Flexible Models for Secure Systems

Modern computing and interactions have become increasingly complex over the last decade, resulting in an online ecosystem with many more options for users, but less transparent information about their security and, in particular, their privacy. The resulting gap between security and functionality has given rise to various problems and concerns. While these problems\dash e.g., the spread of malware, data breaches on (supposedly) secure servers, mining of private user data on social networks\ dash might seem quite diverse, many of them revolve around the broader issue of what happens to systems when they get deployed. Systems that may have seemed fully secure in development often fail to fulfill these security goals in the real world, as adversaries may have capabilities that were not taken into account when the system was designed, and even honest users may interact with the system in unexpected ways. In this dissertation, I describe two areas in which this gap between the abstract protocol and the deployed system leads to security concerns that ultimately impact every user of the system. The first area considers what happens when adversaries have unexpected capabilities; in particular, we examine how to model sophisticated attacks on the security of a system, such as side channels and fault injection, and then how to design flexible cryptosystems that can tolerate such attacks. The second area considers the more benign scenario in which users, purely by virtue of their own decisions, may unknowingly cede some of their own privacy. In particular, we examine user anonymity in the Bitcoin network, which is a purely virtual currency that acts as an electronic version of cash. By combining publicly available information with minimal data gathered by hand, we find that an average Bitcoin user is experiencing a fairly low level of anonymity, making Bitcoin ultimately unattractive for criminal activity such as money laundering

[1]  Lorrie Faith Cranor,et al.  You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[2]  Denis Flandre,et al.  A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices , 2011, EUROCRYPT.

[3]  Madeline González Muñiz,et al.  Security of signature schemes in the presence of key-dependent messages , 2010 .

[4]  Mihir Bellare,et al.  Key-Versatile Signatures and Applications: RKA, KDM and Joint Enc/Sig , 2014, EUROCRYPT.

[5]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[6]  Jean-Sébastien Coron,et al.  Universal Padding Schemes for RSA , 2002, CRYPTO.

[7]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[8]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[9]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[10]  David Cash,et al.  Cryptography Secure Against Related-Key Attacks and Tampering , 2011, IACR Cryptol. ePrint Arch..

[11]  Moses D. Liskov,et al.  On Related-Secret Pseudorandomness , 2010, TCC.

[12]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[13]  Markulf Kohlweiss,et al.  Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials , 2013, IACR Cryptol. ePrint Arch..

[14]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[15]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[16]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[17]  Frank Stajano,et al.  The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Silvio Micali,et al.  Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering , 2004, TCC.

[19]  Björn Scheuermann,et al.  The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network , 2014, NDSS.

[20]  David Cash,et al.  Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks , 2010, CRYPTO.

[21]  Jorge Luis Villar,et al.  Identity-Based Encryption with Master Key-Dependent Message Security and Leakage-Resilience , 2012, ESORICS.

[22]  Claus-Peter Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1990, EUROCRYPT.

[23]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2006 .

[24]  Simon Heron,et al.  Encryption: Advanced Encryption Standard (AES) , 2009 .

[25]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[26]  Moti Yung,et al.  Efficient Circuit-Size Independent Public Key Encryption with KDM Security , 2011, EUROCRYPT.

[27]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[28]  Michael Backes,et al.  OAEP Is Secure under Key-Dependent Messages , 2008, ASIACRYPT.

[29]  Brent Waters,et al.  Witness encryption and its applications , 2013, STOC '13.

[30]  Xiaohu Tang,et al.  A Single Key Pair is Adequate for the Zheng Signcryption , 2011, ACISP.

[31]  Manuel Blum,et al.  An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information , 1985, CRYPTO.

[32]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[33]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[34]  Ghassan O. Karame,et al.  Evaluating User Privacy in Bitcoin , 2013, Financial Cryptography.

[35]  Johann Großschädl,et al.  Cryptographic Side-Channels from Low-Power Cache Memory , 2007, IMACC.

[36]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[37]  Phillip Rogaway,et al.  Authenticated-encryption with associated-data , 2002, CCS '02.

[38]  Walid Dabbous,et al.  One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users , 2011, LEET.

[39]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[40]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[41]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[42]  J. Alex Halderman,et al.  Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.

[43]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[44]  Vlastimil Klíma,et al.  Attacking RSA-Based Sessions in SSL/TLS , 2003, CHES.

[45]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[46]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[47]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[48]  Yuichi Komano,et al.  Efficient Universal Padding Techniques for Multiplicative Trapdoor One-Way Permutation , 2003, CRYPTO.

[49]  Dennis Hofheinz,et al.  Circular Chosen-Ciphertext Security with Compact Ciphertexts , 2013, EUROCRYPT.

[50]  Alex Biryukov,et al.  Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization , 2013, 2013 IEEE Symposium on Security and Privacy.

[51]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[52]  Yael Tauman Kalai,et al.  How to Run Turing Machines on Encrypted Data , 2013, CRYPTO.

[53]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[54]  Ziming Zhao,et al.  On the Security of Picture Gesture Authentication , 2013, USENIX Security Symposium.

[55]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[56]  Ivan Damgård,et al.  A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System , 2001, Public Key Cryptography.

[57]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[58]  Mihir Bellare,et al.  New Paradigms for Digital Signatures and Message Authentication Based on Non-Interative Zero Knowledge Proofs , 1989, CRYPTO.

[59]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[60]  Rafail Ostrovsky,et al.  Cryptography in the Multi-string Model , 2007, CRYPTO.

[61]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[62]  Benny Pinkas,et al.  Securely combining public-key cryptosystems , 2001, CCS '01.

[63]  V. Shoup,et al.  Efficient Cryptographic Primitives for Non-Interactive Zero-Knowledge Proofs and Applications , 2011 .

[64]  Lars R. Knudsen,et al.  Cryptanalysis of LOKI91 , 1992, AUSCRYPT.

[65]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[66]  Mihir Bellare,et al.  A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[67]  Adi Shamir,et al.  Quantitative Analysis of the Full Bitcoin Transaction Graph , 2013, Financial Cryptography.

[68]  Adrienne Porter Felt,et al.  Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness , 2013, USENIX Security Symposium.

[69]  Qixiang Mei,et al.  Direct chosen ciphertext security from identity-based techniques , 2005, CCS '05.

[70]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[71]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[72]  Stefan Savage,et al.  A fistful of bitcoins: characterizing payments among men with no names , 2013, Internet Measurement Conference.

[73]  Tal Rabin,et al.  On the Security of Joint Signature and Encryption , 2002, EUROCRYPT.

[74]  Nir Bitansky,et al.  On Strong Simulation and Composable Point Obfuscation , 2010, CRYPTO.

[75]  Leslie Lamport,et al.  Constructing Digital Signatures from a One Way Function , 2016 .

[76]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[77]  Benny Applebaum Key-Dependent Message Security: Generic Amplification and Completeness , 2011, EUROCRYPT.

[78]  Yvo Desmedt,et al.  A New Paradigm of Hybrid Encryption Scheme , 2004, CRYPTO.

[79]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[80]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[81]  Kenneth G. Paterson,et al.  On the Joint Security of Encryption and Signature in EMV , 2012, CT-RSA.

[82]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[83]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[84]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[85]  Ben Y. Zhao,et al.  Multi-scale dynamics in a massive online social network , 2012, Internet Measurement Conference.

[86]  Paul F. Syverson,et al.  Locating hidden servers , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[87]  T. Graepel,et al.  Private traits and attributes are predictable from digital records of human behavior , 2013, Proceedings of the National Academy of Sciences.

[88]  Fabian Monrose,et al.  Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on Fon-iks , 2011, 2011 IEEE Symposium on Security and Privacy.

[89]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[90]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[91]  Justine Becker Measuring privacy risk in online social networks , 2009 .

[92]  Rafail Ostrovsky,et al.  Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[93]  Kenneth G. Paterson,et al.  RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures , 2012, IACR Cryptol. ePrint Arch..

[94]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[95]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[96]  Charles V. Wright,et al.  Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[97]  Vinod Vaikuntanathan,et al.  Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages , 2011, CRYPTO.

[98]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[99]  Birgit Pfitzmann,et al.  Key-dependent message security under active attacks - BRSIM/UC-soundness of Dolev-Yao-style encryption with key cycles , 2008, J. Comput. Secur..

[100]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[101]  Kenneth G. Paterson,et al.  On the Joint Security of Encryption and Signature, Revisited , 2011, IACR Cryptol. ePrint Arch..

[102]  Eli Biham,et al.  New Types of Cryptanalytic Attacks Using related Keys (Extended Abstract) , 1994, EUROCRYPT.

[103]  Giovanni Di Crescenzo,et al.  Necessary and Sufficient Assumptions for Non-iterative Zero-Knowledge Proofs of Knowledge for All NP Relations , 2000, ICALP.

[104]  Jan Camenisch,et al.  A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks , 2009, IACR Cryptol. ePrint Arch..

[105]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[106]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[107]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[108]  Jacques Stern,et al.  A new public key cryptosystem based on higher residues , 1998, CCS '98.

[109]  Mihir Bellare,et al.  Authenticated and Misuse-Resistant Encryption of Key-Dependent Data , 2011, IACR Cryptol. ePrint Arch..

[110]  Yael Tauman Kalai,et al.  On Symmetric Encryption and Point Obfuscation , 2010, TCC.