IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
02 April 2020
Kaushik Nath, Palash Sarkar
      In this work we propose three new algorithms for 4-way vectorization of the well known Montgomery ladder. The first algorithm requires three multiplication rounds which is optimal. The computation of the Montgomery ladder includes a multiplication by a constant which is small for curves that are used in practice. In this case, using the round optimal algorithm is not the best choice. Our second algorithm requires two multiplication rounds, a squaring round and a round for the multiplication by the constant. This provides an improvement over the first algorithm. The third algorithm improves upon the first two for fixed base scalar multiplication, where the base point is small. The well known Montgomery curves Curve25519 and Curve448 are part of the TLS protocol, version~1.3. For these two curves, we provide constant time assembly implementations of the shared secret computation phase of the Diffie-Hellman key agreement protocol. Timing results on the Haswell and Skylake processors show significant speed improvements in comparison to best known existing implementations corresponding to previously published works.
          
  Samuel Dittmer, Rafail Ostrovsky
      Oblivious compaction is a crucial building block for hash-based oblivious RAM. Asharov et al. recently gave a O(n) algorithm for oblivious tight compaction. Their algorithm is deterministic and asymptotically optimal, but it is not practical to implement because the implied constant is $\gg 2^{38}$. We give a new algorithm for oblivious tight compaction that runs in time $< 16014.54n$. As part of our construction, we give a new result in the bootstrap percolation of random regular graphs.
          
  Sarah Bordage, Julien Lavauzelle
      We show that the single-server computational PIR protocol proposed by Holzbaur, Hollanti and Wachter-Zeh in 2020 is not private, in the sense that the server can recover in polynomial time the index of the desired file with very high probability. The attack relies on the following observation. Removing rows of the query matrix corresponding to the desired file yields a large decrease of the dimension over $\mathbb{F}_q$ of the vector space spanned by the rows of this punctured matrix. Such a dimension loss only shows up with negligible probability when rows unrelated to the requested file are deleted.
          
  Leonie Reichert, Samuel Brack, Björn Scheuermann
      The currentCovid-19 pandemic shows that our modern globalized world can be heavily  affected  by  a  quickly  spreading,  highly  infectious,  deadly  virus  in  a  matter of  weeks.   It  became  apparent  that  manual  contact  tracing  and  quarantining  of suspects can only be effective in the first days of the spread before the exponential growth overwhelms the health authorities.By  automating  tracing  processes  and  quarantining  everyone  who  came  in  contactwith  infected  people,  as  well  as  arriving  travelers,  it  should  be  possible  to  quickly loosen  lockdown  measures.   Countries  like  China,  Singapore  and  Israel  hastily  developed privacy-endangering schemes to computationally trace contacts using user-generated  location  histories  or  mass  surveillance  data  [2].   For  instance,  there  are already reports of deanonymizations of South Korean citizens from their published anonymized data set of infected people [3]. To  approach  this  conflict  of  interests  we  propose  to  evaluate  a  privacy-preserving contact tracing system.
Our main contributions are:
* Identification and formulation of privacy risks of contact tracing. 
* Design of a privacy-preserving approach to contact tracing.
Our preliminary evaluation shows that the proposed approach is feasible indifferent scenarios derived from real-world case studies.
  Our preliminary evaluation shows that the proposed approach is feasible indifferent scenarios derived from real-world case studies.
Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Muthu Venkitasubramaniam, Ruihan Wang
      In this work, we design and implement the first protocol for RSA modulus construction that can support thousands of parties and offers security against an arbitrary number of corrupted parties.
In a nutshell, we design the ``best'' protocol for this scale that is secure against passive corruption, then amplify it to obtain active security using efficient non-interactive zero-knowledge arguments. Our protocol satisfies a stronger security guarantee where a deviating party can be identified when the protocol aborts (referred to as security with identifiable-abort) and allows for ``public verifiability''.
Our passively secure protocol extends the recent work of Chen et al. that, in turn, is based on the blueprint introduced in the original work of Boneh-Franklin protocol (CRYPTO 1997, J. ACM, 2001). Specifically, we reduce the task of sampling a modulus to secure distributed multiplication, which we implement via an efficient threshold additively homomorphic encryption (AHE) scheme based on the Ring-LWE assumption. This results in a protocol where the amortized per-party communication cost grows logarithmically in the number of parties. In order to keep the parties lightweight, we employ an ``untrusted'' coordinator that is connected to all parties and performs all public and broadcast operations.
We amplify this protocol to obtain active security (with identifiable-abort) by attaching zero-knowledge proofs. We instantiate our ZK proof system by composing two different types of ZK proof systems: (1) the Ligero sub-linear zero-knowledge proof system (Ames et al., CCS 2017), and (2) $$\Sigma$$-protocol for proving the knowledge of a discrete logarithm in unknown order groups (Shoup, Eurocrypt 2000).
We implemented both the passive and the active variants of our protocol and ran experiments using 2 to 4,000 parties. This is the first such implementation of any MPC protocol that can scale to more than 1,000 parties. For generating a 2048-bit modulus among 1,000 parties, our passive protocol executed in under 4 minutes and the active variant ran in 22 minutes.
  In a nutshell, we design the ``best'' protocol for this scale that is secure against passive corruption, then amplify it to obtain active security using efficient non-interactive zero-knowledge arguments. Our protocol satisfies a stronger security guarantee where a deviating party can be identified when the protocol aborts (referred to as security with identifiable-abort) and allows for ``public verifiability''.
Our passively secure protocol extends the recent work of Chen et al. that, in turn, is based on the blueprint introduced in the original work of Boneh-Franklin protocol (CRYPTO 1997, J. ACM, 2001). Specifically, we reduce the task of sampling a modulus to secure distributed multiplication, which we implement via an efficient threshold additively homomorphic encryption (AHE) scheme based on the Ring-LWE assumption. This results in a protocol where the amortized per-party communication cost grows logarithmically in the number of parties. In order to keep the parties lightweight, we employ an ``untrusted'' coordinator that is connected to all parties and performs all public and broadcast operations.
We amplify this protocol to obtain active security (with identifiable-abort) by attaching zero-knowledge proofs. We instantiate our ZK proof system by composing two different types of ZK proof systems: (1) the Ligero sub-linear zero-knowledge proof system (Ames et al., CCS 2017), and (2) $$\Sigma$$-protocol for proving the knowledge of a discrete logarithm in unknown order groups (Shoup, Eurocrypt 2000).
We implemented both the passive and the active variants of our protocol and ran experiments using 2 to 4,000 parties. This is the first such implementation of any MPC protocol that can scale to more than 1,000 parties. For generating a 2048-bit modulus among 1,000 parties, our passive protocol executed in under 4 minutes and the active variant ran in 22 minutes.
Huanyu Wang, Elena Dubrova
      The majority of recently demonstrated deep-learning side-channel attacks use a single neural network classifier to recover the key. The potential benefits of combining multiple classifiers have not been explored yet in the side-channel attack's context. In this paper, we show that, by combining several CNN classifiers which use different attack points, it is possible to considerably reduce (more than 40% on average) the number of traces required to recover the key from an FPGA implementation of AES by power analysis. We also show that not all combinations of classifiers improve the attack efficiency.
          
  Claude Carlet
      Given a vectorial function $F:\mathbb{F}_2^n \mapsto \mathbb{F}_2^m$, the indicator $1_{{\cal G}_F}$ of its graph ${\cal G}_F=\{(x,F(x)); x\in \mathbb{F}_2^n\}$ allows to express the algebraic degree of $F$ in a simple way. Exploiting the formula, obtained in a previous paper, for the graph indicator of a composite function $G\circ F$, that involves only a sum of products of $1_{{\cal G}_F}$ and $1_{{\cal G}_G}$, we deduce bounds on the algebraic degree of $G\circ F$, whose efficiency comes from the fact that the algebraic degree of the product of two Boolean functions is bounded above by the sum of their algebraic degrees, while for a composition, it is bounded above by their product. One of these bounds, that depends on the algebraic degrees of $G$ and $1_{{\cal G}_F}$, is tight, general, simple, and most often efficient (for the case where it is not efficient, we give an improved bound, that is a little more complex). As far as we know, it is the first efficient upper bound ever found, that works without any condition on the vectorial functions. It provides a new criterion for the choice of S-boxes in block ciphers. It implies as a corollary a known bound assuming the divisibility of the Walsh transform values by a power of 2. It gives a better view why this latter bound works. Our results nicely generalize to more than two functions. \\
When $F$ is a permutation, our expression of the algebraic degree of $G\circ F$ simplifies into a formula involving the algebraic degrees of the products of a coordinate function of $G$ and coordinate functions of $F^{-1}$. This implies and improves another known bound showing that the algebraic degree of $F^{-1}$ has more impact on that of $G\circ F$ than that of $F$ itself, and providing a criterion for the choice of S-boxes in block ciphers when they are permutations: both algebraic degrees of $F$ and $F^{-1}$ should be as large a possible. Our approach by graph indicators gives an explanation to this interesting fact. Our results include all the known efficient bounds as particular cases, and clarify the reasons why they work. We also deduce the exact expression of the algebraic degree of the composition of three functions, leading to a bound that is much more efficient than what we obtain by applying the known bound two times. We also obtain two bounds on the algebraic degree of $G \circ F$, given the divisibility by powers of 2 of coefficients in the numerical normal forms of component functions of $F^{-1}$, and their sums with a coordinate function of $G$. We study their consequences and generalizations.
          
  Matthias J. Kannwischer, Peter Pessl, Robert Primas
      Since its selection as the winner of the SHA-3 competition, Keccak, with all its variants, has found a large number of applications. It is, for instance, a common building block in schemes submitted to NIST's post-quantum cryptography project. In many of these applications, Keccak processes ephemeral secrets. In such a setting, side-channel adversaries are limited  to a single observation, meaning that differential attacks are inherently prevented. If, however, such a single trace of Keccak can already be sufficient for key recovery has so far been unknown.
In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime.
We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.
  In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime.
We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.
Megan Chen, Ran Cohen, Jack Doerner, Yashvanth Kondi, Eysa Lee, Schuyler Rosefield, abhi shelat
      We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring.
Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto'18), and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt'19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime, and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.
  Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto'18), and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt'19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime, and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.
David Knichel, Thorben Moos, Amir Moradi
      Side-channel analysis (SCA) attacks  especially
power analysis  are powerful ways to extract the secrets stored
in and processed by cryptographic devices. In recent years,
researchers have shown interest in utilizing on-chip measurement
facilities to perform such SCA attacks remotely. It was shown
that simple voltage-monitoring sensors can be constructed from
digital elements and put on multi-tenant FPGAs to perform
remote attacks on neighbouring cryptographic co-processors. A
similar threat is the unsuspecting integration of third-party IPCores
into an IC design. Even if the function of an acquired
IP-Core is not security critical by itself, it may contain an onchip
sensor as a Trojan that can eavesdrop on cryptographic
operations across the whole device. In contrast to all FPGAbased
investigations reported in the literature so far, we examine
the efficiency of such on-chip sensors as a source of information
leakage in an ASIC-based case study for the first time. To this
end, in addition to a cryptographic core (lightweight block cipher
PRESENT) we designed and implemented a voltage-monitoring
sensor on an ASIC fabricated by a 40nm commercial standard
cell library. Despite the physical distance between the sensor and
the PRESENT core, we show the possibility of fully recovering
the secret key of the PRESENT core by processing the sensors
output. Our results imply that the hidden insertion of such a
sensor  for example by a malicious third party IP-Core vendor
 can endanger the security of embedded systems which deal
with sensitive information, even if the device cannot be physically
accessed by the adversary.
          
  Dorian Amiet, Andreas Curiger, Lukas Leuenberger, Paul Zbinden
      The key encapsulation method NewHope allows two parties to agree on a secret key. The scheme includes a private and a public key. While the public key is used to encipher a random shared secret, the private key enables to decipher the ciphertext. NewHope is a candidate in the NIST post-quantum project, whose aim is to standardize cryptographic systems that are secure against attacks originating from both quantum and classical computers. While NewHope relies on the theory of quantum-resistant lattice problems, practical implementations have shown vulnerabilities against side-channel attacks targeting the extraction of the private key. In this paper, we demonstrate a new attack on the shared secret. The target consists of the C reference implementation as submitted to the NIST contest, being executed on a Cortex-M4 processor. Based on power measurement, the complete shared secret can be extracted from data of one single trace only. Further, we analyze the impact of different compiler directives. When the code is compiled with optimization turned off, the shared secret can be read from an oscilloscope display directly with the naked eye. When optimizations are enabled, the attack requires some more sophisticated techniques, but the attack still works on single power traces.
          
  Marcel Tiepelt, Jan-Pieter D'Anvers
      Mersenne number schemes are a new strain of potentially quantum-safe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two Mersenne number based schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly.  
In this work we show that the information leaked from failing ciphertexts can be used to gain information about the secret key. We present an attack exploiting this information to break the IND-CCA security of Ramstake. First, we introduce an estimator for the bits of the secret key using decryption failures. Then, our estimates can be used to apply the Slice-and-Dice attack due to Beunardeau et al. at significantly reduced complexity to recover the full secret.
We implemented our attack on a simplified version of the code submitted to the NIST competition. Our attack is able to extract a good estimate of the secrets using $2^{12}$ decryption failures, corresponding to $2^{74}$~failing ciphertexts in the original scheme. Subsequently the exact secrets can be extracted in $O(2^{46})$ quantum computational steps.
  We implemented our attack on a simplified version of the code submitted to the NIST competition. Our attack is able to extract a good estimate of the secrets using $2^{12}$ decryption failures, corresponding to $2^{74}$~failing ciphertexts in the original scheme. Subsequently the exact secrets can be extracted in $O(2^{46})$ quantum computational steps.
Hangwei Lu, Dhwani Mehta, Olivia Paradis, Navid Asadizanjani, Mark Tehranipoor, Damon L. Woodard
      Over the years, the computer vision and machine learning disciplines have considerably advanced the field of automated visual inspection for Printed Circuit Board (PCB) assurance. However, in practice, the capabilities and limitations of these advancements remain unknown because there are few publicly accessible datasets for PCB visual inspection and even fewer that contain images that simulate realistic application scenarios. To address this need, we propose a publicly available dataset, FICS-PCB, to facilitate the development of robust methods for automated PCB visual inspection. The proposed dataset includes challenging cases from four variable aspects: PCB manufacturing, illumination, scale, and image sensor. The FICS-PCB dataset consists of 8,685 images of 31 PCB samples and contains 75,965 annotated components. This paper reviews the existing datasets and methodologies used for PCB visual inspection, discusses problem challenges, describes the proposed dataset, and presents baseline performances using feature-based and deep learning methods for automated PCB component visual inspection.
          
  Sankhanil Dey, Amlan Chakrabarti, Ranjan Ghosh
      Search for monic irreducible polynomials (IPs) over extended Galois field GF(p^q) for a large value of the prime moduli p and a large extension to the Galois Field q is a well needed solution in the field of cryptography. In this paper a new algorithm to obtain monic IPs over extended Galois field GF(p^q) for the large values of p and q is introduced. Here in this paper the positional arithmetic is used to multiply all possible two monic elemental polynomials (EPs) with their Galois field number (GFN) to generate all the monic reducible polynomials (RPs). All the monic RPs are cancelled out from the list of monic basic polynomials (BPs) leaving behind all the monic IPs. Time complexity analysis of the said algorithm is also executed that ensures the algorithm to be less time consuming.
          
  01 April 2020
Guildford, United Kingdom, 18 September 2020
      Event date: 18 September 2020
Submission deadline: 25 June 2020
Notification: 30 July 2020
  Submission deadline: 25 June 2020
Notification: 30 July 2020
Amsterdam, The Netherlands, 11 January - 13 January 2021
      Event date: 11 January to 13 January 2021
Submission deadline: 1 September 2020
Notification: 1 November 2020
  Submission deadline: 1 September 2020
Notification: 1 November 2020
31 March 2020
      After further consideration, the IACR board together with the EUROCRYPT 2020 general chairs have decided that EUROCRYPT 2020, which was originally scheduled to be held in Croatia during 10-14 May 2020, will now be converted into an all-digital event, with dates to be decided. The conference proceedings will be published according to the original schedule. 
The dates and details of the new all-digital event will be communicated at a later time via the IACR news system, the conference website, and other appropriate communication channels.
The locations and dates of EUROCRYPT 2021 and EUROCRYPT 2022 have also changed as follows:
The board wishes safety and health to all our members during these challenging times.
          
  The dates and details of the new all-digital event will be communicated at a later time via the IACR news system, the conference website, and other appropriate communication channels.
The locations and dates of EUROCRYPT 2021 and EUROCRYPT 2022 have also changed as follows:
- EUROCRYPT 2021 will take place in Zagreb, Croatia, during May 3-6, 2021;
- EUROCRYPT 2022 will take place in Trondheim, Norway.
The board wishes safety and health to all our members during these challenging times.
28 March 2020
Behzad Abdolmaleki, Daniel Slamanig
      Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs are NIZK proofs where the common reference string (CRS) is allowed to depend on the language and they can be very efficient for specific languages. Thus, they are for instance used within the LegoSNARK toolbox (Campanelli et. al ACM CCS'19) as SNARKs for linear subspace languages. Recently, there has been an increasing interest to reduce trust in the generator of the CRS, as a fully trusted party is usually hard to find for real-world applications. One important line of work in this direction is subversion zero-knowledge (Bellare et al. ASIACRYPT'16), where the zero-knowledge property even holds when the CRS is generated maliciously. 
In this paper, we investigate QA-NIZKs in the aforementioned setting. First, we analyze the security of the most efficient QA-NIZK constructions of Kiltz and Wee (EUROCRYPT'15) and the asymmetric QA-NIZKs by Gonzalez et al. (ASIACRYPT'15) when the CRS is subverted and propose subversion versions of them. Secondly, for the first time, we construct l-time simulation sound and unbounded simulation sound subversion QA-NIZK. Thirdly, we show how to integrate our subversion QA-NIZKs into the LegoSNARK toolbox, where subversion resistance is not yet considered. Our results together with recent subversion zk-SNARKS (Abdolmaleki et al. ASIACRYPT'17; Fuchsbauer PKC'18, Lipmaa EPRINT'19), are an important step towards a subversion variant of the LegoSNARK toolbox. Finally, we believe that our (SS) subversion QA-NIZKs will be of interest beyond the aforementioned application.
  In this paper, we investigate QA-NIZKs in the aforementioned setting. First, we analyze the security of the most efficient QA-NIZK constructions of Kiltz and Wee (EUROCRYPT'15) and the asymmetric QA-NIZKs by Gonzalez et al. (ASIACRYPT'15) when the CRS is subverted and propose subversion versions of them. Secondly, for the first time, we construct l-time simulation sound and unbounded simulation sound subversion QA-NIZK. Thirdly, we show how to integrate our subversion QA-NIZKs into the LegoSNARK toolbox, where subversion resistance is not yet considered. Our results together with recent subversion zk-SNARKS (Abdolmaleki et al. ASIACRYPT'17; Fuchsbauer PKC'18, Lipmaa EPRINT'19), are an important step towards a subversion variant of the LegoSNARK toolbox. Finally, we believe that our (SS) subversion QA-NIZKs will be of interest beyond the aforementioned application.
Qianhong Wan, Longjiang Qu, Chao Li
      Constructions and equivalence of APN functions play a significant role in the research of cryptographic functions. On finite fields of characteristic 2, 6 families of power APN functions and 14 families of polynomial APN functions have been constructed in the literature. However, the study on the equivalence among the aforementioned APN functions is rather limited to the equivalence in the power APN functions. Meanwhile, the theoretical analysis on the equivalence between the polynomial APN functions and the power APN functions, as well as the equivalence in the polynomial APN functions themselves, is far less studied. In this paper, we give the theoretical analysis on the inequivalence in 8 known families of polynomial APN functions and power APN functions.
          
  Yongge Wang
      Ethereum Research team has proposed a family of Casper blockchain consensus protocols. It has been shown
in the literature that the Casper Friendly Finality Gadget (Casper FFG) cannot achieve liveness property in partially synchronous networks such as  the Internet environment.  The ``Correct-by-Construction'' family of Casper blockchain 
consensus protocols (CBC Casper) has been proposed as a finality gadget for the future Proof-of-Stake (PoS) 
based Ethereum blockchain. Unfortunately,  no satisfactory/constructive finality rules have been proposed 
for CBC Casper and no satisfactory liveness property has been obtained for CBC Casper. 
Though it is commonly/widely believed in the community that CBC Casper could not 
achieve liveness property in asynchronous networks, this paper provides a surprising result
by proposing the first CBC Casper protocol that achieves liveness property against t=n/5
Byzantine participants in completely asynchronous networks. Our protocol can also be considered 
as an improvement of the seminal work by Ben-Or. That is, Ben-Or's BFT protocol
converges in exponential steps in asynchronous networks. Our result show that the revised Ben-Or's BFT protocol
could converge in constant steps with the identical Byzantine fault tolerance threshold.
          
  