International Association
for Cryptologic Research

Enumeration algorithms in lattices are a well-known technique for solving the Short Vector Problem (SVP) and improving blockwise lattice reduction algorithms. Here, we propose a new algorithm for enumerating lattice point in a ball of radius $1.156\lambda_1(\Lambda)$ in time $3^{n+o(n)}$, where $\lambda_1(\Lambda)$ is the length of the shortest vector in the lattice $\Lambda$. Then, we show how this method can be used for solving SVP and the Closest Vector Problem (CVP) with approximation factor $\gamma=1.993$ in a $n$-dimensional lattice in time $3^{n+o(n)}$. Previous algorithms for enumerating take super-exponential running time with polynomial memory. For instance, Kannan algorithm takes time $n^{n/(2e)+o(n)}$, however ours also requires exponential memory and we propose different time/memory tradeoffs.

Recently, Aggarwal, Dadush, Regev and Stephens-Davidowitz describe a randomized algorithm with running time $2^{n+o(n)}$ at STOC' 15 for solving SVP and approximation version of SVP and CVP at FOCS'15. However, it is not possible to use a time/memory tradeoff for their algorithms. Their main result presents an algorithm that samples an exponential number of random vectors in a Discrete Gaussian distribution with width below the smoothing parameter of the lattice. Our algorithm is related to the hill climbing of Liu, Lyubashevsky and Micciancio from RANDOM' 06 to solve the bounding decoding problem with preprocessing. It has been later improved by Dadush, Regev, Stephens-Davidowitz for solving the CVP with preprocessing problem at CCC'14. However the latter algorithm only looks for one lattice vector while we show that we can enumerate all lattice vectors in a ball. Finally, in these papers, they use a preprocessing to obtain a succinct representation of some lattice function. We show in a first step that we can obtain the same information using an exponential-time algorithm based on a collision search algorithm similar to the reduction of Micciancio and Peikert for the SIS problem with small modulus at CRYPTO' 13.

In this work we study communication with a party whose secrets have already been compromised. At first sight, it may seem impossible to provide any type of security in this scenario. However, under some conditions, practically relevant guarantees can still be achieved. We call such guarantees ``post-compromise security''.

We provide the first informal and formal definitions for post-compromise security, and show that it can be achieved in several scenarios. At a technical level, we instantiate our informal definitions in the setting of authenticated key exchange (AKE) protocols, and develop two new strong security models for two different threat models. We show that both of these security models can be satisfied, by proposing two concrete protocol constructions and proving they are secure in the models.

Our work leads to crucial insights on how post-compromise security can (and cannot) be achieved, paving the way for applications in other domains.

We show in this paper that the Gentry-Szydlo algorithm for cyclotomic orders, previously revisited by Lenstra-Silverberg, can be extended to complex-multiplication (CM) orders, and even to a more general structure. This algorithm allows to test equality over the polarized ideal class group, and finds a generator of the polarized ideal in polynomial time. Also, the algorithm allows to solve the norm equation over CM orders and the recent reduction of principal ideals to the real suborder can also be performed in polynomial time. Furthermore, we can also compute in polynomial time a unit of an order of any number field given a (not very precise) approximation of it. Our description of the Gentry-Szydlo algorithm is different from the original and Lenstra- Silverberg’s variant and we hope the simplifications made will allow a deeper understanding. Finally, we show that the well-known speed-up for enumeration and sieve algorithms for ideal lattices over power of two cyclotomics can be generalized to any number field with many roots of unity.

Kerberos is one of the most important cryptographic protocols, first because it is the basisc authentication protocol in Microsoft's Active Directory and shipped with every major operating system, and second because it served as a model for all Single-Sign-On protocols (e.g. SAML, OpenID, MS Cardspace, OpenID Connect). Its security has been confirmed with several Dolev-Yao style proofs, and attacks on certain versions of the protocol have been described.

However despite its importance, despite its longevity, and despite the wealth of Dolev-Yao-style security proofs, no reduction based security proof has been published until now. This has two reasons: (1) All widely accepted formal models either deal with two-party protocols, or group key agreement protocols (where all entities have the same role), but not with 3-party protocols where each party has a different role. (2) Kerberos uses timestamps and nonces, and formal security models for timestamps are not well understood up to now.

As a step towards a full security proof of Kerberos, we target problem (1) here: We propose a variant of the Kerberos protocol, where nonces are used instead of timestamps. This requires one additional protocol message, but enables a proof in the standard Bellare-Rogaway (BR) model. The key setup and the roles of the different parties are identical to the original Kerberos protocol.

For our proof, we only require that the authenticated encryption and the message authentication code (MAC) schemes are secure. Under these assumptions we show that the probability that a client or server process oracle accepts maliciously, and the advantage of an adversary trying to distinguish a real Kerberos session key from a random value, are both negligible.

One main idea in the proof is to model the Kerberos server a a public oracle, so that we do not have to consider the security of the connection client--Kerberos. This idea is only applicable to the communication pattern adapted by Kerberos, and not to other 3-party patterns (e.g. EAP protocols).

Recently we have defined Staircase-Generator codes (St-Gen codes) and their variant with a random split of the generator matrix of the codes. One unique property of these codes is that they work with arbitrary error sets. In this paper we give a brief overview of St-Gen codes and the list decoding algorithm for their decoding. We also analyze the semantic security against chosen plaintext attack (IND-CPA) and key-privacy i.e. indistinguishability of public keys under chosen plaintext attack (IK-CPA) of the encryption scheme with random split of St-Gen codes. In a similar manner as it was done by Nojima et al., and later by Yamakawa et al., we show that padding the plaintext with a random bit-string provides IND-CPA and IK-CPA in the standard model. The difference with McEliece scheme is that with our scheme the length of the padded random string is significantly shorter.

FIDO, German e-ID, Idemix and U-Prove constitute privacy-enhanced public-key infrastructures allowing users to authenticate in an anonymous way. This however hampers timely revocation in a privacy friendly way. From a legal perspective, revocation typically should be effective within 24 hours after user reporting. It should also be backward unlinkable, i.e. user anonymity cannot be removed after revocation. We describe a new, generic revocation mechanism based on pairing based encryption and apply it to supplement the systems mentioned. This allows for both flexible and privacy friendly revocation. Protocol execution takes less than a quarter of a second on modern smartcards. An additional property is that usage after revocation is linkable, allowing users to identify fraudulent usage after revocation. Our technique is the first Verifier Local Revocation scheme with backwards unlinkable revocation for the systems mentioned. This also allows for a setup resembling the well-known Online Certificate Status Protocol (OCSP). Here the service provider sends a pseudonym to a revocation provider that returns its status. As the information required for this is not secret the status service can be distributed over many cloud services. In addition to the status service our technique also supports the publication of a central revocation list.

In this paper, we propose a construction of fair and efficient mutual Private Set Intersection (mPSI) with linear communication and computation complexities, where the underlying group is of prime order. The main tools in our approach include: (i) ElGamal and Distributed ElGamal Cryptosystems as multiplicatively Homomorphic encryptions, (ii) Cramer-Shoup Cryptosystem as Verifiable encryption. Our mPSI is secure in standard model against malicious parties under Decisional Diffie-Hellman (DDH) assumption. Fairness is achieved using an off-line semi-trusted arbiter. Further, we extend our mPSI to mutual Private Set Intersection Cardinality (mPSI-CA) retaining all the security properties of mPSI. More interestingly, our mPSI-CA is the first fair mPSI-CA with linear complexity.

The security of homomorphic encryption over the integers and its variants depends on the hardness of the Approximate Common Divisor (ACD) problem. In this paper we review and compare existing algorithms to solve the ACD problem using lattices. In particular we consider the simultaneous Diophantine approximation method, the orthogonal lattice method, and a method based on multivariate polynomials and Coppersmith's algorithm that was studied in detail by Cohn and Heninger. We give a novel analysis of these algorithms that is appropriate for some of the recent variants of the ACD problem.

One of our main contributions is to compare the multivariate polynomial approach with other methods. We find that Cohn and Heninger made certain assumptions that give a misleading view of the best choices of parameters for that algorithm. Instead, the best parameters for practical cryptanalysis seem to be those for which the algorithm becomes the orthogonal lattice algorithm.

Another contribution is to consider a sample-amplification technique for ACD samples, and to consider a pre-processing algorithm similar to the Blum-Kalai-Wasserman (BKW) algorithm for learning parity with noise. We explain why, unlike in other settings, the BKW algorithm does not give an improvement over the lattice algorithms.

As the new SHA-3 standard, the security and reliability of Keccak have attracted a lot of attentions. Previous works already show that both software and hardware implementations of Keccak have strong side-channel power (electromagnetic) leakages, and these leakages can be easily used by attackers to recover secret key bits. Meanwhile, Keccak is vulnerable to random errors and injected faults, which will cause errors in the computation results. In this paper, we introduce a scheme based on the round rotation invariance property of Keccak to reduce the side-channel leakages while improve its reliability. The proposed scheme is resource friendly. Side-channel analysis results show that this method can efficiently reduce the side-channel leakages of Keccak implementations. Meanwhile, fault injection simulation results show that the proposed scheme can effectively improve the reliability of Keccak implementation, with error coverage almost 100%.

Zero-knowledge proofs have driven the field of cryptography since their conception over thirty years ago. It is well established that two-message zero-knowledge protocols for NP do not exist, and that four-message zero-knowledge arguments exist under the minimal assumption of one-way functions. Resolving the precise round complexity of zero-knowledge has been an outstanding open problem for far too long.

In this work, we present a three-message protocol with soundness against uniform cheating provers. The main component in our construction is the recent delegation protocol for RAM computations (Kalai and Paneth, ePrint 2015). Concretely, we rely on a 3-message variant of their protocol based on keyless collision-resistant hash functions against uniform adversaries and sub-exponentially-secure fully homomorphic encryption.

More generally, beyond uniform provers, our protocol provides a natural and meaningful security guarantee against real-world adversaries, which we formalize following Rogaway's ``human-ignorance" approach (VIETCRYPT 2006): in a nutshell, we give an explicit uniform reduction from any adversary breaking the soundness of our protocol to finding collisions in the underlying hash function.

In this work we provide low rank estimations for coordinate sequences of linear recurrent sequences (LRS) of maximal period (MP) over Galois ring $R=GR(p^n,r)$, $p\ge 5$, $r\ge2$, with numbers $s$ such that $s=kr+2$, $k\in \mathbb{N}_0$.

Many cryptographic algorithms are vulnerable to side channel analysis and several leakage models have been introduced to better understand these flaws. In 2003, Ishai, Sahai and Wagner introduced the d-probing security model, in which an attacker can observe at most d intermediate values during a processing. They also proposed an algorithm that securely performs the multiplication of 2 bits in this model, using only d(d + 1)/2 random bits to protect the computation. We study the randomness complexity of multiplication algorithms secure in the d-probing model. We propose several contributions: we provide new theoretical characterizations and constructions, new practical constructions and a new efficient algorithmic tool to analyze the security of such schemes. We start with a theoretical treatment of the subject: we propose an algebraic model for multiplication algorithms and exhibit an algebraic characterization of the security in the d-probing model. Using this characterization, we prove a linear (in d) lower bound and a quasi-linear (non-constructive) upper bound for this randomness cost. Then, we construct a new generic algorithm to perform secure multiplication in the d-probing model that only uses d + d^2 /4 random bits. From a practical point of view, we consider the important cases d ≤ 4 that are actually used in current real-life implementations and we build algorithms with a randomness complexity matching our theoretical lower bound for these small-order cases. Finally, still using our algebraic characterization, we provide a new dedicated verification tool, based on information set decoding, which aims at finding attacks on algorithms for fixed order d at a very low computational cost.

I survey some of the recent progress on software obfuscation spurred by the exciting paper of Garg, Gentry, Halevi, Raykova, Sahai and Waters (FOCS 2013). This is a preprint version of a review article~ appearing in the Communications of the ACM. That article was written for a general computing audience, and is also not up to date on the latest research in this fast-moving field since it was mostly written in 2014. Nevertheless, I thought it might still be of interest to cryptographers.

In this paper, we focus on the automatic differential cryptanalysis of ARX block ciphers with respect to XOR-difference, and develop Mouha et al.'s framework of finding differential characteristics by adding a new method for constructing long characteristics from short ones. The new method reduces the searching time a lot and makes it possible to search differential characteristics for ARX block ciphers with large word sizes. Also, we take the differential effect into consideration and find that the differential probability increases by a factor of $4\sim2^{10}$ when multiple characteristics are counted in. The efficiency of our method is demonstrated by improved attacks of SPECK and LEA, which cover 1, 1, 4 and 5 more rounds of SPECK48, SPECK64, SPECK96 and SPECK128, respectively, and 2 more rounds of LEA-128.

The Cryptography Research Team at Indian Institute of Technology Kharagpur (iitkgp.ac.in) invites strong PostDoc applications from highly motivated candidates working in the field of Cryptography. The candidate should be a PhD holder in Cryptography and/or related areas from a reputed institute. The candidate will be working in the Secured Embedded Architecture Laboratory http://cse.iitkgp.ac.in/resgrp/seal with a group of PhD students and faculty focused in the area of secured system design. The research will be aimed at developing efficient cryptographic protocols with applications in emerging fields such as Cloud computing and Internet of Things (IoT). Knowledge in public key, pairings, functional encryption, multi-party computation, and post-quantum cryptography topics is desirable. The candidate should have excellent publication track record in IACR conferences/workshops, as well as top journals (such as IEEE/ACM Transactions or IACR journals).

The candidate will be expected to collaborate with and lead a team of excellent and highly motivated PhD candidates for implementation of the protocols. The protocols designed would be tested wrt. side channels by a separate team of research associates. The candidate is expected to work in conjunction with them and also disseminate the necessary knowledge among the group via suitable course material, tutorials and regular group talks. Good communication skills are hence desirable.

The post-doc position will be partially funded under Information Security Education and Awareness Project, Ministry of Communication and Information Technology, Government of India. The candidate will be provided with a competitive salary (tax-free), along with highly subsidized housing, subsidized food in cafeteria, free healthcare at IIT hospital, travel support for international conferences, comprehensive funding for papers at top conferences like Crypto, performance based top up grants, and other perks and amenities.

Closing date for applications: 1 May 2016

Contact: Prof Debdeep Mukhopadhyay, Indian Institute of Technology, debdeep.mukhopadhyay (at) gmail.com, debdeep (at) cse.iitkgp.ernet.in

More information: http://cse.iitkgp.ac.in/resgrp/seal

Event date: 1 April to 2 April 2016
Submission deadline: 10 March 2016

The latest issue of the Journal of Cryptology has been published. IACR members can access the issue for free using this page.

Event date: 2 November to 3 November 2016
Submission deadline: 1 May 2016
Notification: 1 June 2016

Event date: 30 May to 3 June 2016

I am seeking a postdoctoral researcher to work in the cryptography group at U Michigan from Fall 2016, preferably in lattice-based cryptography or related topics.

Closing date for applications: 31 May 2016

Contact: Chris Peikert, cpeikert (at) umich.edu