Technological advances over the past decade have made it possible for academics to make progress in designing so-called OTP (one-time programs).
OTPs were initially proposed by researchers Goldwasser, Kalai, and Rothblum. OTPs, originally presented at the Crypto’08 conference were described as a type of cryptographically obfuscated computer program that can only be run once. This significant property makes them useful for numerous applications.
The basic concept is that "Alice" could send "Bob" a computer program that was encrypted in a way that:
1. Bob can run the program on any computer with any valid inputs and obtain a correct result. Bob cannot rerun the program with different inputs.
2. Bob can learn nothing about the secret program by running it.
The run-only-once requirements encounter difficulties because it would be an easier task to install a run-once-only program on multiple virtual machines, trying different inputs on each one of them. Consequently, this would violate the entire premise of the technology.
The original idea for thwarting this (fairly obvious) hack was to only allow the secret program to run if accompanied by a physical token that somehow enforced the one-time rule for running the copy of the secret program that Alice had sent to Bob.
No such tokens were ever made, so the whole idea has lain dormant for more than a decade.
OTP revived:
Recently, a team of computer scientists from Johns Hopkins University and NTT Research have established the basis of how it might be possible to create one-time programs using a combination of the functionality found in the chips found in mobile phones and cloud-based services.
They have hacked ‘counter lockbox’ technology and utilized the same for an unintended purpose. Counter lockboxes secure an encryption key under a user-specified password, administering a limited number of incorrect password guesses (usually 10) before having the protected information erased.
The hardware security module in iPhones or Android smartphones provides the needed base functionality, but it needs to be wrapped around technology that prevents Bob from attempting to deceive the system – the focus of the research.
Garbled circuits:
The research works show how multiple counter lockboxes might be linked together in order to form ‘garbled circuits’, i.e. a construction that might be utilized to build OTPs.
A paper illustrating this research, entitled ‘One-Time Programs from Commodity Hardware’ is due to be presented at the upcoming Theory of Cryptography Conference (TCC 2022).
Hardware-route discounted:
One alternative means of constructing one-time programs, considered in the research, is using tamper-proof hardware, although it would require a “token with a very powerful and expensive (not to mention complex) general-purpose CPU”, as explained in a blog post by cryptographer Mathew, a professor at Johns Hopkins University and one of the co-authors of the paper.
“This would be costly and worse, [and] would embed a large attack software and hardware attack surface – something we have learned a lot about recently thanks to Intel’s SGX, which keeps getting broken by researchers,” explains Green.
Rather than relying on hardware or the potential use of blockchain plus cryptographic tool-based technology, the Johns Hopkins’ researchers have built a form of memory device or token that spits out and erases secret keys when asked. It takes hundreds of lockboxes to make this construction – at least 256 for a 128-bit secret, a major drawback that the researchers are yet to overcome.
A bastion against brute-force attacks:
Harry Eldridge, from Johns Hopkins University, lead author of the paper, told The Daily Swig that one-time programs could have multiple uses.
“The clearest application of a one-time program (OTP) is preventing brute-force attacks against passwords […] For example, rather than send someone an encrypted file, you could send them an OTP that outputs the file if given the correct password. Then, the person on the other end can input their password to the OTP and retrieve the file.” Eldridge explained. “However, because of the one-time property of the OTP, a malicious actor only gets one chance to guess the password before being locked out forever, meaning that much weaker passwords [such as a four-digit PIN] can actually be pretty secure.”
Furthermore, this could as well be applied to other forms of authentication – for instance, if you wanted to protect a file using some sort of biometric match like a fingerprint or face scan.
‘Autonomous’ Ransomware Risk
One of the drawbacks led via the approach is that threat actors might utilize the technique to develop ‘autonomous’ ransomware.
“Typically, ransomware needs to ‘phone home’ somehow in order to fetch the decryption keys after the bounty has been paid, which adds an element of danger to the group perpetrating the attack,” according to Eldridge. “If they were able to use one-time programs, however, they could include with the ransomware an OTP that outputs the decryption keys when given proof that an amount of bitcoin has been paid to a certain address, completely removing the need to phone home at all.”
Although, the feedback on the work so far has been “generally positive”, according to Eldridge.
“[Most agree] with the motivation that OTPs are an interesting but mostly unrealized cryptographic idea, with the most common criticism being that the number of lockboxes required by our construction is still rather high. There is possibly a way to more cleverly use lockboxes that would allow for fewer of them to be used.”