CORDIS - EU research results

Theoretically-Sound Real-World Cryptography

Periodic Reporting for period 4 - REWOCRYPT (Theoretically-Sound Real-World Cryptography)

Reporting period: 2022-09-01 to 2024-03-31

What is the problem/issue being addressed?

Modern techniques enable us to construct cryptosystems in a theoretically sound way, underpinned by mathematical arguments and based on a (relatively) small number of computational hardness assumptions that can be analyzed independently of particular cryptographic constructions. A very important insight from theoretical cryptography is that there may be many useful security notions for the same cryptographic primitive. Different applications may have different security requirements, so the "right" security notion depends on the given application. In the recent past, we have seen a very large number of practical attacks on cryptosystems, which can be seen as a consequence of a mismatch between the security properties a cryptosystem provides and the concrete security requirements of the application that uses it. This project aims to close this gap and addresses various concrete research questions motivated by the current state of the art.

Why is it important for society?

Secure communication is essential to our everyday lives, society, and economy, and this dependence is growing. The security of this communication is protected by cryptographic protocols. This project contributes to protecting the security and privacy, and thus the freedom, of citizens and of our society as a whole.


What are the overall objectives?

The main objective of the REWOCRYPT project is to close the gap between theoretical and real-world cryptography, by tackling the most important research challenge at the intersection of these areas: we want to achieve the same strong security guarantees for real-world cryptography that we are able to achieve in theoretical cryptography. The theoretically-sound design and security analysis of real-world cryptography will improve our understanding of the security properties required from real-world cryptosystems, whether and how these can be achieved with efficient cryptographic constructions, and ultimately contribute to the prevention of practical attacks. This will be a significant improvement over the current state of the art. Providing solid technical and methodological foundations for the theoretically-sound, practice-driven formal analysis of real-world cryptosystems is a ground-breaking contribution, which will significantly deepen our understanding of "secure" real-world cryptography in both theory and practice. By identifying new security notions and understanding if and how they can be achieved, or why they cannot be achieved, one can also expect valuable further contributions to cryptographic theory.
The “common denominator” shared across all work packages is the novel idea to extend the classical provable security approach beyond the pure cryptography. This makes it possible to exploit properties of applications running on top of cryptosystems, and to meet real-world requirements that have not been achievable with today’s approaches. This will yield new methodology which makes it possible to extend the scope of cryptographic research significantly beyond the current state-of-the-art.

One main focus of this research project is the secure combination of cryptosystems with application layer protocols. In WP 1.1 we considered so-called 0-RTT protocols and their secure use in real-world applications. To this end, we developed new variants of 0-RTT protocols (so-called Bloom filter encryption schemes) and a new approach to achieve full forward security in 0-RTT session resumption protocols. These works appeared in two research papers in the Journal of Cryptology in 2021. Furthermore, we provided the first implementation of forward-secure 0-RTT protocols and analysed its performance when used in the QUIC protocol. This work appeared at the 19th International Conference on Cryptology and Network Security 2020 (CANS 2020). We were also able to develop new insights into the security of the important TLS 1.3 protocol, which appeared in a research paper at the 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques - EUROCRYPT 2022.

In WP 1.2 we worked on the secure use of length-hiding encryption in practice. We described a new approach to formally capture fingerprinting attacks on encrypted communication and showed that security can be significantly improved even with moderate padding. This appeared at the RSA Conference, Cryptographers’ Track - CT-RSA 2022.

The second main focus of this project is to precisely study the possibility and impossibility of constructing cryptosystems with certain properties that we consider interesting for real-world applications. In WP 2.1 we constructed new key exchange protocols with improved tightness and showed their optimality (appeared at the 39th International Cryptology Conference - CRYPTO 2019). This result was extended by a publication appearing at the 43rd Annual International Cryptology Conference - CRYPTO 2023. We considered the real-world instantiability of admissible hash functions and showed that they currently cannot be instantiated very efficiently, which yields lower bounds for existing constructions of adaptively-secure verifiable random functions (VRFs) (appeared in Selected Areas in Cryptography - SAC 2019 - 26th International Conference). Furthermore, we considered symmetric key exchange protocols with forward security and introduced the new notion of synchronisation robustness for such protocols. We constructed new protocols that are significantly more efficient than prior constructions, and that can even achieve concurrent security for the first time. This work appeared at the 7th Annual International Conference on the Theory and Applications of Cryptology and Information Security - ASIACRYPT 2021. Another result about provably secure cryptographic primitives for modern applications concerns the security of the newly introduced WhatsApp Backup Protocol, which also appeared at the 43rd Annual International Cryptology Conference - CRYPTO 2023. Furthermore, we studied the security of primitives in real-world security models in a publication appearing at the 21st International Conference on Applied Cryptography and Network Security - ACNS 2023.

WP 2.2 focuses on the possibility of overcoming impossibility results for tight real-world security. We gave the first tight security proof for TLS 1.3 (appeared in the Journal of Cryptology - Special Issue on TLS 1.3, 2021) and constructed new tightly-secure authenticated key exchange protocols (appeared at the 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques - EUROCRYPT 2021 and the 41st Annual International Cryptology Conference - CRYPTO 2021). Furthermore, we considered the existence of digital signatures with tight security. We described the currently most efficient scheme with tight multi-user security (appeared at the 24th International Conference on Practice and Theory of Public-Key Cryptography - PKC 2021) and the first digital signatures with memory-tight security in the multi-challenge setting (appeared at the 27th Annual International Conference on the Theory and Applications of Cryptology and Information Security - ASIACRYPT 2021).
For the progress beyond the state of the art, see the overview of results sketched above. We are currently working on further ideas in these application domains.