IACR News
Here you can see all recent updates to the IACR webpage.
09 March 2021
Thomas Attema, Ronald Cramer, Lisa Kohl
ePrint Report
We start from compressed $\Sigma$-protocol theory (CRYPTO 2020), which is built around basic $\Sigma$-protocols for opening an arbitrary linear form on a long secret vector that is compactly committed to. These protocols are first compressed using a recursive "folding technique" adapted from Bulletproofs, at the expense of logarithmic rounds. Proving in ZK that the secret vector satisfies a given constraint -- captured by a circuit -- is then by (blackbox) reduction to the linear case, via arithmetic secret-sharing techniques adapted from MPC. Commit-and-prove is also facilitated, i.e., when commitment(s) to the secret vector are created ahead of any circuit-ZK proof. On several platforms (incl. DL) this leads to logarithmic communication. Non-interactive versions follow from Fiat-Shamir.
This abstract modular theory strongly suggests that it should somehow be supported by a lattice-platform as well. However, when going through the motions and trying to establish low communication (on an SIS-platform), a certain significant lack in current understanding of multi-round protocols is exposed.
Namely, as opposed to the DL-case, the basic $\Sigma$-protocol in question typically has poly-small challenge space. Taking into account the compression-step -- which yields non-constant rounds -- and the necessity for parallelization to reduce error, there is no known tight result that the compound protocol admits an efficient knowledge extractor. We resolve the state of affairs here by a combination of two novel results which are fully general and of independent interest. The first gives a tight analysis of efficient knowledge extraction in case of non-constant rounds combined with poly-small challenge space, whereas the second shows that parallel repetition indeed forces rapid decrease of knowledge error.
Moreover, in our present context, arithmetic secret sharing is not defined over a large finite field but over a quotient of a number ring and this forces our careful adaptation of how the linearization techniques are deployed.
We develop our protocols in an abstract framework that is conceptually simple and can be flexibly instantiated. In particular, the framework applies to arbitrary rings and norms.
As a byproduct, our compressed $\Sigma$-protocol can double as a PoK for an SIS preimage. In this mode of operation, it improves the communication-efficiency of the PoK by Bootle et al. (CRYPTO 2020).
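The DL-platform starting point described above, as an added example that is not part of the paper or of its authors' code: a toy Python implementation of a compressed $\Sigma$-protocol for opening a linear form $L$ on a Pedersen-committed vector $x$, with the basic masking step, the Bulletproofs-style folding that halves the response each round, and Fiat-Shamir. It shows only the DL instantiation (the CRYPTO 2020 theory the abstract builds on), not the SIS/lattice variant the paper develops. The group (a 135-bit Schnorr group found at start-up), the hash-derived generators, the vector length and every function name are assumptions made for the demonstration; the parameters are far too small to be secure.

```python
# Added example, not the paper's code: toy compressed Sigma-protocol on a discrete-log
# platform, proving L(x) = y for a Pedersen-committed x. Toy parameters, NOT secure.
import hashlib
import secrets
Q = 2**127 - 1  # prime order of the subgroup (the Mersenne prime M127)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; fine for this toy parameter search."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_modulus(q):
    """Smallest prime p = k*q + 1 with even k, so Z_p^* has a subgroup of order q."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    return k * q + 1, k
P, K = find_modulus(Q)

def gen(label):
    """Hash-derived generator of the order-Q subgroup (assumed: discrete logs between them unknown)."""
    g = pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, K, P)
    assert g != 1
    return g
N = 8                                    # vector length (a power of two), assumed
G = [gen(b"g%d" % i) for i in range(N)]  # generators for the vector entries
H = gen(b"h")                            # blinding generator
KG = gen(b"k")                           # generator carrying the linear-form value

def lin(L, x):
    """Linear form L evaluated at x over Z_Q."""
    return sum(a * b for a, b in zip(L, x)) % Q

def commit(gs, x, gamma, value):
    """prod gs[i]^x[i] * H^gamma * KG^value (mod P)."""
    acc = pow(H, gamma, P) * pow(KG, value, P) % P
    for g, xi in zip(gs, x):
        acc = acc * pow(g, xi, P) % P
    return acc

def challenge(transcript):
    """Fiat-Shamir challenge in Z_Q^* from the transcript so far."""
    data = b"".join(t.to_bytes(64, "big") for t in transcript)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q or 1

def fold(gs, L, c):
    """Halve generators and linear form: g' = g_L^c * g_R, L' = c*L_L + L_R."""
    m = len(gs) // 2
    return ([pow(gl, c, P) * gr % P for gl, gr in zip(gs[:m], gs[m:])],
            [(c * a + b) % Q for a, b in zip(L[:m], L[m:])])

def prove(x, gamma, L):
    """Non-interactive proof that the commitment to x opens linear form L to y = L(x)."""
    Pc, y = commit(G, x, gamma, 0), lin(L, x)
    # Basic Sigma-protocol step: mask x with random r so z = r + c0*x reveals nothing.
    r, rho = [secrets.randbelow(Q) for _ in range(N)], secrets.randbelow(Q)
    A0, t = commit(G, r, rho, 0), lin(L, r)
    transcript = [Pc, y, A0, t]
    c0 = challenge(transcript)
    z = [(ri + c0 * xi) % Q for ri, xi in zip(r, x)]
    phi = (rho + c0 * gamma) % Q
    # A0 * Pc^c0 * KG^(t + c0*y) = G^z * H^phi * KG^L(z); instead of sending z,
    # compress: each round halves z and costs two group elements (A, B).
    gs, Lc, folds = G, L, []
    while len(z) > 1:
        m = len(z) // 2
        A = commit(gs[m:], z[:m], 0, lin(Lc[m:], z[:m]))  # g_R^{z_L} * k^{L_R(z_L)}
        B = commit(gs[:m], z[m:], 0, lin(Lc[:m], z[m:]))  # g_L^{z_R} * k^{L_L(z_R)}
        transcript += [A, B]
        c = challenge(transcript)
        folds.append((A, B))
        gs, Lc = fold(gs, Lc, c)
        z, phi = [(a + c * b) % Q for a, b in zip(z[:m], z[m:])], phi * c % Q
    return y, (A0, t, folds, z[0], phi)

def verify(Pc, y, L, proof):
    """Replay the challenges, fold the commitment, and check the final one-element opening."""
    A0, t, folds, z, phi = proof
    transcript = [Pc, y, A0, t]
    c0 = challenge(transcript)
    Qc = A0 * pow(Pc, c0, P) % P * pow(KG, (t + c0 * y) % Q, P) % P
    gs, Lc = G, L
    for A, B in folds:
        transcript += [A, B]
        c = challenge(transcript)
        Qc = A * pow(Qc, c, P) % P * pow(B, c * c % Q, P) % P  # A * Qc^c * B^(c^2)
        gs, Lc = fold(gs, Lc, c)
    return len(gs) == 1 and Qc == commit(gs, [z], phi, lin(Lc, [z]))

def proof_group_elements(proof):
    return 1 + 2 * len(proof[2])  # A0 plus two per folding round: 1 + 2*log2(N)
```

Each folding round preserves the invariant $A \cdot Q^{c} \cdot B^{c^2} = g'^{z'} h^{c\varphi} k^{L'(z')}$ with $g' = g_L^c \circ g_R$, $L' = cL_L + L_R$ and $z' = z_L + c z_R$, so the verifier never sees the full $z$ and the proof carries $1 + 2\log_2 N$ group elements plus two scalars instead of $N$ scalars. The toy's soundness argument relies on challenges drawn from the exponentially large $\mathbb{Z}_Q^*$; on an SIS platform the challenge set is poly-small, which is exactly the gap in the multi-round extraction analysis the abstract sets out to close.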
Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, Takashi Yamakawa
ePrint Report
In this work, we provide an affirmative answer to this problem and construct the first round-optimal blind signature scheme in the plain model from standard polynomial-time assumptions. Our construction is based on various standard cryptographic primitives and also on new primitives that we introduce in this work, all of which are instantiable from classical and post-quantum standard polynomial-time assumptions. The main building block of our scheme is a new primitive called a blind-signature-conforming zero-knowledge (ZK) argument system. The distinguishing feature is that the ZK property holds by using a quantum polynomial-time simulator against non-uniform classical polynomial-time adversaries. Syntactically one can view this as a delayed-input three-move ZK argument with a reusable first message, and we believe it would be of independent interest.
Bertram Poettering, Paul Rösler, Jörg Schwenk, Douglas Stebila
ePrint Report
In this systematization of knowledge we bring the formal modeling of GKE security to the fore by revisiting the intuitive goals of GKE, critically evaluating how these goals are reflected (or not) in the established models, and how they would be best considered in new models. We classify and compare characteristics of a large selection of game-based GKE models that appear in the academic literature, including those proposed for GKE with post-compromise security. We observe a range of shortcomings in some of the studied models, such as dependencies on overly restrictive syntactic constraints, unrealistic adversarial capabilities, or simply incomplete definitions. Our systematization enables us to identify a coherent suite of desirable characteristics that we believe should be represented in all general-purpose GKE models. To demonstrate the feasibility of covering all these desirable characteristics simultaneously in one concise definition, we conclude by proposing a new generic reference model for GKE.
Xavier Boyen, Thomas Haines, Johannes Mueller
ePrint Report
Unfortunately, it turns out to be very challenging to pursue these properties simultaneously, especially when the latter must be future-proofed against the rise of quantum computers. In this work, we show, for the first time, a practical approach to do this.
We present Epoque, the first end-to-end verifiable, voter-private, post-quantum-secure homomorphic e-voting protocol. It achieves its properties through the combination of practical lattice-based cryptographic primitives only, in a novel way. We formally prove all our security claims under common trust and hardness assumptions.
At the core of Epoque lies an efficient identity-based encryption (IBE) scheme with blazingly fast master-key decryption. It is the component that makes the efficient tallying of thousands or millions of ballots a practical possibility. In order to demonstrate its practicality, we fully implemented it and provide detailed benchmarks; we believe this latter contribution is of independent interest beyond the specific e-voting application.
S. Dov Gordon, Daniel Starin, Arkady Yerukhimovich
ePrint Report
Maxime Buser, Rafael Dowsley, Muhammed F. Esgin, Shabnam Kasra Kermanshahi, Veronika Kuchta, Joseph K. Liu, Raphael Phan, Zhenfei Zhang
ePrint Report
Dmitrii Koshelev
ePrint Report
Nikolay Kaleyski
ePrint Report
Muhammad Saad, Afsah Anwar, Srivatsan Ravi, David Mohaisen
ePrint Report
Bhupendra Singh, G. Athithan, Rajesh Pillai
ePrint Report
07 March 2021
Wien, Austria, 17 March - 20 March 2021
Event Calendar
Submission deadline: 25 March 2021
University of South-Eastern Norway (USN)
Job Posting
The University of South-Eastern Norway (USN) seeks a dedicated and able PhD fellow for work in cybersecurity for 5G core networks. The context is critical communications, specifically emergency services, which in Norway will be migrating from Tetra to 4G/5G commercial networks during the next 5-6 years. This is a paid position with a duration of 3 years of full-time work. The PhD fellow will join the Secure Distributed Systems research group, and the research will be done in the context of the Raksha research project. Raksha is an RCN-funded joint project with SINTEF Digital as the leading partner; other partners and advisors include the University of Oslo, SimulaMet, the Norwegian Communications Authority, the Norwegian Security Authority, etc.
Special conditions: Due to the sensitive nature of the research topic, it is a requirement that the applicant be an EU national or come from a NATO country. Additionally, citizens of Australia or New Zealand may apply. (Background: a Norwegian security clearance may be required.) This is an absolute requirement.
NOTE: Students that will complete their master’s degree no later than June 2021 may apply.
A (rough and unofficial) English translation of the Norwegian-only announcement can be requested.
Closing date for applications:
Contact: Professor Geir M. Køien
More information: https://www.jobbnorge.no/ledige-stillinger/stilling/193704/stipendiat-i-cybersikkerhet-5g
Vienna, Austria, 17 August - 20 August 2021
Event Calendar
Submission deadline: 30 April 2021
Notification: 3 June 2021
06 March 2021
Konstantinos Chalkias, Shir Cohen, Kevin Lewi, Fredric Moezinia, Yolan Romailler
ePrint Report
Jan Richter-Brockmann, Pascal Sasdrich, Tim Güneysu
ePrint Report
However, the validation of proposed countermeasures is mostly performed on custom adversary models that are often not tightly coupled with the actual physical behavior of available fault injection mechanisms and techniques and hence fail to model reality accurately. Furthermore, using custom models complicates comparison between different designs and evaluation results. We aim to close this gap by proposing a simple, generic, and consolidated fault injection adversary model that can be tailored to existing fault injection mechanisms and their physical behavior in hardware. To demonstrate the advantages of our adversary model, we apply it to a cryptographic primitive (an ASCON S-box) and evaluate it under different attack vectors. We further show that our adversary model can be integrated into the state-of-the-art fault verification tool VerFI. Finally, we discuss the benefits and differences of our approach compared to existing evaluation methods and briefly discuss limitations of currently available verification tools.
Michael Zuzak, Ankur Srivastava
ePrint Report
Marco Baldi, Franco Chiaraluce, Paolo Santini
ePrint Report
Nicolas Bordes, Joan Daemen, Daniël Kuijsters, Gilles Van Assche
ePrint Report
Akinori Hosoyamada, Yu Sasaki
ePrint Report
Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, Ida Tucker
ePrint Report
In the past few months, a range of protocols have been published, allowing for a non-interactive -- and hence extremely efficient -- signing protocol and providing new features, such as identifiable aborts (parties can be held accountable if they cause the protocol to fail), fairness in the honest-majority setting (all parties receive output or nobody does) and other properties. In some cases, security is proven in the strong simulation-based model.
We combine ideas from the aforementioned articles with the suggestion of Castagnos et al. (PKC 2020) to use the class-group-based $\mathsf{CL}$ framework so as to drastically reduce bandwidth consumption.
Building upon this latter protocol, we present a new, maliciously secure, full-threshold ECDSA protocol that achieves additional features without sacrificing efficiency. Our most basic protocol boasts a non-interactive signature algorithm and identifiable aborts. We also propose a more advanced variant that additionally achieves adaptive security (for the $n$-out-of-$n$ case) and proactive security. Our resulting constructions improve upon state-of-the-art Paillier-based realizations achieving similar goals by up to a factor of 10 in bandwidth consumption.