05 Fakultät Informatik, Elektrotechnik und Informationstechnik

Permanent URI for this collectionhttps://elib.uni-stuttgart.de/handle/11682/6

Browse

Filters

2020 - 20256

Settings

Publication Type: search.filters.UBSTyp.DissertationStart date: 2020Institute: search.filters.UBSInstitut.Institut für Informationssicherheit

Search Results

Now showing 1 - 6 of 6
  • Thumbnail Image
    ItemOpen Access
    Verifiable tally-hiding remote electronic voting
    (2023) Liedtke, Julian; Küsters, Ralf (Prof. Dr.)
    Electronic voting (e-voting) refers to casting and counting votes electronically, typically through computers or other digital interfaces. E-voting systems aim to make voting secure, efficient, convenient, and accessible. Modern e-voting systems are designed to keep the votes confidential and provide verifiability, i.e., everyone can check that the published election result corresponds to how voters intended to vote. Several verifiable e-voting systems have been proposed in the literature, with Helios being one of the most prominent ones. However, almost all verifiable e-voting systems reveal not just the voting result but also the tally, consisting of the exact number of votes per candidate or even all single votes. Publishing the tally causes several issues. For example, in elections with only a few voters (e.g., boardroom or jury votings), exposing the tally prevents ballots from being anonymous, thus deterring voters from voting for their actual preference. Furthermore, attackers can exploit the tally for so-called Italian attacks that allow for easily coercing voters. Often, the voting result merely consists of a single winner or a ranking of candidates, so disclosing only this information, not the tally, is sufficient. Revealing the tally unnecessarily embarrasses defeated candidates and causes them a severe loss of reputation. For these reasons, there are several real-world elections where authorities do not publish the tally but only the result - while the current systems for this do not ensure verifiability. We call the property of disclosing the tally tally-hiding. Tally-hiding offers entirely new opportunities for voting. However, a secure e-voting system that combines tally-hiding and verifiability does not exist in the literature. Therefore, this thesis presents the first provable secure e-voting systems that achieve both tally-hiding and verifiability. Our Ordinos framework achieves the strongest notion of tally-hiding: it only reveals the election result. Many real-world elections follow an alternative variant of tally-hiding: they reveal the tally to the voting authorities and only publish the election result to the public - so far without achieving verifiability. We, for the first time, formalize this concept and coin it public tally-hiding. We propose Kryvos, which is the first provable secure e-voting system that combines public tally-hiding and verifiability. Kryvos offers a new trade-off between privacy and efficiency that differs from all previous tally-hiding systems and allows for a radically new protocol design, resulting in a practical e-voting system. We implemented and benchmarked Ordinos and Kryvos, showing the practicability of our systems for real-world elections for significant numbers of candidates, complex voting methods, and result functions. Moreover, we extensively analyze the impact of tally-hiding on privacy compared to existing practices for various elections and show that applying tally-hiding improves privacy drastically.
  • Thumbnail Image
    ItemOpen Access
    Improved usability of differential privacy in machine learning : techniques for quantifying the privacy-accuracy trade-off
    (2022) Bernau, Daniel; Küsters, Ralf (Prof.)
    Differential privacy allows bounding the influence that training data records have on a neural network. To use differential privacy in machine learning with neural networks, data scientists must choose privacy parameter epsilon. Choosing meaningful privacy parameters is key since differentially private neural networks that have been trained with weak privacy parameters might result in excessive privacy leakage, while strong privacy parameters might overly degrade model utility. However, privacy parameter values are difficult to choose for two main reasons. First, the theoretical upper bound on privacy loss epsilon might be loose, depending on the chosen sensitivity and data distribution of practical datasets. Second, legal requirements and societal norms for anonymization often refer to individual identifiability, to which epsilon is only indirectly related. Within this thesis, we address the problem of choosing epsilon from two angles. First, we quantify the empirical lower bound on the privacy loss under empirical membership inference attacks to allow data scientists to compare the empirical privacy-accuracy trade-off between local and central differential privacy. Specifically, we consider federated and non-federated discriminative models, as well as generative models. Second, we transform the privacy loss under differential privacy into an analytical bound on identifiability map legal and societal expectations w.r.t. identifiability to corresponding privacy parameters. The thesis contributes techniques for quantifying the trade-off between accuracy and privacy over epsilon. The techniques provide information for interpreting differentially private training datasets or models trained with the differentially private stochastic gradient descent to improve usability of differential privacy in machine learning. In particular, we identify preferable ranges for privacy parameter epsilon and compare local and central differential privacy mechanisms for training differentially private neural networks under membership inference adversaries. Furthermore, we contribute an implementable instance of the differential privacy adversary that can be used to audit trained models w.r.t. identifiability.
  • Thumbnail Image
    ItemOpen Access
    Differential privacy for sequential and directional data
    (2023) Weggenmann, Benjamin; Küsters, Ralf (Prof. Dr.)
    This dissertation is concerned with mechanisms to protect the privacy of individuals in special types of data that are sequential or directional in nature. Importantly, sequential data includes human language which is commonly conveyed as text or speech (i.e., a sequence of words, symbols, or speech sounds), whereas directional data includes natural examples such as geographic locations and periodic time specifications. In many cases, such data may expose sensitive information that violate the privacy of individuals or even reveal their identity. Differential privacy (DP) is a formal notion of privacy based on randomness that allows quantifying and limiting information disclosure about individuals. While many DP mechanisms exist for structured data such as scalars or numerical vectors, we found a lack of suitable mechanisms for sequential and directional data: For instance, at the time of starting this dissertation, we found no existing DP mechanisms for textual data, and existing mechanisms for geolocations assumed only planar coordinates. To fill these gaps, we aim at constructing novel privacy mechanisms for sequential and directional data and assessing their DP properties. Specifically, we develop methods to obfuscate text as an example of sequential data which either produce differentially private text representations or human-readable texts. Moreover, we introduce directional privacy, a special variant of DP for directional data along with two suitable directional privacy mechanisms that intrinsically respect the directional nature of the data to be obfuscated. We evaluate our proposed methods in realistic use cases to assess their performance regarding protection of privacy and preservation of utility in the obfuscated data. The results show that our methods for text effectively reduce re-identification risks of authorship attribution attacks while maintaining high utility for topic or sentiment analysis tasks. Furthermore, our directional mechanisms typically require fewer data to achieve a certain level of utility than standard privacy mechanisms adapted to directional data. To our best knowledge, our work contributes the first DP mechanism for text and also has inspired other mechanisms that work on a word-level. Moreover, we are the first to exploit synergies between variational autoencoders and the Gaussian mechanism to achieve DP for human-readable text - an approach that is likely extensible to other domains of sequential data. Lastly, our work on directional privacy further provides theoretical contributions to directional statistics including a novel sampling algorithm for the Purkayastha distribution.
  • Thumbnail Image
    ItemOpen Access
    Simple and flexible universal composability : definition of a framework and applications
    (2020) Rausch, Daniel; Küsters, Ralf (Prof. Dr.)
    Security protocols, such as TLS, SSH, IEEE~802.11, and DNSSEC, have become crucial tools in modern society to protect people, data, and infrastructure. They are used throughout virtually all electronic devices to achieve a wide range of different security goals, such as confidentiality, authentication, and integrity. As the long history of attacks on security protocols illustrates, it is indispensable to perform a formal security analysis of such protocols. A central tool in cryptography for taming the complexity of the design and the analysis of modern protocols is modularity, provided by security models for universal composability. Such models allow for designing and analyzing small parts of a protocol in isolation and then reusing these security results in the context of the overall protocol. This is not just easier than analyzing the whole protocol as a monolithic block but also reduces the overall effort required in building and analyzing multiple different protocols based on the same underlying components, such as cryptographic primitives. Ideally, a model for universal composability should support a protocol designer in easily creating full, precise, and detailed specifications as well as sound security proofs of various protocols for various types of adversarial models, instead of being an additional obstacle one has to overcome during a security analysis. In particular, such a model should be sound, flexible/expressive, and easy to use. Unfortunately, despite the wide spread use of models for universal composability, existing models and frameworks are still unsatisfying in these respects as none combines all of these requirements simultaneously. In this thesis we therefore develop a model for universal composability, called the iUC framework, which combines soundness, usability, and flexibility in a so far unmatched way, and hence constitutes a solid framework for designing and analyzing essentially any protocol and application in a modular, universally composable, and sound manner. We use our model in a case study to analyze multiple different key exchange protocols precisely as they are deployed in practice. This illustrates the combination of both flexibility and usability of our model. This case study is also an important independent contribution as this is the first faithful security analysis of these unmodified protocols in a universal composability setting.
  • Thumbnail Image
    ItemOpen Access
    Composable accountability for distributed ledgers
    (2024) Graf, Mike; Küsters, Ralf (Prof. Dr.)
  • Thumbnail Image
    ItemOpen Access
    Mechanized modeling and security proofs for web protocols
    (2025) Würtele, Tim; Küsters, Ralf (Prof. Dr.)
    The Web plays a central role in modern life - not only for news and social interactions, but also in security-critical applications such as banking and healthcare. Many of these applications rely on standardized protocols, for example, for authentication and authorization. Hence, the security of many applications on the Web depends on the security of these protocols. Studying the security of protocols - not just on the Web - has been an active area of research for over four decades. An important branch of this research focuses on applying formal methods to obtain rigorous, formally proven security guarantees. However, in the context of Web protocols, the complexity of the underlying infrastructure - with multiple layers of sub-protocols and intricate interactions between involved parties (e.g., in-browser communication between websites) - poses significant challenges for such analyses. Yet this complexity must be captured, since even subtle design details may have security implications, as demonstrated by past attacks. This thesis advances the state of the art in Web protocol security analysis in several ways. First, we present a formal security analysis of the FAPI 2.0 protocol family, developed and used in high-risk domains such as banking and healthcare. Our analysis accompanied the development of the FAPI 2.0 protocols and is based on the most comprehensive and detailed security analysis framework for Web protocols to date, the Web Infrastructure Model (WIM) - a pen-and-paper Dolev-Yao-style model that captures many aspects of the Web environment, and in particular, many details of the inner workings of Web browsers. To faithfully model FAPI 2.0, we extend the WIM in several ways, for example, by introducing communication channels for push messaging and support for so-called HTTP Message Signatures. These extensions are derived from relatively recent, yet already established Web standards, and are therefore of independent interest for keeping the WIM up to date. Our analysis - the largest based on the WIM so far - uncovered multiple new attacks that led to fixes in the now-finalized FAPI 2.0 standards, and started an ongoing effort within the standardization body responsible for FAPI 2.0 to apply formal analysis to more and more of their standards. At the same time, this work illustrates the limitations of pen-and-paper proofs: our analysis spans more than 100 pages of hand-written, manually verified proofs. Hence, mechanized verification promises more reliable results, but existing mechanized tools struggle with the level of detail and resulting model size required for realistic Web models. To bridge this gap, we contribute to the development of DY*, a mechanized Dolev-Yao-style protocol analysis framework that supports implementation-level executable models, highly modular proofs over an explicit global trace, an extensible equational theory, and can cope well with unbounded data structures, loops, and recursion. While the long-term goal is to develop DY* into a Web protocol analysis framework - akin to the WIM, but fully mechanized - it has already been used in several nontrivial case studies, including the first formal analysis of the Signal protocol with an unbounded number of ratcheting rounds. Finally, as a first step toward such a mechanized Web protocol analysis framework based on DY*, we use DY* to analyze the immensely popular ACME certificate issuance protocol. In the course of this analysis, we extend DY* with authenticated channels, an enhanced equational theory to more precisely capture the properties of digital signatures, and develop a methodology to execute DY* models against real-world implementations. Our analysis is the first of the final ACME standard and ranks among the most detailed mechanized protocol security analyses to date - our executable model can even interact with real-world servers.