofold and the signature sizes 5 times. Moreover, experimental results show that the signing and verification operations are accelerated 1.1 and 2.0 times, respectively.


2018:

A Forensic Investigation of Android Mobile Applications, Theodoula-Ioanna Kitsaki; Anna Angelogianni; Christoforos Ntantogian; Christos Xenakis

expand[ More ]


Abstract:This paper performs a forensic investigation to a set of Android mobile applications aiming at discovering sensitive information related to the owner of the mobile device. These applications were chosen based on the fact that: i) they are very popular on Google Play Store, ii) they handle sensitive personal information, iii) they have not been researched by previous works and iv) they are free to download and install. The three chosen applications belong to the following categories: bank, mobile network carrier and public transport. The evaluation of the security of the applications was performed using two techniques: code and disk analysis, as followed in the literature. Based on our findings we derive the conclusion that these applications despite their criticality have failed to incorporate security techniques to protect user's sensitive data and a forensic analysis can reveal crucial and significant information from a forensics point of view.


Implementing RLWE-based Schemes Using an RSA Co-Processor, Martin R. Albrecht, Christian Hanser, Andrea Hoeller, Thomas Pöppelmann, Fernando Virdia and Andreas Wallner

expand[ More ]


Abstract: We repurpose existing RSA/ECC co-processors for (ideal) lattice-based cryptography by exploiting the availability of fast long integer multiplication. Such co-processors are deployed in smart cards in passports and identity cards, secured microcontrollers and hardware security modules (HSM). In particular, we demonstrate an implementation of a variant of the Module-LWE-based Kyber Key Encapsulation Mechanism (KEM) that is tailored for optimal performance on a commercially available smart card chip (SLE 78). To benefit from the RSA/ECC co-processor we use Kronecker substitution in combination with schoolbook and Karatsuba polynomial multiplication. Moreover, we speed-up symmetric operations in our Kyber variant using the AES co-processor to implement a PRNG and a SHA-256 co-processor to realise hash functions. This allows us to execute CCA-secure Kyber768 key generation in 79.6 ms, encapsulation in 102.4 ms and decapsulation in 132.7 ms.