International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

27 December 2020

Alexander R. Block, Simina Branzei, Hemanta K. Maji, Himanshi Mehta, Tamalika Mukherjee, Hai H. Nguyen
ePrint Report ePrint Report
$P_4$-free graphs-- also known as cographs, complement-reducible graphs, or hereditary Dacey graphs--have been well studied in graph theory. We introduce the graph properties of partitioning and covering the edges of a graph with the minimum number of $P_4$-free graphs, namely, the $P_4$-free partition and $P_4$-free cover numbers. We prove that computing these numbers is \npol-complete, even for bipartite graphs. We present bipartite graph constructions where these numbers are at least ${\epsilon N^{1-2\epsilon}}$, for $\epsilon\in\{1/3,1/4,1/5,\dotsc\}$, where $N$ is the number of vertices in each partite set. Finally, we upper bound these numbers for bipartite graphs encoding well-studied Boolean functions from circuit complexity, such as set intersection, set disjointness, and inequality.

Our work encodes joint probability distributions and Boolean functions as equivalent bipartite graphs and studies the $P_4$-free partition and cover numbers of these graphs. Leveraging this connection, we present representative applications of these graph properties and their estimates to information-theory and circuit complexity. For applications in information theory, we consider a system where a setup samples from a joint distribution and gives the participants, Alice and Bob, their portion from this joint sample. The objective of Alice and Bob is to non-interactively establish a shared key and extract the left-over entropy from their portion of the samples as independent private randomness. A genie, who observes the joint sample, provides an appropriate assistance to help Alice and Bob with their objective. Lower bounds to the minimum size of the genie's assistance translates into communication and cryptographic lower bounds. We show that (the $\log_2$ of) the $P_4$-free partition number of a graph encoding the joint distribution that the setup uses is equivalent to the size of the genie's assistance. Consequently, the joint distributions corresponding to the bipartite graphs constructed above with high $P_4$-free partition number correspond to joint distributions requiring more assistance from the genie.

As a representative application in communication complexity, we study communication complexity of non-deterministic protocols augmented by access to the equality oracle at the output. We show that (the $\log_2$ of) the $P_4$-free cover number of the bipartite graph encoding a Boolean function $f$ is equivalent to the minimum size of the non-deterministic input required by the parties (referred to as the communication complexity of $f$ in this model). Consequently, the functions corresponding to the bipartite graphs with high $P_4$-free cover number have high communication complexity. Furthermore, there are functions with communication complexity close to the \naive protocol where the non-deterministic input reveals the input of a party. Finally, the access to the equality oracle reduces the communication complexity of computing set intersection and disjointness by a constant factor in contrast to the model where parties do not have access to the equality oracle. In the case of computing the inequality function, we show an exponential reduction in the communication complexity.
Expand
Andrei Lapets, Wyatt Howe, Ben Getchell, Frederick Jansen
ePrint Report ePrint Report
Contemporary libraries and frameworks that make it possible to incorporate secure multi-party computation protocols and capabilities into production software systems and applications must sometimes deliver underlying capabilities (such as logical circuit synthesis) to new kinds of environments (such as web browsers or serverless cloud computing platforms). In order to illustrate some of the benefits of addressing this challenge by building a solution from the ground up that leverages the features of a contemporary and widely used programming language, we present an embedded domain-specific language that allows programmers to describe and synthesize logical circuits. Notably, this approach allows programmers to employ many of the language features and any of the programming paradigms supported by the host language. We illustrate this flexibility by considering two use cases: synthesizing circuits for relational operations and synthesizing circuits corresponding to the SHA-256 cryptographic hash function.
Expand
Takashi Nishide
ePrint Report ePrint Report
Delegation of signing rights can be useful to promote effective resource sharing and smooth cooperation among participants in distributed systems, and in many situations, we often need restricted delegation such as one-timeness and unlinkability rather than simple full delegation. Particularly, one-timesness cannot be achieved just by deploying cryptographic measures, and one needs to resort to some form of tamper-proofness or the assistance from external cloud servers for ``key-disabling''. In this work, we extend the latter such that a delegatee can sign a message without the delegator's involvement with the assumption that there exists at least one honest cloud server with secure erasure to achieve one-timeness. In this setting, if the delegator just shares their signing key between the delegatee and cloud servers, it may be problematic. It is because in the worst case, the delegator cannot know whether or not a signing key theft occurred because the signatures generated illegally are indistinguishable from the ones generated legally. To solve this, first we propose an efficient one-time delegation scheme of Okamoto-Schnorr signing. Further we combine the basic delegation scheme with anonymous credentials such that the delegator can detect the signing key theft even if one-time delegation is broken while also achieving unlinkability for both the delegator and cloud servers. Further we show its application to an e-cash scheme, which can prevent double-spending.
Expand
Aurélien Greuet, Simon Montoya, Guénaël Renault
ePrint Report ePrint Report
Polynomial multiplication is one of the most costly operations of ideal lattice-based cryptosystems. In this work, we study its optimization when one of the operand has coefficients close to 0. We focus on this structure since it is at the core of lattice-based Key Exchange Mechanisms submitted to the NIST call for post-quantum cryptography. In particular, we propose optimization of this operation for embedded devices by using a RSA/ECC coprocessor that provides efficient large-integer arithmetic. In this context, we compare Kronecker Substitution, already studied by Albrecht et al. in TCHES 2019, with two specific algorithms that we introduce: KSV, a variant of this substitution, and an adaptation of the schoolbook multiplication, denoted Shift&Add. All these algorithms rely on the transformation of polynomial multiplication to large-integer arithmetic. Then, thanks to these algorithms, existing coprocessors dedicated to large-integer can be re-purposed in order to speed-up post-quantum schemes. The efficiency of these algorithms depends on the component specifications and the cryptosystem parameters set. Thus, we establish a methodology to determine which algorithm to use, for a given component, by only implementing basic large-integer operations. Moreover, the three algorithms are assessed on a chip ensuring that the theoretical methodology matches with practical results. They are also compared to reference software implementations such as NTT or schoolbook multiplication.
Expand
Rami Khalil, Naranker Dulay
ePrint Report ePrint Report
Second-layer or off-chain protocols increase the throughput of permissionless blockchains by enabling parties to lock funds into smart-contracts and perform payments through peer-to-peer communication, only resorting to the smart-contracts for protection against fraud. Current protocols have fixed time periods during which participants can dispute any fraud attempts. However, current blockchains have limited transaction processing capacity, so a fixed dispute period will not always be sufficient to deter all fraudulent behaviour in an off-chain protocol. In this work, we describe how to set adaptive dispute periods that accommodate the congestion and capacity of the underlying blockchain. Adaptive dispute periods ensure that users retain the opportunity to dispute fraudulent behaviours during blockchain congestion, while increasing second-layer protocol efficiency by reducing dispute period lengths when the number of disputes is low. We describe a non-interactive argument system for setting adaptive dispute periods under the current Ethereum Virtual Machine, and discuss how to efficiently integrate built-in support for adaptive dispute periods in any blockchain. We empirically demonstrate that an adaptive-dispute second-layer protocol can handle a larger number of disputes and prevent more fraud than its non-adaptive counterparts even when users are slow to issue disputes, due to denial of service or blockchain congestion.
Expand
Unai Rioja, Lejla Batina, Jose Luis Flores, Igor Armendariz
ePrint Report ePrint Report
Due to the constant increase and versatility of IoT devices that should keep sensitive information private, Side-Channel Analysis (SCA) attacks on embedded devices are gaining visibility in the industrial field. The integration and validation of countermeasures against SCA can be an expensive and cumbersome process, especially for the less experienced ones, and current certification procedures require to attack the devices under test using multiple SCA techniques and attack vectors, often implying a high degree of complexity.

The goal of this paper is to ease one of the most crucial and tedious steps of profiling attacks i.e. the points of interest (POI) selection and hence assist the SCA evaluation process. To this end, we introduce the usage of Estimation of Distribution Algorithms (EDAs) in the SCA field in order to automatically tune the point of interest selection. We showcase our approach on several experimental use cases, including attacks on unprotected and protected AES implementations over distinct copies of the same device, dismissing in this way the portability issue.
Expand

24 December 2020

Samuel Dittmer, Yuval Ishai, Steve Lu, Rafail Ostrovsky, Mohamed Elsabagh, Nikolaos Kiourtis, Brian Schulte, Angelos Stavrou
ePrint Report ePrint Report
In this work we describe a token-based solution to Contact Tracing via Distributed Point Functions (DPF) and, more generally, Function Secret Sharing (FSS). The key idea behind the solution is that FSS natively supports secure keyword search on raw sets of keywords without a need for processing the keyword sets via a data structure for set membership. Furthermore, the FSS functionality enables adding up numerical payloads associated with multiple matches without additional interaction. These features make FSS an attractive tool for lightweight privacy-preserving searching on a database of tokens belonging to infected individuals.
Expand
Manoj Kumar, Tarun Yadav
ePrint Report ePrint Report
WARP is proposed by S. Banik et al. in SAC 2020. It is a 128-bit lightweight block cipher with 128-bit key. WARP is based on 32-nibble type-2 Generalised Feistel Network (GFN). It uses permutation over nibbles designed to optimize the security and efficiency. Designers have provided a lower bound for the number of differentially active S-boxes but detailed differential characteristics are not provided. In this paper, we discuss MILP based search technique and present differential characteristics for 18-round and 19-round WARP with probability of $2^{-122}$ and $2^{-132}$ respectively. To the best of our knowledge, these detailed differential characteristics for WARP are presented for the first time.
Expand
Abderrahmane Nitaj, Willy Susilo, Joseph Tonien
ePrint Report ePrint Report
The Advanced Encryption Standard (AES) is the most widely used symmetric encryption algorithm. Its security is mainly based on the structure of the S-box. In this paper, we present a new way to create S-boxes for AES and exhibit an S-box with improved cryptographic properties such as Bit Independence Criterion (BIC), periodicity, algebraic complexity, Strict Avalanche Criterion (SAC) and Distance to SAC.
Expand
Kinan Dak Albab, Rawane Issa, Mayank Varia, Kalman Graffi
ePrint Report ePrint Report
Private Information Retrieval (PIR) hides access patterns when several clients query a database held by one or more servers. Prior PIR schemes have achieved sublinear communication and computation by leveraging computational assumptions, federating trust among many servers, relaxing security to permit differentially private leakage, refactoring effort into a pre-processing stage to reduce online costs, or amortizing costs over a large batch of queries.

In this work, we present an efficient PIR protocol that combines all of the above techniques to achieve constant amortized communication and computation complexity in the size of the database, and is the first to scale to more than $10^5$ queries per second deployed on an AWS micro instance. Our protocol also builds upon a new secret sharing scheme that is both incremental and non-malleable, which may be of interest to a wider audience. We leverage differentially private leakage in order to provide better trade-offs between privacy and efficiency. Our protocol provides security up to abort against malicious adversaries that can corrupt all but one party.
Expand
Tingting Guo, Peng Wang, Lei Hu, Dingfeng Ye
ePrint Report ePrint Report
The security in the quantum setting of a series of message authentication codes (MACs) with provable beyond-birthday-bound (BBB) security is analyzed in this paper, including SUM-ECBC, PolyMAC, PMAC_Plus, 3kf9 and some variants (2K-ECBC_Plus, GCM-SIV2, 1k-PMAC_Plus, 2K-PMAC_Plus, PMAC_TBC3k and 2kf9). All these MACs have a security proof up to $2^{2n/3}$ (even $2^{3n/4}$) queries assuming the block size of the underlying (tweakable) block cipher is $n$ bits. Given that the adversary can make quantum queries, we consider secret state recovery and partial key recovery attacks against these MACs. Both attacks lead to successful forgeries. For the first one, we apply Grover-meet-Simon algorithm to recover some secret states of SUM-ECBC, PolyMAC, PMAC_Plus, 3kf9 and so on. Our research shows this forgery attack costs at most $O(2^{n/2}n)$ quantum queries using at most $O(n^{2})$ qubits. For the second one, we apply Grover's algorithm to recover partial keys of PMAC_Plus, 3kf9, PMAC_TBC3k and so on. Our research shows this forgery attack costs $O(2^{m/2})$ quantum queries and $O(m+n^2)$ qubits assuming the size of one key is $m$ bits. As far as we know, these are the first quantum attacks against BBB MACs. Our results show that in the quantum setting their securities go back to birthday bounds.
Expand
HyungChul Kang, Joon-Woo Lee, Yongwoo Lee, Young-Sik Kim, Jong-Seon No
ePrint Report ePrint Report
We implement bootstrapping of RNS-CKKS on SEAL, a homomorphic encryption library released by Microsoft. And we measure the accuracy of encrypted data after bootstrapping for various parameters, which allows us to do more than thousands of homomorphic operations.
Expand
Edward Eaton, David Jao, and Chelsea Komlo
ePrint Report ePrint Report
In this work, we present the first post-quantum secure Updatable Public-Key Encryption (UPKE) construction. UPKE has been proposed in the literature as a mechanism to improve the forward-secrecy and post-compromise security of secure messaging protocols, but the hardness of all existing constructions to date rely on discrete logarithm assumptions. We focus our assessment on isogeny-based cryptosystems due to their suitability for performing a potentially unbounded number of update operations, a practical requirement for secure messaging where user conversations can occur over months, if not years.

We begin by formalizing two UPKE variants presented in the literature as Symmetric and Asymmetric UPKE. At a fundamental level, these variants differ in how encryption and decryption keys are updated, and consequently impact the design and security model for quantum-safe constructions.

We demonstrate that Asymmetric UPKE cannot be instantiated using existing isogeny-based constructions. We then describe a SIDH-based Symmetric UPKE construction that is possible in theory but requires improving existing mathematical limitations before a practical implementation is possible. Finally, we present a CSIDH-based Symmetric UPKE construction that can be instantiated using a parameter set in which the class group structure is fully known to ensure efficient uniform sampling and canonical representation to prevent leakage of secret keys. We discuss several open problems which are applicable to any cryptosystem with similar requirements for continuous operations over elements in the secret domain.
Expand
Elaine Shi, Waqar Aqeel, Balakrishnan Chandrasekaran, Bruce Maggs
ePrint Report ePrint Report
Imagine that one or more non-colluding servers each holds a large public database, e.g., the repository of DNS entries. Clients would like to access entries in this database without disclosing their queries to the servers. Classical private information retrieval (PIR) schemes achieve polylogarithmic bandwidth per query, but require the server to perform linear computation per query, which is a deal breaker with respect to practical adoption.

Several recent works have shown, however, that by introducing a one-time, per-client, off-line preprocessing phase, an \emph{unbounded} number of client queries can be subsequently served with sublinear on-line computation time per query (and the cost of the preprocessing can be amortized over the unboundedly many queries). Unfortunately, existing preprocessing PIRs make undesirable tradeoffs to achieve sublinear online computation: they either require $\sqrt{n}$ or more bandwidth per query, which is asymptotically worse than classical PIR schemes, or they require the servers to store a linear amount state per client (or even per query), or require polylogarithmically many non-colluding servers.

We propose a novel 2-server preprocessing PIR scheme that achieves $\widetilde{O}(\sqrt{n})$ online computation per query, while preserving the polylogarithmic online bandwidth of classical PIR schemes. In our construction, each server stores only the original database and nothing extra, and each online query is served within a single round trip. Our construction relies on the standard LWE assumption. As an important stepping stone, we propose new, more generalized definitions for a cryptographic object called a Privately Puncturable Pseudorandom Set, and give novel constructions that depart significantly from prior approaches.
Expand
Kai-Min Chung, T-H. Hubert Chan, Ting Wen, Elaine Shi (random author ordering)
ePrint Report ePrint Report
Suppose that $n$ players want to elect a random leader and they communicate by posting messages to a common broadcast channel. This problem is called leader election, and it is fundamental to the distributed systems and cryptography literature. Recently, it has attracted renewed interests due to its promised applications in decentralized environments.

In a game theoretically fair leader election protocol, roughly speaking, we want that even majority coalitions cannot increase its own chance of getting elected, nor hurt the chance of any honest individual. The folklore tournament-tree protocol, which completes in logarithmically many rounds, can easily be shown to satisfy game theoretic security. To the best of our knowledge, no sub-logarithmic round protocol was known in the setting that we consider.

We show that by adopting an appropriate notion of approximate game-theoretic fairness, and under standard cryptographic assumption, we can achieve $(1-1/2^{\Theta(r)})$-fairness in $r$ rounds for $\Theta(\log \log n) \leq r \leq \Theta(\log n)$, where $n$ denotes the number of players. In particular, this means that we can approximately match the fairness of the tournament tree protocol using as few as $O(\log \log n)$ rounds. We also prove a lower bound showing that logarithmically many rounds is necessary if we restrict ourselves to ``perfect'' game-theoretic fairness and protocols that are ``very similar in structure'' to the tournament-tree protocol.

Although leader election is a well-studied problem in other contexts in distributed computing, our work is the first exploration of the round complexity of {\it game-theoretically fair} leader election in the presence of a possibly majority coalition. As a by-product of our exploration, we suggest a new, approximate game-theoretic fairness notion, called ``approximate sequential fairness'', which provides a more desirable solution concept than some previously studied approximate fairness notions.
Expand

22 December 2020

Max Planck Institutes in Computer Science, Germany
Job Posting Job Posting

Looking for a top PhD program in English that you can start after BSc or MSc?

CS@max planck is a highly selective doctoral program that grants admitted students full financial support to pursue research in the broad area of computer and information science, with faculty at Max Planck Institutes and some of the best German universities. The faculty at the Max Planck Institute for Security and Privacy (MPI-SP) is also part of this program.

To qualify for the program, students must hold a Bachelor’s or Master’s degree in computer science (or a related field) and have an outstanding academic record. We especially encourage applications from students who wish to explore research across the CS spectrum before committing to a topic and advisor.

For more information about CS@max planck, see here: https://www.cis.mpg.de/graduate-programs/cs-max-planck

The next upcoming application deadline is 31 December 2020.

Closing date for applications:

Contact: csmaxplanck@cis.mpg.de

More information: https://www.cis.mpg.de/graduate-programs/cs-max-planck

Expand
University of Surrey, Guildford, United Kingdom
Job Posting Job Posting

This Ph.D. position is funded for EU and UK students, and the application deadline is on the 24th of January 2021.

In recent years, the use of solvers (SAT, MILP, CP...) to solve cryptanalysis problems has become prominent. The aim of this Ph.D. is to develop a fully automated framework based on these solvers for the cryptanalysis of block ciphers, starting with differential cryptanalysis. In particular, non-trivial modeling strategies are sometimes necessary to improve the resolution and scale up[1]. An important part of the task will be to derive efficient ways to model different types of ciphers, and compare which method (among MILP, CP, SAT) works best for each types of building blocks.

This position is fully funded, with a stipend of 16 000 GBP per year, and successful applicants are expected to start in April 2021.

[1] David Gerault, Pascal Lafourcade, Marine Minier, Christine Solnon: Computing AES related-key differential characteristics with constraint programming. Artificial Intelligence 278 (2020)

Closing date for applications:

Contact: David Gerault (david.gerault@surrey.ac.uk)

More information: https://www.surrey.ac.uk/fees-and-funding/studentships/phd-studentships-computer-science

Expand

21 December 2020

New Jersey Institute of Technology
Job Posting Job Posting
The Department of Computer Science at New Jersey Institute of Technology (NJIT) seeks candidates to fill a University Lecturer/Senior University Lecturer position. Candidates are expected to teach courses under the umbrella of Cybersecurity, in support of our graduate and undergraduate programs. Applicants must have at least an MS degree in Computer Science or in a related computing area. A PhD degree and prior university teaching experience are an advantage.

Successful candidates must have an expert grasp of knowledge of Cybersecurity at all levels, with an emphasis on hands-on applied cybersecurity skills, either through a demonstrated record of teaching excellence, or through industrial experience. The successful candidate will also be involved in creating course content and materials with a focus on hands-on experiential and project-based learning. Strong written, oral and interpersonal skills are required in order to communicate effectively with students in person and online. The formal education and experience prerequisites may be waived at the university’s discretion if the candidate can demonstrate to the satisfaction of the university an equivalent combination of education and experience specifically preparing the candidate for success in the position.

Interested applicants should submit their CV and at least two references by applying as soon as possible at: https://njit.csod.com/ats/careersite/JobDetails.aspx?site=1&id=2600

Work environment and location: The Computer Science department, part of the Ying Wu College of Computing Sciences, is the largest at NJIT, comprising one tenth of the student population. It is also the largest computer science department among all research universities in the New York metropolitan area.​ Located in Northern New Jersey, within the greater New York Metropolitan area, NJIT is part of a vibrant ecosystem of research universities and corporate research centers.

Closing date for applications:

Contact: reza.curtmola@njit.edu

More information: https://njit.csod.com/ats/careersite/JobDetails.aspx?site=1&id=2600

Expand
Eindhoven University of Technology,, Eindhoven, the Netherlands,
Job Posting Job Posting

The position will be part of the Coding Theory and Cryptology (CC) group, within the Discrete Mathematics (DM) cluster. The other group in DM is Discrete Algebra and Geometry. The CC group consists of one full professor (Lange), two associate professors (Schoenmakers and de Weger), and three assistant professors (Ashur, Hülsing and Ravagnani). CC provides undergraduate and graduate courses in cryptology, coding theory, algebra and number theory, as well as service teaching.

CC and the Security (SEC) group of Etalle form the Eindhoven Institute for the Protection of Systems and Information (Ei/ Ψ) which covers the whole technical spectrum of information security. Ei/ Ψ organizes the master's track Information Security Technology within the Computer Science program at TU/e.

The ideal candidate has research experience complementing the existing strengths in CC and SEC but candidates from all areas of cryptology including neighboring fields such as software security, side-channel attacks, reverse engineering, etc. are encouraged to apply.

The assistant professor is expected to

  • perform outstanding research in the area of cryptology and security;
  • establish research collaborations within the department and nternationally;
  • take responsibility in coordinating and updating courses; advise BSc, MSc, and PhD students;
  • initiate, acquire and coordinate research projects;
  • perform managerial and/or administrative tasks for the cluster or department.
Applications need to be submitted via the URL below. Deadline is 16 Feb 2021.

Closing date for applications:

Contact: Tanja Lange tanja@hyperelliptic.org

More information: https://jobs.tue.nl/en/vacancy/assistant-professor-in-cryptology-868539.html

Expand
Adithya Bhat, Nibesh Shreshta, Aniket Kate, Kartik Nayak
ePrint Report ePrint Report
Random beacon protocols provide a continuous public source of randomness and their applications range from public lotteries to zero-knowledge proofs. Existing random beacon protocols in the bounded synchronous model sacrifice either the fault tolerance or the communication complexity for security, or ease of reconfigurability. This work overcomes the challenges with the existing works through a novel communication efficient combination of state machine replication and (publicly) verifiable secret sharing (PVSS/VSS) protocols.

We first design a new Byzantine fault-tolerant state machine replication protocol with $O(\kappa n^2)$ bits communication per consensus decision without using threshold signatures. Next, we design GRandPiper (Good Pipelined Random beacon), a random beacon protocol with bias-resistance and unpredictability, that uses PVSS and has a communication complexity of $O(\kappa n^2)$ always (best and worst cases), for a static adversary. However, GRandPiper allows an adaptive adversary to predict beacon values up to $t+1$ epochs into the future. Therefore, we design BRandPiper (Better RandPiper), that uses VSS and has a communication complexity of $O(\kappa fn^2)$, where $f$ is the actual number of faults, while offering a strong unpredictability with an advantage of only a single round even for an adaptive adversary.
Expand
◄ Previous Next ►