International Association
for Cryptologic Research

The golden collision problem asks us to find a single, special collision among the outputs of a pseudorandom function. This generalizes meet-in-the-middle problems, and is thus applicable in many contexts, such as cryptanalysis of the NIST post-quantum candidate SIKE.

The main quantum algorithms for this problem are memory-intensive, and the costs of quantum memory may be very high. The quantum circuit model implies a linear cost for random access, which annihilates the exponential advantage of the previous quantum collision-finding algorithms over Grover's algorithm or classical van Oorschot-Wiener.

Assuming that quantum memory is costly to access but free to maintain, we provide new quantum algorithms for the golden collision problem with high memory requirements but low gate costs. Under the assumption of a two-dimensional connectivity layout, we provide better quantum parallelization methods for generic and golden collision finding. This lowers the quantum security of the golden collision and meet-in-the-middle problems, including SIKE.

We prove that the following are equivalent:

- Existence of one-way functions: the existence of one-way functions (which in turn are equivalent to PRGs, pseudo-random functions, secure encryptions, digital signatures, commitment schemes, and more).

- Mild average-case hardness of $K^{poly}$-complexity: the existence of polynomials $t,p$ such that no PPT algorithm can determine the $t$-time bounded Kolmogorov Complexity, $K^t$, for more than a $1-\frac{1}{p(n)}$ fraction of $n$-bit strings.

In doing so, we present the first natural, and well-studied, computational problem characterizing "non-trivial" complexity-based Cryptography: "Non-trivial" complexity-based Cryptography is possible iff $K^{poly}$ is mildly hard-on average.

Pattern matching is one of the most fundamental and important paradigms in digital forensics and cyber threat intelligence approaches. While it is a straightforward operation when performed on plaintext data, it becomes a challenging task when the privacy of both the analyzed data and the analysis patterns must be preserved. In this paper, we propose P$^3$MED: a new provably correct, secure, and quite efficient construction that allows arbitrary pattern matching over encrypted data while fully protecting both the data to be analyzed and the patterns to be matched. That is, the entity that will perform pattern matching will learn nothing about the patterns to be searched as well as the data to be inspected, except the presence or the absence of a set of "unknown" patterns (the entity charged to perform pattern matching will not have access to the analysis patterns plaintexts). Compared to existing solutions, the construction we propose has some remarkable properties: (1) the size of the ciphertext is linear to the size of plaintext and independent of the sizes and the number of the analysis patterns; (2) the sizes of the issued trapdoors are constant on the size of the data to be analyzed; and (3) the search complexity is linear to the size of the data to be inspected and is constant on the sizes of the analysis patterns. The conducted evaluations show that P$^3$MED drastically improves the performance of the most efficient state of the art solution.

Blockchain Sharding (BS) is a blockchain improvement approach. It increases the overall transaction throughput, reduces the resource required, and increases the reward expectation for nodes by splitting the blockchain into several parallel-running committees (shards). Recently, several flexible sharding methods that can tolerate up to $n/2$ Byzantine nodes ($n/2$ security level) have been proposed. However, the nodes in these methods may be frequently reassigned from shard to shard to maintain security when others leave the system.

Theoretically, nodes in non-sharding blockchains have different weight (power or stake) for creating a consensus, so that the adversary needs to control half of the overall weight of the system to make a piece of faulty information accepted into the blockchain ($p/2$ security level). However, all the nodes in the BS approaches carry the same weight, and it is only under the assumption that the honest participants are creating as many nodes as they can, that the $n/2$ security level BS approach reaches the $p/2$ security level.

In this paper, we present Multichain MWPoW, a $p/2$ security level BS architecture that does not require honest participants to create multiple nodes and allows for fewer node reassignments. It combines the Multiple Winners Proof of Work consensus protocol (MWPoW) and a flexible $n/2$ blockchain sharding approach. Our experiments suggest that Multichain MWPoW largely outperforms existing BSs in terms of security, transaction throughput and flexibility.

We present a card-based protocol for computing a three-input majority using six cards. The protocol essentially consists of performing a simple XOR protocol two times. Compared to the existing protocols, our protocol does not require private operations other than choosing cards.

Vector commitments enable a user to commit to a sequence of values and provably reveal one or many values at specific positions at a later time. In this work, we construct Pointproofs--a new vector commitment scheme that supports non-interactive aggregation of proofs across multiple commitments. Our construction enables any third party to aggregate a collection of proofs with respect to different, independently computed commitments into a single proof represented by an elliptic curve point of 48-bytes. In addition, our scheme is hiding: a commitment and proofs for some values reveal no information about the remaining values.

We build Pointproofs and demonstrate how to apply them to blockchain smart contracts. In our example application, Pointproofs reduce bandwidth overheads for propagating a block of transactions by at least 60% compared to prior state-of-art vector commitments.

Pointproofs are also efficient: on a single-thread, it takes 0.08 seconds to generate a proof for 8 values with respect to one commitment, 0.25 seconds to aggregate 4000 such proofs across multiple commitments into one proof, and 23 seconds (0.7 ms per value proven) to verify the aggregated proof.

The Institute of Cybersecurity and Cryptology (iC2) at the University of Wollongong, Australia offers a full-time PhD position (3.5 years) in the area of applied cryptography. The PhD candidate will work on the ARC DP200100144 project titled “Securing Public Cloud Storage with Protection against Malicious Senders” under the supervision of Prof. Willy Susilo, A/Prof. Guomin Yang and Dr. Fuchun Guo.

We are looking for an enthusiastic and outstanding student with an Honours or Master degree in Computer Science or related area. Applicants with prior research experience in cryptography are more favourable. As women are underrepresented in this area, women are strongly encouraged to apply.

The PhD candidate will receive a full scholarship (stipend approx. AUD$27,094/annum + the tuition fee waiver valued at approx. AUD$ 30,000/annum).

Any interested applicant will need to send their full CV + record in prior study (Bachelor and Master transcripts) to A/Prof. Guomin Yang (gyang@uow.edu.au) by 1 June 2020, and highlighting their previous experience in cryptography research in the email. Please use the subject “PhD scholarship application to iC2” in the email sent. The successful candidate will be expected to start his/her study from August 2020 (depending on the approval of the required student visa).

Closing date for applications:

Contact: Guomin Yang

EUROCRYPT 2020 is the 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques and one of the three general conferences of the International Association for Cryptologic Research (IACR).

Due to the current novel coronavirus outbreak, EUROCRYPT 2020 has been converted into an all-digital event, which will be taking place online during 11-15 May 2020. The event will be viewable through Zoom Video Webinars or a live broadcast on YouTube, and will contain a mix of pre-recorded talks and live events with chat and Q&A.

Registrations for the original EUROCRYPT 2020 event have already been refunded and registrants should be seeing refunds in their credit card account in the coming days as their banks clear the transactions.

Registration for the virtual EUROCRYPT 2020 event will be open shortly. We will ask you to register for it although there will be no cost for EUROCRYPT 2020 virtual attendance itself. If you have not already paid your IACR membership fee (USD 50 for regular members or USD 25 for student members) by attending a previous IACR event in 2020, you will need to pay that fee as part of registering for EUROCRYPT 2020.

Further details about the all-digital event, including its scientific program and registration process, will be communicated soon via the IACR news system, the conference website, and other appropriate communication channels.

Decentralized Privacy-Preserving Proximity Tracing (DP-3T) is an open protocol which aims to help fight the current pandemic. Their proposal is an app for mobile phones which broadcasts frequently changing pseudorandom identifiers via (low energy) Bluetooth, and at the same time, the app stores IDs broadcast by phones in its proximity. Only if a user is tested positive, their IDs of the last 14 days are published so other users can check if they have stored them locally and thus were close to an infected person.

Vaudenay [eprint 2020/399] observes that this basic scheme succumbs to relay and even replay attacks, and proposes more complex \emph{interactive} schemes which prevent those attacks without giving up too many privacy aspects. Unfortunately interaction is problematic for this application for efficiency and security reasons.

In this note we suggest a very simple and efficient \emph{non-interactive} solution to prevent relay and replay attacks while preserving most of the privacy guarantees. In a nutshell, we let the users broadcast their IDs together with their current time (and if we want to prevent relay attacks, also location). The time and location are authenticated using a concept we term ``delayed authentication": We propose a message authentication code, where one can first check that the message matches the tag without knowing the key. The message and parts of the tag can then be deleted, and this delayed tag is independent of the message, but it's still possible to finish verification of the tag later when the key become known.

This means a receiving party can first check if the time and location match its own, but then delete those values, so this sensitive data is never locally stored. Should the sender be tested positive and his keys get released, the receiving party still can authenticate the delayed tag to detect a potential replay or relay attack.

Since its proposal in Asiacrypt 2018, the commutative isogeny-based key exchange protocol (CSIDH) has spurred considerable attention to improving its performance and re-evaluating its classical and quantum security guarantees. In this paper we discuss how the optimal strategies employed by the Supersingular Isogeny Diffie-Hellman (SIDH) key agreement protocol can be naturally extended to CSIDH. Furthermore, we report a software library that achieves moderate but noticeable performance speedups when compared against state-of-the-art implementations of CSIDH-512, which is the most popular CSIDH instantiation.

We introduce the Multi-Base Discrete Logarithm (MBDL) problem. We show that, unlike the basic Discrete Logarithm (DL) problem, MBDL allows a TIGHT (rewinding-avoiding) proof for the IMP-PA security of the Schnorr identification scheme, leading to a proof from MBDL for the Schnorr signature scheme that loses only a factor of the number of adversary hash queries, which is essentially optimal. We show that not only is the MBDL problem hard in the generic group model, but with a bound that matches that for DL, so that our new reductions for Schnorr allow implementations, for the same level of proven security, to use smaller groups, which increases efficiency. We then give an MBDL-based, non-rewinding proof for the BN multi-signature scheme (seeing renewed interest in crypto-currencies) that is tight up to the number of hash queries, improving on the prior DL-based proof, and leading again to improved efficiency by allowing the use of smaller groups.

Candidates of Indistinguishability Obfuscation (iO) can be categorized as ``direct'' or ``bootstrapping based''. Direct constructions rely on high degree multilinear maps [GGH13,GGHRSW13] and provide heuristic guarantees, while bootstrapping based constructions [LV16,Lin17,LT17,AJLMS19,Agr19,JLMS19] rely, in the best case, on bilinear maps as well as new variants of the Learning With Errors (LWE) assumption and pseudorandom generators. Recent times have seen exciting progress in the construction of indistinguishability obfuscation (iO) from bilinear maps (along with other assumptions) [LT17,AJLMS19,JLMS19,Agr19].

As a notable exception, a recent work by Agrawal [Agr19] provided a construction for iO without using any maps. This work identified a new primitive, called Noisy Linear Functional Encryption (NLinFE) that provably suffices for iO and gave a direct construction of NLinFE from new assumptions on lattices. While a preliminary cryptanalysis for the new assumptions was provided in the original work, the author admitted the necessity of performing significantly more cryptanalysis before faith could be placed in the security of the scheme. Moreover, the author did not suggest concrete parameters for the construction.

In this work, we fill this gap by undertaking the task of thorough cryptanalytic study of NLinFE. We design two attacks that let the adversary completely break the security of the scheme. To achieve this, we develop new cryptanalytic techniques which (we hope) will inform future designs of the primitive of NLinFE.

From the knowledge gained by our cryptanalytic study, we suggest modifications to the scheme. We provide a new scheme which overcomes the vulnerabilities identified before. We also provide a thorough analysis of all the security aspects of this scheme and argue why plausible attacks do not work. We additionally provide concrete parameters with which the scheme may be instantiated. We believe the security of NLinFE stands on significantly firmer footing as a result of this work.

Quantum money allows a bank to mint quantum money states that can later be verified and cannot be forged. Usually, this requires a quantum communication infrastructure to transfer quantum states between the user and the bank. This work combines the notion of classical verification -- introduced by Gavinsky (CCC 2012) -- with the notion of user-generated money -- introduced here -- to introduce Semi-Quantum Money, the first quantum money scheme to require only classical communication with the (entirely classical) bank. This work features constructions for both a public memory-dependent semi-quantum money scheme, based on the works of Zhandry and Coladangelo, and for a private memoryless semi-quantum money scheme, based on the notion of Noisy Trapdoor Claw Free Functions (NTCF) introduced by Brakerski et al. (FOCS 2018). In terms of technique, our main contribution is a strong parallel repetition theorem for NTCF.

The goal of white-box cryptography is to protect secret keys embedded in a cryptographic software deployed in an untrusted environment. In this article, we revisit state-of-the-art countermeasures employed in white-box cryptography, and we discuss possible ways to combine them. Then we analyze the different gray-box attack paths and study their performances in terms of required traces and computation time. Afterward, we propose a new paradigm for the gray-box attack against white-box cryptography, which exploits the data-dependency of the target implementation. We demonstrate that our approach provides substantial complexity improvements over the existing attacks. Finally, we showcase this new technique by breaking the three winning AES-128 white-box implementations from WhibOx 2019 white-box cryptography competition.

The GIFT family of lightweight block ciphers, published at CHES 2017, offers excellent hardware performance figures and has been used, in full or in part, in several candidates of the ongoing NIST lightweight cryptography competition. However, implementation of GIFT in software seems complex and not efficient due to the bit permutation composing its linear layer (a feature shared with PRESENT cipher). In this article, we exhibit a new non-trivial representation of the GIFT family of block ciphers over several rounds. This new representation, that we call fixslicing, allows extremely efficient software bitsliced implementations of GIFT, using only a few rotations, surprisingly placing GIFT as a very efficient candidate on micro-controllers. Our constant time implementations show that, on ARM Cortex-M3, 128-bit data can be ciphered with only about 800 cycles for GIFT-64 and about 1300 cycles for GIFT-128 (assuming pre-computed round keys). In particular, this is much faster than the impressive PRESENT implementation published at CHES 2017 that requires 2116 cycles in the same setting, or the current best AES constant time implementation reported that requires 1617 cycles. This work impacts GIFT, but also improves software implementations of all other cryptographic primitives directly based on it or strongly related to it. For example, we observe that with the fixslicing technique GIFT-COFB performs faster than Ascon on ARM Cortex-M processors.

Secure multi-party computation has been extensively studied in the past years and has reached a level that is considered practical for several applications. The techniques developed thus far have been steadily optimized for performance and were shown to be secure in the classical setting, but are not known to be secure against quantum adversaries. In this work, we start to pave the way for secure two-party computation in a quantum world where the adversary has access to a quantum computer. We show that post-quantum secure two-party computation has comparable efficiency to their classical counterparts. For this, we develop a lattice-based OT protocol which we use to implement a post-quantum secure variant of Yao's famous garbled circuits (GC) protocol (FOCS'82). Along with the OT protocol, we show that the oblivious transfer extension protocol of Ishai et al. (CRYPTO'03), which allows running many OTs using mainly symmetric cryptography, is post-quantum secure. To support these results, we prove that Yao's GC protocol achieves post-quantum security if the underlying building blocks do.

We present the first practical software implementation of Supersingular Isogeny Key Encapsulation (SIKE) round 2, targeting NIST's 1, 2, and 5 security levels on 32-bit ARM Cortex-M4 microcontrollers. The proposed library introduces a new speed record of SIKE protocol on the target platform. We achieved this record by adopting several state-of-the-art engineering techniques as well as highly-optimized hand-crafted assembly implementation of finite field arithmetic. In particular, we carefully redesign the previous optimized implementations of filed arithmetic on 32-bit ARM Cortex-M4 platform and propose a set of novel techniques which are explicitly suitable for SIKE/SIDH primes. Moreover, the proposed arithmetic implementations are fully scalable to larger bit-length integers and can be adopted over different security levels. The benchmark result on STM32F4 Discovery board equipped with 32-bit ARM Cortex-M4 microcontrollers shows that the entire key encapsulation over p434 takes about 326 million clock cycles (i.e. 1.94 seconds @168MHz). In contrast to the previous optimized implementation of the isogeny-based key exchange on low-power 32-bit ARM Cortex-M4, our performance evaluation shows feasibility of using SIKE mechanism on the target platform. In comparison to the most of the post-quantum candidates, SIKE requires an excessive number of arithmetic operations, resulting in significantly slower timings. However, its small key size makes this scheme as a promising candidate on low-end microcontrollers in the quantum era by ensuring the lower energy consumption for key transmission than other schemes.

The US National Institute of Standards and Technology (NIST) recently announced the public-key cryptosystems (PKC) that have passed to the second round of the post-quantum standardization process. Most of these PKC come in two flavours: a weak IND-CPA version and a strongly secure IND-CCA construction. For the weaker scheme, no level of security is claimed in the plaintext-checking attack (PCA) model. However, previous works showed that, for several NIST candidates, only a few PCA queries are sufficient to recover the secret key. In order to create a more complete picture, we design new key-recovery PCA against several round 2 candidates. Our attacks against CRYSTALS-Kyber, HQC, LAC and SABER are all practical and require only a few thousand queries to recover the full secret key. In addition, we present another KR-PCA attack against the rank-based scheme RQC, which needs roughly $O(2^{38})$ queries. Hence, this type of scheme seems to resist better than others to key recovery. Motivated by this observation, we prove an interesting result on the rank metric. Namely, that the learning problem with the rank distance is hard for some parameters, thus invalidating a common strategy for reaction attacks.

Rainbow is a signature scheme that is based on multivariate polynomials. It is one of the Round-2 candidates of the NIST’s Post-Quantum Cryptography Standardization project. Its computations rely heavily on GF(2^8) arithmetic and the Rainbow submission optimizes the code by using AVX2 shuffle and permute instructions. In this paper, we show a new optimization that leverages: a) AVX512 architecture; b) the latest processor capabilities Galois Field New Instructions(GF-NI), available on Intel "Ice Lake" processor. We achieved a speedup of 2.43x/3.13x/0.64x for key generation/signing/verifying, respectively. We also propose a variation of Rainbow, with equivalent security, using a different representation of GF(2^8). With this variant, we achieve a speedup of 2.44x/4.7x/2.1x for key generation/signing/verifying, respectively.

With the growth of cloud computing, the need arises for Private Set Intersection (PSI) protocols that can operate on outsourced data and delegate computation to cloud servers. One limitation of existing delegated PSI protocols is that they are all designed for static data and do not allow efficient update on outsourced data. Another limitation is that they cannot efficiently support PSI among multiple clients, which is often needed in practice. This paper presents “Feather”, the first delegated PSI protocol that supports efficient data updates and scalable multi-party PSI computation on outsourced datasets. The clients can independently prepare and upload their private data to the cloud once, then delegate the computation an unlimited number of times. The update operation has O(1) communication and computation complexity, and this is achieved without sacrificing PSI efficiency and security. Feather does not use public key cryptography, that makes it more scalable. We have implemented a prototype and compared the concrete performance against the state of the art. The evaluation indicates that Feather does achieve better performance in both update and PSI computation.