IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
30 April 2020
University of Surrey, Department of Computer Science, Guildford, UK
Job PostingWe seek to appoint a lecturer in one or more of the following areas: machine learning, cloud computing, programming-languages principles, and the intersection of security and AI, which are already areas of research within the Department. We are also interested in candidates who have experience in data science, edge networks, social computing and DevOps security, in order to expand our research in new directions.
The Department is renowned for its security and artificial intelligence research, with publications in leading venues in artificial intelligence (TNNLS, TEVC, CBY, TSP, Machine Learning, Neural Computation, Bioinformatics, IJCAI, AAMAS), programming languages (FASE, PODC), security (CCS, S&P, Esorics, Euro S&P, CSF, TDSC, TIFS ), cryptography (Crypto, Eurocrypt), cloud computing and networking (InfoCOM, Trans. Networking), and web & social computing (WWW, ICWSM, and Web Science)
Notably,
We encourage ambitious post-docs and early career lecturers to apply.
Closing date for applications:
Contact: Professor Helen Treharne, Head of Department, (h.treharne@surrey.ac.uk)
More information: https://jobs.surrey.ac.uk/vacancy.aspx?ref=020820
Wasilij Beskorovajnov, Felix Dörre, Gunnar Hartung, Alexander Koch, Jörn Müller-Quade, Thorsten Strufe
ePrint ReportHowever, current decentralized protocols, including DP3T and the protocol by Canetti, Trachtenberg and Varia, do not sufficiently protect infected users from having their status revealed to their contacts, which may raise fear of stigmatization.
By taking a dual approach, we propose a new and practical solution with stronger privacy guarantees even against active adversaries. In particular, we solve the aforementioned problem with additional pseudorandom warning identities that are associated to the broadcasted public identity, but this association is only known to a non-colluding dedicated server, which does not learn to whom the public identity belongs. Then, only these anonymous warning identities are published.
Moreover, our solution allows warned contacts to prove that they have been in contact with infected users, an important feature in times of restricted testing capacities. Among other additional security measures, we detail how the use of secret sharing can prevent the unnecessary and potentially panic-inducing warning of contacts that have only been around the infected person for a very brief time period.
Vipul Goyal, Abhiram Kothapalli, Elisaweta Masserova, Bryan Parno, Yifan Song
ePrint ReportAaron Hutchinson, Koray Karabina
ePrint ReportSijia Zhao, Donal O'Mahony
ePrint ReportIvan Damgård, Thomas Pelle Jakobsen, Jesper Buus Nielsen, Jakob Illeborg Pagter, Michael Bæksvang Østergård
ePrint ReportWe propose a threshold ECDSA protocol secure against an active adversary in the honest majority model with abort. Our protocol is efficient in terms of both computation and bandwidth usage, and it allows the parties to pre-process parts of the signature, such that once the message to sign becomes known, they can compute a secret sharing of the signature very efficiently, using only local operations. We also show how to obtain fairness in the online phase at the cost of some additional work in the pre-processing, i.e., such that the protocol either aborts during the pre-processing phase, in which case nothing is revealed, or the signature is guaranteed to be delivered to all honest parties.
Lorenzo Grassi, Christian Rechberger, Markus Schofnegger
ePrint ReportQuite surprisingly, this direction has hardly been considered in the literature. For example, LowMC uses different linear layers in each round in order to avoid the problem, but this solution is quite expensive, both computationally and memory-wise. Zorro, another construction with an incomplete nonlinear layer, simply reuses the AES matrix, but this introduces weaknesses.
Working from an attacker's perspective and focusing on P-SPN ciphers, in this paper we present conditions which allow to set up attacks based on infinitely long invariant subspace trails -- even when using highly non-trivial linear layers. We also analyze the case in which the trail is not invariant, yet still an infinite number of rounds can be covered. In this paper, we consider two scenarios, namely active and inactive S-boxes. For the first case, we also provide a tool which is able to determine whether a given linear layer matrix is vulnerable against attacks based on our observations.
Finally, we point out that besides P-SPN ciphers, our results may also have a crucial impact on the HADES design strategy recently presented at Eurocrypt 2020, which mixes rounds with full S-box layers and rounds with partial S-box layers in order to guarantee security and achieve good performance in the target applications.
Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, Nicholas Spooner
ePrint ReportBowe, Grigg, and Hopwood (ePrint 2019/1021) outlined how a modified recursive composition may be applied to a particular SNARK construction which does not have a sublinear-time verifier. However, they omit details about this method and do not prove that it satisfies any security property. Nonetheless, schemes based on this idea have already been implemented in software.
In this work we present a collection of results that establish the theoretical foundations for a significant generalization of the above approach. We define an accumulation scheme for a non-interactive argument, and show that this suffices to construct PCD, even if the argument itself does not have a sublinear-time verifier. Moreover we give constructions of accumulation schemes for SNARKs, which yield PCD schemes with novel efficiency and security features.
Adam Gągol, Damian Straszak
ePrint ReportMichele Ciampi, Yun Lu, Vassilis Zikas
ePrint ReportIn this work we provide the first solution to collusion preserving computation which uses weaker and more common assumptions than the above, i.e., an authenticated broadcast functionality and access to honestly generated trusted hardware tokens. We prove that our protocol is collusion-preserving secure (in short, CP secure) as long as no parties abort. In the case of an aborting adversary our protocol loses CP security, but still achieves standard security---against monolithic adversaries---and additionally identifies a corrupted party.
Leveraging the above identifiability property, we augment our protocol with a collateral and compensation mechanism which ensures that it is not profitable to abort, thereby obtaining CP security against incentive driven adversaries. To define (and prove) this latter result, we combine the Rational Protocol Design (RPD) methodology by Garay et al. [FOCS 2013] with the CP framework of Alwen et al. [CRYPTO 2012] to derive a definition of security in the presence of incentive-driven local adversaries which can be of independent interest.
Similar to existing protocols in the CP/CF literature, our protocols preserve, as a fallback, the traditional security properties---i.e., security against monolithic adversaries---even when the setup (i.e., the hardware tokens) is compromised or corrupted.
Demba Sow, Léo Robert, Pascal Lafourcade
ePrint ReportKim Yong-Jin, Yon Yong-Ho, Jong Yu-Jin, Li Ok-Chol
ePrint Report28 April 2020
Rohit Chatterjee, Xiao Liang, Omkant Pandey
ePrint ReportAngel-based security can be achieved using non-black-box constructions in $\max(R_{\mathsf{OT}},\widetilde{O}(\log n))$ rounds where $R_{\mathsf{OT}}$ is the round-complexity of the semi-honest oblivious transfer. However, currently, the best known $\mathit{black\text{-}box}$ constructions under the same assumption require $\max(R_{\mathsf{OT}},\widetilde{O}(\log^2 n))$ rounds. If $R_{\mathsf{OT}}$ is a constant, the gap between non-black-box and black-box constructions can be a multiplicative factor $\log n$. We close this gap by presenting a $\max(R_{\mathsf{OT}},\widetilde{O}(\log n))$-round black-box construction. We achieve this result by constructing constant-round 1-1 CCA-secure commitments assuming only black-box access to one-way functions.
Gennaro Avitabile, Vincenzo Botta, Vincenzo Iovino, Ivan Visconti
ePrint ReportThe COVID-19 pandemic is currently affecting the freedom and life style of many citizens in the world. People are forced to stay home for several weeks, unemployment rates quickly increase, uncertainty and sadness generate an impelling desire to join any government effort in order to stop as soon as possible the spread of the virus.
Following recommendations of epidemiologists, governments are proposing the use of smartphone applications to allow automatic contact tracing of citizens. Such systems can be an effective way to defeat the spread of the SARS-CoV-2 virus since they allow to gain time in identifying potentially new infected persons that should therefore be in quarantine. This raises the natural question of whether this form of automatic contact tracing can be a subtle weapon for governments to violate the privacy of their citizens as part of new and more sophisticated mass surveillance programs.
In order to preserve privacy and at the same time to contribute to the containment of the pandemic, several research partnerships are proposing privacy-preserving contact-tracing systems where pseudonyms are updated periodically to avoid linkability attacks. A core component of such systems is Bluetooth low energy (BLE, for short) a technology that allows two smartphones to detect that they are in close proximity. Among such systems there are some proposals like DP-3T, PACT and the Apple&Google exposure notification system that through a decentralized approach guarantee better privacy properties compared to other centralized approaches (e.g., PEPP-PT-NTK, PEPP-PT-ROBERT). On the other hand, advocates of centralized approaches claim that centralization gives to epidemiologists more useful data, therefore allowing to take more effective actions to defeat the virus.
Motivated by Snowden's revelations about previous attempts of governments to realize mass surveillance programs, in this paper we first analyze mass surveillance attacks that leverage weaknesses of automatic contact systems. We focus in particular on the DP-3T system (still our analysis is significant also for PACT and Apple&Google systems) that has been endorsed by Apple&Google. The endorsement has the impact of integrating in the forthcoming update of Android and iOS special features like a synchronous rotation of the BLE MAC address of the smartphone with the update of the pseudonyms of the DP-3T system.
Based on recent literature and new findings, we discuss how a government can exploit the use of DP-3T to successfully mount privacy attacks as part of a mass surveillance program.
Interestingly, we also show that the privacy issues in DP-3T are not intrinsic in any BLE-based contact tracing system. Indeed, we propose a different system named $\textsf{Pronto-C2}$ that, in our view, enjoys a much better resilience with respect to mass surveillance attacks still relying on BLE. $\textsf{Pronto-C2}$ is based on a paradigm shift: instead of asking smartphones to send keys to the Big Brother (this corresponds to the approach of DP-3T), we construct a decentralized BLE-based ACT system where smartphones anonymously and confidentially talk to each other in the presence of the Big Brother.
$\textsf{Pronto-C2}$ can optionally be implemented using Blockchain technology, offering complete transparency and resilience through full decentralization, therefore being more appealing for citizens. Only through a large participation of citizens contact-tracing systems can be very useful to defeat COVID-19, and our proposal goes straight in this direction.
Ran Canetti, Nikolaos Makriyannis, Udi Peled
ePrint Report* Signature generation takes only 4 rounds (down from the current 8 rounds), with a comparable computational cost. Furthermore, 3 of these rounds can take place in a preprocessing stage before the signed message is known, lending to the first non-interactive threshold ECDSA protocol.
* The protocol withstands adaptive corruption of signatories. Furthermore, it includes a periodic refresh mechanism and offers full proactive security.
* The protocol realizes an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
These properties (low latency, compatibility with cold-wallet architectures, proactive security, and composable security) make the protocol ideal for threshold wallets for ECDSA-based cryptocurrencies.
Hilder Vitor Lima Pereira
ePrint ReportThomas Haines, Johannes Mueller
ePrint ReportVerifiable mix nets differ in many aspects, including their precise verifiability levels, possible trust assumptions, and required cryptographic primitives; unfortunately, these differences are often opaque, making comparison painful.
To shed light on this intransparent state of affairs, we provide the following contributions. For each verifiability technique proposed to date, we first precisely describe how the underlying basic mix net is to be extended and which (additional) cryptographic primitives are required, and then study its verifiability level, including possible trust assumptions, within one generic and expressive verifiability framework. Based on our uniform treatment, we are able to transparently compare all known verifiability techniques for mix nets, including their advantages and limitations.
Altogether, our work offers a detailed and expressive reference point for the design, employment, and comparison of verifiable mix nets.
Fraunhofer AISEC
ePrint ReportYongwoo Lee, Joonwoo Lee, Young-Sik Kim, Jong-Seon No
ePrint ReportEmmanouil Doulgerakis, Thijs Laarhoven, Benne de Weger
ePrint ReportTheoretically, under common heuristic assumptions we show how to solve SVP in dimension $d$ with a cost proportional to running a sieve in dimension $d - \Theta(d / \log d)$, resulting in a $2^{\Theta(d / \log d)}$ speedup and memory reduction compared to running a full sieve. Combined with techniques from [Ducas, Eurocrypt 2018] we can asymptotically get a total of $[\log(13/9) + o(1)] \cdot d / \log d$ dimensions \textit{for free} for solving SVP.
Practically, the main obstacles for observing a speedup in moderate dimensions appear to be that the leading constant in the $\Theta(d / \log d)$ term is rather small; that the overhead of the (batched) slicer may be large; and that competitive enumeration algorithms heavily rely on aggressive pruning techniques, which appear to be incompatible with our algorithms. These obstacles prevented this asymptotic speedup (compared to full sieving) from being observed in our experiments. However, it could be expected to become visible once optimized CVPP techniques are used in higher dimensional experiments.