Mark Manulis

Public Key Cryptography — PKC 2012

Gentry’s bootstrapping technique is currently the only known method of obtaining a “pure” fully homomorphic encryption (FHE) schemes, and it may offers performance advantages even in cases that do not require pure FHE (e.g., when using the noise-control technique of Brakerski-Gentry-Vaikuntanathan). The main bottleneck in bootstrapping is the need to evaluate homomorphically the reduction of one integer modulo another. This is typically done by emulating a binary modular reduction circuit, using bit operations on binary representation of integers. We present a simpler approach that bypasses the homomorphic modularreduction bottleneck to some extent, by working with a modulus very close to a power of two. Our method is easier to describe and implement than the generic binary circuit approach, and we expect it to be faster in practice (although we did not implement it yet). In some cases it also allows us to store the encryption of the secret key as a single ciphertext, thus reducing the size of the public key. We also show how to combine our new method with the SIMD homomorphic computation techniques of Smart-Vercauteren and Gentry-Halevi-Smart, to get a bootstrapping method that works in time quasi-linear in the security parameter. This last part requires extending the techniques from prior work to handle arithmetic not only over fields, but also over some rings. (Specifically, our method uses arithmetic modulo a power of two, rather than over characteristic-two fields.)

Redactable signatures for tree-structured data: definitions and constructions

Kundu and Bertino (VLDB 2008) recently introduced the idea of structural signatures for trees which support public redaction of subtrees (by third-party distributors) while pertaining the integrity of the remaining parts. An example is given by signed XML documents of which parts should be sanitized before being published by a distributor not holding the signing key. Kundu and Bertino also provide a construction, but fall short of providing formal security definitions and proofs. Here we revisit their work and give rigorous security models for the redactable signatures for tree-structured data, relate the notions, and give a construction that can be proven secure under standard cryptographic assumptions.

Universally Composable Security Analysis of TLS

We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the Diffie-Hellman and key transport suites in the uni-directional and bi-directional models of authentication, securely emulates secure communication sessions.

Property-Based Attestation without a Trusted Third Party

The Trusted Computing Group (TCG) has proposed the binary attestation mechanism that enables a computing platform with a dedicated security chip, the Trusted Platform Module (TPM), to report its state to remote parties. The concept of property-based attestation (PBA) improves the binary attestation and compensates for some of its main deficiencies. In particular, PBA enhances user privacy by allowing the trusted platform to prove to a remote entity that it has certain properties without revealing its own configuration. The existing PBA solutions, however, require a Trusted Third Party (TTP) to provide a reliable link of configurations to properties, e.g., by means of certificates. We present a new privacy-preserving PBA approach that avoids such a TTP. We define a formal model, propose an efficient protocol based on the ideas of ring signatures, and prove its security. The cryptographic technique deployed in our protocol is of independent interest, as it shows how ring signatures can be used to efficiently prove the knowledge of an element in a list without disclosing it.

Non-interactive and re-usable universally composable string commitments with adaptive security

We present the first provably secure constructions of universally composable (UC) commitments (in pairing-friendly groups) that simultaneously combine the key properties of being non-interactive, supporting commitments to strings (instead of bits only), and offering re-usability of the common reference string for multiple commitments. Our schemes are also adaptively secure assuming reliable erasures.

On security models and compilers for group key exchange protocols

Group key exchange (GKE) protocols can be used to guarantee confidentiality and authentication in group applications. The paradigm of provable security subsumes an abstract formalization (security model) that considers the protocol environment and identifies its security goals. The first security model for GKE protocols was proposed by Bresson, Chevassut, Pointcheval, and Quisquater in 2001, and has been subsequently applied in many security proofs. Their definitions of AKE-security (authenticated key exchange; a.k.a. indistinguishability of the key) and MA-security (mutual authentication) became meanwhile standard. In this paper we analyze the BCPQ model and some of its variants and identify several risks resulting from its technical core construction - the notion of partnering. Consequently, we propose a revised model extending AKE- and MA-security in order to capture attacks by malicious participants and strong corruptions. Then, we turn to generic solutions (known as compilers) for AKE- and MA-security in BCPQ-like models. We describe a compiler C-AMA which provides AKE- and MA-security for any GKE protocol, under standard cryptographic assumptions, that eliminates some identified limitations in existing compilers.

Malicious participants in group key exchange: key control and contributiveness in the shadow of trust

Group key exchange protocols allow their participants to compute a secret key which can be used to ensure security and privacy for various multiparty applications. The resulting group key should be computed through cooperation of all protocol participants such that none of them is trusted to have any advantage concerning the protocols output. This trust relationship states the main difference between group key exchange and group key transport protocols. Obviously, misbehaving participants in group key exchange protocols may try to influence the resulting group key, thereby disrupting this trust relationship, and also causing further security threats. This paper analyzes the currently known security models for group key exchange protocols with respect to this kind of attacks by malicious participants and proposes an extended model to remove the identified limitations. Additionally, it proposes an efficient and provably secure generic solution, a compiler, to guarantee these additional security goals for group keys exchanged in the presence of malicious participants.

Contributory group key agreement protocols, revisited for mobile ad-hoc groups

Security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory group key agreement (CGKA) protocols, originally designed for peer groups in localand wide-area wired networks, can also be used in ad-hoc scenarios because of the similar security requirements and trust relationship between participants that excludes any trusted central authority (e.g., a group manager) from the computation of the group key. We revise original protocols from the perspective of the mobile ad-hoc communication, classify mobile ad-hoc groups based on the performance of involved mobile devices, specify trust relationship between participants, propose further optimizations to original protocols to achieve better communication, computation and memory complexities

Tree-based group key agreement framework for mobile ad-hoc networks

Design of protocols for mobile ad-hoc networks (MANETs) is generally tricky compared to wired networks, because on the one hand the increased communication constraints given by the limited bandwidth and frequent network failures, and on the other hand the additional computation and memory constraints due to performance limitations of mobile devices must be considered. We focus on the problem of the establishment of the shared key in mobile ad-hoc groups. This task can be achieved by means of a contributory group key agreement (CGKA) protocol that allows group members to compute the group key based on their individual contributions providing verifiable trust relationship between participants. As shown in this paper there exists currently no CGKA protocol for mobile ad-hoc networks that provides an optimal trade-off between communication and computation efficiency. Based on the comparison results of most suitable CGKA protocols we propose a new framework for the group key agreement in mobile ad-hoc networks. Theoretical analysis and experimental results show that our framework achieves optimal communication and computation efficiency compared to other protocols.

Provably secure browser-based user-aware mutual authentication over TLS

The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on a X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation.