IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
25 November 2016
Pascal Sasdrich, Amir Moradi, Tim Güneysu
ePrint ReportSteven Goldfeder, Melissa Chase, Greg Zaverucha
ePrint ReportOur construction is an efficient instantiation of the following design: the public key is $y=f(x)$ for preimage-resistant function $f$, and $x$ is the private key. A signature is a non-interactive zero-knowledge proof of $x$, that incorporates a message to be signed. Our security analysis uses recent results of Unruh (EUROCRYPT'12,'15,'16) that show how to securely convert an interactive sigma protocol to a non-interactive one in the quantum random oracle model (QROM). The Unruh construction is generic, and does not immediately yield compact proofs. However, when we specialize the construction to our application, we can reduce the size overhead of the QROM-secure construction to 1.6x, when compared to the Fiat-Shamir transform, which does not have a rigorous post-quantum security analysis. Our implementation results compare both instantiations, with multiple choices of $f$ for comparison. Our signature scheme proposal uses the block cipher LowMC for $f$, as it gives the shortest signatures. In addition to reducing the size of signatures with Unruh's construction, we also improve the size of proofs in the underlying sigma protocol (of Giacomelli et al., USENIX'16) by a factor of two. This is of independent interest as it yields more compact proofs for arbitrary choices of $f$ in the classical case as well. Further, this reduction in size comes at no additional computational cost.
Tobias Oder, Tobias Schneider, Thomas Pöppelmann, Tim Güneysu
ePrint ReportGuozhen Liu, Mohona Ghosh, Song Ling
ePrint ReportYi Deng
ePrint Report\begin{itemize} \item (Infinitely-often) Public-key encryption and key agreement can be based on injective one-way functions; \item For every inverse polynomial $\epsilon$, the 4-round protocol from [Feige and Shamir, STOC 90] is distributional concurrent zero knowledge for any efficiently samplable distribution over any OR NP-relations with distinguishability gap bounded by $\epsilon$. \end{itemize}
Both these statements have been shown to be unprovable [Impagliazzo and Rudich, STOC 89; Canetti et. al., STOC 01] via black-box reduction. Our win-win result also establishes an unexpected connection between the complexity of public-key encryption and the round-complexity of concurrent zero knowledge.
As the main technical contribution, we introduce a dissection procedure for concurrent adversaries, which enables us to show that, if there is a magic concurrent adversary that breaks the $\epsilon$-distributional concurrent zero knowledge of the Feige-Shamir protocol for some OR NP-relations, for efficiently samplable distribution on an NP relation of an OR-language, then we transform it to an (infinitely-often) public-key encryption and key agreement based on injective one-way functions. If it could be proved that the reduction from injective one-way functions to public-key encryption does not exist, then our dissection reveals that all possible concurrent verifiers for the Feige-Shamir protocol share a common structure in their computation.
This dissection of adversary algorithms also gives insight into the fundamental gap between the known \emph{universal} security reduction that works for \emph{any} adversaries, and the security definition (of almost all cryptographic primitives/protocols), which switches the order of qualifiers and only requires that for every adversary there \emph{exists} an \emph{individual} reduction.
Abu Dhabi, UAE, 1 April 2017
Event CalendarSubmission deadline: 8 December 2016
Notification: 25 January 2017
24 November 2016
University of Bristol, UK
Job Posting- practical attacks (i.e. the hands on aspects of physical attacks),
- developing efficient attacks (based on parallel implementations building on our existing HPC framework)
- utilising compilers to detect and mitigate side channel leaks (timing, cache, as well as physical leaks)
- working with open source processors and hardware implementations
- statistical aspects of side channel analysis
The lab has state-of-the-art equipment, access to a high performance computing platform, and is integrated in the vibrant Crypto group. You are encouraged to engage with the wider group (and indeed Computer Science department) and, assuming sufficient seniority, take responsibility for your research direction. There are opportunities to contribute to teaching and to network in the context of the project with industrial partners and so to move more towards industry.
There are multiple positions available and we will recruit until all positions are filled. Posts are on either the Research associate level (typically this is for people who are close to finishing their PhD), or, on Senior Research Associate level. The salary for Research associates is between £31656-35609 (Grade I), and for Senior Research Associates it is between £35609-40082 (Grade J). PhD students will benefit from an enhanced stipend (fees will be covered, and the stipend is just under 20000 on which no tax is payable). All grants have ample resources for trips, professional training, and internships.
We consider all applicants that have a background in either computer science, electrical engineering, or mathematics (or any combination thereof). We do not require you to have prior experience in side channel attacks, but expect you are keen to learn and explore.
Closing date for applications: 31 January 2017
Contact: Please contact Prof. Elisabeth Oswald (elisabeth.oswaldATbristol.ac.uk) for further information.
Hong Kong Applied Science and Technology Research Institute Company Limited
Job PostingJob Responsibilities:
•To design and develop cryptographic protocols and schemes
•To design, analyze and implement cryptographic systems and related systems such as blockchain
•To study the latest cryptographic algorithms and protocols
Requirements:
•Master degree in computer science, electronic engineering or other relevant disciplines with 3+ years experience; less experience for PhD holders.
•Experience on cryptographic system design and cryptanalysis
•Deep knowledge on number theory and security proofs
•Hands-on experience with C/C++ and Java
•Preferably having experiences on using cryptographic libraries such as OpenSSL, MIRACL, PBC, etc.
•Experience on developing cloud computing systems an advantage, but not a must
•Strong interpersonal and communications skills
•Good command of both written and spoken English and Chinese
Closing date for applications: 30 November 2016
Contact: charlenechoo (at) astri.org
More information: http://www.astri.org/careers/work-at-astri/jobs/senior-software-engineer-software-engineer-applied-cryptography-4/
23 November 2016
Romain Gay
ePrint ReportMiguel Ambrona, Gilles Barthe, Benedikt Schmidt
ePrint ReportCarmen Elisabetta Zaira Baltico, Dario Catalano, Dario Fiore
ePrint ReportThe scheme is proved secure under the standard (adaptive) indistinguishability based security notion of Boneh, Sahai and Waters (TCC 2011). The proof is rather convoluted and relies on the so-called generic bilinear group model. Specifically, our proof comes in two main stages. In a preliminary step, we put forward and prove a new master theorem to argue hardness in the generic bilinear group model of a broad family of interactive decisional problems, which includes the indistinguishability-based security game for our functional encryption scheme. Next, the more technically involved part of the proof consists in showing that our scheme actually fits the requirements of our master theorem.
Debrup Chakraborty, Sebati Ghosh, Palash Sarkar
ePrint ReportAlfred Menezes, Palash Sarkar, Shashank Singh
ePrint ReportLing Sun, Wei Wang, Ru Liu, Meiqin Wang
ePrint ReportQuentin Alam\'{e}lou, Paul-Edmond Berthier, St\'{e}phane Cauchie, Philippe Gaborit
ePrint ReportIn this work, we propose a new and generic framework to solve the reusability problem. Our approach is simple, reaps benefits of any nonreusable fuzzy extractor and naturally applies to set difference metric. When the universe size is polynomial in the set size, our work permits to handle, in polynomial time, the case where the number of errors is linear in the length of the code, when the recent work of Canetti et al. can only handle a sublinear number of errors in polynomial time. This last point makes our construction more efficient than previous constructions since the practical efficiency of a fuzzy extractor depends on its capacity to handle errors. Our scheme has also benefits better storing capacities. Now when the universe size is superpolynomial in the set size, our work enjoys satisfying complexities of existing and efficient nonreusable Fuzzy Extractors while the approach of Canetti et al. does not apply.
Besides considering the reusability issue, we also propose the field of browser and device fingerprinting as a new and promising playground for Fuzzy Extractors. Philosophically close to biometrics, this burgeoning field of fingerprinting mainly considers list of features but comes with deeper variations over time while still enabling users' identification. We then define Adaptive Fuzzy Extractors, meant to handle these changes. More precisely, such a Fuzzy Extractor enables to recover a key R from a reading w' as long as w' has naturally drifted from w.
22 November 2016
Arjun Chopra
ePrint ReportWe recommend new Ring-TESLA parameters that target more security levels and provide for correct, secure, and efficient instantiation. We describe the necessary preliminaries, recap the Ring-TESLA scheme, and present our parameter recommendations, selection methodology, and analysis.
Zhiyuan Guo, Wenling Wu, Renzhang Liu, Liting Zhang
ePrint ReportAs applications, we utilize our techniques to analyze the authenticated encryption algorithm Minalpher (a second-round candidate of CAESAR) and OPP (proposed at EUROCRYPT 2016) in the multi-key setting. First, we present our known-plaintext attacks on Minalpher and OPP without nonce misuse, which enable us to recover almost all $O(2^{(n/3)})$ independent equivalent keys by making $O(2^{(n/3)})$ queries per key and costing $O(2^{(2n/3)})$ memory overall. Moreover, after defining appropriate iterated functions and accordingly changing the mode of creating chains, we improve the basic blockwise-adaptive chosen-plaintext attack to make it applicable for the nonce-respecting setting.
While our attacks do not contradict the security proofs of Minalpher and OPP in the classical setting, nor pose an immediate threat to their uses, our results demonstrate their security margins in the multi-user setting should be carefully considered. We emphasize this is the very first third-party analysis on Minalpher and OPP.
Prabhanjan Ananth, Amit Sahai
ePrint ReportWe give a degree-preserving construction of PAFE from multilinear maps. That is, we show how to achieve PAFE for arithmetic circuits of degree d using only degree-d multilinear maps. Our construction is based on an assumption over such multilinear maps, that we justify in a generic model. We then turn to applying our notion of PAFE to one of the most pressing open problems in the foundations of cryptography: building secure indistinguishability obfuscation (iO) from simpler building blocks.
iO from degree-5 multilinear maps. Recently, the works of Lin [Eurocrypt 2016] and Lin-Vaikuntanathan [FOCS 2016] showed how to build iO from constant-degree multilinear maps. However, no explicit constant was given in these works, and an analysis of these published works shows that the degree requirement would be in excess of 30. The ultimate "dream" goal of this line of work would be to reduce the degree requirement all the way to 2, allowing for the use of well-studied bilinear maps, or barring that, to a low constant that may be supportable by alternative secure low-degree multilinear map candidates. We make substantial progress toward this goal by showing how to leverage PAFE for degree-5 arithmetic circuits to achieve iO, thus yielding the first iO construction from degree-5 multilinear maps.
Huijia Lin
ePrint Report1. asymmetric $L$-linear maps [Boneh and Silverberg, Eprint 2002] with subexponential Decisional Diffie-Hellman (DDH) assumption,
2. locality-$L$ polynomial-stretch pseudorandom generators (PRG) with subexponential security, and
3. the subexponential hardness of Learning With Errors (LWE).
When plugging in a candidate PRG with locality-$5$ (eg, [Goldreich, ECCC 2010, O'Donnell and Witmer, CCC 2014]), we obtain a construction of IO from subexponential DDH on 5-linear maps and LWE. Previous IO constructions rely on multilinear maps or graded encodings with higher degrees (at least larger than 30), more complex functionalities (eg, graded encodings with complex label structures), and stronger assumptions (eg, the joint-SXDH assumption).