IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
03 January 2023
Mick G.D. Remmerswaal, Lichao Wu, Sébastien Tiran, Nele Mentens
ePrint Report
Template attacks~(TAs) are one of the most powerful Side-Channel Analysis~(SCA) attacks. The success of such attacks relies on the effectiveness of the profiling model in modeling the leakage information. A crucial step for TA is to select relevant features from the measured traces, often called Points Of Interest~(POIs), to extract the leakage information. Previous research indicates that properly selecting the input leaking features could significantly increase the attack performance. However, due to the presence of SCA countermeasures and advancements in technology nodes, such features become increasingly difficult to extract with conventional approaches such as Principle Component Analysis (PCA) and the Sum Of Squared pairwise T-differences based method (SOST).
This work proposes a framework, AutoPOI, based on proximal policy optimization to automatically find, select, and scale down features. The input raw features are first grouped into small regions. The best candidates selected by the framework are further scaled down with an online-optimized dimensionality reduction neural network. Finally, the framework rewards the performance of these features with the results of TA. Based on the experimental results, the proposed framework can extract features automatically that lead to comparable state-of-the-art performance on several commonly used datasets.
This work proposes a framework, AutoPOI, based on proximal policy optimization to automatically find, select, and scale down features. The input raw features are first grouped into small regions. The best candidates selected by the framework are further scaled down with an online-optimized dimensionality reduction neural network. Finally, the framework rewards the performance of these features with the results of TA. Based on the experimental results, the proposed framework can extract features automatically that lead to comparable state-of-the-art performance on several commonly used datasets.
Haodong Jiang, Zhi Ma, Zhenfeng Zhang
ePrint Report
Recently, in post-quantum cryptography migration, it has been shown that an IND-1-CCA-secure key encapsulation mechanisms (KEM) is required for replacing an ephemeral Diffie-Hellman (DH) in widely-used protocols, e.g., TLS, Signal, and Noise. IND-1-CCA security is a notion similar to the traditional IND-CCA security except that the adversary is restricted to one single decapsulation query. At EUROCRYPT 2022, based on CPA-secure public-key encryption (PKE), Huguenin-Dumittan and Vaudenay presented two IND-1-CCA KEM constructions called $T_{CH}$ and $T_H$, which are much more efficient than the widely-used IND-CCA-secure Fujisaki-Okamoto (FO) KEMs. The security of $T_{CH}$ was proved in both random oracle model (ROM) and quantum random oracle model (QROM). However, the QROM proof of $T_{CH}$ requires that the ciphertext size of the resulting KEM is twice as large as the one of the underlying PKE. While, the security of $T_H$ was only proved in the ROM, and the QROM proof is left open.
In this paper, we present an IND-1-CCA KEM construction $T_{RH}$, which can be seen as an implicit variant $T_H$, and is as efficient as $T_H$. We prove the security of $T_{RH}$ in both ROM and QROM with much tighter reductions than Huguenin-Dumittan and Vaudenay's work. In particular, our proof will not lead to ciphertext expansion. Moreover, for $T_{RH}$, $T_H$ and $T_{CH}$, we also show that a $O(1/q)$ ($O(1/q^2)$, resp.) reduction loss is unavoidable in the ROM (QROM, resp.), and thus claim that our ROM proof is optimal in tightness. Finally, we make a comprehensive comparison among the relative strengths of IND-1-CCA and IND-CCA in the ROM and QROM.
In this paper, we present an IND-1-CCA KEM construction $T_{RH}$, which can be seen as an implicit variant $T_H$, and is as efficient as $T_H$. We prove the security of $T_{RH}$ in both ROM and QROM with much tighter reductions than Huguenin-Dumittan and Vaudenay's work. In particular, our proof will not lead to ciphertext expansion. Moreover, for $T_{RH}$, $T_H$ and $T_{CH}$, we also show that a $O(1/q)$ ($O(1/q^2)$, resp.) reduction loss is unavoidable in the ROM (QROM, resp.), and thus claim that our ROM proof is optimal in tightness. Finally, we make a comprehensive comparison among the relative strengths of IND-1-CCA and IND-CCA in the ROM and QROM.
Thomas Marquet, Elisabeth Oswald
ePrint Report
This paper investigates different ways of applying multi-task learning in the context of two masked AES implementations (via the ASCADv1 and ASCADv2 databases). We propose novel ideas: jointly using multiple single-task models (aka multi-target learning), custom layers (enabling the use of multi-task learning without the need for information about randomness), and hierarchical multi-task models (owing to the idea of encoding the hierarchy flow directly into a multi-task learning model). Our work provides comparisons with existing approaches to deep learning and delivers a first attack using multi-task models without randomness during training, and a new best attack for the ASCADv2 dataset.
Shuai Cheng, Shengke Zeng, Haoyu Zeng, Yawen Feng, Jixiang Xiao
ePrint Report
The redundant of multimedia data made an unnecessary waste in encrypted cloud storage, unlike text with completely consistent content, multimedia data allows a certain degree of similarity in deduplication, In this work, we focus on the multimedia data which takes a seriously proportion of storage in scenarios such as data outsourcing to propose secure fuzzy deduplication without the additional servers based on Convergent Encryption(CE), say the Single-server Fuzzy Deduplication (SSFD). Compared to the related fuzzy deduplication, SSFD is strong at resisting brute-force attacks caused by server-server collusion, moreover, we also put server-client collusion attacks into security solutions. Additionally, to enhance the security of data, the proposed scheme provides both protection against replay attacks and verification of label consistency and adds no extra communication such as Proof of Ownership(PoW) in interaction. We separately presented a formal security analysis and performed performance at last to prove security solutions and evaluate the experimental results, it shows SSFD provides both a reliable fuzzy images secure deduplication protocol and a computationally feasible solution.
Grad Vodice, Croatia, 5 June - 9 June 2023
Event Calendar
Event date: 5 June to 9 June 2023
Submission deadline: 22 January 2023
Notification: 30 January 2023
Submission deadline: 22 January 2023
Notification: 30 January 2023
02 January 2023
Chicago, USA, 2 July - 8 July 2023
Event Calendar
Event date: 2 July to 8 July 2023
Submission deadline: 12 February 2023
Notification: 2 April 2023
Submission deadline: 12 February 2023
Notification: 2 April 2023
Melbourne, Australia, 11 July - 14 July 2023
Event Calendar
Event date: 11 July to 14 July 2023
Submission deadline: 27 March 2023
Notification: 28 May 2023
Submission deadline: 27 March 2023
Notification: 28 May 2023
Melbourne, Australia, 10 July 2023
Event Calendar
Event date: 10 July 2023
Submission deadline: 15 February 2023
Notification: 31 March 2023
Submission deadline: 15 February 2023
Notification: 31 March 2023
Aarhus, Denmark, 6 June - 8 June 2023
Event Calendar
Event date: 6 June to 8 June 2023
Submission deadline: 6 February 2023
Notification: 17 April 2023
Submission deadline: 6 February 2023
Notification: 17 April 2023
Kyoto, Japan, 19 June - 22 June 2023
Event Calendar
Event date: 19 June to 22 June 2023
Submission deadline: 15 March 2023
Notification: 19 April 2023
Submission deadline: 15 March 2023
Notification: 19 April 2023
Kyoto, Japan, 19 June - 22 June 2023
Event Calendar
Event date: 19 June to 22 June 2023
Submission deadline: 20 March 2023
Notification: 19 April 2023
Submission deadline: 20 March 2023
Notification: 19 April 2023
Florida Atlantic University
Job Posting
The Department of Mathematical Sciences at Florida Atlantic University has availability for a postdoc position to work in various areas of mathematical cryptology, including but not limited to:
http://www.math.fau.edu/mathdepartment/crypto.php
- post-quantum cryptography
- lattice-based cryptography
- code-based cryptography
- cryptanalysis
- elliptic curves and isogenies
- zero-knowledge proofs
- ...
http://www.math.fau.edu/mathdepartment/crypto.php
Closing date for applications:
Contact: Edoardo Persichetti (epersichetti@fau.edu); Shi Bai (sbai@fau.edu); Francesco Sica (sicaf@fau.edu); Veronika Kuchta (vkuchta@fau.edu)
University of Luxembourg
Job Posting
The successful candidate will join the CryptoLux team led by Prof. Alex Biryukov. He or she will contribute to a research project entitled "Advanced Cryptography for Finance and Privacy (CryptoFin)", which is funded by the Luxembourgish Fonds National de la Recherche (FNR) through the CORE program. Candidates with research interests in one or more of the following areas are particularly encouraged to apply:
• Applied or symmetric cryptography
• Cryptofinance, cryptoeconomics, blockchains
• Anonymity and privacy on the Internet
The main responsibility of the successful candidate would be to:
• Conduct, publish and present research results at conferences
• Provide guidance to the two Ph.D. students of the project
• Attract funding in cooperation with academic and industrial partners
Closing date for applications:
Contact: For inquiries, please contact Prof. Alex Biryukov by e-mail: first name dot family name (at) uni.lu
More information: http://emea3.mrted.ly/3agad
Hyunji Kim, Sejin Lim, Aubhab Baksi, Dukyoung Kim, Seyoung Yoon, Kyungbae Jang, Hwajeong Seo
ePrint Report
With the recent development of quantum computers, various studies on quantum artificial intelligence technology are being conducted. Quantum artificial intelligence can improve performance in terms of accuracy and memory usage compared to deep learning on classical computers. In this work, we proposed an attack technique that recovers keys by learning patterns in cryptographic algorithms by applying quantum artificial intelligence to cryptanalysis. Cryptanalysis was performed in the current practically usable quantum computer environment, and this is the world's first study to the best of our knowledge.
As a result, we reduced 70 epochs and reduced the parameters by 19.6%. In addition, higher average BAP (Bit Accuracy Probability) was achieved despite using fewer epochs and parameters. For the same epoch, the method using a quantum neural network achieved a 2.8% higher BAP with fewer parameters.
In our approach, quantum advantages in accuracy and memory usage were obtained with quantum neural networks. It is expected that the cryptanalysis proposed in this work will be better utilized if a larger-scale stable quantum computer is developed in the future.
Yan-Cheng Chang
ePrint Report
Sigstore is a Linux Foundation project aiming to become the new standard for signing software artifacts. It consists of a free certificate authority called Fulcio, a tamper-resistant public log called Rekor, and an optional federated OIDC identity provider called Dex, where Rekor also acts as the timestamping service. Several command line interfaces (CLIs), written in different languages, are available to interact with it for signing software artifacts.
Ironically, we will show in this paper the design of Sigstore eliminates the need of Sigstore, i.e., the key components mentioned above are inessential. Specifically, we will first show how to remove the dependency on Fulcio from existing CLIs while keeping the CLIs work. Next, we will show how to remove the dependency on Rekor from the CLIs. Last, we will explain why relying on Dex, an optional black box with too much power, should be avoided.
As none of Fulcio, Rekor, and Dex is essential to making existing CLIs work, we conclude that they are unnecessary trusted third parties which the open source community should avoid employing. Instead, existing CLIs can be easily adapted to remove the dependency on them while providing the same functionality and user experience. The design of Sigstore is an example of solving a problem with a method which requires the solution as the input.
Ironically, we will show in this paper the design of Sigstore eliminates the need of Sigstore, i.e., the key components mentioned above are inessential. Specifically, we will first show how to remove the dependency on Fulcio from existing CLIs while keeping the CLIs work. Next, we will show how to remove the dependency on Rekor from the CLIs. Last, we will explain why relying on Dex, an optional black box with too much power, should be avoided.
As none of Fulcio, Rekor, and Dex is essential to making existing CLIs work, we conclude that they are unnecessary trusted third parties which the open source community should avoid employing. Instead, existing CLIs can be easily adapted to remove the dependency on them while providing the same functionality and user experience. The design of Sigstore is an example of solving a problem with a method which requires the solution as the input.
Jeffrey Burdges, Handan Kılınç Alper, Alistair Stewart, Sergey Vasilyev
ePrint Report
We introduce a new cryptographic primitive, aptly named ring verifiable random functions (ring VRF), which provides an array of uses, especially in anonymous credentials. Ring VRFs are (anonymized) ring signatures that prove correct evaluation of an authorized signer's PRF, while hiding the specific signer's identity within some set of possible signers, known as the ring.
We discover a family of ring VRF protocols with surprisingly efficient instantiations, thanks to our novel zero-knowledge continuation technique. Intuitively our ring VRF signers generate two linked proofs, one for PRF evaluation and one for ring membership. An evaluation proof needs only a cheap Chaum-Pedersen DLEQ proof, while ring membership proof depends only upon the ring itself. We reuse this ring membership proof across multiple inputs by expanding a Groth16 trusted setup to rehide public inputs when rerandomizing the Groth16. Incredibly, our fastest amortized ring VRF needs only eight G_1 and two G_2 scalar multiplications, making it the only ring signature with performance competitive with group signatures.
We discuss applications that range across the anonymous credential space:
As in Bryan Ford's proof-of-personhood work, a ring VRF output acts like a unique pseudo-nonymous identity within some desired context, given as the ring VRF input, but remains unlinkable between different contexts. These unlinkable but unique pseudonyms provide a better balance between user privacy and service provider or social interests than attribute based credentials like IRMA credentials.
Ring VRFs support anonymously rationing or rate limiting resource consumption that winds up vastly more flexible and efficient than purchases via money-like protocols.
We define the security of ring VRFs in the universally composable (UC) model and show that our protocol is UC secure.
We discover a family of ring VRF protocols with surprisingly efficient instantiations, thanks to our novel zero-knowledge continuation technique. Intuitively our ring VRF signers generate two linked proofs, one for PRF evaluation and one for ring membership. An evaluation proof needs only a cheap Chaum-Pedersen DLEQ proof, while ring membership proof depends only upon the ring itself. We reuse this ring membership proof across multiple inputs by expanding a Groth16 trusted setup to rehide public inputs when rerandomizing the Groth16. Incredibly, our fastest amortized ring VRF needs only eight G_1 and two G_2 scalar multiplications, making it the only ring signature with performance competitive with group signatures.
We discuss applications that range across the anonymous credential space:
As in Bryan Ford's proof-of-personhood work, a ring VRF output acts like a unique pseudo-nonymous identity within some desired context, given as the ring VRF input, but remains unlinkable between different contexts. These unlinkable but unique pseudonyms provide a better balance between user privacy and service provider or social interests than attribute based credentials like IRMA credentials.
Ring VRFs support anonymously rationing or rate limiting resource consumption that winds up vastly more flexible and efficient than purchases via money-like protocols.
We define the security of ring VRFs in the universally composable (UC) model and show that our protocol is UC secure.
Mohammad Hashemi, Domenic Forte, Fatemeh Ganji
ePrint Report
With the advent of secure function evaluation, distrustful parties can jointly compute on their private inputs without disclosing anything besides the results.
Yao's garbled circuit protocols have become an integral part of secure computation thanks to considerable efforts made to make it feasible, practical, and more efficient.
These efforts have resulted in multiple optimizations on this primitive to enhance its performance by orders of magnitude over the last years.
Such improvement targets have been defined to primarily reduce the cost of garbling in terms of computation and communication required for the creation, transfer, and evaluation of the garbled tables.
The advancement in protocols has also led to the development of general-purpose compilers and tools made available to academia and industry.
For decades, the security of protocols offered in those tools has been assured with regard to sound proofs and the promise that during the computation, no information on parties' input would be leaking.
In a parallel effort, however, side-channel analysis has gained momentum in connection with the real-world implementation of cryptographic primitives. Timing side-channel attacks have proven themselves effective in retrieving secrets from implementations, even through remote access to them. Nevertheless, the vulnerability of garbled circuit constructions, in particular, the optimized one to timing attacks, has, surprisingly, never been discussed in the literature. This paper introduces Goblin, the first timing attack against two commonly employed optimized garbled circuit constructions, namely free-XOR and half-gates. Goblin is a machine learning-assisted, non-profiling, single-trace timing attack, which successfully recovers the garbler's input during the computation. As the first step, Goblin targets the TinyGarble family and its core garbling tool, JustGarble. In this regard, Goblin hopefully paves the way for further research.
In a parallel effort, however, side-channel analysis has gained momentum in connection with the real-world implementation of cryptographic primitives. Timing side-channel attacks have proven themselves effective in retrieving secrets from implementations, even through remote access to them. Nevertheless, the vulnerability of garbled circuit constructions, in particular, the optimized one to timing attacks, has, surprisingly, never been discussed in the literature. This paper introduces Goblin, the first timing attack against two commonly employed optimized garbled circuit constructions, namely free-XOR and half-gates. Goblin is a machine learning-assisted, non-profiling, single-trace timing attack, which successfully recovers the garbler's input during the computation. As the first step, Goblin targets the TinyGarble family and its core garbling tool, JustGarble. In this regard, Goblin hopefully paves the way for further research.
31 December 2022
Ran Canetti, Suvradip Chakraborty, Dakshita Khurana, Nishanth Kumar, Oxana Poburinnaya, Manoj Prabhakaran
ePrint Report
We put forth a new paradigm for program obfuscation, where obfuscated programs are endowed with proofs of ``well-formedness.'' In addition to asserting existence of an underlying plaintext program with an attested structure and functionality, these proofs also prevent mauling attacks, whereby an adversary surreptitiously creates an obfuscated program based on secrets which are embedded in a given obfuscated program.
We call this new guarantee Chosen Obfuscation Attack (COA) security.
We define and construct general-purpose COA-secure Probabilistic Indistinguishability Obfuscators for circuits, assuming sub-exponential IO for circuits and CCA commitments. To demonstrate the power of the new notion, we use it to realize, in the plain model: - Structural Watermarking, which is a new form of software watermarking that provides significantly broader protection than current schemes and features a keyless, public verification process. - Completely CCA encryption, which is a strengthening of completely non-malleable encryption.
We also show, based on the same assumptions, a generic method for enhancing any obfuscation mechanism that guarantees any semantic-style form of hiding to one that provides also COA security.
We define and construct general-purpose COA-secure Probabilistic Indistinguishability Obfuscators for circuits, assuming sub-exponential IO for circuits and CCA commitments. To demonstrate the power of the new notion, we use it to realize, in the plain model: - Structural Watermarking, which is a new form of software watermarking that provides significantly broader protection than current schemes and features a keyless, public verification process. - Completely CCA encryption, which is a strengthening of completely non-malleable encryption.
We also show, based on the same assumptions, a generic method for enhancing any obfuscation mechanism that guarantees any semantic-style form of hiding to one that provides also COA security.
Cezary Glowacz
ePrint Report
In [2] we studied collision side-channel attacks, and derived an optimal distinguisher for key ranking. In this note we propose a heuristic estimation procedure for key ranking based on this distinguisher, and provide estimates of lower bounds for secret key ranks in collision side-channel attacks. The procedure employs nonuniform sampling introduced in [1], and it is more efficient than the subset uniform sampling procedure [3].
[1] MCRank: Monte Carlo Key Rank Estimation for Side-Channel Security Evaluations. [2] Optimal Collision Side-Channel Attacks. [3] A Note on Key Ranking for Optimal Collision Side-Channel Attacks.
[1] MCRank: Monte Carlo Key Rank Estimation for Side-Channel Security Evaluations. [2] Optimal Collision Side-Channel Attacks. [3] A Note on Key Ranking for Optimal Collision Side-Channel Attacks.
Shravan Srinivasan, Ioanna Karantaidou, Foteini Baldimtsi, Charalampos Papamanthou
ePrint Report
An accumulator is a cryptographic primitive that allows a prover to succinctly commit to a set of values while being able to provide proofs of (non-)membership. A batch proof is an accumulator proof that can be used to prove (non-)membership of multiple values simultaneously.
In this work, we present a zero-knowledge batch proof with constant proof size and constant verification in the Bilinear Pairings (BP) setting. Our scheme is 16x to 42x faster than state-of-the-art SNARK-based zero-knowledge batch proofs in the RSA setting. Additionally, we propose protocols that allow a prover to aggregate multiple individual non-membership proofs, in the BP setting, into a single batch proof of constant size. Our construction for aggregation satisfies a strong soundness definition - one where the accumulator value can be chosen arbitrarily.
We evaluate our techniques and systematically compare them with RSA-based alternatives. Our evaluation results showcase several scenarios for which BP accumulators are clearly preferable and can serve as a guideline when choosing between the two types of accumulators.
In this work, we present a zero-knowledge batch proof with constant proof size and constant verification in the Bilinear Pairings (BP) setting. Our scheme is 16x to 42x faster than state-of-the-art SNARK-based zero-knowledge batch proofs in the RSA setting. Additionally, we propose protocols that allow a prover to aggregate multiple individual non-membership proofs, in the BP setting, into a single batch proof of constant size. Our construction for aggregation satisfies a strong soundness definition - one where the accumulator value can be chosen arbitrarily.
We evaluate our techniques and systematically compare them with RSA-based alternatives. Our evaluation results showcase several scenarios for which BP accumulators are clearly preferable and can serve as a guideline when choosing between the two types of accumulators.