How to prove security of communication protocols?


 Jocelin Shelton
 1 years ago
 Views:
Transcription
1 1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA  CNRS, Nancy Colloquium Morgenstern, June 20th, 2012 Joint work with Hubert ComonLundh, Stéphanie Delaune, Steve Kremer, Ben Smyth and Bogdan Warinschi.
2 2/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Context : cryptographic protocols Cryptographic protocols are widely used in everyday life. They aim at securing communications over public or insecure networks.
3 3/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Security goals Cryptographic protocols aim at preserving confidentiality of data (e.g. pin code, medical files,...) ensuring authenticity (are you really talking to your bank?) ensuring anonymous communications (for evoting protocols,...) protecting against repudiation (I never sent this message!)
4 4/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Difficulty : there are potential powerful attackers! Presence of an attacker may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
5 5/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App
6 Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App 5/37 A flaw discovered in 2010, now fixed (Avantssar project) Step 1 An attacker offers an interesting or funny (but malicious) new Google App Step 2 Some clients register to this malicious Application Step 3 The attacker can now access all the other applications of the client, including e.g. Gmail or Google Calendar.
7 /37 Designing protocols is error prone Software testing leaves flaws : Flaw in the authentication protocol used in Google Apps Attack on payperview devices Maninthemiddle attack These flaws rely on the design of the protocols Not on a bad implementation (bugs) Not on weaknesses of the primitives (e.g. encryption, signatures) Not on generic hacking techniques (e.g. worms, code injection)
8 /37 How to analyse security protocols?? = confidentiality authenticity nonrepudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results Running example : electronic voting
9 8/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Example : Electronic voting Elections are a securitysensitive process which is the cornerstone of modern democracy. Electronic voting promises Convenient, efficient and secure facility for recording and tallying votes for a variety of types of elections : from small committees or online communities through to fullscale national elections Already used e.g. in Estonia, Norway, USA, France (from abroad).
10 9/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Two main families for evoting Voting machines Voters have to attend a voting station External authentication system (e.g. ID card) Internet voting Voters vote from home from their own computers Systems in use : Civitas (A. Myers et al), Helios,...
11 10/37 Running example : Helios http ://heliosvoting.org/ Developed by B. Adida et al, already in use : Election at Louvain University Princeton Election of the IACR board (major association in Cryptography)
12 11/37 Helios : a voting protocol for lowcoercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection.
13 Helios : a voting protocol for lowcoercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. 1/37 Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection. Suitable for medium issue elections : professional elections scientific councils, students representatives, etc. union representatives Should be compared with previous voting systems in use : e.g. attack (ballot stuffing) on the 2011 paper ballots (with barcodes) CNRS election
14 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
15 Behavior of Helios (simplified) Phase 1 : voting 1 {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
16 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
17 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) based on g a g b = g a+b i=1 i=1 Only the final result needs to be decrypted! 12/37 pk(s) : public key, the private key being shared among trustees.
18 3/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) Result : {v A +v B +v C +v D + } pk(s)
19 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C } pk(s) A malicious voter can cheat!
20 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C +v D + } pk(s) A malicious voter can cheat! In Helios : use of (Signature of) Proof of Knowledge {v D } pk(s),spk{v D = 0 or 1}
21 14/37 How to analyse security protocols? For example, how to prove that Helios is secure?
22 14/37 How to analyse security protocols? For example, how to prove that Helios is secure? Task 1 : Modeling 1 Modeling messages 2 Modeling the behavior of the protocol 3 Modeling security
23 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K
24 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K Idea 2 : Equations for reflecting the properties of the primitives Decryption dec({x} y,y) = x Homomorphic encryption {x 1 } y {x 2 } y = {x 1 +x 2 } y
25 6/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) ))
26 16/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n ))
27 16/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n )) Tallying phase Tally = c tally (y).out(dec(y,sk(s)))
28 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
29 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages, Attackers in applied picalculus A protocol P satisfies some property φ if for all process A A P = φ
30 18/37 Examples of security properties Secrecy of s If A P Q then Q out(s) Q For any attacker A and reachable process Q, the secret s remains unknown. Authentication/Agreement If A P Q then Q = Received(B,N a ) Sent(A,N a ) For any attacker A, if B receives a nonce believing it is from A then A must have sent it. Most properties can be expressed as accessibility properties
31 19/37 What is a secure voting protocol?
32 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote.
33 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. But everyone knows 0 and 1!
34 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity.
35 0/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. But everyone can form Alice,0 and Alice,1!
36 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n)
37 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) The attacker always sees the difference since the tally differs. Unanimity does break privacy.
38 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) Idea 4 : An attacker cannot see when votes are swapped. Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) 20/37 S. Kremer & M. Ryan
39 21/37 How to analyse security protocols?? = confidentiality authenticity nonrepudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results
40 22/37 How to analyse security protocols? First, we consider accessibility properties, e.g. confidentiality, authentication, etc. Automatic verification Unfortunately, security (e.g. confidentiality) is undecidable. No generic algorithm can work. Identification of decidable fragments analysis of a finite number of sessions restriction on the class of protocols Semidecision procedure : ProVerif
41 23/37 How does ProVerif work? Developed by Bruno Blanchet, ENS Paris, France. Implements a sound semidecision procedure (that may not terminate). The applied picalculus is translated into firstorder logic, more precisely into Horn clauses. Based on a resolution strategy well adapted to protocols.
42 24/37 Horn clauses for the intruder Horn clauses perfectly reflect the attacker symbolic manipulations on terms. x y I(x),I(y) I(< x,y >) pairing x y I(x),I(y) I({x} y ) encryption x y I({x} y ),I(y) I(x) decryption x y I(< x,y >) I(x) projection x y I(< x,y >) I(y) projection
43 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y )
44 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y ) Secrecy property is a reachability (accessibility) property I(m ab ) Checking security reduces to checking satisfiability There exists an attack iff the set of formulas corresponding to Intruder manipulations + protocol + property is NOT satisfiable.
45 26/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ
46 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y )
47 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y )
48 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y ) I( s,s ) I( s, s,s ) I( s, s, s,s ) I( s, s, s, s,s ) I( s, s, s, s, s,s )
49 27/37 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate.
50 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. 27/37 If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate. Performs very well in practice! Works on most of existing protocols in the literature Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem) Can handle various cryptographic primitives (various encryption, signatures, blind signatures, hash, etc.)
51 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet).
52 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy
53 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy 28/37 Verifiability Individual verifiability : voter can check that her own ballot is included in the election s bulletin board. Universal verifiability : anyone can check that the election outcome corresponds to the ballots published on the bulletin board. Helios provably satisfies both verifiability properties.
54 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique?
55 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique? Side channel attacks Representing messages by a term algebra abstracts away many mathematical properties.
56 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms
57 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms Adversary A : any probabilistic polynomial Turing machine, i.e. any probabilistic polynomial program. polynomial : captures what is feasible probabilistic : the adversary may try to guess some information
58 31/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial).
59 1/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known.
60 31/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. Indistinguishability : the adversary should not learn a bit of the secret. Pr[A P(n 0 ) 1] Pr[A P(n 1 ) 1] is negligible
61 32/37 Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm Adversary idealized any polynomial algorithm Guarantees unclear strong Proof automatic by hand, tedious and errorprone Link between the two approaches?
62 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a
63 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a Idea : soundness result Show that security in symbolic models implies security in computational ones. [Abadi Rogaway 00]
64 34/37 Soundness of equivalences in the applied picalculus Result : Assuming a strong encryption scheme (INDCCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2
65 4/37 Soundness of equivalences in the applied picalculus Result : Assuming a strong encryption scheme (INDCCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2 Key technique Any attack trace from the concrete adversary is an attack against the symbolic protocol, or the adversary breaks encryption. Consequence : Security in symbolic models directly implies security in cryptographic models, against arbitrary attackers.
66 35/37 Benefit : modularity Cryptographic security guarantees can be obtained at the symbolic level Ideal protocol Formal approach: verification of idealized protocols Implemented protocol signature algorithm encryption algorithm Cryptographers: verification of the cryptographic primitives
67 6/37 Conclusion Formal methods form a powerful approach for analyzing security protocols Use of existing techniques : term algebra, equational theories, clauses and resolution techniques, tree automata, etc. Many decision procedures Several successful automatic tools e.g. ProVerif, Avispa/Avantssar, Scyther, NRL Protocol Analyzer Detect attacks (e.g. flaw in Gmail) Prove security of standard protocols (e.g. IKE, JFK, Certified , Helios,...) Provides cryptographic guarantees under classical assumptions on the implementation of the primitives
68 37/37 The end Special thanks to : Hubert ComonLundh Ben Smyth Stéphanie Delaune Bogdan Warinschi Steve Kremer
Verication of security protocols: from condentiality to privacy
École Doctorale Sciences Pratiques Mémoire d'habilitation à Diriger les Recherches Stéphanie Delaune Informatique Verication of security protocols: from condentiality to privacy Composition du Jury : Martín
More informationScalable Protocols for Authenticated Group Key Exchange
Scalable Protocols for Authenticated Group Key Exchange Jonathan Katz Moti Yung Abstract We consider the problem of authenticated group key exchange among n parties communicating over an insecure public
More informationCAPTCHA: Using Hard AI Problems For Security
CAPTCHA: Using Hard AI Problems For Security Luis von Ahn 1, Manuel Blum 1, Nicholas J. Hopper 1, and John Langford 2 1 Computer Science Dept., Carnegie Mellon University, Pittsburgh PA 15213, USA 2 IBM
More informationA Survey. Catherine A. Meadows. Naval Research Laboratory. We attempt to outline some of the major threads of research in this area,
Formal Verication of Cryptographic Protocols: A Survey Catherine A. Meadows Center for High Assurance Computer Systems Naval Research Laboratory Washington DC, 20375 Abstract. In this paper we give a survey
More informationElectronic Authentication Guideline.  OR  http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800632.pdf
The attached Special Publication 800631 document (provided here for historical purposes) has been superseded by the following publication: Publication Number: Special Publication 800632 Title: Publication
More informationGroup Signatures: Authentication with Privacy
Group Signatures: Authentication with Privacy Authors Prof. Dr. Mark Manulis, Nils Fleischhacker, Felix Günther, Franziskus Kiefer, Bertram Poettering Cryptographic Protocols Group Department of Computer
More informationOfftheRecord Communication, or, Why Not To Use PGP
OfftheRecord Communication, or, Why Not To Use PGP Nikita Borisov UC Berkeley nikitab@cs.berkeley.edu Ian Goldberg ZeroKnowledge Systems ian@cypherpunks.ca Eric Brewer UC Berkeley brewer@cs.berkeley.edu
More informationFairplay A Secure TwoParty Computation System
Fairplay A Secure TwoParty Computation System Dahlia Malkhi 1, Noam Nisan 1, Benny Pinkas 2, and Yaron Sella 1 1 The School of Computer Science and Engineering The Hebrew University of Jerusalem Email:
More informationMobile Values, New Names, and Secure Communication
Mobile Values, New Names, and Secure Communication Martín Abadi Bell Labs Research Lucent Technologies Cédric Fournet Microsoft Research Abstract We study the interaction of the new construct with a rich
More informationShake Them Up! A movementbased pairing protocol for CPUconstrained devices
Shake Them Up! A movementbased pairing protocol for CPUconstrained devices Claude Castelluccia INRIA and University of California, Irvine claude.castelluccia@inria.fr Pars Mutaf INRIA pars.mutaf@inria.fr
More informationDistributed Secure Systems: Then and Now
Distributed Secure Systems: Then and Now Brian Randell * and John Rushby** * School of Computing Science Newcastle University Newcastle upon Tyne NE1 7RU, UK Brian.Randell@ncl.ac.uk ** Computer Science
More informationBreaking and Fixing Authentication over TLS
1 Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS Karthikeyan Bhargavan, Antoine DelignatLavaud, Cédric Fournet, Alfredo Pironti and PierreYves Strub INRIA ParisRocquencourt
More informationEngineering Privacy by Design
Engineering Privacy by Design Seda Gürses, Carmela Troncoso, and Claudia Diaz K.U. Leuven/IBBT, ESAT/SCDCOSIC firstname.lastname@esat.kuleuven.be Abstract. The design and implementation of privacy requirements
More informationA Study on Computational Formal Verication for Practical Cryptographic Protocol: The Case of Synchronous RFID Authentication
A Study on Computational Formal Verication for Practical Cryptographic Protocol: The Case of Synchronous RFID Authentication Yoshikazu HanataniI 1,2, Miyako Ohkubo 3, Sin'ichiro Matsuo 3, Kazuo Sakiyama
More informationNew Directions in Cryptography
644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT22, NO. 6, NOVEMBER 1976 New Directions in Cryptography Invited Paper WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE AbstractTwo kinds of contemporary
More informationCLoud Computing is the long dreamed vision of
1 Enabling Secure and Efficient Ranked Keyword Search over Outsourced Cloud Data Cong Wang, Student Member, IEEE, Ning Cao, Student Member, IEEE, Kui Ren, Senior Member, IEEE, Wenjing Lou, Senior Member,
More informationThe Disadvantages of Free MIX Routes and How to Overcome Them
The Disadvantages of Free MIX Routes and How to Overcome Them Oliver Berthold 1, Andreas Pfitzmann 1, and Ronny Standtke 2 1 Dresden University of Technology, Germany {ob2,pfitza}@inf.tudresden.de 2 Secunet,
More informationEfficient construction of votetags to allow open objection to the tally in electronic elections
Information Processing Letters 75 (2000) 211 215 Efficient construction of votetags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent
More informationTowards Statistical Queries over Distributed Private User Data
Towards Statistical Queries over Distributed Private User Data Ruichuan Chen Alexey Reznichenko Paul Francis Johannes Gehrke Max Planck Institute for Software Systems (MPISWS), Germany Cornell University,
More informationThe Best of Both Worlds: Combining InformationTheoretic and Computational PIR for Communication Efficiency
The Best of Both Worlds: Combining InformationTheoretic and Computational PIR for Communication Efficiency Casey Devet and Ian Goldberg University of Waterloo, ON, Canada {cjdevet,iang}@cs.uwaterloo.ca
More informationPublic Key Encryption and Digital Signature: How do they work?
White Paper Public Key Encryption and Digital Signature: How do they work? Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved. Reproduction of
More informationTowards a Type System for Security APIs
Towards a Type System for Security APIs Gavin Keighren 1, David Aspinall 1, and Graham Steel 2 1 Laboratory for Foundations of Computer Science School of Informatics, The University of Edinburgh Informatics
More informationPrivacy by Design Solutions for Biometric OnetoMany Identification Systems
Privacy by Design Solutions for Biometric OnetoMany Identification Systems IPC Technical Report June 2014 Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario, Canada Alex Stoianov, Ph.D.
More informationChord: A Scalable Peertopeer Lookup Service for Internet Applications
Chord: A Scalable Peertopeer Lookup Service for Internet Applications Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT Laboratory for Computer Science chord@lcs.mit.edu
More informationA Method for Obtaining Digital Signatures and PublicKey Cryptosystems
A Method for Obtaining Digital Signatures and PublicKey Cryptosystems R.L. Rivest, A. Shamir, and L. Adleman Abstract An encryption method is presented with the novel property that publicly revealing
More informationEfficient Similarity Search over Encrypted Data
Efficient Similarity Search over Encrypted Data Mehmet Kuzu, Mohammad Saiful Islam, Murat Kantarcioglu Department of Computer Science, The University of Texas at Dallas Richardson, TX 758, USA {mehmet.kuzu,
More informationWhy Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0
Why Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0 Alma Whitten School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 alma@cs.cmu.edu J. D. Tygar 1 EECS and SIMS University
More informationData protection. Protecting personal data in online services: learning from the mistakes of others
Data protection Protecting personal data in online services: learning from the mistakes of others May 2014 Contents Introduction... 2 What the DPA says... 4 Software security updates... 5 Software security
More informationEfficient Private Matching and Set Intersection
Efficient Private Matching and Set Intersection Michael J. Freedman 1, Kobbi Nissim 2, and Benny Pinkas 3 1 New York University (mfreed@cs.nyu.edu) 2 Microsoft Research SVC (kobbi@microsoft.com) 3 HP Labs
More informationCoin Flipping of Any Constant Bias Implies OneWay Functions
Coin Flipping of Any Constant Bias Implies OneWay Functions Extended Abstract] Itay Berman School of Computer Science Tel Aviv University Israel itayberm@post.tau.ac.il Iftach Haitner School of Computer
More information