IACR News
Updates on the COVID-19 situation are on the
Announcement channel.
Here you can see all recent updates to the IACR webpage. These updates are also available:
17 March 2021
Dmitry Kogan, Henry Corrigan-Gibbs
ePrint Report
This paper presents Checklist, a system for private blocklist lookups. In Checklist, a client can determine whether a particular string appears on a server-held list of blocklisted strings, without leaking its string to the server. Checklist is the first blocklist-lookup system that (1) leaks no information about the client’s string to the server and (2) allows the server to respond to the client’s query in time sublinear in the blocklist size. To make this possible, we construct a new two-server private-information-retrieval protocol that is both asymptotically and concretely faster, in terms of server-side time, than those of prior work. We evaluate Checklist in the context of Google’s “Safe Browsing” blocklist, which all major browsers use to prevent web clients from visiting malware-hosting URLs. Today, lookups to this blocklist leak partial hashes of a subset of clients’ visited URLs to Google’s servers. We have modified Firefox to perform Safe-Browsing blocklist lookups via Checklist servers, which eliminate the leakage of partial URL hashes from the Firefox client to the blocklist servers. This privacy gain comes at the cost of increasing communication by a factor of 3.3×, and the server-side compute costs by 9.8×. Use of our new PIR protocol reduces server-side costs by 6.7×, compared to what would be possible prior state-of-the-art two-server PIR.
Dario Catalano, Dario Fiore, Emanuele Giunta
ePrint Report
Single Secret Leader Election (SSLE) protocols allow a set of users to elect a leader among them so that the identity of the winner remains secret until she decides to reveal herself. This notion was formalized and implemented in a recent result by Boneh, et al. (ACM Advances on Financial Technology 2020) and finds important applications in the area of Proof of Stake blockchains.
In this paper we propose new solutions to the problem that advance the state of the art both from a theoretical and a practical perspective.
On the theoretical front, we propose a definition of SSLE in the universal composability framework. We believe this to be the right setting for highly concurrent contexts such as those of many blockchain-related applications. Next, we propose a UC-realization of SSLE from public key encryption with keyword search (PEKS) and based on the ability of distributing the PEKS key generation and encryption algorithms. Finally, we present an efficient MPC-friendly PEKS that allows us to efficiently instantiate the abstract scheme.
Our concrete construction compares favorably with previous work (both in terms of computational costs and in terms of overall communication overhead) while guaranteeing much stronger composability guarantees.
Rishab Goyal, Jiahui Liu, Brent Waters
ePrint Report
One of the primary research challenges in Attribute-Based Encryption
(ABE) is constructing and proving cryptosystems that are adaptively
secure. To date the main paradigm for achieving adaptive security in
ABE is dual system encryption. However, almost all such solutions in
bilinear groups rely on (variants of) either the subgroup decision
problem over composite order groups or the decision linear assumption.
Both of these assumptions are decisional rather than search
assumptions and the target of the assumption is a source or bilinear
group element. This is in contrast to earlier selectively secure ABE
systems which can be proven secure from either the decisional or
search Bilinear Diffie-Hellman assumption. In this work we make
progress on closing this gap by giving a new ABE construction for the
subset functionality and prove security under the Search Bilinear
Diffie-Hellman assumption.
We first provide a framework for proving adaptive security in Attribute-Based Encryption systems. We introduce a concept of ABE with deletable attributes where any party can take a ciphertext encrypted under the attribute string $x \in \{0, 1\}^n$ and modify it into a ciphertext encrypted under any string $x' \in \{0, 1, \bot\}^n$ where $x'$ is derived by replacing any bits of $x$ with $\bot$ symbols (i.e. ``deleting" attributes of $x$). The semantics of the system are that any private key for a circuit $C$ can be used to decrypt a ciphertext associated with $x'$ if none of the input bits read by circuit $C$ are $\bot$ symbols and $C(x') = 1$.
We show a pathway for combining ABE with deletable attributes with constrained psuedorandom functions to obtain adaptively secure ABE building upon the recent work of Tsabary. Our new ABE system will be adaptively secure and be a ciphertext-policy ABE that supports the same functionality as the underlying constrained PRF as long as the PRF is ``deletion conforming". Here we also provide a simple constrained PRF construction that gives subset functionality.
Our approach enables us to access a broader array of Attribute-Based Encryption schemes support deletion of attributes. For example, we show that both the Goyal~et al.~(GPSW) and Boyen ABE schemes can trivially handle a deletion operation. And, by using a hardcore bit variant of GPSW scheme we obtain an adaptively secure ABE scheme under the Search Bilinear Diffie-Hellman assumption in addition to pseudo random functions in NC1. This gives the first adaptively secure ABE from a search assumption as all prior work relied on decision assumptions over source group elements.
We first provide a framework for proving adaptive security in Attribute-Based Encryption systems. We introduce a concept of ABE with deletable attributes where any party can take a ciphertext encrypted under the attribute string $x \in \{0, 1\}^n$ and modify it into a ciphertext encrypted under any string $x' \in \{0, 1, \bot\}^n$ where $x'$ is derived by replacing any bits of $x$ with $\bot$ symbols (i.e. ``deleting" attributes of $x$). The semantics of the system are that any private key for a circuit $C$ can be used to decrypt a ciphertext associated with $x'$ if none of the input bits read by circuit $C$ are $\bot$ symbols and $C(x') = 1$.
We show a pathway for combining ABE with deletable attributes with constrained psuedorandom functions to obtain adaptively secure ABE building upon the recent work of Tsabary. Our new ABE system will be adaptively secure and be a ciphertext-policy ABE that supports the same functionality as the underlying constrained PRF as long as the PRF is ``deletion conforming". Here we also provide a simple constrained PRF construction that gives subset functionality.
Our approach enables us to access a broader array of Attribute-Based Encryption schemes support deletion of attributes. For example, we show that both the Goyal~et al.~(GPSW) and Boyen ABE schemes can trivially handle a deletion operation. And, by using a hardcore bit variant of GPSW scheme we obtain an adaptively secure ABE scheme under the Search Bilinear Diffie-Hellman assumption in addition to pseudo random functions in NC1. This gives the first adaptively secure ABE from a search assumption as all prior work relied on decision assumptions over source group elements.
Weikeng Chen, Ryan Deng, Raluca Ada Popa
ePrint Report
Decentralizing trust is a prominent principle in the design of end-to-end encryption and cryptocurrency systems. A common issue in these applications is that users possess critical secrets, and users can lose precious data or assets if these secrets are lost. This issue remains a pain-point in the adoption of these systems. Existing approaches to solve this issue such as backing up user secrets through a centralized service or distributing them across N mutually distrusting servers to preserve decentralized trust are either introducing a central point of attack or face usability issues by requiring users to authenticate N times---once to each of the N servers.
We present N-for-1 Auth, a system that enables a user to authenticate to N servers independently, with the work of only one authentication. N-for-1 Auth provides the same user experience in the distributed trust setting to the user experience in a typical centralized system.
We present N-for-1 Auth, a system that enables a user to authenticate to N servers independently, with the work of only one authentication. N-for-1 Auth provides the same user experience in the distributed trust setting to the user experience in a typical centralized system.
Takashi Sato, Yuki Tanaka, Song Bian
ePrint Report
While numerous physically unclonable functions (PUFs) were proposed in recent years, the conventional PUF-based authentication model is centralized by the data of challenge-response pairs (CRPs), particularly when $n$-party authentication is required. In this work, we propose a novel concept of clonable PUF (CPUF), wherein two or more PUFs having
equivalent responses are manufactured to facilitate decentralized authentication. By design, cloning is only possible in the fabrication period and the responses are determined based on the variability induced during the fabrication. We establish the usage model and the circuit design of CPUFs. Numerical experiments using a circuit simulator show an ideal matching rate of responses between the CPUFs.
Bolton Bailey, Suryanarayana Sankagiri
ePrint Report
The ever-growing size of the Bitcoin UTXO state is a factor preventing nodes with limited storage capacity from validating transactions. Cryptographic accumulators, such as Merkle trees, offer a viable solution to the problem. Full nodes create a Merkle tree from the UTXO set, while stateless nodes merely store the root of the Merkle tree. When provided with a proof, stateless nodes can verify that a transaction's inputs belong to the UTXO set. In this work, we present a systematic study of Merkle tree based accumulators, with a focus on factors that reduce the proof size. Based on the observation that UTXOs typically have a short lifetime, we propose that recent UTXOs be co-located in the tree. When proofs for different transactions are batched, such a design reduces the per-transaction proof size. We provide details of our implementation of this idea, describing certain optimizations that further reduce the proof size in practice. On Bitcoin data before August 2019, we show that our design achieves a 4.6x reduction in proof size vis-a-vis UTREEXO [Dryja 2019], which is a different Merkle-tree based system designed to support stateless nodes.
Jens Groth
ePrint Report
We present a non-interactive publicly verifiable secret sharing scheme where a dealer can construct a Shamir secret sharing of a field element and confidentially yet verifiably distribute shares to multiple receivers. We also develop a non-interactive publicly verifiable resharing scheme where existing share holders of a Shamir secret sharing can create a new Shamir secret sharing of the same secret and distribute it to a set of receivers in a confidential, yet verifiable manner.
A public key may be associated with the secret being shared in the form of a group element raised to the secret field element. We use our verifiable secret sharing scheme to construct a non-interactive distributed key generation protocol that creates such a public key together with a secret sharing of the discrete logarithm. We also construct a non-interactive distributed resharing protocol that preserves the public key but creates a fresh secret sharing of the secret key and hands it to a set of receivers, which may or may not overlap with the original set of share holders.
Our protocols build on a new pairing-based CCA-secure public-key encryption scheme with forward secrecy. As a consequence our protocols can use static public keys for participants but still provide compromise protection. The scheme uses chunked encryption, which comes at a cost, but the cost is offset by a saving gained by our ciphertexts being comprised only of source group elements and no target group elements. A further efficiency saving is obtained in our protocols by extending our single-receiver encryption scheme to a multi-receiver encryption scheme, where the ciphertext is up to a factor 5 smaller than just having single-receiver ciphertexts.
The non-interactive key management protocols are deployed on the Internet Computer to facilitate the use of threshold BLS signatures. The protocols provide a simple interface to remotely create secret-shared keys to a set of receivers, to refresh the secret sharing whenever there is a change of key holders, and provide proactive security against mobile adversaries.
A public key may be associated with the secret being shared in the form of a group element raised to the secret field element. We use our verifiable secret sharing scheme to construct a non-interactive distributed key generation protocol that creates such a public key together with a secret sharing of the discrete logarithm. We also construct a non-interactive distributed resharing protocol that preserves the public key but creates a fresh secret sharing of the secret key and hands it to a set of receivers, which may or may not overlap with the original set of share holders.
Our protocols build on a new pairing-based CCA-secure public-key encryption scheme with forward secrecy. As a consequence our protocols can use static public keys for participants but still provide compromise protection. The scheme uses chunked encryption, which comes at a cost, but the cost is offset by a saving gained by our ciphertexts being comprised only of source group elements and no target group elements. A further efficiency saving is obtained in our protocols by extending our single-receiver encryption scheme to a multi-receiver encryption scheme, where the ciphertext is up to a factor 5 smaller than just having single-receiver ciphertexts.
The non-interactive key management protocols are deployed on the Internet Computer to facilitate the use of threshold BLS signatures. The protocols provide a simple interface to remotely create secret-shared keys to a set of receivers, to refresh the secret sharing whenever there is a change of key holders, and provide proactive security against mobile adversaries.
Diego F. Aranha, Carsten Baum, Kristian Gjøsteen, Tjerand Silde, Thor Tunge
ePrint Report
A verifiable shuffle of known values is a method for proving that a collection of commitments opens to a given collection of known messages, without revealing a correspondence between commitments and messages. We propose the first practical verifiable shuffle of known values for lattice-based commitments.
Shuffles of known values have many applications in cryptography, and in particular in electronic voting. We use our verifiable shuffle of known values to build a practical lattice-based cryptographic voting system that supports complex ballots. Our scheme is also the first construction from candidate post-quantum secure assumptions to defend against compromise of the voter's computer using return codes.
We implemented our protocol and present benchmarks of its computational runtime. The size of the verifiable shuffle is $17 \tau$ KB and takes time $33 \tau$ ms for $\tau$ voters. This is around $5$ times faster and at least $50$ % smaller per vote than the lattice-basedvoting scheme by del Pino et al. (ACM CCS 2017), which can only handle yes/no-elections.
Shuffles of known values have many applications in cryptography, and in particular in electronic voting. We use our verifiable shuffle of known values to build a practical lattice-based cryptographic voting system that supports complex ballots. Our scheme is also the first construction from candidate post-quantum secure assumptions to defend against compromise of the voter's computer using return codes.
We implemented our protocol and present benchmarks of its computational runtime. The size of the verifiable shuffle is $17 \tau$ KB and takes time $33 \tau$ ms for $\tau$ voters. This is around $5$ times faster and at least $50$ % smaller per vote than the lattice-basedvoting scheme by del Pino et al. (ACM CCS 2017), which can only handle yes/no-elections.
Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Yu-Chi Chen, Masahiro Mambo
ePrint Report
In the era of cloud computing, massive quantities of data are encrypted and uploaded to the cloud to realize a variety of applications and services while protecting user confidentiality. Accordingly, the formulation of methods for efficiently searching encrypted data has become a critical problem. Public-key encryption with keyword search is an efficient solution that allows the data owner to generate encrypted keywords for a given document while also allowing the data user to generate the corresponding trapdoor for searching. Huang and Li proposed a public-key authenticated encryption with keyword search (PAEKS) scheme to resist keyword guessing attacks, where the data owner not only encrypts keywords but also authenticates them.However, existing PAEKS-related schemes carry a trade-off between efficiency, storage cost, and security.In this paper, we introduce a novel framework, called identity-certifying authority-aided identity-based searchable encryption, which has the advantage of reducing storage space while remaining the efficiency and security.We formally define the system model and desired security requirements to represent attacks in a real scenario. In addition, we propose a provably secure scheme based on the gap bilinear Diffie--Hellman assumption and experimentally evaluate our scheme in terms of its performance and theoretical features against its state-of-the-art counterparts.
Nicolas T. Courtois, Matteo Abbondati, Hamy Ratoanina, Marek Grajek
ePrint Report
In this article we look at the question of the security of Data Encryption Standard (DES) against non-linear polynomial invariant attacks. Is this sort of attack also possible for DES? We present a simple proof of concept attack on DES where a product of 5 polynomials is an invariant for 2 rounds of DES. Furthermore we present numerous additional examples of invariants with higher degrees. We analyse the success probability when the Boolean functions are chosen at random and compare to DES S-boxes. For more complex higher degree attacks the difficulties disappear progressively and up to 100 % of all Boolean functions in 6 variables are potentially vulnerable. A major limitation for all our attacks, is that they work only for a fraction of the key space.
However in some cases, this fraction of the key space is very large for the full 16-round DES.
Ohad Amon, Orr Dunkelman, Nathan Keller, Eyal Ronen, Adi Shamir
ePrint Report
Format-Preserving Encryption (FPE) schemes accept plaintexts from any finite set of values (such as social security numbers or birth dates) and produce ciphertexts that belong to the same set. They are extremely useful in practice since they make it possible to encrypt existing databases or communication packets without changing their format. Due to industry demand, NIST had standardized in 2016 two such encryption schemes called FF1 and FF3. They immediately attracted considerable cryptanalytic attention with decreasing attack complexities. The best currently known attack on the Feistel construction FF3 has data and memory complexity of ${O}(N^{11/6})$ and time complexity of ${O}(N^{17/6})$, where the input belongs to a domain of size $N \times N$.
In this paper, we present and experimentally verify three improved attacks on FF3. Our best attack achieves the tradeoff curve $D=M=\tilde{O}(N^{2-t})$, $T=\tilde{O}(N^{2+t})$ for all $t \leq 0.5$. In particular, we can reduce the data and memory complexities to the more practical $\tilde{O}(N^{1.5})$, and at the same time, reduce the time complexity to $\tilde{O}(N^{2.5})$.
We also identify another attack vector against FPE schemes, the related-domain attack. We show how one can mount powerful attacks when the adversary is given access to the encryption under the same key in different domains, and show how to apply it to efficiently distinguish FF3 and FF3-1 instances.
In this paper, we present and experimentally verify three improved attacks on FF3. Our best attack achieves the tradeoff curve $D=M=\tilde{O}(N^{2-t})$, $T=\tilde{O}(N^{2+t})$ for all $t \leq 0.5$. In particular, we can reduce the data and memory complexities to the more practical $\tilde{O}(N^{1.5})$, and at the same time, reduce the time complexity to $\tilde{O}(N^{2.5})$.
We also identify another attack vector against FPE schemes, the related-domain attack. We show how one can mount powerful attacks when the adversary is given access to the encryption under the same key in different domains, and show how to apply it to efficiently distinguish FF3 and FF3-1 instances.
Alessandro Chiesa, Fermi Ma, Nicholas Spooner, Mark Zhandry
ePrint Report
We prove that Kilian's four-message succinct argument system is post-quantum secure in the standard model when instantiated with any probabilistically checkable proof and any collapsing hash function (which in turn exist based on the post-quantum hardness of Learning with Errors).
At the heart of our proof is a new "measure-and-repair" quantum rewinding procedure that achieves asymptotically optimal knowledge error.
At the heart of our proof is a new "measure-and-repair" quantum rewinding procedure that achieves asymptotically optimal knowledge error.
Boston, United States, 26 September - 28 September 2021
Event Calendar
Event date: 26 September to 28 September 2021
Submission deadline: 27 May 2021
Notification: 3 August 2021
Submission deadline: 27 May 2021
Notification: 3 August 2021
Virtual event, Anywhere on Earth, 6 September 2021
Event Calendar
Event date: 6 September 2021
Submission deadline: 21 May 2021
Notification: 2 July 2021
Submission deadline: 21 May 2021
Notification: 2 July 2021
Amsterdam, The Netherlands, 10 January - 12 January 2022
Real World Crypto
Event date: 10 January to 12 January 2022
Submission deadline: 1 September 2021
Notification: 1 November 2021
Submission deadline: 1 September 2021
Notification: 1 November 2021
16 March 2021
Koç University, İstanbul, Turkey
Job Posting
Cryptography, Security & Privacy Research Group at Koç University has one opening at the post-doctoral researcher level. Accepted applicants may receive competitive salary, housing (accommodation) support, health insurance, computer, travel support, and lunch meal card.
Your duties include performing research on cryptography, security, and privacy in line with our research group's focus, as well as directing graduate and undergraduate students in their research and teaching. The project funding is related to cryptography, game theory and mechanism design, and blockchain technologies.
Applicants are expected to have already obtained their Ph.D. degrees in Computer Science or related discipline with a thesis topic related to the duties above.
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
Submit your application via email including
Your duties include performing research on cryptography, security, and privacy in line with our research group's focus, as well as directing graduate and undergraduate students in their research and teaching. The project funding is related to cryptography, game theory and mechanism design, and blockchain technologies.
Applicants are expected to have already obtained their Ph.D. degrees in Computer Science or related discipline with a thesis topic related to the duties above.
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
Submit your application via email including
- full CV,
- 1-3 sample publications where you are the main author,
- a detailed research proposal,
- and 2-3 reference letters sent directly by the referees.
Closing date for applications:
Contact: Assoc. Prof. Alptekin Küpçü
https://member.acm.org/~kupcu
More information: https://crypto.ku.edu.tr/work-with-us/
Koç University, İstanbul, Turkey
Job Posting
Cryptography, Security & Privacy Research Group at Koç University has multiple openings at every level. Accepted Computer Science and Engineering applicants may receive competitive scholarships including monthly stipend, tuition waiver, housing (accommodation) support, health insurance, computer, travel support, and lunch meal card.
Your duties include performing research on cryptography, security, and privacy in line with our research group's focus, assist teaching, as well as collaborating with other graduate and undergraduate students. Computer Science, Mathematics, Cryptography, or related background is necessary.
For applying online, and questions about the application-process for M.Sc. and Ph.D. positions, visit
https://gsse.ku.edu.tr/en/admissions/application-requirements
All applications must be completed online. Applications with missing documents will not be considered. Applications via e-mail will not be considered. Application Requirements:
We also have non-thesis Cyber Security M.Sc. program:
https://cybersecurity.ku.edu.tr/tuition/
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
Your duties include performing research on cryptography, security, and privacy in line with our research group's focus, assist teaching, as well as collaborating with other graduate and undergraduate students. Computer Science, Mathematics, Cryptography, or related background is necessary.
For applying online, and questions about the application-process for M.Sc. and Ph.D. positions, visit
https://gsse.ku.edu.tr/en/admissions/application-requirements
All applications must be completed online. Applications with missing documents will not be considered. Applications via e-mail will not be considered. Application Requirements:
- CV
- Recommendation Letters (2 for MSc, 3 for PhD)
- TOEFL (for everyone whose native language is not English, Internet Based: Minimum Score 80)
- GRE scores (required from non-Turkish nationals)
- Official transcripts from all the universities attended
- Statement of Purpose
- Area of Interest Form filled online
We also have non-thesis Cyber Security M.Sc. program:
https://cybersecurity.ku.edu.tr/tuition/
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
Closing date for applications:
Contact: https://gsse.ku.edu.tr/en/admissions/how-to-apply/
More information: https://gsse.ku.edu.tr/en/admissions/application-requirements
Koç University, İstanbul, Turkey
Job Posting
Cryptography, Security & Privacy Research Group at Koç University has multiple openings for summer research interns (at both undergraduate and graduate level). Apply via:
http://kusrp.ku.edu.tr
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
All applications must be completed online. Applications with missing documents will not be considered. Applications via e-mail will not be considered. Application Requirements:
http://kusrp.ku.edu.tr
For more information about joining our group and projects, visit
https://crypto.ku.edu.tr/work-with-us/
All applications must be completed online. Applications with missing documents will not be considered. Applications via e-mail will not be considered. Application Requirements:
- CV
- 2 Recommendation Letters
- Official transcripts from all the universities attended
- Statement of Purpose
- Application Form filled online
Closing date for applications:
Contact: http://kusrp.ku.edu.tr
More information: http://kusrp.ku.edu.tr
14 March 2021
Jonathan Bootle, Alessandro Chiesa, Katerina Sotiraki
ePrint Report
We introduce a class of interactive protocols, which we call sumcheck arguments, that establishes a novel connection between the sumcheck protocol (Lund et al. JACM 1992) and folding techniques for Pedersen commitments (Bootle et al. EUROCRYPT 2016).
Informally, we consider a general notion of bilinear commitment over modules, and show that the sumcheck protocol applied to a certain polynomial associated with the commitment scheme yields a succinct argument of knowledge for openings of the commitment. Building on this, we additionally obtain succinct arguments for the NP-complete language R1CS over certain rings.
Sumcheck arguments enable us to recover as a special case numerous prior works in disparate cryptographic settings (such as discrete logarithms, pairings, groups of unknown order, lattices), providing one abstract framework to understand them all. Further, we answer open questions raised in prior works, such as obtaining a lattice-based succinct argument from the SIS assumption for satisfiability problems over rings.
Informally, we consider a general notion of bilinear commitment over modules, and show that the sumcheck protocol applied to a certain polynomial associated with the commitment scheme yields a succinct argument of knowledge for openings of the commitment. Building on this, we additionally obtain succinct arguments for the NP-complete language R1CS over certain rings.
Sumcheck arguments enable us to recover as a special case numerous prior works in disparate cryptographic settings (such as discrete logarithms, pairings, groups of unknown order, lattices), providing one abstract framework to understand them all. Further, we answer open questions raised in prior works, such as obtaining a lattice-based succinct argument from the SIS assumption for satisfiability problems over rings.
Yuri Borissov, Miroslav Markov
ePrint Report
We elaborate an approach for determining the order of an elliptic curve from the family $\mathcal{E}_p = \{E_a: y^2 = x^3 + a \pmod p, a \not = 0\}$ where $p$ is a prime number $> 3$. The essence of this approach consists in combining the well-known Hasse bound with an explicit formula for that order reduced to modulo $p$. It allows to advance an efficient technique of complexity $O(\log^2 p)$ for computing simultaneously the six orders associated with the family $\mathcal{E}_p$ when $p \equiv 1 \pmod 3$, thus improving the best known algorithmic solution for that problem with an order of magnitude.