
Theoretically-Sound Real-World Cryptography

Periodic Reporting for period 3 - REWOCRYPT (Theoretically-Sound Real-World Cryptography)

Reporting period: 2021-03-01 to 2022-08-31

What is the problem/issue being addressed?

Modern techniques enable us to construct cryptosystems in a theoretically sound way, underpinned by mathematical arguments and based on a (relatively) small number of computational hardness assumptions that can be analyzed independently of particular cryptographic constructions. A key insight from theoretical cryptography is that there may be many useful security notions for the same cryptographic primitive. Different applications have different security requirements, so the "right" security notion depends on the given application. In the recent past we have seen a very large number of practical attacks on cryptosystems, which can be seen as a consequence of the security properties provided by a cryptosystem not matching the concrete security requirements of an application. This project aims to close this gap and addresses various concrete research questions motivated by the current state of the art.

Why is it important for society?

Cryptography is a cornerstone of secure communication in a modern interconnected and digitised society.


What are the overall objectives?

The main objective of the REWOCRYPT project is to close the gap between theoretical and real-world cryptography by tackling the most important research challenge at the intersection of these areas: we want to achieve the same strong security guarantees for real-world cryptography that we are able to achieve in theoretical cryptography. The theoretically-sound design and security analysis of real-world cryptography will improve our understanding of the security properties required from real-world cryptosystems, whether and how these can be achieved with efficient cryptographic constructions, and ultimately contribute to the prevention of practical attacks. This will be a significant improvement over the current state of the art. Providing solid technical and methodological foundations for the theoretically-sound, practice-driven formal analysis of real-world cryptosystems is a ground-breaking contribution, which will significantly deepen our understanding of "secure" real-world cryptography in both theory and practice. By identifying new security notions and understanding if and how they can be achieved, or why they cannot be achieved, one can also expect valuable further contributions to cryptographic theory.
One main focus of this research project is the secure combination of cryptosystems with application layer protocols. In WP 1.1 we considered so-called 0-RTT protocols and their secure use in real-world applications. To this end, we developed new variants of 0-RTT protocols (so-called Bloom filter encryption schemes) and a new approach to achieve full forward security in 0-RTT session resumption protocols. These works appeared in two research papers in the Journal of Cryptology in 2021. Furthermore, we provided the first implementation of forward-secure 0-RTT protocols and analysed its performance when used in the QUIC protocol. This work appeared at the 19th International Conference on Cryptology and Network Security 2020 (CANS 2020). Furthermore, in WP 1.2 we worked on the secure use of length-hiding encryption in practice. We described a new approach to formally capture fingerprinting attacks on encrypted communication and showed that security can be significantly improved even with moderate padding. This work will appear at the RSA Conference, Cryptographers' Track (CT-RSA 2022).

The second main focus of this project is to study the possibility and impossibility of constructing cryptosystems with certain properties that we consider interesting for real-world applications. In WP 2.1 we constructed new key exchange protocols with improved tightness and showed their optimality (appeared at the 39th International Cryptology Conference - CRYPTO 2019). We considered the real-world instantiability of admissible hash functions and showed that they currently cannot be instantiated very efficiently, which yields lower bounds for existing constructions of adaptively-secure verifiable random functions (VRFs) (appeared at Selected Areas in Cryptography - SAC 2019 - 26th International Conference). Furthermore, we considered symmetric key exchange protocols with forward security and introduced the new notion of synchronisation robustness for such protocols. We constructed new protocols that are significantly more efficient than prior constructions and can even achieve concurrent security for the first time. This work appeared at the 27th Annual International Conference on the Theory and Applications of Cryptology and Information Security - ASIACRYPT 2021. We considered the problem of a data owner storing files with an untrusted storage provider, in a way that another user can later gain access to the files without communicating with the original data owner, while providing forward security. We gave the first provably secure constructions in this setting using post-quantum-secure building blocks, including the crucial component called a blinded key encapsulation mechanism (appeared at the Australasian Conference on Information Security and Privacy - ACISP 2020).
We showed how data stored with an untrusted storage provider can be accessed by clients in multiple, geographically disparate regions in a way that leaks nothing to the storage provider except that data accesses have occurred, and in doing so we minimise the inter-client communication (appeared at the International Conference on Information and Communications Security - ICICS 2020). We presented a new suite of updatable encryption schemes, allowing a data owner to store their data with an untrusted server and periodically rotate the encryption key of the stored ciphertexts efficiently, by sending only a short token (which reveals nothing about encryption keys or plaintexts). Along the way, we introduced a new security property for updatable encryption which generalizes prior notions and captures hiding the age of a plaintext element, and showed that our suite of protocols meets this definition (appeared at the 40th Annual International Cryptology Conference - CRYPTO 2020).
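As an added illustration of the updatable encryption workflow described above (this is a textbook ElGamal-style toy written for this page, not the project's CRYPTO 2020 schemes), the data owner rotates keys by sending the server only a short token, and the server re-keys stored ciphertexts without ever holding a key or a plaintext; the group parameters are constructed and deliberately tiny.

```python
"""Toy updatable encryption (UE) in the ElGamal style, for illustration only.

Constructed parameters: a small safe prime P = 2*Q + 1 and a generator G of the
order-Q subgroup of Z_P^*. Far too small for real use; they only show the mechanics.
"""
import secrets

P = 10007   # constructed safe prime, P = 2*Q + 1
Q = 5003    # prime order of the subgroup we work in
G = 4       # 2^2 is a quadratic residue, so it generates the order-Q subgroup


def keygen():
    """Epoch key: a uniformly random exponent in [1, Q)."""
    return 1 + secrets.randbelow(Q - 1)


def encrypt(k, m):
    """Encrypt a group element m under key k as (g^r, m * g^(k*r))."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), (m * pow(G, k * r, P)) % P


def decrypt(k, ct):
    """Recover m = c2 / c1^k (inverse via Fermat, since P is prime)."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, k, P), P - 2, P)) % P


def next_epoch(k_old):
    """Data owner: sample the next key and derive the short update token.

    The token is (k_new - k_old mod Q, g^k_new). It lets the server re-key,
    but on its own it discloses neither k_old nor k_new (k_new is fresh and
    uniform, so the difference is uniform; g^k_new hides k_new by discrete log).
    """
    k_new = keygen()
    return k_new, ((k_new - k_old) % Q, pow(G, k_new, P))


def update(token, ct):
    """Untrusted server: move a ciphertext to the new epoch using only the token.

    c2 * c1^delta turns g^(k_old*r) into g^(k_new*r); multiplying by g^s and
    (g^k_new)^s re-randomises, so old and new ciphertexts are unlinkable to
    anyone who never held a key.
    """
    delta, pk_new = token
    c1, c2 = ct
    s = 1 + secrets.randbelow(Q - 1)
    c1_new = (c1 * pow(G, s, P)) % P                            # g^(r+s)
    c2_new = (c2 * pow(c1, delta, P) * pow(pk_new, s, P)) % P   # m * g^(k_new*(r+s))
    return c1_new, c2_new
```

A round trip is: `ct = encrypt(k0, m)`, then `k1, tok = next_epoch(k0)` on the owner side and `ct1 = update(tok, ct)` on the server side, after which `decrypt(k1, ct1) == m` and the owner can discard `k0`.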

WP 2.2 focuses on the possibility of overcoming impossibility results for tight real-world security. We gave the first tight security proof for TLS 1.3 (appeared in the Journal of Cryptology - Special Issue on TLS 1.3, 2021) and constructed new tightly-secure authenticated key exchange protocols (appeared at the 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques - EUROCRYPT 2021 and the 41st Annual International Cryptology Conference - CRYPTO 2021). Furthermore, we considered the existence of digital signatures with tight security. We described the currently most efficient scheme with tight multi-user security (appeared at the 24th International Conference on Practice and Theory of Public-Key Cryptography - PKC 2021) and the first digital signatures with memory-tight security in the multi-challenge setting (appeared at the 27th Annual International Conference on the Theory and Applications of Cryptology and Information Security - ASIACRYPT 2021).
For the progress beyond the state of the art, see the overview of results sketched above. We are currently working on further ideas in these application domains. We will also consider concrete ideas on the secure use of legacy cryptography in WP 2.3.