Cryptographic security models are defined in terms of the capabilities of the adversary, including computational limitations and what access he is allowed to the system. The security of protocols is then proven with respect to such adversaries, in a well-defined, rigorous and quantifiable way (typically relying on some computational hardness assumption). However, traditional models are often not adequate, especially in light of the widespread use of cryptography today. Since we cannot predict everything the adversary can do a priori, it is important to reduce the assumptions about the adversary's (in)capabilities as much as possible.
Here, we propose to expand the traditional cryptographic foundations so as to withstand attacks by stronger, more realistic adversaries. In particular, we challenge the classical assumption that the adversary has no access whatsoever to the legitimate parties' secret keys. We will study the strongest existing models, design new models, develop protocols, and explore the limits of what is possible to achieve, for the following types of attacks:
Chosen ciphertext attack: can we achieve CCA security from any scheme satisfying only standard semantic security? What are the relations among the different notions of security for public key encryption?
Tampering attacks: can we achieve security for various cryptographic applications when the adversary can tamper with the secret key, e.g. through fault attacks?
Key exposure attacks: can we achieve security when the adversary can obtain the secret key? how to design and instantiate key evolving schemes with optimal security and efficiency to limit damage caused by key exposure?
We will seek both positive and negative results in the above areas, in order to better understand the relevant implications and requirements, and to obtain optimal solutions.
A proof of security for a cryptographic protocol begins with an adversarial model, defining which types of attacks the protocol can withstand. However, traditional cryptographic models are often not adequate in light of the widespread use of cryptography today, in areas from electronic commerce and networked systems, to database privacy and intelligence applications, used over the Internet, on hand-held devices, or for storing data on the cloud. Since we cannot predict everything the attacker can do a priory, it is important to reduce assumptions about the attacker's capabilities as much as possible. The goal of our project is to expand the foundations of cryptography so as to withstand attacks by stronger, more realistic adversaries. In particular, we challenge the classical assumption that the adversary has no access whatsoever to the legitimate parties'secret keys. One of our major research findings includes new models and constructions of public key encryption and other cryptographic primitives, that can be proven secure even in the presence of very strong adversaries, who can read or modify the secrets, e.g., by applying physical attacks on the device storing them. We have pioneered the area of security against tampering attacks, where the adversary can modify the secrets at will. We have also made significant progress in the area of security against side channel (leakage) and key exposure attacks, where the adversary can read a portion of the secret key, or even the entire secret key for a limited period of time. The challenge in these areas is first in formulating a meaningful mathematical model that captures such practical attacks, and second in constructing protocols that can be proven secure in this setting, while minimizing assumptions and maximizing efficiency. In a different direction, we studied how to bring "secure multiparty computation" closer to practice, in terms of both security and efficiency. Secure multiparty computation is one of the most fundamental cryptographic tasks, and is in a sense the ultimate problem of security over a network. It is concerned with the question of when can a group of mutually distrustful parties jointly perform a given computation on their inputs, guaranteeing that none of them can sabotage the outcome or extract extra information. Seminal results in cryptography, initiated in the early 1980s and continued by a long line of research, show that in principle, anything that can be computed, can be computed securely. However, for many years this area was purely theoretical, as the feasibility results have not been considered even close to practical, both in terms of efficiency, and because of restrictions on the settings and attack models. Our project addresses this on several fronts. We have designed algorithms for "immunizing" protocols that are only weakly secure, by transforming them to protocols that are secure against much stronger attacks. These include attacks that can be mounted over the Internet, where the attacker can launch several copies of the protocol with various participants, or when the attacker can compromise various parties while they are running the protocol. We have also addressed the efficiency issue, through implementation and optimization, as well as through theoretical study, developing new models and algorithms to overcome inherent inefficiency in previous approaches. Our project addressed general secure computation for arbitrarily chosen computations, as well as secure computation for specific classes of functions that come up in areas such as data search, cloud computing, statistics, vision, and machine learning.
