Succinct non-interactive (NI) proofs are a powerful cryptographic building block with many promising applications to secure decentralized networks such as Bitcoin and its successor crypto-currencies. Although succinct proofs have been known and studied since the late 1980's, only recently has the research community started to implement them for general computations. Unfortunately, existing implementations of succinct proofs all rely on a trusted setup phase that has attracted criticism since it requires a secret trapdoor that, if compromised, completely ruins the security guarantees of such systems.
In this talk I will discuss our ongoing attempts to overcome these security issues by implementing succinct NI proofs based on quasi-linear probabilistically checkable proofs (PCP)s.
Based on joint works with Iddo Ben-Tov, Alessandro Chiesa, Ariel Gabizon, Daniel Genkin, Matan Hamilis, Evgenya Pergament, Michael Riabzev, Mark Siberstein, Eran Tromer and Madars Virza.
A couple of months ago, major browser vendors had announced the planned removal of RC4 from the list of supported TLS ciphersuites in Chrome, Firefox and Internet Explorer, effectively dismissing RC4 from its undisputed position as the most popular stream cipher in the world.
The main reason for this dramatic event, 20 years after the invention of RC4 and 14 years after the algorithm and its first significant vulnerabilities were published, was a series of attacks published in the recent years on RC4 usage in the popular SSL/TLS cryptographic protocol.
Interestingly, most of these attacks were Connect-the-Dots attacks, fairly simple applications of RC4 vulnerabilities that were known for many years to the cryptographic community, to SSL/TLS.
In this session we will present the Bar-Mitzva attack, and show how the Invariance weakness of RC4, first published in 2001 (!), can be used to mount a partial plaintext recovery attack on SSL-protected data, when RC4 is the chosen cipher.
The attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials when delivered as POST parameters.
Furthermore, one of the variants of the new attack requires only passive eavesdropping to SSL connections, and presents the first practical attack on SSL that does not require active Man-in-the-Middle.
Another unique characteristic of the new attack allows one of its variants to recover with non-negligible probability, parts of a secret that was transmitted only once over the TLS connection.
Itsik Mantin is Imperva's Director of Security Research.
ההרצאה תינתן באנגלית - Lecture will be given in English
In June 2013 Edward Snowden leaked a large collection of documents that describe the capabilities and technologies of the NSA and its allies. Even to security experts the scale, nature and impact of some of the techniques revealed was surprising. In addition to “active defense” technologies and a focus on subverting end systems, the documents also reveal a systematic attempt to undermine cryptographic systems. A major consequence is the increased awareness of the public at large of the existence of highly intrusive mass surveillance techniques. There has also been some impact in the business world, including a growing interest in companies that (claim to) develop end-to-end secure solutions. There is no doubt that large nation states and organized crime have carefully studied the techniques and are exploring which ones they can use for their own benefit. But after more than two years, there is little progress in legal or governance measures to address some of the excesses by increasing accountability. Moreover, the security research community seems to have been slow to respond to the new threat landscape. In this lecture we analyze these threats and speculate how they could be countered.
In June 2013, the NSA published two block ciphers named Simon and Speck and put them for public scrutiny. On the one hand, these ciphers are attractive due to their efficiency in both software and hardware. On the other hand, the NSA timing for publishing them could not have been worse, just a short while after Snowden's revelations.
This talk will discuss Simon and the lessons learned in the two years it is around, both through academic research and through direct communication with its designers at the NSA.
A fully homomorphic encryption scheme scheme (FHE) is a method of encryption where an encryption of a message x can be converted into an encryption of a related message f(x), for any f, without compromising the security of the encryption. This means that data processing can be performed in an encrypted manner, without revealing the underlying information.
FHE had been first suggested in 1978, but the first candidate scheme was only introduced by Gentry in 2009. Since then, we have seen very rapid progress in terms of security and efficiency. In my talk, I will explain how to achieve FHE and discuss the state of the art and the challenges ahead.
Cryptographic hash functions are among the main building blocks of secure communication protocols used
today. A cryptographic hash function H takes as an input a message M of arbitrary length, and maps it
to an output H(M) of a fixed length n.
Until 2004, it was widely believed that concatenating the outputs of two iterated hash functions (that
maintain a state of n bits) H1(M)||H2(M), results in a more secure construction. In a seminal work,
Joux refuted this belief and showed that the concatenation combiner is not more secure than the
individual combined hash functions.
In this talk, I will begin with the necessary background on hash functions and Joux's work. Then, I
will present an improvement of Joux's attack for the case of finding second preimages of long messages
for the concatenation combiner. Namely, given sufficiently long M, I will describe an attack that
finds a different M' such that H1(M)||H2(M) = H1(M')||H2(M') faster than Joux's attack.
The new techniques also give improved attacks on other well-studied hash function combiners such as
the XOR combiner.
Format Preserving Encryption (FPE) schemes encrypt a plaintext into a ciphertext while preserving its format (e.g., a valid social-security number is encrypted into a valid social-security number), thus allowing encrypted data to be stored and used in the same manner as unencrypted data. Motivated by the ever increasing use of cloud computing and memory delegation, which require preserving both the privacy and the format of the plaintext, several FPE schemes for general formats have been previously suggested.
In this talk, I will give a general introduction to FPE, discuss efficiency concerns of previous solutions, and show attacks on them. Then, I will present a new FPE scheme with optimal security (under the efficiency constraints) which includes, in addition to encryption and decryption algorithms, also a method of representing general (complex) formats. Our algorithms are efficient, and do not require an expensive set-up. Security is guaranteed by preserving only format-specific properties during encryption, while hiding all message-specific properties.
Authenticated encryption schemes guarantee both privacy and integrity, and have become the default level of encryption in modern protocols. One of the most popular authenticated encryption schemes today is AES-GCM due to its impressive speed. However, AES-GCM completely breaks if the same random IV is used twice. This can have disastrous effects when deploying encryption on devices with poor randomness (e.g., mobile devices) or when pseudorandom generators fail (e.g., as was discovered in Debian Linux in 2008). An encryption scheme that is resistant against such failures is called nonce misuse resistant.
In this talk, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton. We provide a full proof of security of our scheme, and an optimized implementation using the AES-NI and PCLMULQDQ instruction sets. We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our nonce misuse- resistant scheme is only 14% slower on Haswell architecture and 19% slower on Broadwell architecture. On Broadwell, GCM-SIV encryption takes only 0.92 cycles per byte, and GCM-SIV decryption is exactly the same as GCM decryption taking only 0.77 cycles per byte. Beyond being very fast, our new mode of operation uses the same building blocks as GCM and so existing hardware and software can be utilized to easily deploy GCM-SIV. We conclude that GCM-SIV is a viable alternative to GCM, providing full nonce misuse-resistance at little cost.
Appeared at ACM CCS 2015. Joint work with Shay Gueron (Haifa University and Intel).