IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
08 July 2020
Orlando, USA, 9 November 2020
Event CalendarSubmission deadline: 23 July 2020
Notification: 26 August 2020
Villanova University, Department of Electrical and Computer Engineering
Job Posting2. Research area. Post quantum cryptography hardware implementation, fault detection/attack, and hardware security.
3. Qualification. Preferred to have research experience in the areas of cryptographic engineering, fault detection, hardware security, and VLSI design. Students from electrical/computer engineering, computer science, and cryptography (applied mathematics) or other related majors are WARMLY welcome! Programming skills such as HDL, C++ will be more favorable.
NOTE: because of the time urgency, it's better that you are currently in U.S.
4. Application process. Interested students can directly send the CV/resume to Dr. Jiafeng Harvest Xie's email: jiafeng.xie@villanova.edu.
5. Application information. The detailed application requirement is available at the department website.
6. Additional information. Villanova University is a private research university located in Radnor Township, a suburb northwest of Philadelphia, Pennsylvania. U.S. News & World Report ranks Villanova as tied for the 46th best National University in the U.S. for 2020.
7. PI introduction. Dr. Jiafeng Harvest Xie is currently an Assistant Professor at the Department of Electrical and Computer Engineering of Villanova University. His research interests include cryptographic engineering, hardware security, and VLSI digital design. He is the Best Paper Awardee of IEEE HOST 2019. He is also the Associate Editor for Microelectronics Journal, IEEE Access, and IEEE Trans. Circuits and Systems II.
Contact: Dr. Jiafeng Harvest Xie, email: jiafeng.xie@villanova.edu
Closing date for applications:
Contact: Dr. Jiafeng Harvest Xie, email: jiafeng.xie@villanova.edu
More information: https://www1.villanova.edu/villanova/engineering/departments/ece/facultyStaff/biodetail.html?mail=jiafeng.xie@villanova.
07 July 2020
Eunsang Lee, Joon-Woo Lee, Jong-Seon No, Young-Sik Kim
ePrint ReportFlorian Unterstein, Tolga Sel, Thomas Zeschg, Nisha Jacob, Michael Tempelmeier, Michael Pehl, Fabrizio De Santis
ePrint ReportSusumu Kiyoshima
ePrint ReportMichele Ciampi, Roberto Parisella, Daniele Venturi
ePrint Report- We exhibit a generic compiler taking any delayed-input Sigma protocol and returning a delayed-input Sigma protocol satisfying adaptive-input special honest-verifier zero-knowledge (SHVZK). In case the initial Sigma protocol also satisfies adaptive-input special soundness, our compiler preserves this property. - We revisit the recent paradigm by Canetti et al. (STOC 2019) for obtaining NIZK proof systems in the CRS model via the Fiat-Shamir transform applied to so-called trapdoor Sigma protocols, in the context of adaptive security. In particular, assuming correlation-intractable hash functions for all sparse relations, we prove that Fiat- Shamir NIZKs satisfy either: (i) Adaptive soundness (and non-adaptive zero-knowledge), so long as the challenge is obtained by hashing both the provers first round and the instance being proven; (ii) Adaptive zero-knowledge (and non-adaptive soundness), so long as the challenge is obtained by hashing only the provers first round, and further assuming that the initial trapdoor Sigma protocol satisfies adaptive-input SHVZK. - We exhibit a generic compiler taking any Sigma protocol and returning a trapdoor Sigma protocol. Unfortunately, this transform does not preserve the delayed-input property of the initial Sigma protocol (if any). To complement this result, we also give yet another compiler taking any delayed-input trapdoor Sigma protocol and returning a delayed-input trapdoor Sigma protocol with adaptive-input SHVZK.
An attractive feature of our first two compilers is that they allow obtaining efficient delayed-input Sigma protocols with adaptive security, and efficient Fiat-Shamir NIZKs with adaptive soundness (and non-adaptive zero-knowledge) in the CRS model. Prior to our work, the latter was only possible using generic NP reductions.
Arnold G. Reinhold
ePrint ReportAude Le Gluher, Pierre-Jean Spaenlehauer, Emmanuel Thomé
ePrint ReportAshoka SB, Lakshmikanth D
ePrint ReportDaniel Adkins, Archita Agarwal, Seny Kamara, Tarik Moataz
ePrint ReportXuan Thanh Do, Duong Hieu Phan, Moti Yung
ePrint ReportWe first present an AnoBEB construction for up to $k$ users from LWE assumption, where $k$ is bounded by the scheme security parameter. The scheme does not grow with the parameter and beat the PKE method. Actually, our scheme is as efficient as the underlying LWE public-key encryption; namely, the rate is, in fact, $1$ and thus optimal. The scheme is achieved easily by an observation about an earlier scheme with a different purpose.
More interestingly, we move on to employ the new AnoBEB in other multimedia broadcasting methods and, as a second contribution, we introduce a new approach to construct an efficient ``Trace and Revoke scheme'' which combines the functionalites of revocation and of tracing people (called traitors) who in a broadcasting schemes share their keys with the adversary which, in turn, generates a pirate receiver. Note that, as was put forth by Kiayias and Yung (EUROCRYPT '02), combinatorial traitor tracing schemes can be constructed by combining a system for small universe, integrated via an outer traceability codes (collusion-secure code or identifying parent property (IPP) code). There were many efficient traitor tracing schemes from traceability codes, but no known scheme supports revocation as well. Our new approach integrates our AnoBEB system with a Robust IPP code, introduced by Barg and Kabatiansky (IEEE IT '13). This shows an interesting use for robust IPP in cryptography. The robust IPP codes were only implicitly shown by an existence proof. In order to make our technique concrete, we propose two explicit instantiations of robust IPP codes. Our final construction gives the most efficient trace and revoke scheme in the bounded collusion model.
Jiayu Qiang, Yi Deng
ePrint ReportFynn Dallmeier, Jan P. Drees, Kai Gellert, Tobias Handirk, Tibor Jager, Jonas Klauke, Simon Nachtigall, Timo Renzelmann, Rudi Wolf
ePrint ReportSuch protocols meet the demand for communication with minimal latency, but those currently deployed in practice achieve only rather weak security properties, as they may not achieve forward security for the first transmitted payload message and require additional countermeasures against replay attacks.
Recently, 0-RTT protocols with full forward security and replay resilience have been proposed in the academic literature. These are based on puncturable encryption, which uses rather heavy building blocks, such as cryptographic pairings. Some constructions were claimed to have practical efficiency, but it is unclear how they compare concretely to protocols deployed in practice, and we currently do not have any benchmark results that new protocols can be compared with.
We provide the first concrete performance analysis of a modern 0-RTT protocol with full forward security, by integrating the Bloom Filter Encryption scheme of Derler et al. (EUROCRYPT 2018) in the Chromium QUIC implementation and comparing it to Google's original QUIC protocol.
We find that for reasonable deployment parameters, the server CPU load increases approximately by a factor of eight and the memory consumption on the server increases significantly, but stays below 400 MB even for medium-scale deployments that handle up to 50K connections per day. The difference of the size of handshake messages is small enough that transmission time on the network is identical, and therefore not significant.
We conclude that while current 0-RTT protocols with full forward security come with significant computational overhead, their use in practice is not infeasible, and may be used in applications where the increased CPU and memory load can be tolerated in exchange for full forward security and replay resilience on the cryptographic protocol level. Our results also serve as a first benchmark that can be used to assess the efficiency of 0-RTT protocols potentially developed in the future.
Jacqueline Brendel, Cas Cremers, Dennis Jackson, Mang Zhao
ePrint ReportRemarkably, no detailed proofs have ever been given for these security properties for EdDSA, and in particular its Ed25519 instantiations. Ed25519 is one of the most efficient and widely used signature schemes, and different instantiations of Ed25519 are used in protocols such as TLS 1.3, SSH, Tor, ZCash, and WhatsApp/Signal. The differences between these instantiations are subtle, and only supported by informal arguments, with many works assuming results can be directly transferred from Schnorr signatures. Similarly, several proofs of protocol security simply assume that Ed25519 satisfies properties such as EUF-CMA or SUF-CMA.
In this work we provide the first detailed analysis and security proofs of Ed25519 signature schemes. While the design of the schemes follows the well-established Fiat-Shamir paradigm, which should guarantee existential unforgeability, there are many side cases and encoding details that complicate the proofs, and all other security properties needed to be proven independently.
Our work provides scientific rationale for choosing among several Ed25519 variants and understanding their properties, fills a much needed proof gap in modern protocol proofs that use these signatures, and supports further standardisation efforts.
Kwangsu Lee
ePrint ReportMichail Moraitis, Elena Dubrova
ePrint Report06 July 2020
Tim Beyne, Anne Canteaut, Gregor Leander, María Naya-Plasencia, Léo Perrin, Friedrich Wiemer
ePrint ReportWilly Quach
ePrint ReportOur main technical contribution is a public-key encryption scheme from LWE where messy public keys (under which encryptions hide the underlying message statistically) can be recognized in time essentially independent of the LWE modulus $q$.
Christian Badertscher, Alexandru Cojocaru, Léo Colisson, Elham Kashefi, Dominik Leichtle, Atul Mantri, Petros Wallden
ePrint ReportTherefore the question becomes relevant whether it is possible to rely solely on classical channels between client and server and yet benefit from its quantum capabilities while retaining privacy. Classical-client remote state preparation ($\sf{RSP}_{CC}$) is one of the promising candidates to achieve this because it enables a client, using only classical communication resources, to remotely prepare a quantum state. However, the privacy loss incurred by employing $\sf{RSP}_{CC}$ as sub-module to avoid quantum channels is unclear.
In this work, we investigate this question using the Constructive Cryptography framework by Maurer and Renner (ICS'11). We first identify the goal of $\sf{RSP}_{CC}$ as the construction of ideal \RSP resources from classical channels and then reveal the security limitations of using $\sf{RSP}_{CC}$ in general and in specific contexts:
1. We uncover a fundamental relationship between constructing ideal $\sf{RSP}$ resources (from classical channels) and the task of cloning quantum states with auxiliary information. Any classically constructed ideal $\sf{RSP}$ resource must leak to the server the full classical description (possibly in an encoded form) of the generated quantum state, even if we target computational security only. As a consequence, we find that the realization of common $\sf{RSP}$ resources, without weakening their guarantees drastically, is impossible due to the no-cloning theorem.
2. The above result does not rule out that a specific $\sf{RSP}_{CC}$ protocol can replace the quantum channel at least in some contexts, such as the Universal Blind Quantum Computing ($\sf{UBQC}$) protocol of Broadbent et al. (FOCS 09). However, we show that the resulting $\sf{UBQC}$ protocol cannot maintain its proven composable security as soon as $\sf{RSP}_{CC}$ is used as a subroutine.
3. We show that replacing the quantum channel of the above $\sf{UBQC}$ protocol by the $\sf{RSP}_{CC}$ protocol QFactory of Cojocaru et al. (Asiacrypt 19), preserves the weaker, game-based, security of $\sf{UBQC}$.