IACR News
Here you can see all recent updates to the IACR webpage.
27 February 2023
Yingxin Li, Fukang Liu, Gaoli Wang
ePrint Report
Somnath Panja, Nikita Tripathi, Shaoquan Jiang, Reihaneh Safavi-Naini
ePrint Report
Ke Wu, Elaine Shi, Hao Chung
ePrint Report
In this paper, we show that if we make a mildly stronger reasonable-world assumption than prior works, we can circumvent the known limitations on miner revenue and design auctions that generate optimal miner revenue. We also systematically explore the mathematical landscape of transaction fee mechanism design under the new reasonable-world assumption and demonstrate how such assumptions can alter the feasibility and infeasibility landscape.
Andrea Coladangelo
ePrint Report
Zhenkun Yang, Wen Wang, Jeremy Casas, Pasquale Cocchini, Jin Yang
ePrint Report
Francesco D'Amato, Luca Zanolini
ePrint Report
Currently, Gasper takes between 64 and 95 slots to finalize blocks. Because of that, a significant portion of the chain is susceptible to reorgs. The possibility to capture MEV (Maximum Extractable Value) through such reorgs can then disincentivize honestly following the protocol, breaking the desired correspondence of honest and rational behavior. Moreover, the relatively long time to finality forces users to choose between economic security and faster transaction confirmation. This motivates the study of the so-called single slot finality protocols: consensus protocols that finalize a block in each slot and, more importantly, that finalize the block proposed at a given slot within that slot.
In this work we propose a simple, non-blackbox protocol that combines a synchronous dynamically available protocol with a finality gadget, resulting in a secure ebb-and-flow protocol that can finalize one block per slot, paving the way to single slot finality within Ethereum. Importantly, the protocol we present can finalize the block proposed in a slot, within such slot.
Francesco D'Amato, Luca Zanolini
ePrint Report
Neu, Tas, and Tse (S&P 2021) show that LMD-GHOST, the dynamic availability component of Gasper, is actually not secure even in a context of full participation, i.e., with all the validators online. Mitigations were developed shortly after to cope with its problems, but the resulting protocol still falls short of achieving dynamic availability, motivating the research of more secure dynamically available protocols.
In this work we present RLMD-GHOST, a synchronous dynamically available protocol that does not lose safety during bounded periods of asynchrony. This protocol is especially appealing for practical systems, where strict synchrony assumptions might not always hold, contrary to what is generally assumed with standard synchronous protocols. Moreover, we introduce the generalized sleepy model, in which our results will be proved. This model takes up from the original sleepy model presented by Pass and Shi and extends it with more generalized and stronger constraints on the corruption and sleepiness power of the adversary. This allows us to explore a broad space of dynamic participation regimes which fall between complete dynamic participation and no dynamic participation, i.e., with every participant online, offering a foundation for the analysis of dynamically available protocols.
Hongrui Cui, Xiao Wang, Kang Yang, Yu Yu
ePrint Report
1. The recent compression technique by Dittmer et al. (Crypto 2022) shows that a relaxed preprocessing is sufficient for authenticated garbling that does not reveal masked wire values to the garbler. We introduce a new form of authenticated bits and propose a new technique of generating authenticated AND triples to reduce the one-way communication of preprocessing from $5\rho+1$ bits to $2$ bits per AND gate for $\rho$-bit statistical security.
2. Unfortunately, the above compressing technique is only compatible with a less compact authenticated garbled circuit of size $2\kappa+3\rho$ bits per AND gate. We designed a new authenticated garbling that does not use information-theoretic MACs but rather dual execution without leakage to authenticate wire values in the circuit. This allows us to use a more compact half-gates based authenticated garbled circuit of size $2\kappa+1$ bits per AND gate, while remaining compatible with the compression technique. Our new technique can achieve one-way communication of $2\kappa+5$ bits per AND gate.
Our technique of yielding authenticated AND triples can also be used to optimize the two-way communication (i.e., the total communication) by combining it with the authenticated garbled circuits by Dittmer et al., which results in an actively secure 2PC protocol with two-way communication of $2\kappa+3\rho+4$ bits per AND gate.
Fukang Liu, Gaoli Wang, Santanu Sarkar, Ravi Anand, Willi Meier, Yingxin Li, Takanori Isobe
ePrint Report
Stefano Tessaro, Chenzhi Zhu
ePrint Report
We obtain our constructions by generalizing the most efficient discrete-logarithm based schemes, MuSig2 (Nick, Ruffing, and Seurin, CRYPTO ’21) and FROST (Komlo and Goldberg, SAC ’20), to work with suitably defined linear hash functions. While the original schemes rely on the stronger and more controversial one-more discrete logarithm assumption, we show that suitable instantiations of the hash functions enable security to be based on either the plain discrete logarithm assumption or on RSA. The signatures produced by our schemes are equivalent to those obtained from Okamoto’s identification schemes (CRYPTO ’92).
More abstractly, our results suggest a general framework to transform schemes secure under OMDL into ones secure under the plain DL assumption and, with some restrictions, under RSA.
Stefano Tessaro, Chenzhi Zhu
ePrint Report
BBS+ signatures consist of one group element and two scalars. As our first contribution, we prove that a variant of BBS+ producing shorter signatures, consisting only of one group element and one scalar, is also secure. The resulting scheme is essentially the original BBS proposal, which was lacking a proof of security. Here we show it satisfies, under the q-SDH assumption, the same provable security guarantees as BBS+. We also provide a complementary tight analysis in the algebraic group model, which heuristically justifies instantiations with potentially shorter signatures. Furthermore, we devise simplified and shorter zero-knowledge proofs of knowledge of a BBS message-signature pair that support partial disclosure of the message. Over the BLS12-381 curve, our proofs are 896 bits shorter than the prior proposal by Camenisch, Drijvers, and Lehmann (TRUST ’16), which is also adopted by the RFC draft.
Finally, we show that BBS satisfies one-more unforgeability in the algebraic group model in a scenario, arising in the context of credentials, where the signer can be asked to sign arbitrary group elements, meant to be commitments, without seeing their openings.
Kelong Cong, Debajyoti Das, Georgio Nicolas, Jeongeun Park
ePrint Report
Josh Beal, Ben Fisch
ePrint Report
Bertram Poettering, Simon Rastikian
ePrint Report
ePrint ReportWe hence investigate generalizations of the KEM abstraction that allow a considerably simplified construction of the above primitives. In particular, we study VKEMs and KDFEMs, which augment classic KEMs by label inputs, encapsulation handle outputs, and key derivation features, and we demonstrate that they can be transformed into KEM combiners and key transport schemes without requiring auxiliary components. We finally show that all four finalist KEMs of the NIST competition are effectively KDFEMs. Our conclusion is that only very mild adjustments are necessary to significantly increase their versatility.
Phillip Gajland, Bor de Kock, Miguel Quaresma, Giulio Malavolta, Peter Schwabe
ePrint Report
In this work, we provide the first evidence against this folklore belief. We construct a practical lattice-based NIKE whose security is based on the standard module learning with errors (M-LWE) problem in the quantum random oracle model. Our scheme is obtained in two steps: (i) a passively-secure construction that achieves a strong notion of correctness, coupled with (ii) a generic compiler that turns any such scheme into an actively secure one. To substantiate our efficiency claim, we present an optimised implementation of our construction in Rust and Jasmin, demonstrating its applicability to real-world scenarios. For this we obtain public keys of approximately 220 KBs, and the computation of shared keys takes less than 12 million cycles on an Intel Skylake CPU at a post-quantum security level of more than 120 bits.
24 February 2023
Osaka, Japan, 23 March 2023
Event Calendar
Submission deadline: 25 March 2023
Notification: 25 April 2023
Messina, Italy, 2 July - 8 July 2023
Event Calendar
Submission deadline: 5 March 2023
Notification: 23 April 2023
CSEM, Neuchâtel, Switzerland
Job Posting
As part of an experienced team in security and software, you will contribute to the development of security features for future generations of sustainable IoT applications leveraging distributed architectures, edge AI capabilities and advanced cryptography (e.g. post-quantum, threshold cryptography). You will be working closely with a diverse team of engineers and researchers, and you will take a leading role in transforming a vision into tangible IPs.
Your responsibilities:
- Implement cryptography and security primitives for embedded devices.
- Develop Proof of concepts based on advanced cryptography topics.
- Harden the security modules against side channel attacks, software attacks and other relevant threats.
- Adopt a holistic approach to design robust (end to end) security features.
- Propose innovative security IPs and challenge them against state of the art and review them with peers.
- Build demonstrators and share results/knowledge with your colleagues.
- Keep continuously aware of the state of the art.
- Contribute to the supervision of interns.
You are a PhD graduate or an MSc graduate with >=2 years experience. You have background in applied cryptography or embedded security and experience in embedded development. You are motivated to progress within applied cryptography and embedded security. Programming languages: C, Python. ML frameworks, VHDL would be an advantage.
Closing date for applications:
Contact: To apply, please follow the link to the job description by clicking on the job title above. (If not working, paste https://www.csem.ch/en/jobs/cryptography-engineer into your browser.)
More information: https://www.csem.ch/en/jobs/cryptography-engineer
23 February 2023
Benny Applebaum, Niv Konstantini
ePrint Report
Along the way, we construct a highly-efficient Vector Oblivious Linear Evaluation (VOLE) protocol and present several practical and theoretical optimizations, as well as a prototype implementation. Our most efficient variant can achieve an asymptotic rate of $1/4$ (i.e., for vectors of length $w$ we send roughly $4w$ elements of $F$), which is only slightly worse than the passively-secure protocol whose rate is $1/3$. The protocol seems to be practically competitive over fast networks, even for relatively small fields $F$ and relatively short vectors. Specifically, our VOLE protocol has 3 rounds, and even for 10K-long vectors, it has an amortized cost per entry of less than 4 OTs and less than 300 arithmetic operations. Most of these operations (about 200) can be pre-processed locally in an offline non-interactive phase. (Better constants can be obtained for longer vectors.) Some of our optimizations rely on a novel intractability assumption regarding the non-malleability of noisy linear codes that may be of independent interest.
Our technical approach employs two new ingredients. First, we present a new information-theoretic construction of Conditional Disclosure of Secrets (CDS) and show how to use it in order to immunize the VOLE protocol of Applebaum et al. against active adversaries. Second, by using elementary properties of low-degree polynomials, we show that, for some simple arithmetic functionalities, one can easily upgrade Yao's garbled-circuit protocol to the active setting with a minor overhead while preserving the round complexity.