IACR News
Updates on the COVID-19 situation are on the
Announcement channel.
Here you can see all recent updates to the IACR webpage. These updates are also available:
06 December 2019
Francesco Berti, Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
ePrint Report
Authenticity can be compromised by information leaked via side-channels (e.g., power consumption). Examples of attacks include direct key recoveries and attacks against the tag verification which may lead to forgeries. At FSE 2018, Berti et al. described two authenticated encryption schemes which provide authenticity assuming a “leak-free implementation” of a Tweakable Block Cipher (TBC). Precisely, security is guaranteed even if all the intermediate computations of the target implementation are leaked in full but the TBC long-term key. Yet, while a leak-free implementation reasonably models strongly protected implementations of a TBC, it remains an idealized physical assumption that may be too demanding in many cases, in particular, if hardware engineers mitigate the leakage to a good extent but (due to performance constraints) do not reach leak-freeness. In this paper, we get rid of this important limitation by introducing the notion of “Strong Unpredictability with Leakage” for BC's and TBC's. It captures the hardness for an adversary to provide a fresh and valid input/output pair for a (T)BC, even having oracle access to the (T)BC, its inverse and their leakages. This definition is game-based and may be verified/falsified by laboratories. Based on it, we then provide two Message Authentication Codes (MAC) which are secure if the (T)BC on which they rely are implemented in a way that maintains a sufficient unpredictability. Thus, we improve the theoretical foundations of leakage-resilient MAC and extend them towards engineering constraints that are easier to achieve in practice.
Augustin P. Sarr
ePrint Report
At ESORICS 2017, Buldas et al. proposed an efficient (software only) server supported signature scheme, geared to mobile devices, termed Smart-ID. A major component
of their design is a clone detection mechanism, which allows a server to detect the existence of clones of
a client's private key share.
We point out a flaw in this mechanism.
We show that, under a realistic race condition, an attacker which holds
a password camouflaged private share can lunch an online dictionary attack
such that
(i)if all its password guesses are wrong, it is very likely that the attack will not be detected, and
(ii) if one of its guesses is correct, it can generate signatures on messages of its choice, and the attack will \emph{not} be detected.
We propose an improvement of Smart-ID to thwart the attack we present.
James Howe, Thomas Prest, Thomas Ricosset, Mélissa Rossi
ePrint Report
Gaussian sampling over the integers is a crucial tool in lattice-based cryptography, but has proven over the recent years to be surprisingly challenging to perform in a generic, efficient and provable secure manner. In this work, we present a modular framework for generating discrete Gaussians with arbitrary center and standard deviation. Our framework is extremely simple, and it is precisely this simplicity that allowed us to make it easy to implement, provably secure, portable, efficient, and provably resistant against timing attacks. Our sampler is a good candidate for any trapdoor sampling and it is actually the one that has been recently implemented in the Falcon signature scheme. Our second contribution aims at systematizing the detection of implementation errors in Gaussian samplers. We provide a statistical testing suite for discrete Gaussians called SAGA (Statistically Acceptable GAussian). In a nutshell, our two contributions take a step towards trustable and robust Gaussian sampling real-world implementations.
05 December 2019
Kaushik Nath, Palash Sarkar
ePrint Report
The Montgomery ladder has a conditional statement. Existing constant time implementations of the Montgomery ladder are based on constant time conditional swaps or conditional selection of field elements. Implementations of the underlying field arithmetic require a multi-limb representation of the field elements. So, a swap or a selection of two field elements require a number of data movement operations which is proportional to the number of limbs. In this work, we introduce a new method for constant time implementation of the conditional statement. Our method does not require any swap or selection of field elements. Further, the number of involved data movement operations in our method is independent of the size of the underlying field. This leads to substantial savings in the number of data movement operations required for Montgomery ladder computation. We have implemented the new idea using 64-bit arithmetic for Curve25519 and Curve448, two elliptic curves which have been proposed in the Transport Layer Security, Version 1.3. Timing measurements on the Skylake and the Kaby Lake processors of Intel show that for Curve25519 about $11\%$ and for Curve448 about $13\%$ speed-ups are achieved.
Gareth T. Davies, Herman Galteland, Kristian Gjøsteen, Yao Jiang
ePrint Report
In cloud-based outsourced storage systems, many users wish to securely store their files for later retrieval, and additionally to share them with other users. These retrieving users may not be online at the point of the file upload, and in fact they may never come online at all. In this asynchoronous environment, key transport appears to be at odds with any demands for forward secrecy. Recently, Boyd et al. (ISC 2018) presented a protocol that allows an initiator to use a modified key encapsulation primitive, denoted a blinded KEM (BKEM), to transport a file encryption key to potentially many recipients via the (untrusted) storage server, in a way that gives some guarantees of forward secrecy. Until now all known constructions of BKEMs are built using RSA and DDH, and thus are only secure in the classical setting.
We further the understanding of secure key transport protocols in two aspects. First, we show how to generically build blinded KEMs from homomorphic encryption schemes with certain prop- erties. Second, we construct the first post-quantum secure blinded KEMs, and the security of our constructions are based on hard lattice problems.
Aleksandr Kutsenko
ePrint Report
A bent function is a Boolean function in even number of variables which is on the maximal Hamming distance from the set of affine Boolean functions. It is called self-dual if it coincides with its dual. It is called anti-self-dual if it is equal to the negation of its dual. A mapping of the set of all Boolean functions in n variables to itself is said to be isometric if it preserves the Hamming distance. In this paper we study isometric mappings which preserve self-duality and anti-self-duality of a Boolean bent function. The complete characterization of these mappings is obtained for n>2. Based on this result, the set of isometric mappings which preserve the Rayleigh quotient of the Sylvester Hadamard matrix, is characterized. The Rayleigh quotient measures the Hamming distnace between bent function and its dual, so as a corollary, all isometric mappings which preserve bentness and the Hamming distance between bent function and its dual are described.
Moni Naor, Omer Paneth, Guy N. Rothblum
ePrint Report
If I commission a long computation, how can I check that the result is correct without re-doing the computation myself? This is the question that efficient verifiable computation deals with. In this work, we address the issue of verifying the computation as it unfolds. That is, at any intermediate point in the computation, I would like to see a proof that the current state is correct. Ideally, these proofs should be short, non-interactive, and easy to verify. In addition, the proof at each step should be generated efficiently by updating the previous proof, without recomputing the entire proof from scratch. This notion, known as incrementally verifiable computation, was introduced by Valiant [TCC 08] about a decade ago. Existing solutions follow the approach of recursive proof composition and can be based on strong and non-falsifiable cryptographic assumptions (so-called ``knowledge assumptions'').
In this work, we present a new framework for constructing incrementally verifiable computation schemes in both the publicly verifiable and designated-verifier settings. Our designated-verifier scheme is based on somewhat homomorphic encryption (which can be based on Learning with Errors) and our publicly verifiable scheme is based on the notion of zero-testable homomorphic encryption, which can be constructed from ideal multi-linear maps [Paneth and Rothblum, TCC 17].
Our framework is anchored around the new notion of a probabilistically checkable proof (PCP) with incremental local updates. An incrementally updatable PCP proves the correctness of an ongoing computation, where after each computation step, the value of every symbol can be updated locally without reading any other symbol. This update results in a new PCP for the correctness of the next step in the computation. Our primary technical contribution is constructing such an incrementally updatable PCP. We show how to combine updatable PCPs with recently suggested (ordinary) verifiable computation to obtain our results.
In this work, we present a new framework for constructing incrementally verifiable computation schemes in both the publicly verifiable and designated-verifier settings. Our designated-verifier scheme is based on somewhat homomorphic encryption (which can be based on Learning with Errors) and our publicly verifiable scheme is based on the notion of zero-testable homomorphic encryption, which can be constructed from ideal multi-linear maps [Paneth and Rothblum, TCC 17].
Our framework is anchored around the new notion of a probabilistically checkable proof (PCP) with incremental local updates. An incrementally updatable PCP proves the correctness of an ongoing computation, where after each computation step, the value of every symbol can be updated locally without reading any other symbol. This update results in a new PCP for the correctness of the next step in the computation. Our primary technical contribution is constructing such an incrementally updatable PCP. We show how to combine updatable PCPs with recently suggested (ordinary) verifiable computation to obtain our results.
Tassos Dimtiriou
ePrint Report
Most electronic voting systems today satisfy the basic requirements of privacy, unreusability, eligibility and fairness in a natural and rather straightforward way. However, receipt-freeness, incoercibility and universal verifiability are much harder to implement and in many cases they require a large amount of computation and communication overhead. In this work, we propose a blockchain-based voting system which achieves all the properties expected from secure elections without requiring too much from the voter. Coercion resistance and receipt-freeness are ensured by means of a randomizer token -- a tamper-resistance source of randomness which acts as a black box in constructing the ballot for the user. Universal verifiability is ensured by the append-only structure of the blockchain, thus minimizing the trust placed in election authorities. Additionally, the system has linear overhead when tallying the votes, hence it is scalable and practical for large scale elections.
Houssem Maghrebi, Davide Alessio
ePrint Report
White-box cryptography was first introduced by Chow et al. in $2002$ as a software technique for implementing cryptographic algorithms
in a secure way that protects secret keys in an untrusted environment.
Ever since, Chow et al.'s design has been subject to the well-known Differential Computation Analysis (DCA). To resist DCA, a natural approach that white-box designers investigated is to apply the common side-channel countermeasures such as masking. In this paper, we suggest applying the well-studied leakage detection methods to assess the security of masked white-box implementations. Then, we extend some well-known side-channel attacks (i.e. the bucketing computational analysis, the mutual information analysis, and the collision attack) to the higher-order case to defeat higher-order masked white-box implementations. To illustrate the effectiveness of these attacks, we perform a practical evaluation against a first-order masked white-box implementation. The obtained results have demonstrated the practicability of these attacks in a real-world scenario.
Wouter Castryck, Thomas Decru
ePrint Report
For primes \(p \equiv 3 \bmod 4\), we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring \(Z[(1 + \sqrt{-p})/2]\), amounts to just a few sign switches in the underlying arithmetic. If \(p \equiv 7 \bmod 8\) then the availability of very efficient horizontal 2-isogenies allows for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor \(Z_3\) of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security.
04 December 2019
Queen's University Belfast, Centre for Secure Information Technologies, Belfast, UK
Job Posting
We currently have four open research fellow positions at the Centre for Secure Information Technologies (CSIT) in Queen’s University Belfast (QUB) in the areas of hardware security and cryptography:
Research Fellow in Post-Quantum Cryptography (3 years) to conduct research into the design and implementation of practical, robust and physically secure post-quantum cryptographic architectures, as part of the UK Quantum Communications Hub project.
Research Fellow in Side Channel Analysis (3 years) to conduct research into physical side channel attacks and countermeasures of post-quantum cryptographic architectures as part of the UK Quantum Communications Hub project.
Research Fellow in Hardware Trojan Detection (30 months) to conduct research into the application of advanced machine learning techniques for use in hardware Trojan detection, as part of the EPSRC-funded DeepSecurity project.
Research Fellow in Physical Unclonable Function (30 months)
to conduct research into software-based PUF designs for embedded microprocessors, as part of an international collaborative project, SIPP- Secure IoT Processor Platform with Remote Attestation.
These post-doctoral positions will be based at CSIT, which is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research, and is also host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE).
The successful applicants will have a 2:1 Honours degree in Electrical and Electronic Engineering/Computer Science/Mathematics (or related discipline), and have, or be about to obtain, a PhD in a relevant subject, as well as at least 3 years recent relevant research experience in one, or more, of the following areas: side channel analysis, FPGA/ASIC/Embedded systems design, hardware design or hardware/software co-design.
For further information and to apply please check out the QUB job vacancies website: http://www.qub.ac.uk/sites/QUBJobVacancies/ResearchJobs/
These post-doctoral positions will be based at CSIT, which is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research, and is also host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE).
The successful applicants will have a 2:1 Honours degree in Electrical and Electronic Engineering/Computer Science/Mathematics (or related discipline), and have, or be about to obtain, a PhD in a relevant subject, as well as at least 3 years recent relevant research experience in one, or more, of the following areas: side channel analysis, FPGA/ASIC/Embedded systems design, hardware design or hardware/software co-design.
For further information and to apply please check out the QUB job vacancies website: http://www.qub.ac.uk/sites/QUBJobVacancies/ResearchJobs/
Closing date for applications:
Contact: Ciara Rafferty (c.m.rafferty@qub.ac.uk)
More information: http://www.qub.ac.uk/sites/QUBJobVacancies/ResearchJobs/
Ingo Braun, Fabio Campos, Steffen Reith, Mand Marc Stöttinger
ePrint Report
We investigate multiple implementations of a hash-based digital signature scheme in software and hardware for a RISC-V processor. For this, different instantiations of XMSS by leveraging SHA-256 and SHA-3 are considered. Moreover, we propose various optimisations for accelerating the signature scheme on resource-constrained FPGAs.
Compared to the pure software version, the implemented hardware accelerators for SHA-256 and SHA-3 achieve a significant speedup of 25x and 87x respectively for generating 2^10 key pairs. Signing and verifying with such key pairs achieves a speedup of 17x and 10x in the case of SHA-256 and respectively 55x and 20x for SHA-3. Recently, Wang et al. presented an XMSS-specific software-hardware co-design, resulting in significant speedups. Our general-purpose hardware accelerator for SHA-256 further reduces the calculation cost for signing by 26%, and by 28% for verifying in comparison to results of Wang et al., and achieves as well a better time-area product for signing (3.3x) and verifying (2.5x).
Vincent HERBERT
ePrint Report
Lattice-based cryptography offers quantum-resistant cryptosystems but there is not yet official recommendations to choose parameters with standard security levels. Some of these cryptosystems permit secure computations and aim at a wider audience than cryptographic community. We focus on one of them, a leveled homomorphic cryptosystem (LHE): Brakersi/Fan-Vercauteren's (BFV) one. The family of LHE cryptosystems needs to be well-instantiated not only to protect input and output ciphertexts and to perform efficiently computations, but also, for them, parametrization constrains the quantity of homomorphic computations that can be performed with guarantee of correctness. It demands to choose parameters accordingly. In addition, each implementation brings external constraints to optimize performance. All of this makes it tedious for the non-expert user to choose parameters. To solve this, we have developed CinguParam to help user to instantiate implementations of BFV in different libraries: Cingulata, FV-NFLlib and Microsoft SEAL. CinguParam permits to generate an up-to-date database of parameter sets in function of computation budget, security parameters and implementation choices. This tool includes a notion of budget to ensure correct homomorphic computations and the one of BKZ reduction cost model to grasp the gap from concrete security, nowadays. It makes use of the LWE-Estimator to obtain up-to-date security estimations. CinguParam permits to select automatically a suitable parameter set with Cingulata and it can be used to generate code snippets to set parameters with FV-NFLlib and Microsoft SEAL.
SMChain: A Scalable Blockchain Protocol for Secure Metering Systems in Distributed Industrial Plants
Gang Wang, Zhijie Jerry Shi, Mark Nixon, Song Han
ePrint Report
Metering is a critical process in large-scale distributed industrial plants, which enables multiple plants to collaborate to offer mutual services without outside interference. When distributed plants measure the data from a shared common source, e.g., flow metering in an oil pipeline, trustworthiness and immutability must be guaranteed among them. In this paper, we propose a hierarchical and scalable blockchain-based secure metering system, \textit{SMChain}, to provide strong security, trustworthy guarantee, and immutable services. {\em SMChain} adopts a two-layer blockchain structure, consisting of independent local blockchains stored at individual plants and one state blockchain stored in the cloud. To deal with the scalability issues within each plant, we propose a novel scalable Byzantine Fault Tolerance (BFT) consensus protocol based on \textit{(k, n)}-threshold signature scheme to deal with the Byzantine faults and reduce the intra-plant communication complexity from $O(n^2)$ to $O(n)$. For the state blockchain, we use a cloud-based service to synchronize and integrate the local blockchains into one state blockchain, which can further be distributed back to each plant.
Assimakis Kattis, Konstantin Panarin, Alexander Vlasov
ePrint Report
We introduce an efficient transformation from univariate polynomial commitment based zk-SNARKs to their fully transparent counterparts. The transformation is achieved with the help of a new IOP primitive which we call a list polynomial commitment. This primitive is applicable for preprocessing zk-SNARKs over both prime and binary fields. We present the primitive itself along with a soundness analysis of the transformation and instantiate it with an existing universal proof system. We also present benchmarks for a proof of concept implementation alongside a comparison with a non-transparent alternative based on Kate commitments. Our results show competitive efficiency both in terms of proof size and generation times at large security levels.
Jan-Pieter D'Anvers, Mélissa Rossi, Fernando Virdia
ePrint Report
Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large number, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the failure boosting technique of D'Anvers et al. in PKC 2019, we propose an approach that we call directional failure boosting that uses previously found failing ciphertexts to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by $\langle X^{N} + 1 \rangle$ and demonstrate it on a simple Mod-LWE-based scheme parametrized à la Kyber768/Saber. We show that using our technique, the cost of searching for additional failing ciphertexts after one or more have already been found can be sped up dramatically, thus demonstrating that these schemes should be designed so that it is hard to even obtain one decryption failure.
Xiaoxia Jiang, Youliang Tian
ePrint Report
The inconsistency of Nash equilibrium of rational delegated computation scheme in the UC framework will lead to the lack of strict security proof of the protocols fundamentally. The consistency proof of Nash equilibrium between the ideal world and the real world has always been a challenge in the research field. In this paper, we analyze the Nash equilibrium according to the game model of rational delegated computation, and the ideal functionality for rational delegation of computation based on incentive-driven adversary is proposed, then we construct a rational delegated computation protocol for UC-realizing the ideal functionality. In a word, the proposed rational delegated computing protocol based on incentive-driven adversary has been proven to be secure in the universally composable framework, furthermore, we effectively solve the inconsistency problem of Nash equilibrium between the real world and the ideal world.
Gaëlle Candel, Rémi Géraud-Stewart, David Naccache
ePrint Report
Secret sharing splits a secret $s$ into $\ell$ shares in such a way that $k\leq \ell$ shares suffice to reconstruct $s$. Let $\rho_{i,j}$ be the probability that shareholder $i$ disclose their share to shareholder $j$, with $0 \leq i,j < n$.
Given $k \leq \ell \leq n$, to whom $\ell$ individuals should we hand shares, if we wish to minimize the probability that one of them reconstitutes $s$?
Given $k \leq \ell \leq n$, to whom $\ell$ individuals should we hand shares, if we wish to minimize the probability that one of them reconstitutes $s$?
Yasufumi Hashimoto
ePrint Report
A new multivariate cryptosystem based on a linear code was proposed by Smith-Tone and Tone quite recently.
This short note points out that it is a variant of UOV.
Daniel J. Bernstein, Tanja Lange
ePrint Report
Recent results have shown that some post-quantum cryptographic systems have encryption and decryption performance comparable to fast elliptic-curve cryptography (ECC) or even better. However, this performance metric is considering only CPU time and ignoring bandwidth and storage. High-confidence post-quantum encryption systems have much larger keys than ECC. For example, the code-based cryptosystem recommended by the PQCRYPTO project uses public keys of 1MB.
Fast key erasure (to provide ``forward secrecy'') requires new public keys to be constantly transmitted. Either the server needs to constantly generate, store, and transmit large keys, or it needs to receive, store, and use large keys from the clients. This is not necessarily a problem for overall bandwidth, but it is a problem for storage and computation time on tiny network servers. All straightforward approaches allow easy denial-of-service attacks.
This paper describes a protocol, suitable for today's networks and tiny servers, in which clients transmit their code-based one-time public keys to servers. Servers never store full client public keys but work on parts provided by the clients, without having to maintain any per-client state. Intermediate results are stored on the client side in the form of encrypted cookies and are eventually combined by the server to obtain the ciphertext. Requirements on the server side are very small: storage of one long-term private key, which is much smaller than a public key, and a few small symmetric cookie keys, which are updated regularly and erased after use. The protocol is highly parallel, requiring only a few round trips, and involves total bandwidth not much larger than a single public key. The total number of packets sent by each side is 971, each fitting into one IPv6 packet of less than 1280 bytes.
The protocol makes use of the structure of encryption in code-based cryptography and benefits from small ciphertexts in code-based cryptography.
Fast key erasure (to provide ``forward secrecy'') requires new public keys to be constantly transmitted. Either the server needs to constantly generate, store, and transmit large keys, or it needs to receive, store, and use large keys from the clients. This is not necessarily a problem for overall bandwidth, but it is a problem for storage and computation time on tiny network servers. All straightforward approaches allow easy denial-of-service attacks.
This paper describes a protocol, suitable for today's networks and tiny servers, in which clients transmit their code-based one-time public keys to servers. Servers never store full client public keys but work on parts provided by the clients, without having to maintain any per-client state. Intermediate results are stored on the client side in the form of encrypted cookies and are eventually combined by the server to obtain the ciphertext. Requirements on the server side are very small: storage of one long-term private key, which is much smaller than a public key, and a few small symmetric cookie keys, which are updated regularly and erased after use. The protocol is highly parallel, requiring only a few round trips, and involves total bandwidth not much larger than a single public key. The total number of packets sent by each side is 971, each fitting into one IPv6 packet of less than 1280 bytes.
The protocol makes use of the structure of encryption in code-based cryptography and benefits from small ciphertexts in code-based cryptography.