IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
14 October 2015
Nitesh Emmadi, Praveen Gauravaram, Harika Narumanchi, Habeeb Syed
Daniel J. Bernstein
However, a 2002 theorem by Galbraith, Malone-Lee, and Smart states that, for the classic Schnorr signature system, single-key security tightly implies multi-key security. Struik and then Hamburg, citing this theorem, argued that key prefixing was unnecessary for multi-user security and should not be standardized.
This paper identifies an error in the 2002 proof, and an apparently insurmountable obstacle to the claimed theorem. The proof idea does, however, lead to a different theorem, stating that single-key security of the classic Schnorr signature system tightly implies multi-key security of the key-prefixed variant of the system. This produces exactly the opposite conclusion regarding standardization.
Sanjam Garg, Omkant Pandey
We initiate a thorough investigation of {\\em incremental program obfuscation}. We show that the strong simulation-based notions of program obfuscation, such as ``virtual black-box\'\' and ``virtual grey-box\'\' obfuscation, cannot be incremental even for very simple functions such as point functions. We then turn to the indistinguishability-based notions, and present two security definitions of varying strength. To understand the overall strength of our definitions, we formulate the notion of {\\em incremental best-possible obfuscation} and show that it is equivalent to our (stronger) indistinguishability-based notion.
Finally, we present constructions for incremental program obfuscation satisfying both our security notions. We first give a construction achieving the weaker security notion based on the existence of general purpose indistinguishability obfuscation. Next, we present a generic transformation using {\\em oblivious RAM} to amplify security from weaker to stronger, while maintaining the incrementality property.
Paolo D\'Arco, Navid Nasr Esfahan, Douglas R. Stinson
Robert Granger, Philipp Jovanovic, Bart Mennink, Samuel Neves
13 October 2015
Mohamed Ahmed Abdelraheem, Javad Alizadeh, Hoda A. Alkhzaimi, Mohammad Reza Aref, Nasour Bagheri, Praveen Gaurav
linear cryptanalysis and present the best linear cryptanalytic results on these variants of reduced-round SIMON to date.
We propose a time-memory trade-off method that finds differential/linear trails for any permutation allowing
low Hamming weight differential/linear trails. Our method combines low Hamming weight trails found by the correlation matrix representing the target permutation with heavy Hamming weight trails
found using a Mixed Integer Programming model representing the target differential/linear trail. Our method enables us to find a 17-round linear approximation for
SIMON-48 which is the best current linear approximation for SIMON-48. Using only the correlation matrix method, we are able to find a 14-round linear approximation for SIMON-32 which is also the current best linear approximation for SIMON-32.
The presented linear approximations allow us to mount a 23-round key recovery attack on SIMON-32 and a 24-round Key recovery attack on SIMON-48/96 which are the current best results on SIMON-32 and SIMON-48. In addition we have an attack on 24 rounds of SIMON-32 with marginal complexity.
Ivan Damgård, Rasmus Winther Zakarias
In this paper we describe how to dedicate the pre-processing to the structure of AES, which improves significantly the throughput and latency of previous actively secure implementations. We get a latency of about 6 ms and amortised time about 0.4 ms per AES block,
which seems completely adequate for practical applications such as verification of 1-time passwords.
Geoffroy Couteau, Thomas Peters, David Pointcheval
Although ESP is a special kind of two-party computation protocol, it turns out that ESP implies general two-party computation under natural conditions. In particular, our new paradigm is tailored to the evaluation of functions over rings. Indeed, assuming the compatibility of two additively and multiplicatively homomorphic encryption schemes, switching ciphertexts makes it possible to efficiently reconcile the two internal laws.
Since no such pair of schemes appeared in the literature, except for the non-interactive case of fully homomorphic encryption which still remains prohibitive in practice, we build the first ElGamal-like encryption scheme over (Zn;x) as a complement to the Paillier encryption scheme over (Zn;+), where n is a strong RSA modulus. Eventually, we also instantiate secure ESP between the two schemes, in front of malicious adversaries. Thanks to a pre-processing step, we manage to get an online communication in terms of group elements which neither depends on the security parameter nor on the modulus n. This makes use of a new technique called refreshable twin-ciphertext pool that is of independent interest.
Mike Scott
Jinsu Kim, Sungwook Kim, Jae Hong Seo
In this paper, we propose a new integer-based multilinear map that has several advantages over previous schemes. In terms of security, we expect that our construction is resistant to the zeroizing attack. In terms of efficiency, the bit-size of an encoding grows sublinearly with $\\kappa$, more precisely $O((\\log_2\\kappa)^2)$.
To this end, we essentially utilize a technique of the multiplication procedure in {\\em scale-invariant} fully homomorphic encryption (FHE), which enables to achieve sublinear complexity in terms of multilinearity and at the same time security against the zeroizing attacks (EUROCRYPT 2015, IACR-Eprint 2015/934, IACR-Eprint 2015/941), which totally broke Coron, Lepoint, and Tibouchi\'s integer-based construction (CRYPTO 2013, CRYPTO2015). We find that the technique of scale-invariant FHE is not very well harmonized with previous approaches of making GES from (non-scale-invariant) FHE. Therefore, we first devise a new approach for approximate multilinear maps, called {\\em Ring Encoding System (RES)}, and prove that a multilinear map built via RES is generically secure. Next, we propose a new efficient scale-invariant FHE with special properties, and then construct a candidate RES based on a newly proposed scale-invariant FHE.
It is worth noting that, contrary to the CLT multilinear map (CRYPTO 2015), multiplication procedure in our construction does not add hidden constants generated by ladders of zero encodings, but mixes randoms in encodings in non-linear ways without using ladders of zero encodings. This feature is obtained by using the scale-invariant FHE and essential to prevent the Cheon et al.\'s zeroizing attack.
Daniel Apon, Xiong Fan, Feng-Hao Liu
In this work, we construct a bi-deniable inner product encryption (IPE) in the multi-distributional model without relying on obfuscation as a black box. Our techniques involve new ways of manipulating Gaussian noise, and lead to a significantly tighter analysis of noise growth in Dual Regev type encryption schemes. We hope these ideas can give insight into achieving deniability and related properties for further, advanced cryptographic constructions under standard assumptions.
Pei Luo, Liwei Zhang, Yunsi Fei, A. Adam Ding
Darmstadt, Germany, January 25 - January 29
Notification: 20 November 2015
From January 25 to January 29
Location: Darmstadt, Germany
More Information: https://www.crossing.tu-darmstadt.de/en/news-events/winter-school-2016/
University of Luxembourg, Cryptolux team
- cryptofinance, cryptocurrencies
- anonymity and privacy
- cybersecurity
Applicants interested in symmetric cryptography, authenticated encryption will be also considered.
Profile:
- An M.Sc. in Computer Science or Applied Mathematics (some background in Economics/Finance is a plus)
- GPA > 80%
- Fluent written and verbal communication skills in English are mandatory.
We offer international research environment and competitive salary. The position is already available. Applications will be considered upon receipt, therefore applying before the deadline is encouraged.
Yehuda Lindell, Ben Riva
We design a highly optimized protocol in the offline/online setting that makes use of all state-of-the-art techniques, along with several new techniques that we introduce. A crucial part of our protocol is a new technique for enforcing consistency of the inputs used by the party who garbles the circuits. This technique has both theoretical and practical advantages over \\mbox{previous methods.}
We present a prototype implementation of our new protocol, which is also the first implementation of the amortized cut-and-choose technique of Lindell and Riva (Crypto 2014).
Our prototype achieves a speed of just \\emph{$7$ ms in the online stage} and just $74$ ms in the offline stage per 2PC invoked, for securely computing AES in the presence of malicious adversaries (using 9 threads on two 2.9GHz machines located in the same Amazon region). We note that no prior work has gone below one second overall on average for the secure computation of AES for malicious adversaries (nor below 20ms in the online stage). Our implementation securely evaluates SHA-256 (which is a \\emph{much bigger circuit}) with $33$ ms online time and $206$ ms offline time, per 2PC invoked.
12 October 2015
Sihem Mesnager
In this note, we show that linear involutions (which are an important class of permutations) over finite fields give rise to bent functions in bivariate representations. In particular, we exhibit new constructions of bent functions involving binomial linear involutions whose dual functions are directly obtained without computation.
Ping Ngai Chung, Craig Costello, Benjamin Smith
This extends the work of L\\\'opez and Dahab, Okeya and Sakurai, and Brier and Joye to genus~2, and also to two-dimensional scalar multiplication.
Our results show that many existing fast pseudomultiplication implementations (hitherto limited to applications in Diffie--Hellman key exchange) can be wrapped with simple and efficient pre- and post-computations to yield competitive full scalar multiplication algorithms, ready for use in more general discrete logarithm-based cryptosystems, including signature schemes. This is especially interesting for genus~2, where Kummer surfaces can outperform comparable elliptic curve systems.
As an example, we construct an instance of the Schnorr signature scheme driven by Kummer surface arithmetic.
Koh-ichi Nagao
of ECDLP over $\\bF_{2^n}$, where $n$ is the input size, is
$O(2^{n^{1/2+o(1)}})$.
In his manuscript, the cost for solving equations system is $O((nm)^{4w})$,
where $m$ ($2 \\le m \\le n$) is the number of decomposition
and $w \\sim 2.7$ is the linear algebra constant.
It is remarkable that the cost for solving equations system under the
first fall degree assumption, is poly in input size $n$.
He uses normal factor base and the revalance of \"Probability that
the decomposition success\" and \"size of factor base\" is done.
%So that the result is induced.
Here, using disjoint factor base to his method,
\"Probability that the decomposition success becomes $ \\sim 1$ and
taking the very small size factor
base is useful for complexity point of view.
Thus we have the result that states \\\\
\"Under the first fall degree assumption,
the cost of ECDLP over $\\bF_{2^n}$, where $n$ is the input size, is $O(n^{8w+1})$.\"
Moreover, using the authors results,
in the case of the field characteristic $\\ge 3$, the first fall
degree of desired equation system is estimated by $\\le 3p+1$.
(In $p=2$ case, Semaev shows it is $\\le 4$. But it is exceptional.)
So we have similar result that states \\\\
\"Under the first fall degree assumption,
the cost of ECDLP over $\\bF_{p^n}$, where $n$ is the input size and (small) $p$ is a constant, is $O(n^{(6p+2)w+1})$.
Koh-ichi Nagao
$S_m(x_1,...,x_m)$ is $0$ or not, has constant(not depend on $m$ and $n$) first fall degree. So, under the first fall degree assumption, its complexity is poly in $n$ ($O(n^{Const})$).And so, suppose $P\\ne NP$, which almost all researcher assume this, it has a contradiction and we see that first fall degree assumption is not true.
Koster shows the NP-completeness from the group belonging problem, which is NP-complete, reduces to the problem for deciding whether the value of Semaev\'s formula $S_m(x_1,...,x_m)$ is $0$ or not, in polynomial time.
In this paper, from another point of view, we discuss this situation.
Here, we construct some equations system defined over arbitrary field $K$ and its first fall degree is small, from any 3SAT problem.
The cost for solving this equations system is polynomial times under the first fall degree assumption. So, 3SAT problem, which is NP-complete, reduced to the problem in P under the first fall degree assumption.
Almost all researcher assume $P \\ne NP$, and so, it concludes that the first fall degree assumption is not true. However, we can take $K=\\bR$(not finite field. It means that 3SAT reduces to solving multivariable equations system defined over $\\R$ and there are many method for solving this by numerical computation.
So, I must point out the very small possibility that NP complete problem is reduces to solving cubic equations equations system over $\\bR$ which can be solved in polynomial time.