Call November 2022

Trusted Execution Environments for Advanced Data Protection

This proposal resulted in the following thesis:

  • Ion Andy Ditu (Bachelor's Thesis, University of Trento, 2023)
    Leveraging Trusted Execution Environment for Efficient Revocation and Security in Cryptographic Access Control
    Supervisors: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. Unfortunately, CAC usually incurs significant computational overhead that limits its applicability in real-world scenarios [1]. The main goal of this project is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Level: BSc/MSc

Supervisors: Silvio Ranise

Co-supervisor: Roberto Carbone, Stefano Berlato

Time frame: From February 2023

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of TEEs for advanced data protection.
  • Evaluation of available techniques and design of a solution joining CAC with TEEs to reduce the cryptographic computational overhead.
  • Implementation of the proposed approach in a tool [3] developed and actively maintained by the Security&Trust unit in FBK [4].

Topics: Access Control, Cryptography, TEE

References:

  1. W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54
  2. https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html
  3. stfbk/CryptoAC
  4. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021)

Call November 2023

Enhancing Cryptographic Access Control with Predicates and Negative Permissions

This proposal resulted in the following thesis:

  • Simone Brunello (Bachelor's Thesis, University of Trento, 2024)
    Hybrid Enforcement for Role-based Cryptographic Access Control
    Supervisors: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from both external attackers and curious service providers while enforcing access control policies. In CAC, the sensitive data is encrypted, and the permission to access the encrypted data is embodied by the (secret) decrypting key. Unfortunately, CAC usually incurs significant computational overhead — mainly due to cryptographic computations — that limits its applicability in real-world scenarios. Moreover, by itself, CAC does not provide suitable abstractions for specifying additional information and constraints (e.g., on how much a user is trusted) that may instead be useful to relieve such a computational overhead. Put in the context of an already ongoing collaboration with the University of Pittsburgh, the main goal of this project is to enhance CAC by investigating one or more of the following ideas:

  1. Logic Predicates: express assumptions and requirements about users and resources;
  2. Negative Permissions: deny accesses explicitly through a careful distribution of cryptographic keys;
  3. Improved Performance: investigate other means (e.g., use of symmetric vs. asymmetric cryptography) to directly relieve the computational overhead of CAC.

Level: BScMSc

Supervisors: Silvio Ranise

Co-supervisor: Roberto Carbone, Stefano Berlato

Time frame: From October 2023

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of cryptography from cryptography-related courses.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).

Objectives:

  • Familiarization and study of the state of the art in the use of the CAC techniques for advanced data protection.
  • Evaluation of the aforementioned ideas and design of solutions to enhance the capabilities of CAC.
  • Implementation of the proposed solutions in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Access Control, Cryptography

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  1. stfbk/CryptoAC

Multi-Objective Microservice Orchestration

This proposal resulted in the following thesis:

  • Marco Soldera (Bachelor's Thesis, University of Trento, 2024)
    A Risk Assessment Methodology for VSNF Placement in Cloud Native Applications
    Supervisors: Domenico Siracusa | Co-supervisors: Stefano Berlato, Silvio Cretti

Description:

Microservices are the basic building blocks for modern Cloud-native applications. However, the orchestration — and especially the placement — of microservices should be aware of the functional and security requirements of the underlying applications. The main goal of this project revolves around the design of a methodology and a toolset for orchestrating (microservices in) Cloud-native applications to balance the minimization of risks due to the possible presence of security threats (e.g., malicious insider attackers, curious tenants) and the achievement of service performance requirements (e.g., expressed on computational resources, network throughput and latency).

Level: BScMSc

Supervisors: Domenico Siracusa

Co-supervisor: Stefano Berlato, Silvio Cretti

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).
  • Knowledge of the microservice architectural paradigm and orchestrators (e.g., Kubernetes) would be highly advantageous.

Objectives:

  • Familiarization and study of the state of the art in the orchestration of microservices.
  • Study and elicitation of requirements for applications deployed in prominent use case scenarios.
  • Design and implementation of a methodology for the effective orchestration of microservices in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Cloud-native Applications, Security, Multi-Objective Optimization

References:

  1. stfbk/FogAtlas

Call January 2024

Cryptographic Access Control for Blockchain-based Applications

This proposal resulted in the following thesis:

  • Luca Claus (Bachelor's Thesis, University of Trento, 2024)
    End-to-End Protection for Data Sharing Among Organizations in Cloud-Managed Blockchain Applications
    Supervisors: Silvio Ranise | Co-supervisors: Stefano Berlato, Riccardo Longo

Description:

Given the limited trust and inherently centralized nature of Cloud-based applications, the blockchain emerges as the ideal solution to guarantee the integrity and the confidentiality of sensitive data in cross-organizational scenarios. However, the basic security properties offered by the blockchain should be coupled with fine-grained access control policies (e.g., role- and attribute-based access control) enforced through cryptography (e.g., hybrid cryptography, multi-authority attribute-based encryption) for best security. The main goal of this project is to investigate how cryptographic access control is and can be used in blockchain-based applications to enforce access control policies in complex cross-organizational scenarios.

Level: BScMSc

Supervisors: Silvio Ranise

Co-supervisor: Stefano Berlato, Riccardo Longo

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of cryptography from cryptography-related courses.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).

Objectives:

  • Familiarization and study of the state of the art in the use of the Blockchain for advanced data protection.
  • Evaluation of available techniques and design of a solution joining cryptographic access control with the Blockchain for high assurance of data integrity and confidentiality.
  • Implementation of the proposed approach in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].

Topics: Access Control, Cryptography, Blockchain

References:

  1. {"text"=>"CryptoAC", "links"=>[{"name"=>"Link", "url"=>"https://aleph.fbk.eu/tools/CryptoAC"}]}

Cryptographic Revocation

This proposal resulted in the following thesis:

  • Giorgia Gabardi (Bachelor's Thesis, University of Trento, 2024)
    Studio dei pattern di revoca nelle liste di revoca dei certificati digitali
    Supervisors: Domenico Siracusa, Alessandro Tomasi

Description:

There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation and preventing others from correlating the activity of digital identity credential holders between presentations. Important use cases are the Mobile Driver's License (ISO 18013-5) and the European Digital Identity Wallet.
Cryptographic accumulators, e.g., [BdM93, N05, LLX07, BBF18, VB20] are efficient protocols to prove set (non-)membership that have been proposed as privacy-enhancing credential revocation mechanisms for digital credentials, e.g., [CL02].
During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed upon based on your interest and prior knowledge. We are particularly interested in a performance comparison of algorithms of interest, possibly using existing libraries (e.g., accumulator-rs).

Level: MSc

Supervisor: Domenico Siracusa, Alessandro Tomasi

Prerequisites:

  • An undergraduate course in cryptography is required for basic notions.
  • Knowledge of one or more of the following would be highly advantageous: RSA, elliptic curve cryptography, zero-knowledge proofs, programming in Python or Rust.
  • Knowledge of programming languages (i.e., Python, Rust) would be highly advantageous.

Objectives:

  • Summary of chosen technologies.
  • Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, and offline functionality.
  • Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions.

Topics: Digital Identity, Cryptography, Privacy Enhancing Technologies

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  1. {"id"=>"BBF18", "text"=>"\"Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains\". D Boneh, B Bünz, B Fisch. IACR 2018, CRYPTO 2019.", "links"=>[{"name"=>"DOI", "url"=>"https://doi.org/10.1007/978-3-030-26948-7_20"}, {"name"=>"Video", "url"=>"https://www.youtube.com/watch?v=gui-D_Og61w\""}]}
  2. {"id"=>"BdM93", "text"=>"\"One-way accumulators: a decentralized alternative to digital signatures.\" J C Benaloh, M de Mare, Eurocrypt 93.", "links"=>[{"name"=>"DOI", "url"=>"https://doi.org/10.1007/3-540-48285-7_24"}]}
  3. {"id"=>"CL02", "text"=>"\"Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials.\" J Camenisch, A Lysyanskaya, CRYPTO 2002.", "links"=>[{"name"=>"DOI", "url"=>"https://10.1007/3-540-45708-9_5\""}]}
  4. {"id"=>"LLX07", "text"=>"\"Universal Accumulators with Efficient Nonmembership Proofs\". Li, J., Li, N., Xue, R., 2007.", "links"=>[{"name"=>"DOI", "url"=>"https://doi.org/10.1007/978-3-540-72738-5_17"}]}
  5. {"id"=>"N05", "text"=>"\"Accumulators from Bilinear Pairings and Applications.\" L Nguyen, CT-RSA 2005.", "links"=>[{"name"=>"DOI", "url"=>"https://doi.org/10.1007/978-3-540-30574-3_19"}]}
  6. {"id"=>"VB20", "text"=>"\"Dynamic Universal Accumulator with Batch Update over Bilinear Groups\". G. Vitto, A. Biryukov, IACR 2020, CT-RSA 2022.", "links"=>[{"name"=>"DOI", "url"=>"https://doi.org/10.1007/978-3-030-95312-6_17"}, {"name"=>"Video", "url"=>"https://www.youtube.com/watch?v=Zi9pJpZKHX0"}]}
  7. {"id"=>"CHAHC22", "text"=>"\"Curve Trees: Practical and Transparent Zero-Knowledge Accumulators.\" M Campanelli, M Hall-Andersen, S Holmgaard Kamp.", "links"=>[{"name"=>"Link", "url"=>"https://ia.cr/2022/756"}]}

Key Recovery

This proposal resulted in the following thesis:

  • Sara Montanari (Master's Thesis, University of Trento, 2024)
    Refreshable and Extensible Verifiable Decentralized Secret Sharing for Threshold Access Trees
    Supervisors: Alessio Meneghetti | Co-supervisors: Riccardo Longo

Description:

Safeguarding private keys presents many issues, especially for the general public. Private keys can be easily lost or forgotten, leading to the inaccessibility of the assets which they control. On the other hand, delegating full control of the keys to a third party for safekeeping is risky and may not be viable. We would like to implement and test a recently proposed cryptographic key recovery scheme [BLM22] based on a distributed secret sharing that allows some parties to be offline during the key-generation process.

Level: MSc

Supervisors: Alessio Meneghetti

Co-supervisor: Riccardo Longo

Prerequisites:

  • Knowledge of secret sharing and Elliptic Curve Cryptography.
  • Programming experience in Rust, C, Python, or equivalent.
  • Knowledge of Pedersen commitment is not required but would be beneficial.

Objectives:

  • Development of a cryptographic proof of concept software.
  • Performance evaluation and comparison.

Topics: Secret Sharing, Decentralization

References:

  1. {"text"=>"Aleph: e-voting", "links"=>[{"name"=>"Link", "url"=>"https://aleph.fbk.eu/projects/e-voting"}]}
  2. {"id"=>"BLM22", "text"=>"M Battagliola, R Longo, A Meneghetti: Extensible Decentralized Secret Sharing and Application to Schnorr Signatures.", "links"=>[{"name"=>"Link", "url"=>"https://eprint.iacr.org/2022/1551"}]}