Elizabeth A. Quaglia

Anonymous broadcast encryption: adaptive security and efficient constructions in the standard model

In this paper we consider anonymity in the context of Broadcast Encryption (BE). This issue has received very little attention so far and all but one of the currently available BE schemes fail to provide anonymity. Yet, we argue that it is intrinsically desirable to provide anonymity in standard applications of BE and that it can be achieved at a moderate cost. We provide a security definition for Anonymous Broadcast Encryption (ANOBE) and show that it is achievable assuming only the existence of IND-CCA secure public key encryption (PKE). Focusing on reducing the size of ciphertexts, we then give two generic constructions for ANOBE. The first is from any anonymous (key-private) IND-CCA secure PKE scheme, and the second is from any IBE scheme that satisfies a weak security notion in the multi-TA setting. Furthermore, we show how randomness re-use techniques can be deployed in the ANOBE context to reduce computational and communication costs, and how a new cryptographic primitive --- anonymous hint systems --- can be used to speed up the decryption process in our ANOBE constructions. All of our results are in the standard model, achieving fully collusion-resistant ANOBE schemes secure against adaptive IND-CCA adversaries.

Time-specific encryption

This paper introduces and explores the new concept of Time-Specific Encryption (TSE). In (Plain) TSE, a Time Server broadcasts a key at the beginning of each time unit, a Time Instant Key (TIK). The sender of a message can specify any time interval during the encryption process; the receiver can decrypt to recover the message only if it has a TIK that corresponds to a time in that interval. We extend Plain TSE to the public-key and identity-based settings, where receivers are additionally equipped with private keys and either public keys or identities, and where decryption now requires the use of the private key as well as an appropriate TIK. We introduce security models for the plain, public-key and identity-based settings. We also provide constructions for schemes in the different settings, showing how to obtain Plain TSE using identity-based techniques, how to combine Plain TSE with public-key and identity-based encryption schemes, and how to build schemes that are chosen-ciphertext secure from schemes that are chosen-plaintext secure. Finally, we suggest applications for our new primitive, and discuss its relationships with existing primitives, such as Timed-Release Encryption and Broadcast Encryption.

Robust Encryption, Revisited

We revisit the notions of robustness introduced by Abdalla, Bellare, and Neven (TCC 2010). One of the main motivations for the introduction of strong robustness for public-key encryption (PKE) by Abdalla et al. is to prevent certain types of attack on Sako’s auction protocol. We show, perhaps surprisingly, that Sako’s protocol is still vulnerable to attacks exploiting robustness problems in the underlying PKE scheme, even when it is instantiated with a strongly robust scheme. This demonstrates that current notions of robustness are insufficient even for one of its most natural applications. To address this and other limitations in existing notions, we introduce a series of new robustness notions for PKE and explore their relationships. In particular, we introduce complete robustness, our strongest new notion of robustness, and give a number of constructions for completely robust PKE schemes.

Signal-flow-based analysis of wireless security protocols

Abstract Security protocols operating over wireless channels can incur significant communication costs (e.g., energy, delay), especially under adversarial attacks unique to the wireless environment such as signal jamming, fake signal transmission, etc. Since wireless devices are resource constrained, it is important to optimize security protocols for wireless environments by taking into account their communication costs. Towards this goal, we first present a novel application of a signal-flow-based approach to analyze the communication costs of security protocols in the presence of adversaries. Our approach models a protocol run as a dynamic probabilistic system and then utilizes Linear System theory to evaluate the moment generating function of the end-to-end cost. Applying this technique to the problem of secret key exchange over a wireless channel, we quantify the efficiency of existing families of key exchange cryptographic protocols, showing, for example, that an ID-based approach can offer an almost 10-fold improvement in energy consumption when compared to a traditional PKI-based protocol. We then present a new key exchange protocol that combines traditional cryptographic methods with physical-layer techniques, including the use of “ephemeral” spreading codes, cooperative jamming, and role-switching. Utilizing signal flow analysis, we demonstrate that this new protocol offers performance advantages over traditional designs.

Secret, verifiable auctions from elections

Abstract Auctions and elections are seemingly disjoint. Nevertheless, similar cryptographic primitives are used in both domains. For instance, mixnets, homomorphic encryption and trapdoor bit-commitments have been used by state-of-the-art schemes in both domains. These developments have appeared independently. For example, the adoption of mixnets in elections preceded a similar adoption in auctions by over two decades. In this paper, we demonstrate a relation between auctions and elections: we present a generic construction for auctions from election schemes. Moreover, we show that the construction guarantees secrecy and verifiability, assuming the underlying election scheme satisfies analogous security properties. We demonstrate the applicability of our work by deriving auction schemes from the Helios family of election schemes. Our results advance the unification of auctions and elections, thereby facilitating the progression of both domains.

CryptoCache: Network caching with confidentiality

End-to-end encryption seemingly signifies the death of caching, because current methods ensure that no two sessions are alike. In this paper, we show that servers can reuse encrypted content between sessions, thereby rejuvenating caching. The main idea of our technique is to allow interim nodes to cache content based on pseudo-identifiers instead of real file identities. This enables caching of reusable pseudo-identifiers, whilst maintaining content confidentiality, i.e., ensuring that only the client and the server know the actual identity of the requested file. Furthermore, we provide an extension that prevents client linkability, i.e., ensuring it is impossible to tell if two clients are viewing the same content. Finally, we formally analyse the balance between security and the hit probability performance of the cache.

Hawk and Aucitas: e-Auction Schemes from the Helios and Civitas e-Voting Schemes

The cryptographic foundations of e-auction and e-voting schemes are similar, for instance, seminal works in both domains have applied mixnets, homomorphic encryption, and trapdoor bit-commitments. However, these developments have appeared independently and the two research communities are disjoint. In this paper, we demonstrate a relation between e-auction and e-voting: we present Hawk and Aucitas, two e-auction schemes derived from the Helios and Civitas e-voting schemes. Our results make progress towards the unification of the e-auction and e-voting domains.

Authentication with Weaker Trust Assumptions for Voting Systems.

Some voting systems are reliant on external authentication services. Others use cryptography to implement their own. We combine digital signatures and non-interactive proofs to derive a generic construction for voting systems with their own authentication mechanisms, from systems that rely on external authentication services. We prove that our construction produces systems satisfying ballot secrecy and election verifiability, assuming the underlying voting system does. Moreover, we observe that works based on similar ideas provide neither ballot secrecy nor election verifiability. Finally, we demonstrate applicability of our results by applying our construction to the Helios voting system.

Conquering Generals: an NP-Hard Proof of Useful Work

Proof of Work systems are used in cryptocurrencies to obtain consensus in distributed peer-to-peer systems that share no trust. Miners of cryptocurrency compete by engaging in the Proof of Work to solve a cryptographic challenge. The first to successfully provide a solution to the challenge wins by minting new currency. The process of mining also simultaneously prevents double-spending through the creation of an append-only distributed database known as the blockchain. The most widely adopted Proof of Work is the Hashcash scheme and the most widely deployed miners are ASIC-based. Despite the popularity of Hashcash, two issues are commonly identified its use. Firstly, the high energy consumption of the scheme is perceived as wasteful because the solutions found provide no useful output, and secondly, the computational complexity class of the scheme is not formally known. Based on these deficiencies, we propose a novel Proof of Work system which achieves the following goals: - to provide a fiscally incentivized platform for algorithm research that aims to optimize an NP-Hard computational problem. This provides indirect insight into the P Versus NP Clay Institute Millennium problem, thus providing useful output. - to construct a challenge within a known hard computational complexity class. - to ensure the Proof of Work created is inclusive of ASIC hardware. Our proposal is a hybrid Proof of Work system that initially uses the Hashcash scheme and which subsequently constructs an instance of the NP-Hard Travelling Salesman Problem. We build on the ambitions of others to develop Proofs of Useful Work. We differentiate our paper from related work as the first to consider the current capital investment into ASIC hardware, thus including them in our proposal.

Increasing the Security of Wireless Communication through Relaying and Interference Generation

The exchange of confidential messages is an inherent problem in wireless communication due to the broadcast nature of the radio channel. In this paper, we enhance standard cryptography with information-theoretic techniques by exploiting relays to increase the confidentiality of wireless communication in the presence of one or more eavesdroppers with low-noise receivers. To achieve this, we present a protocol which makes use of relays in two ways. First, the relays re-transmit disjoint encrypted chunks of a message. Second, the relays utilize cooperative jamming techniques to generate pseudo-random signals in order to increase the interference level in the propagation domain. Chunks and interference levels are allocated over relays in such a way that the message can only be decoded within a critical area around the intended receiver. Our simulation results show that this area can be minimized under realistic assumptions on propagation environment and channel knowledge.