LG, May 7
MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security
Sepideh Avizheh, Tushin Mallick, Alina Oprea et al.
Our computing ecosystem is being transformed by two emerging paradigms: the increased deployment of agentic AI systems and advancements in quantum computing. With respect to agentic AI systems, one of the most critical problems is creating secure governing architectures that ensure agents follow their owners' communication and interaction policies and can be held accountable for the messages they exchange with other agents. With respect to quantum computing, existing systems must be retrofitted and new cryptographic mechanisms must be designed to ensure long-term security and quantum resistance. In fact, NIST recommends that standard public-key cryptographic algorithms, including RSA, Diffie-Hellman (DH), and elliptic-curve constructions (ECC), be deprecated starting in 2030 and disallowed after 2035. In this paper, we present MAGIQ, a framework for policy definition and enforcement in multi-agent AI systems using novel, highly efficient, quantum-resistant cryptographic protocols with proven security guarantees. MAGIQ (i) allows users to define rich communication and access-control policy budgets for agent-to-agent sessions and tasks, including global budgets for one-to-many agent sessions; (ii) enforces such policies using post-quantum cryptographic primitives; (iii) supports session-based enforcement of policies for agent-to-agent and one-to-many agent sessions; and (iv) provides accountability of agents to their users through message attribution. We formally model and prove the correctness and security of the system using the Universal Composability (UC) framework. We evaluate the computation and communication overhead of our framework and compare it with the state-of-the-art agentic AI framework SAGA. MAGIQ is a first step toward post-quantum-secure solutions for agentic AI systems.
CR, Feb 3, 2021
Information-theoretic Key Encapsulation and its Applications
Setareh Sharifian, Reihaneh Safavi-Naini
A hybrid encryption scheme is a public-key encryption system that consists of a public-key part called the key encapsulation mechanism (KEM), and a (symmetric) secret-key part called the data encapsulation mechanism (DEM): the public-key part is used to generate a shared secret key between two parties, and the symmetric-key part is used to encrypt the message using the generated key. Hybrid encryption schemes are widely used for secure communication over the Internet. In this paper, we initiate the study of hybrid encryption in the preprocessing model, which assumes access to initial correlated variables by all parties (including the eavesdropper). We define information-theoretic KEM (iKEM) that, together with a (computationally) secure DEM, results in a hybrid encryption scheme in the preprocessing model. We define the security of each building block, and prove a composition theorem that guarantees (computational) qe-chosen plaintext (CPA) security of the hybrid encryption system if the iKEM and the DEM satisfy qe-chosen encapsulation attack security and one-time security, respectively. We show that iKEM can be realized by a one-way SKA (OW-SKA) protocol with a revised security definition. Using an OW-SKA that satisfies this revised definition of security effectively allows the secret key that is generated by the OW-SKA to be used with a one-time symmetric-key encryption system, such as XORing a pseudorandom string with the message, and provides qe-CPA security for the hybrid encryption system. We discuss our results and directions for future work.
IT, Aug 7, 2020
A Channel Model of Transceivers for Multiterminal Secret Key Agreement
Alireza Poostindouz, Reihaneh Safavi-Naini
Information-theoretic secret key agreement is impossible without making initial assumptions. One type of initial assumption is correlated random variables that are generated by using a noisy channel that connects the terminals. Terminals use the correlated random variables and communication over a reliable public channel to arrive at a shared secret key. Previous channel models assume that each terminal either controls one input to the channel, or receives one output variable of the channel. In this paper, we propose a new channel model of transceivers where each terminal simultaneously controls an input variable and observes an output variable of the (noisy) channel. We give upper and lower bounds for the secret key capacity (i.e., the highest achievable key rate) of this transceiver model, and prove the secret key capacity under the conditions that the public communication is noninteractive and the input variables of the noisy channel are independent.
CR, Jun 30, 2020
Traceable Policy-Based Signatures and Instantiation from Lattices
Yanhong Xu, Reihaneh Safavi-Naini, Khoa Nguyen et al.
Policy-based signatures (PBS) were proposed by Bellare and Fuchsbauer (PKC 2014) to allow an authorized member of an organization to sign a message on behalf of the organization. The user's authorization is determined by a policy managed by the organization's trusted authority, while the signature preserves the privacy of the organization's policy. Signing keys in PBS do not include user identity information and thus can be passed to others, violating the intention of employing PBS to restrict users' signing capability. In this paper, we introduce the notion of traceability for PBS by including user identity in the signing key such that the trusted authority will be able to open a suspicious signature and recover the signer's identity should the need arise. We provide rigorous definitions and stringent security notions of traceable PBS (TPBS), capturing the properties of PBS suggested by Bellare-Fuchsbauer and resembling the "full traceability" requirement for group signatures put forward by Bellare-Micciancio-Warinschi (Eurocrypt 2003). As a proof of concept, we provide a modular construction of TPBS, based on a signature scheme, an encryption scheme and a zero-knowledge proof system. Furthermore, to demonstrate the feasibility of achieving TPBS from concrete, quantum-resistant assumptions, we give an instantiation based on lattices.
CR, Oct 30, 2019
Secure Logging with Security against Adaptive Crash Attack
Sepideh Avizheh, Reihaneh Safavi-Naini, Shuai Li
Logging systems are an essential component of security systems and their security has been widely studied. Recently (2017) it was shown that existing secure logging protocols are vulnerable to a crash attack, in which the adversary modifies the log file and then crashes the system to make it indistinguishable from a normal system crash. The attacker was assumed to be non-adaptive and not able to see the file content before modifying and crashing it (which will be immediately after modifying the file). The authors also proposed a system called SLiC that protects against this attacker. In this paper, we consider an (insider) adaptive adversary who can see the file content as new log operations are performed. This is a powerful adversary who can attempt to rewind the system to a past state. We formalize security against this adversary and introduce a scheme with provable security. We show that security against this attacker requires some (small) protected memory that can become accessible to the attacker after the system compromise. We show that existing secure logging schemes are insecure in this setting, even if the system provides some protected memory as above. We propose a novel mechanism that, in its basic form, uses a pair of keys that evolve at different rates, and employ this mechanism in an existing logging scheme that has forward integrity to obtain a system with provable security against adaptive (and hence non-adaptive) crash attacks. We implemented our scheme on a desktop computer and a Raspberry Pi, and showed, in addition to higher security, a significant efficiency gain over SLiC.
CR, May 10, 2019
A Capacity-achieving One-message Key Agreement With Finite Blocklength Analysis
Setareh Sharifian, Alireza Poostindouz, Reihaneh Safavi-Naini
Information-theoretic secret key agreement (SKA) protocols are a fundamental cryptographic primitive that is used to establish a shared secret key between two or more parties. In a two-party SKA in the source model, Alice and Bob have samples of two correlated variables that are partially leaked to Eve, and their goal is to establish a shared secret key by communicating over a reliable public channel. Eve must have no information about the established key. In this paper, we study the problem of one-message secret key agreement where the key is established by Alice sending a single message to Bob. We propose a one-message SKA (OM-SKA) protocol, prove that it achieves the one-way secret key capacity, and derive finite blocklength approximations of the achievable secret key length. We compare our results with existing OM-SKAs and show the protocol has a unique combination of desirable properties.
IT, Mar 14, 2019
Wiretap Secret Key Capacity of Tree-PIN
Alireza Poostindouz, Reihaneh Safavi-Naini
We consider the problem of multiterminal secret key agreement (SKA) in the wiretapped source model, where terminals have access to samples of correlated random variables from a publicly known joint probability distribution. The adversary has access to a side information variable that is correlated with the terminals' variables. We focus on a special type of terminal variables in this model, known as Tree-PIN, where the relation between variables of the terminals can be represented by a tree. The study of the Tree-PIN source model is of practical importance as it can be realized in wireless network environments. We derive the wiretap secret key capacity of Tree-PIN with independent leakage, and give lower and upper bounds on the maximum achievable secret key length in the finite-length regime. We then prove an upper bound and a lower bound for the wiretap secret key capacity of a wiretapped PIN and give two conditions under which these bounds are tight. We also extend our main result to two other related models and prove their corresponding capacities. At the end, we argue how our analysis suggests that public interaction is required for achieving the multiterminal WSK capacity.
CR, Feb 17, 2019
Leakage-Resilient Non-Malleable Secret Sharing in Non-compartmentalized Models
Fuchun Lin, Mahdi Cheraghchi, Venkatesan Guruswami et al.
Non-malleable secret sharing was recently proposed by Goyal and Kumar in independent tampering and joint tampering models for threshold secret sharing (STOC18) and secret sharing with general access structure (CRYPTO18). The idea of making secret sharing non-malleable received great attention and by now has generated many papers exploring new frontiers in this topic, such as multiple-time tampering and adding leakage resiliency to the one-shot tampering model. The non-compartmentalized tampering model was first studied by Agrawal et al. (CRYPTO15) for non-malleability against permutation composed with bit-wise independent tampering, and was shown useful in constructing non-malleable string commitments. We initiate the study of leakage-resilient secret sharing in the non-compartmentalized model. The leakage adversary can corrupt several players and obtain their shares, as in normal secret sharing. The leakage adversary can apply arbitrary affine functions with bounded total output length to the full share vector and obtain the outputs as leakage. These two processes can be both non-adaptive and independent of each other, or both adaptive and dependent on each other with arbitrary ordering. We construct such leakage-resilient secret sharing schemes and achieve constant information ratio (the scheme for the non-adaptive adversary is near optimal). We then explore making the non-compartmentalized leakage-resilient secret sharing also non-malleable against tampering. We consider a tampering model where the adversary can use the shares obtained from the corrupted players and the outputs of the global leakage functions to choose a tampering function from a tampering family F. We give two constructions of such leakage-resilient non-malleable secret sharing for the case where F is the bit-wise independent tampering and, respectively, for the case where F is the affine tampering functions.
CR, Aug 9, 2018
Secret Sharing with Binary Shares
Fuchun Lin, Mahdi Cheraghchi, Venkatesan Guruswami et al.
Shamir's celebrated secret sharing scheme provides an efficient method for encoding a secret of arbitrary length $\ell$ among any $N \leq 2^\ell$ players such that for a threshold parameter $t$, (i) the knowledge of any $t$ shares does not reveal any information about the secret and, (ii) any choice of $t+1$ shares fully reveals the secret. It is known that any such threshold secret sharing scheme necessarily requires shares of length $\ell$, and in this sense Shamir's scheme is optimal. The more general notion of ramp schemes requires the reconstruction of the secret from any $t+g$ shares, for a positive integer gap parameter $g$. A ramp secret sharing scheme necessarily requires shares of length $\ell/g$. Other than the bound related to the secret length $\ell$, the share lengths of ramp schemes cannot go below a quantity that depends only on the gap ratio $g/N$. In this work, we study secret sharing in the extremal case of bit-long shares and arbitrarily small gap ratio $g/N$, where standard ramp secret sharing becomes impossible. We show, however, that a slightly relaxed but equally effective notion of semantic security for the secret, and negligible reconstruction error probability, eliminate the impossibility. Moreover, we provide explicit constructions of such schemes. One of the consequences of our relaxation is that, unlike standard ramp schemes with perfect secrecy, adaptive and non-adaptive adversaries need different analysis and construction. For non-adaptive adversaries, we explicitly construct secret sharing schemes that provide secrecy against any $\tau$ fraction of observed shares, and reconstruction from any $\rho$ fraction of shares, for any choices of $0 \leq \tau < \rho \leq 1$. Our construction achieves secret length $N(\rho-\tau-o(1))$, which we show to be optimal. For adaptive adversaries, we construct explicit schemes attaining a secret length $\Omega(N(\rho-\tau))$.
CR, Jul 4, 2018
A New Look at the Refund Mechanism in the Bitcoin Payment Protocol
Sepideh Avizheh, Reihaneh Safavi-Naini, Siamak F. Shahandashti
BIP70 is the Bitcoin payment protocol for communication between a merchant and a pseudonymous customer. McCorry et al. (FC 2016) showed that BIP70 is prone to refund attacks and proposed a fix that requires the customer to sign their refund request. They argued that this minimal change will provide resistance against refund attacks. In this paper, we point out the drawbacks of McCorry et al.'s fix and propose a new approach for protection against refund attacks using the Bitcoin multi-signature mechanism. Our solution does not rely on merchants storing refund requests, and unlike the previous solution, allows updating refund addresses through email. We discuss the security of our proposed method and compare it with the previous solution. We also propose a novel application of our refund mechanism in providing anonymity for payments between a payer and payee in which merchants act as mixing servers. We finally discuss how to combine the above two mechanisms in a single payment protocol to obtain an anonymous payment protocol secure against refund attacks.
CR, Mar 30, 2018
HCAP: A History-Based Capability System for IoT Devices
Lakshya Tandon, Philip W. L. Fong, Reihaneh Safavi-Naini
Permissions are highly sensitive in Internet-of-Things (IoT) applications, as IoT devices collect our personal data and control the safety of our environment. Rather than simply granting permissions, further constraints shall be imposed on permission usage so as to realize the Principle of Least Privilege. Since IoT devices are physically embedded, they are often accessed in a particular sequence based on their relative physical positions. Monitoring whether such sequencing constraints are honoured when IoT devices are accessed provides a means to fence off malicious accesses. This paper proposes a history-based capability system, HCAP, for enforcing permission sequencing constraints in a distributed authorization environment. We formally establish the security guarantees of HCAP, and empirically evaluate its performance.
CR, Aug 17, 2017
Non-Malleable Codes with Leakage and Applications to Secure Communication
Fuchun Lin, Reihaneh Safavi-Naini, Mahdi Cheraghchi et al.
Non-malleable codes are randomized codes that protect coded messages against modification by functions in a tampering function class. These codes are motivated by providing tamper resilience in applications where a cryptographic secret is stored in a tamperable storage device and the protection goal is to ensure that the adversary cannot benefit from tampering with the device. In this paper we consider non-malleable codes for protection of secure communication against active physical-layer adversaries. We define a class of functions that closely model tampering of communication by adversaries who can eavesdrop on a constant fraction of the transmitted codeword, and use this information to select a vector of tampering functions that will be applied to a second constant fraction of codeword components (possibly overlapping with the first set). We derive rate bounds for non-malleable codes for this function class and give two modular constructions. The first construction adapts and provides new analysis for an existing construction in the new setting. The second construction uses a new approach that results in an explicit construction of non-malleable codes. We show applications of our results in securing message communication against active physical-layer adversaries in two settings: wiretap II with active adversaries and Secure Message Transmission (SMT) in networks. We discuss our results and directions for future work.
CR, Apr 13, 2016
Information-theoretically Secure Key Agreement over Partially Corrupted Channels
Reihaneh Safavi-Naini, Pengwei Wang
Key agreement is a fundamental cryptographic primitive. It has been proved that key agreement protocols with security against computationally unbounded adversaries cannot exist in a setting where Alice and Bob do not have dependent variables and communication between them is fully public, or fully controlled by the adversary. In this paper we consider this problem when the adversary can "partially" control the channel. We motivate these adversaries by considering adversarial corruptions at the physical layer of communication, and give a definition of adversaries that can "partially" eavesdrop on and "partially" corrupt the communication. We formalize security and reliability of key agreement protocols, derive bounds on the rate of key agreement, and give constructions that achieve the bound. Our results show that it is possible to have secret key agreement as long as some of the communicated symbols remain private and unchanged by the adversary. We relate our results to previously known results, and discuss future work.
CR, Mar 22, 2014
Adversarial Wiretap Channel with Public Discussion
Pengwei Wang, Reihaneh Safavi-Naini
Wyner's elegant model of the wiretap channel exploits noise in the communication channel to provide perfect secrecy against a computationally unlimited eavesdropper without requiring a shared key. We consider an adversarial model of the wiretap channel proposed in [18,19] where the adversary is active: it selects a fraction $\rho_r$ of the transmitted codeword to eavesdrop and a fraction $\rho_w$ of the codeword to corrupt by "adding" adversarial error. It was shown that this model also captures network adversaries in the setting of 1-round Secure Message Transmission [8]. It was proved that secure communication (1-round) is possible if and only if $\rho_r + \rho_w < 1$. In this paper we show that by allowing communicants to have access to a public discussion channel (authentic communication without secrecy), secure communication becomes possible even if $\rho_r + \rho_w > 1$. We formalize the model of AWTP-PD (adversarial wiretap with public discussion) protocols and, for two efficiency measures, information rate and message round complexity, derive tight bounds. We also construct a rate-optimal protocol family with the minimum number of message rounds. We show application of these results to Secure Message Transmission with Public Discussion (SMT-PD), and in particular show a new lower bound on the transmission rate of these protocols together with a new construction of an optimal SMT-PD protocol.
CR, Jan 15, 2014
Multipath Private Communication: An Information Theoretic Approach
Hadi Ahmadi, Reihaneh Safavi-Naini
Sending private messages over communication environments under surveillance is an important challenge in communication security and has attracted the attention of cryptographers through time. We believe that resources other than cryptographic keys can be used for communication privacy. We consider private message transmission (PMT) in an abstract multipath communication model between two communicants, Alice and Bob, in the presence of an eavesdropper, Eve. Alice and Bob have pre-shared keys and Eve is computationally unbounded. There are a total of $n$ paths and the three parties can have simultaneous access to at most $t_a$, $t_b$, and $t_e$ paths. The parties can switch their paths after every $\lambda$ bits of communication. We study perfect (P)-PMT versus asymptotically-perfect (AP)-PMT protocols. The former has zero tolerance of transmission error and leakage, whereas the latter allows for positive error and leakage that tend to zero as the message length increases. We derive the necessary and sufficient conditions under which P-PMT and AP-PMT are possible. We also introduce explicit P-PMT and AP-PMT constructions. Our results show that AP-PMT protocols attain much higher information rates than P-PMT ones. Interestingly, AP-PMT is possible even in the poorest condition where $t_a=t_b=1$ and $t_e=n-1$. It remains, however, an open question whether the derived rates can be improved by more sophisticated AP-PMT protocols. We study applications of our results to private communication over the real-life scenarios of multiple-frequency links and multiple-route networks. We show practical examples of such scenarios that can be abstracted by the multipath setting: our results prove the possibility of keyless information-theoretic private message transmission at rates $17\%$ and $20\%$ for the two example scenarios, respectively. We discuss open problems and future work at the end.
CR, Dec 23, 2013
A Model for Adversarial Wiretap Channel
Pengwei Wang, Reihaneh Safavi-Naini
In the wiretap model of secure communication the goal is to provide (asymptotic) perfect secrecy and reliable communication over a noisy channel that is eavesdropped by an adversary with unlimited computational power. This goal is achieved by taking advantage of the channel noise and without requiring a shared key. The model has attracted attention in recent years because it captures eavesdropping attacks in wireless communication. The wiretap adversary is a passive eavesdropping adversary at the physical layer of communication. In this paper we propose a model for the adversarial wiretap (AWTP) channel that models active adversaries at this layer. We consider a $(\rho_r, \rho_w)$ wiretap adversary who can see a fraction $\rho_r$, and modify a fraction $\rho_w$, of the sent codeword. The code components that are read and/or modified can be chosen adaptively, and the subsets of read and modified components, in general, can be different. AWTP codes provide secrecy and reliability for communication over these channels. We give security and reliability definitions and measures for these codes, and define the secrecy capacity of an AWTP channel, which represents the secrecy potential of the channel. The paper has two main contributions. First, we prove a tight upper bound on the rate of AWTP codes with perfect secrecy for $(\rho_r, \rho_w)$-AWTP channels, and use the bound to derive the secrecy capacity of the channel. We prove a similar bound for $\varepsilon$-secure codes also, but in this case the bound is not tight. Second, we give an explicit construction for a capacity-achieving AWTP code family, and prove its security and efficiency properties. We show that the AWTP model is a natural generalization of Wyner's wiretap models and, somewhat surprisingly, also provides a direct generalization for a seemingly unrelated cryptographic primitive, Secure Message Transmission (SMT).
CR, Mar 2, 2013
Secure Distance Bounding Verification using Physical-Channel Properties
Hadi Ahmadi, Reihaneh Safavi-Naini
We consider the problem of distance bounding verification (DBV), where a proving party claims a distance and a verifying party ensures that the prover is within the claimed distance. Current approaches to "secure" distance estimation use the signal's time of flight, which requires the verifier to have an accurate clock. We study secure DBV using physical channel properties as an alternative to time measurement. We consider a signal propagation environment that attenuates the signal as a function of distance, and then corrupts it by an additive noise. We consider three attacking scenarios against DBV, namely distance fraud (DFA), mafia fraud (MFA) and terrorist fraud (TFA) attacks. We show it is possible to construct efficient DBV protocols with DFA and MFA security, even against an unbounded adversary; on the other hand, it is impossible to design TFA-secure protocols without time measurement, even with a computationally-bounded adversary. We however provide a TFA-secure construction under the condition that the adversary's communication capability is limited to the bounded retrieval model (BRM). We use numerical analysis to examine the communication complexity of the introduced DBV protocols. We discuss our results and give directions for future research.