IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
21 September 2020
SICPA - international company with HQ in Lausanne, Switzerland
Job PostingWHAT YOU WILL DO
Shape new concepts and ideas, quickly and iteratively, through prototyping.
Have meaningful impact on the crafting and delivery in the early stages of the idea, and product life cycles.
Collaborate closely with our development team to craft solid foundation for future product development.
Deliver, as part of the team, a prototype.
Deliver a functioning sandbox environment, with goal to identify competitive advantage and help implement that in practice.
Drive cooperation with platform and lab teams.
WHAT WE NEED FROM YOUYou have relevant technical skills gained via formal education (PhD preferred), and/or red/blue team experience.
You have expertise in applied cryptography, long-term security, Multi-Party Computation (MPC), key rotation schemes, SoC, SE, TEE, solving difficult challenges for systems in highly adversarial environments.
Also, you master cryptographic protocols and standards (FIPS, AAL, PKI, NIST, ISO/IEC 27001).
You are curious to solve hard problems, oftentimes with competing priorities, using smartly assembled primitives, protocols and solutions, as well as advise on choice tradeoffs.
Besides being a great listener, you are an educator that acts as an advisor and mentor to team members on your domain of expertise.
You thrive in asynchronous communication environments and can express clearly your ideas and thinking, in writing.
You have a natural ability to explain, communicate and influence a broad audience (from highly technical to managerial), seek and engage in external collaboration with academia or red teams.
Read the full job ad here: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616
Closing date for applications:
Contact: Mrs Iuliana Petcu Talent Acquisition Manager hrrecruitment@sicpa.com
More information: https://jobs.sicpa.com/job/Prilly_Floris-%28CH01%29-Senior-Cryptographer/616737401/
Siemen Dhooghe, Svetla Nikova
ePrint ReportAs tiled models use multi-party computation techniques, countermeasures are typically expensive for software/hardware. This work investigates a tiled countermeasure based on the ISW methodology which is shown to perform significantly better than CAPA for practical parameters.
Wonseok Choi, Byeonghak Lee, Yeongmin Lee, Jooyoung Lee
ePrint ReportThe second result is to prove the security of PRF-based $\mathsf{nEHtM}$; when $\mathsf{nEHtM}$ is based on an $n$-to-$s$ bit random function for a fixed size $s$ such that $1\leq s\leq n$, it is proved to be secure up to any number of MAC queries and $2^s$ verification queries, if (1) $s=n$ and $\mu<2^{\frac{n}{2}}$ or (2) $\frac{n}{2}<s<2^{n-s}$ and $\mu<\max\{2^{\frac{s}{2}},2^{n-s}\}$, or (3) $s\leq \frac{n}{2}$ and $\mu<2^{\frac{n}{2}}$. This result leads to the security proof of truncated $\mathsf{nEHtM}$ that returns only $s$ bits of the original tag since a truncated permutation can be seen as a pseudorandom function. In particular, when $s\leq\frac{2n}{3}$, the truncated $\mathsf{nEHtM}$ is secure up to $2^{n-\frac{s}{2}}$ MAC queries and $2^s$ verification queries as long as $\mu<\min\{2^{\frac{n}{2}},2^{n-s}\}$. For example, when $s=\frac{n}{2}$ (resp. $s=\frac{n}{4}$), the truncated $\mathsf{nEHtM}$ is secure up to $2^{\frac{3n}{4}}$ (resp. $2^{\frac{7n}{8}}$) MAC queries. So truncation might provide better provable security than the original $\mathsf{nEHtM}$ with respect to the number of MAC queries.
Lior Rotem, Gil Segev
ePrint ReportWe put forward the notion of algebraic distinguishers, strengthening the algebraic group model by enabling it to capture decisional problems. Within our framework we then reveal new insights on the algebraic interplay between a wide variety of decisional assumptions. These include the decisional Diffie-Hellman assumption, the family of Linear assumptions in multilinear groups, and the family of Uber assumptions in bilinear groups.
Our main technical results establish that, from an algebraic perspective, these decisional assumptions are in fact all polynomially equivalent to either the most basic discrete logarithm assumption or to its higher-order variant, the $q$-discrete logarithm assumption. On the one hand, these results increase the confidence in these strong decisional assumptions, while on the other hand, they enable to direct cryptanalytic efforts towards either extracting discrete logarithms or significantly deviating from standard algebraic techniques.
Alan Szepieniec, Tomer Ashur, Siemen Dhooghe
ePrint ReportZhengjun Cao , Lihua Liu
ePrint ReportDaniele Di Tullio, Manoj Gyawali
ePrint ReportYongjune Kim, Cyril Guyot, Young-Sik Kim
ePrint ReportHuijia Lin, Ji Luo
ePrint ReportOur schemes are obtained through a general and modular approach that combines a public-key inner product functional encryption satisfying a new security notion called gradual simulation security and an information-theoretic randomized encoding scheme called arithmetic key garbling scheme.
Florian Weber, Andreas Hülsing
ePrint ReportLennart Braun, Daniel Demmler, Thomas Schneider, Oleksandr Tkachenko
ePrint ReportWe instantiate our framework with protocols for $N$ parties and security against up to $N-1$ passive corruptions: the MPC protocols of Goldreich-Micali-Wigderson (GMW) in its arithmetic and Boolean version and oblivious transfer (OT)-based BMR (Ben-Efraim et al., CCS'16), as well as novel and highly efficient conversions between them, including a non-interactive conversion from BMR to arithmetic GMW. Moreover, we design a novel garbling technique that saves 20% of communication in the BMR protocol.
MOTION is highly efficient, which we demonstrate in our experiments by measuring its run-times in various network settings with different numbers of parties. For secure evaluation of AES-128 with $N=3$ parties in the high-latency network setting from the OT-based BMR paper, we achieve a 16x better throughput of 16 AES/s using BMR. This shows that the BMR protocol is much more competitive than previously assumed. For $N=3$ parties and full-threshold protocols in the LAN setting, MOTION is 10x-18x faster than the previous best passively secure implementation from the MP-SPDZ framework, and 190x-586x faster than the actively secure SCALE-MAMBA framework. Finally, we show that our framework is highly efficient for privacy preserving neural network inference.
Han Wu, Guangwu Xu
ePrint ReportFor prime $p\equiv 2 \pmod 3$, it is shown that $E_b(\mathbb{F}_p)\cong \mathbb{Z}_{p+1}$. Two efficiently computable isomorphisms are described within the single isomorphism class of groups for representatives $E_1(\mathbb{F}_p)$ and $E_{-3}(\mathbb{F}_p)$
The explicit formulas $\#E_b(\mathbb{F}_p)$ for $p\equiv 1 \pmod p$ are used in searching prime (or almost prime) order Koblitz curves over prime fields. An efficient procedure is described and analyzed. The procedure is proved to be deterministic polynomial time, assuming the Generalized Riemann Hypothesis.
Several tools that are useful in computing cubic residues are also developed in this paper.
Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, Takashi Yamakawa
ePrint ReportIn this work, we propose the first adaptively secure IPE based on the learning with errors (LWE) assumption with sub-exponential modulus size (without resorting to complexity leveraging). Concretely, our IPE supports inner-products over the integers $\mathbb{Z}$ with polynomial sized entries and satisfies adaptively weakly-attribute-hiding security. We also show how to convert such an IPE to an IPE supporting inner-products over $\mathbb{Z}_p$ for a polynomial-sized $p$ and a fuzzy identity-based encryption (FIBE) for small and large universes. Our result builds on the ideas presented in Tsabary (CRYPTO'19), which uses constrained pseudorandom functions (CPRF) in a semi-generic way to achieve adaptively secure ABEs, and the recent lattice-based adaptively secure CPRF for inner-products by Davidson et al. (CRYPTO'20). Our main observation is realizing how to weaken the conforming CPRF property introduced in Tsabary (CRYPTO'19) by taking advantage of the specific linearity property enjoyed by the lattice evaluation algorithms by Boneh et al. (EUROCRYPT'14).
Yoo-Seung Won, Xiaolu Hou, Dirmanto Jap, Jakub Breier, Shivam Bhasin
ePrint ReportLing Song, Yi Tu, Danping Shi, Lei Hu
ePrint ReportIlan Komargodski, Wei-Kai Lin
ePrint ReportWe observe that there is a very natural setting of parameters in which no non-trivial lower bound is known, even not ones in restricted models of computation (like the so called balls and bins model). Let $N$ and ${\boldsymbol w}$ be the number of cells and bit-size of cells, respectively, in the RAM that we wish to simulate obliviously. Denote by ${\boldsymbol b}$ the cell bit-size of the ORAM. All previous ORAM lower bounds have a multiplicative ${\boldsymbol w}/{\boldsymbol b}$ factor which makes them trivial in many settings of parameters of interest.
In this work, we prove a new ORAM lower bound that captures this setting (and in all other settings it is at least as good as previous ones, quantitatively). We show that any ORAM must make (amortized) $$ \Omega\left(\log \left(\frac{N{\boldsymbol w}}{m}\right)/\log\left(\frac{{\boldsymbol b}}{{\boldsymbol w}}\right)\right) $$ memory probes for every logical operation. Here, $m$ denotes the bit-size of the local storage of the ORAM. Our lower bound implies that logarithmic overhead in accesses is necessary, even if $ {\boldsymbol b} \gg {\boldsymbol w}$. Our lower bound is tight for all settings of parameters, up to the $\log({\boldsymbol b}/{\boldsymbol w})$ factor. Our bound also extends to the non-colluding multi-server setting.
As an application, we derive the first (unconditional) separation between the overhead needed for ORAMs in the online vs. offline models. Specifically, we show that when ${\boldsymbol w}=\log N$ and ${\boldsymbol b},m \in \mathsf{poly}\log N$, there exists an offline ORAM that makes (on average) $o(1)$ memory probes per logical operation while every online one must make $\Omega(\log N/\log\log N)$ memory probes per logical operation. No such previous separation was known for any setting of parameters, not even in the balls and bins model.
Enes Pasalic, René Rodríguez, Fengrong Zhang, Yongzhuang Wei
ePrint ReportMark Abspoel, Daniel Escudero, Nikolaj Volgushev
ePrint ReportOur starting point is to apply an existing generic MPC protocol to a standard decision tree learning algorithm, which we then optimize in several ways. We exploit the fact that even if we allow the data to have continuous values, which a priori might require fixed or floating point representations, the output of the tree learning algorithm only depends on the relative ordering of the data. By obliviously sorting the data we reduce the number of comparisons needed per node to $O(N \log^2 N)$ from the naive $O(N^2)$, where $N$ is the number of training records in the dataset, thus making the algorithm feasible for larger datasets. This does however introduce a problem when duplicate values occur in the dataset, but we manage to overcome this problem with a relatively cheap subprotocol. We show a procedure to convert a sorting network into a permutation network of smaller complexity, resulting in a round complexity of $O(\log N)$ per layer in the tree.
We implement our algorithm in the MP-SPDZ framework and benchmark our implementation for both passive and active three-party computation using arithmetic modulo $2^{64}$. We apply our implementation to a large scale medical dataset of $\approx 290\,000$ rows using random forests, and thus demonstrate practical feasibility of using MPC for privacy-preserving machine learning based on decision trees for large datasets.