IACR News
Updates on the COVID-19 situation are on the
Announcement channel.
Here you can see all recent updates to the IACR webpage. These updates are also available:
20 March 2017
Berk Gulmezoglu, Thomas Eisenbarth, Berk Sunar
ePrint Report
Cross-VM attacks have emerged as a major threat on commercial clouds. These attacks commonly exploit hardware level leakages on shared physical servers. A co-located machine can readily feel the presence of a co-located instance with a heavy computational load through performance degradation due to contention on shared resources. Shared cache architectures such as the last level cache (LLC) have become a popular leakage source to mount cross-VM attack. By exploiting LLC leakages, researchers have already shown that it is possible to recover fine grain information such as cryptographic keys from popular software libraries. This makes it essential to verify implementations that handle sensitive data across the many versions and numerous target platforms, a task too complicated, error prone and costly to be handled by human beings.
Here we propose a machine learning based technique to classify applications according to their cache access profiles. We show that with minimal and simple manual processing steps feature vectors can be used to train models using support vector machines to classify the applications with a high degree of success. The profiling and training steps are completely automated and do not require any inspection or study of the code to be classified. In native execution, we achieve a successful classification rate as high as 98\% (L1 cache) and 78\% (LLC) over 40 benchmark applications in the Phoronix suite with mild training. In the cross-VM setting on the noisy Amazon EC2 the success rate drops to 60\% for a suite of 25 applications. With this initial study we demonstrate that it is possible to train meaningful models to successfully predict applications running in co-located instances.
Here we propose a machine learning based technique to classify applications according to their cache access profiles. We show that with minimal and simple manual processing steps feature vectors can be used to train models using support vector machines to classify the applications with a high degree of success. The profiling and training steps are completely automated and do not require any inspection or study of the code to be classified. In native execution, we achieve a successful classification rate as high as 98\% (L1 cache) and 78\% (LLC) over 40 benchmark applications in the Phoronix suite with mild training. In the cross-VM setting on the noisy Amazon EC2 the success rate drops to 60\% for a suite of 25 applications. With this initial study we demonstrate that it is possible to train meaningful models to successfully predict applications running in co-located instances.
Mateus Borges, Quoc-Sang Phan, Antonio Filieri, Corina S. P\u{a}s\u{a}reanu
ePrint Report
Model counting is of central importance in quantitative reasoning about systems. Examples include computing the probability that a system successfully accomplishes its task without errors, and measuring the number of bits leaked by a system to an adversary in Shannon entropy. Most previous work in those areas demonstrated their analysis on programs with linear constraints, in which cases model counting is polynomial time. Model counting for nonlinear constraints is notoriously hard, and thus programs with nonlinear constraints are not well-studied. This paper surveys state-of-the-art techniques and tools for model counting with respect to SMT constraints, modulo the bitvector theory, since this theory is decidable, and it can express nonlinear constraints that arise from the analysis of computer programs. We integrate these techniques within the Symbolic Pathfinder platform and evaluate them on difficult nonlinear constraints generated from the analysis of cryptographic functions.
15 March 2017
NIT Raipur
Job Posting
Design of JPEG Anti-Forensics Scheme(s) for evaluation of existing JPEG forensic schemes--
Explosive growth in the numbers of forged images has created a situation where authenticity of every image is a suspect. Also it is not humanly possible to examine each suspect image manually by experts. Thus researchers are coming up with methods to verify the authenticity of an image without any human intervention. New schemes for verification of suspect images are getting published every other day without any formal analysis of their performance. Most of these schemes employ fancy image processing techniques and their reliability is proven against standard image processing operations that can be performed using off the shelf software like Adobe Photoshop. A proper evaluation of these forensics schemes is need of the hour and we want to design anti-forensics scheme meant for JPEG compression.
Closing date for applications: 23 March 2017
More information: http://nitrr.ac.in/downloads/recruitment/recruitment2017/project_fellow/JRF_MCA_10032017.pdf
14 March 2017
Colin Boyd, Xavier Boyen, Christopher Carr, Thomas Haines
ePrint Report
We propose a public key infrastructure framework, inspired by
modern distributed cryptocurrencies, that allows for tunable key escrow, where the availability of key escrow is only provided under strict conditions and enforced through cryptographic measures. We argue that any key escrow scheme designed for the global scale must be both inert --- requiring considerable effort to recover a key --- and public --- everybody should be aware of all key recovery attempts. To this end, one of the contributions of this work is an abstract design of a proofof-work scheme that demonstrates the ability to recover a private key for some generic public key scheme. Our framework represents a new direction for key escrow, seeking an acceptable compromise between the demands for control of cryptography on the Internet and the fundamental rights of privacy, which we seek to align by drawing parallels to the physical world.
Riad S. Wahby, Ye Ji, Andrew J. Blumberg, abhi shelat, Justin Thaler, Michael Walfish, Thomas Wies
ePrint Report
Systems for verifiable outsourcing incur costs for a prover, a
verifier, and precomputation; outsourcing makes sense when these costs
are cheaper than not outsourcing. Yet, prover costs are generally
ignored. The only exception is Verifiable ASICs (VA), wherein the prover
is a custom chip; however, the only prior VA system ignores the cost of
precomputation.
This paper describes a new VA system, called Giraffe; charges Giraffe for all three costs; and identifies regimes where outsourcing is worthwhile. Giraffe’s base is an interactive proof geared to data parallel computation. Giraffe makes this protocol asymptotically optimal for the prover, which is of independent interest. Giraffe also develops a design template that produces hardware designs automatically for a wide range of parameters, introduces hardware primitives molded to the protocol’s data flows, and incorporates program analyses that expand applicability. Giraffe wins even when outsourcing several tens of sub-computations, scales to 500x larger computations than prior work, and can profitably outsource parts of programs that are not worthwhile to outsource in full.
This paper describes a new VA system, called Giraffe; charges Giraffe for all three costs; and identifies regimes where outsourcing is worthwhile. Giraffe’s base is an interactive proof geared to data parallel computation. Giraffe makes this protocol asymptotically optimal for the prover, which is of independent interest. Giraffe also develops a design template that produces hardware designs automatically for a wide range of parameters, introduces hardware primitives molded to the protocol’s data flows, and incorporates program analyses that expand applicability. Giraffe wins even when outsourcing several tens of sub-computations, scales to 500x larger computations than prior work, and can profitably outsource parts of programs that are not worthwhile to outsource in full.
Alexander Russell, Cristopher Moore, Aggelos Kiayias, Saad Quader
ePrint Report
A fundamental combinatorial notion related to the dynamics of the
Ouroboros proof-of-stake blockchain protocol (https://eprint.iacr.org/2016/889) is that of a forkable string. The original description and analysis of the protocol established that the probability that a string of length $n$ is forkable, when drawn from a binomial distribution with parameter $(1 - \epsilon)/2$, is $\exp(-\Omega(\sqrt{n}))$. In this note we improve this estimate to $\exp(-\Omega(n))$.
31 March 2017
Event Calendar
Event date: 31 March 2017
Submission deadline: 31 March 2017
Notification: 15 July 2017
Submission deadline: 31 March 2017
Notification: 15 July 2017
Ho Chi Minh City, Vietnam, 6 September - 8 September 2017
Event Calendar
Event date: 6 September to 8 September 2017
Submission deadline: 28 April 2017
Notification: 23 June 2017
Submission deadline: 28 April 2017
Notification: 23 June 2017
Centre for Secure Information Technologies (CSIT), Queen\'s University Belfast
Job Posting
Multi-Physical Unclonable Function (PUF) Designs & Architectures -
This research will investigate the design of novel Physical Unclonable Functions, which exploit random variations found in the silicon used in the manufacture of electronic chips as an inherently lightweight means to uniquely identify and authenticate IoT devices.The main aims of the proposed research are:
• To investigate novel software-based PUF designs for an embedded micro-controller (MCU) in addition to a multi-PUF design based on combining software and/or hardware PUFs.
• To investigate methods to accurately evaluate the entropy offered by a PUF primitive, as current metrics vary widely and can depend on how the PUF is to be subsequently used.
• To study the use of PUFs in higher level protocols.
This is a GCHQ-sponsored PhD studentship; therefore, only UK nationals are eligible for this funding.
Closing date for applications: 31 May 2017
More information: http://www.qub.ac.uk/schools/eeecs/Research/PhDStudy/NewBatch-Dec2016/PhD2017-52/
11 March 2017
Dan Boneh, Yuval Ishai, Amit Sahai, David J. Wu
ePrint Report
Succinct non-interactive arguments (SNARGs) enable verifying NP computations with substantially lower complexity than that required for classical NP verification. In this work, we first construct a lattice-based SNARG candidate with quasi-optimal succinctness (where the argument size is quasilinear in the security parameter). Further extension of our methods yields the first SNARG (from any assumption) that is quasi-optimal in terms of both prover overhead (polylogarithmic in the security parameter) as well as succinctness. Moreover, because our constructions are lattice-based, they plausibly resist quantum attacks. Central to our construction is a new notion of linear-only vector encryption which is a generalization of the notion of linear-only encryption introduced by Bitansky et al. (TCC 2013). We conjecture that variants of Regev encryption satisfy our new linear-only definition. Then, together with new information-theoretic approaches for building statistically-sound linear PCPs over small finite fields, we obtain the first quasi-optimal SNARGs.
We then show a surprising connection between our new lattice-based SNARGs and the concrete efficiency of program obfuscation. All existing obfuscation candidates currently rely on multilinear maps. Among the constructions that make black-box use of the multilinear map, obfuscating a circuit of even moderate depth (say, 100) requires a multilinear map with multilinearity degree in excess of 2^100. In this work, we show that an ideal obfuscation of both the decryption function in a fully homomorphic encryption scheme and a variant of the verification algorithm of our new lattice-based SNARG yields a general-purpose obfuscator for all circuits. Finally, we give some concrete estimates needed to obfuscate this "obfuscation-complete" primitive. We estimate that at 80-bits of security, a (black-box) multilinear map with ≈2^12 levels of multilinearity suffices. This is over 2^80 times more efficient than existing candidates, and thus, represents an important milestone towards implementable program obfuscation for all circuits.
We then show a surprising connection between our new lattice-based SNARGs and the concrete efficiency of program obfuscation. All existing obfuscation candidates currently rely on multilinear maps. Among the constructions that make black-box use of the multilinear map, obfuscating a circuit of even moderate depth (say, 100) requires a multilinear map with multilinearity degree in excess of 2^100. In this work, we show that an ideal obfuscation of both the decryption function in a fully homomorphic encryption scheme and a variant of the verification algorithm of our new lattice-based SNARG yields a general-purpose obfuscator for all circuits. Finally, we give some concrete estimates needed to obfuscate this "obfuscation-complete" primitive. We estimate that at 80-bits of security, a (black-box) multilinear map with ≈2^12 levels of multilinearity suffices. This is over 2^80 times more efficient than existing candidates, and thus, represents an important milestone towards implementable program obfuscation for all circuits.
Tomer Ashur, Orr Dunkelman, Atul Luykx
ePrint Report
Secure and highly efficient authenticated encryption (AE) algorithms which achieve data confidentiality and authenticity in the symmetric-key setting have existed for well over a decade. By all conventional measures, AES-OCB seems to be the AE algorithm of choice on any platform with AES-NI: it has a proof showing it is secure assuming AES is, and it is one of the fastest out of all such algorithms. However, algorithms such as AES-GCM and ChaCha20+Poly1305 have seen more widespread adoption, even though they will likely never outperform AES-OCB on platforms with AES-NI. Given the fact that changing algorithms is a long and costly process, some have set out to maximize the security that can be achieved with the already deployed algorithms, without sacrificing efficiency: ChaCha20+Poly1305 already improves over GCM in how it authenticates, GCM-SIV uses GCM's underlying components to provide nonce misuse resistance, and TLS1.3 introduces a randomized nonce in order to improve GCM's multi-user security. We continue this line of work by looking more closely at GCM and ChaCha20+Poly1305 to see what robustness they already provide over algorithms such as OCB, and whether minor variants of the algorithms can be used for applications where defense in depth is critical. We formalize and illustrate how GCM and ChaCha20+Poly1305 offer varying degrees of resilience to nonce misuse, as they can recover quickly from repeated nonces, as opposed to OCB, which loses all security. More surprisingly, by introducing minor tweaks such as an additional XOR, we can create a GCM variant which provides security even when unverified plaintext is released.
Tim Ruffing, Pedro Moreno-Sanchez
ePrint Report
The public nature of the blockchain has been shown to be a severe threat for the privacy of Bitcoin users. Even worse, since funds can be tracked and tainted, no two coins are equal, and fungibility, a fundamental property required in every currency, is at risk. With these threats in mind, several privacy-enhancing technologies have been proposed to improve transaction privacy in Bitcoin. However, they either require a deep redesign of the currency, breaking many currently deployed features, or they address only specific privacy issues and consequently provide only very limited guarantees when deployed separately.
The goal of this work is to overcome this trade-off. Building on CoinJoin, we design ValueShuffle, the first coin mixing protocol compatible with Confidential Transactions, a proposed enhancement to the Bitcoin protocol to hide payment values in the blockchain. ValueShuffle ensures the anonymity of mixing participants as well as the confidentiality of their payment values even against other possibly malicious mixing participants. By combining CoinJoin with Confidential Transactions and additionally Stealth Addresses, ValueShuffle provides comprehensive privacy (payer anonymity, payee anonymity, and payment value privacy) without breaking with fundamental design principles or features of the current Bitcoin system. Assuming that Confidential Transactions will be integrated in the Bitcoin protocol, ValueShuffle makes it possible to mix funds of different value as well as to mix and spend funds in the same transaction, which overcomes the two main limitations of previous coin mixing protocols.
The goal of this work is to overcome this trade-off. Building on CoinJoin, we design ValueShuffle, the first coin mixing protocol compatible with Confidential Transactions, a proposed enhancement to the Bitcoin protocol to hide payment values in the blockchain. ValueShuffle ensures the anonymity of mixing participants as well as the confidentiality of their payment values even against other possibly malicious mixing participants. By combining CoinJoin with Confidential Transactions and additionally Stealth Addresses, ValueShuffle provides comprehensive privacy (payer anonymity, payee anonymity, and payment value privacy) without breaking with fundamental design principles or features of the current Bitcoin system. Assuming that Confidential Transactions will be integrated in the Bitcoin protocol, ValueShuffle makes it possible to mix funds of different value as well as to mix and spend funds in the same transaction, which overcomes the two main limitations of previous coin mixing protocols.
Tim Ruffing, Giulio Malavolta
ePrint Report
Cryptographic agility is the ability to switch to larger cryptographic parameters or different algorithms in the case of security doubts. This very desirable property of cryptographic systems is inherently difficult to achieve in cryptocurrencies due to their permanent state in the blockchain: for example, if it turns out that the employed signature scheme is insecure, a switch to a different scheme can only protect the outputs of future transactions but cannot fix transaction outputs already recorded in the blockchain, exposing owners of the corresponding money to risk of theft. This situation is even worse with Confidential Transactions, a recent privacy-enhancing proposal to hide transacted monetary amounts in homomorphic commitments. If an attacker manages to break the computational binding property of a commitment, he can create money out of thin air, jeopardizing the security of the entire currency. The obvious solution is to use statistically or perfectly binding commitment schemes but they come with performance drawbacks due to the need for less efficient range proofs.
In this paper, our aim is to overcome this dilemma. We introduce switch commitments, which constitute a cryptographic middle ground between computationally binding and statistically binding commitments. The key property of this novel primitive is the possibility to switch existing commitments, e.g., recorded in the blockchain, from computational bindingness to statistical bindingness if doubts in the underlying hardness assumption arise. This switch trades off efficiency for security. We provide a practical and simple construction of switch commitments by proving that ElGamal commitments with a restricted message space are secure switch commitments.
In this paper, our aim is to overcome this dilemma. We introduce switch commitments, which constitute a cryptographic middle ground between computationally binding and statistically binding commitments. The key property of this novel primitive is the possibility to switch existing commitments, e.g., recorded in the blockchain, from computational bindingness to statistical bindingness if doubts in the underlying hardness assumption arise. This switch trades off efficiency for security. We provide a practical and simple construction of switch commitments by proving that ElGamal commitments with a restricted message space are secure switch commitments.
Pierre Loidreau
ePrint Report
We design a new McEliece-like rank metric based encryption scheme from Gabidulin codes. We explain why it is not affected by the invariant subspace attacks also known as Overbeck's attacks. The idea of the design mixes two existing approaches designing rank metric based encryption schemes. For a given security our public-keys are more compact than for the same security in the Hamming metric based settings.
Isheeta Nargis
ePrint Report
In this article, a new oblivious transfer (OT) protocol, secure
in the presence of erasure-free one-sided active adaptive adversaries
is presented. The new bit OT protocol achieves better communication
complexity than the existing bit OT protocol in this setting. The new bit OT protocol requires fewer number of public key encryption operations than the existing bit OT protocol in this setting. As a building block, a new two-party lossy threshold homomorphic public key cryptosystem is designed. It is secure in the same adversary model. It is of independent interest.
Kevin Milner, Cas Cremers, Jiangshan Yu, Mark Ryan
ePrint Report
We develop foundations and several constructions for security protocols that can automatically detect, without false positives, if a secret (such as a key or password) has been misused. Such constructions can be used, e.g., to automatically shut down compromised services, or to automatically revoke misused secrets to minimize the effects of compromise. Our threat model includes malicious agents, (temporarily or permanently) compromised agents, and clones.
Previous works have studied domain-specific partial solutions to this problem. For example, Google's Certificate Transparency aims to provide infrastructure to detect the misuse of a certificate authority's signing key, logs have been used for detecting endpoint compromise, and protocols have been proposed to detect cloned RFID/smart cards. Contrary to these existing approaches, for which the designs are interwoven with domain-specific considerations and which usually do not enable fully automatic response (i.e., they need human assessment), our approach shows where automatic action is possible. Our results unify, provide design rationales, and suggest improvements for the existing domain-specific solutions.
Based on our analysis, we construct several mechanisms for the detection of misuse. Our mechanisms enable automatic response, such as revoking keys or shutting down services, thereby substantially limiting the impact of a compromise.
In several case studies, we show how our mechanisms can be used to substantially increase the security guarantees of a wide range of systems, such as web logins, payment systems, or electronic door locks. For example, we propose and formally verify an improved version of Cloudflare's Keyless SSL protocol that enables key misuse detection.
Previous works have studied domain-specific partial solutions to this problem. For example, Google's Certificate Transparency aims to provide infrastructure to detect the misuse of a certificate authority's signing key, logs have been used for detecting endpoint compromise, and protocols have been proposed to detect cloned RFID/smart cards. Contrary to these existing approaches, for which the designs are interwoven with domain-specific considerations and which usually do not enable fully automatic response (i.e., they need human assessment), our approach shows where automatic action is possible. Our results unify, provide design rationales, and suggest improvements for the existing domain-specific solutions.
Based on our analysis, we construct several mechanisms for the detection of misuse. Our mechanisms enable automatic response, such as revoking keys or shutting down services, thereby substantially limiting the impact of a compromise.
In several case studies, we show how our mechanisms can be used to substantially increase the security guarantees of a wide range of systems, such as web logins, payment systems, or electronic door locks. For example, we propose and formally verify an improved version of Cloudflare's Keyless SSL protocol that enables key misuse detection.
10 March 2017
NEC Laboratories Europe
Job Posting
NEC Laboratories Europe is the European research center of NEC Corporation, a world leader in the computer and communications markets with a large world-wide base of R&D Laboratories. Top researchers from more than 20 countries develop, pilot and bring to reality technologies through open innovation.
We are looking for a Research Scientist / Senior Researcher to contribute to research and development in the areas of security and privacy with a special focus on applied cryptography, access control, cloud security, and distributed systems security. Our work ranges from foundational research and IPR creation to prototype development for NEC products and services. We support individual creativity, strong teamwork as well as scientific publications. English is the working language in the Laboratories. Initially, this position is limited to two years.
Applicants are sought with experience and skills in these areas:
- Excellent publication track record in security or applied cryptography.
- Strong experience in system security, distributed systems security, or software security.
- Strong experience in applied cryptography, cryptographic protocols, and security models.
- Proven experience in handling and managing large scale projects.
- Excellent interpersonal and communication skills in English. Knowledge of Japanese is a plus.
- Experience in software development including experience with programming languages, such as Golang, Java, or C/C++.
Candidates with a fresh Ph.D. in Security, Cryptography, Computer Science, or a closely related field, with a hands-on approach and proven skills in real-world problem solving are preferred.
Closing date for applications: 1 May 2017
Contact: Dr. Ghassan Karame, ghassan.karame (at) neclab.eu
Amardeo Sarma, amardeo.sarma (at) neclab.eu
More information: http://www.neclab.eu/jobs/openings/staff/NEC-NLE-1703-229-SEC-2-Security_Researcher.pdf
Microsoft Research
Job Posting
The Cryptography Research group at Microsoft Research in Redmond, Washington seeks outstanding students for 2017 summer internship projects on Homomorphic Encryption and Post-Quantum Cryptography. Developer skills or a background or interest in Machine Learning or Bioinformatics applications are desirable. PhD students in both mathematics and computer science are welcome to apply. Please submit resume, cover letter and reference(s).
Closing date for applications: 31 May 2017
Contact: Kristin Lauter, Research Manager
msrcryptointerns (at) outlook.com
More information: https://www.microsoft.com/en-us/research/project/homomorphic-encryption/
08 March 2017
Shashank Agrawal, Melissa Chase
ePrint Report
Wee (TCC'14) and Attrapadung (Eurocrypt'14) introduced predicate and pair encodings, respectively, as a simple way to construct and analyze attribute-based encryption schemes, or more generally predicate encryption. However, many schemes do not satisfy the simple information theoretic property proposed in those works, and thus require much more complicated analysis. In this paper, we propose a new simple property for pair encodings called symbolic security. Proofs that pair encodings satisfy this property are concise and easy to verify. We show that this property is inherently tied to the security of predicate encryption schemes by arguing that any scheme which is not trivially broken must satisfy it. Then we use this property to discuss several ways to convert between pair encodings to obtain encryption schemes with different properties like small ciphertexts or keys. Finally, we show that any pair encoding satisfying our new property can be used to construct a fully secure predicate encryption scheme. The resulting schemes are secure under a new q-type assumption which we show follows from several of the assumptions used to construct such schemes in previous work.
Award
The IACR Fellows Program recognizes outstanding IACR members for technical and professional contributions to the field of cryptology. Today we are pleased to announce five members that have been elevated to the rank of Fellow for 2017:
Jan Camenisch: For contributions to the theory and practice of privacy-preserving protocols and impact on government policy and industry.
Louis Guillou: For visionary actions that brought cryptography and smart cards to the real world, and for essential contributions to cryptographic standards.
Kwangjo Kim: For cryptographic design, education, and leadership, and for exemplary service to IACR and the Asia-Pacific cryptographic community.
Christof Paar: For founding CHES, service to the IACR, and for important contributions to secure and efficient implementation of cryptography.
Kenneth G. Paterson: For research and service contributions spanning theory and practice, and improving the security of widely deployed protocols.
Congratulations to the new fellows!
Jan Camenisch: For contributions to the theory and practice of privacy-preserving protocols and impact on government policy and industry.
Louis Guillou: For visionary actions that brought cryptography and smart cards to the real world, and for essential contributions to cryptographic standards.
Kwangjo Kim: For cryptographic design, education, and leadership, and for exemplary service to IACR and the Asia-Pacific cryptographic community.
Christof Paar: For founding CHES, service to the IACR, and for important contributions to secure and efficient implementation of cryptography.
Kenneth G. Paterson: For research and service contributions spanning theory and practice, and improving the security of widely deployed protocols.
Congratulations to the new fellows!