International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

03 February 2021

Vienna, Austria, 13 December - 15 December 2021
Event Calendar Event Calendar
Event date: 13 December to 15 December 2021
Submission deadline: 1 June 2021
Notification: 1 October 2021
Expand

02 February 2021

Singapore, Singapore, 5 December - 9 December 2021
Asiacrypt Asiacrypt
Event date: 5 December to 9 December 2021
Expand

01 February 2021

Mila Anastasova, Reza Azarderakhsh, Mehran Mozaffari Kermani
ePrint Report ePrint Report
Abstract The Supersingular Isogeny Key Encapsulation mechanism (SIKE) is the only post-quantum key encapsulation mechanism based on supersingular elliptic curves and isogenies between them. Despite the security of the protocol, unlike the rest of the NIST post-quantum algorithms, SIKE requires more number of clock cycles and hence does not provide competitive timing, energy and power consumption results. However, it is more attractive offering smallest public key sizes as well as ciphertext sizes, which taking into account the impact of the communication costs and storage of the keys could become as good fit for resource-constrained devices. In this work, we present the fastest practical implementation of SIKE, targeting the platform Cortex-M4 based on the ARMv7-M architecture. We performed our measurements on NIST recommended device based on STM32F407 microcontroller, for benchmarking the clock cycles, and on the target board Nucleo-F411RE, attached to X-NUCLEO-LPM01A (Power Shield), for measuring the power and energy consumption. The lower level finite field arithmetic and extension field operations play main role determining the efficiency of SIKE. Therefore, we mainly focus on those improvements and apply them to all NIST required security levels. Our SIKEp434 implementations for NIST security level 1 take about 850ms which is about 22.3% faster than the counterparts appeared in previous work. Moreover, our implementations are 21.9%, 19.7% and 19.5% faster for SIKEp503, SIKEp610 and SIKEp751 in comparison to the previously reported work for other NIST recommended security levels. Finally, we benchmark power and energy consumption and report the results for comparison.
Expand
Michel Abdalla, Björn Haase, Julia Hesse
ePrint Report ePrint Report
In response to standardization requests regarding password-authenticated key exchange (PAKE) protocols, the IRTF working group CFRG has setup a PAKE selection process in 2019, which led to the selection of the CPace protocol in the balanced setting, in which parties share a common password.

In this paper, we provide a security analysis of CPace in the universal composability framework for implementations on elliptic-curve groups. When doing so, we restrict the use of random oracles to hash functions only and refrain from modeling CPace's MapToPoint function that maps field elements to curve points as an idealized function. As a result, CPace can be proven secure under standard complexity assumptions in the random-oracle model.

Finally, in order to extend our proofs to different CPace variants optimized for specific environments, we employ a new approach, which represents the assumptions required by the proof as libraries which a simulator can access. By allowing for the modular replacement of assumptions used in the proof, this new approach avoids a repeated analysis of unchanged protocol parts and lets us efficiently analyze the security guarantees of all the different CPace variants.
Expand
Ahmad Akmal Aminuddin Mohd Kamal, Keiichi Iwamura
ePrint Report ePrint Report
Secure multi-party computation (MPC) allows a set of n servers to jointly compute an arbitrary function of their inputs, without revealing these inputs to each other. A (k,n) threshold secret sharing is a protocol in which a single secret is divided into n shares and the secret can be recovered from a threshold k shares. Typically, multiplication of (k,n) secret sharing will result in increase of polynomial degree from k-1 to 2k-2, thus increasing the number of shares required from k to 2k-1. Since each server typically hold only one share, the number of servers required in MPC will also increase from k to 2k-1. Therefore, a set of n servers can compute multiplication securely if the adversary corrupts at most k-1<n/2 of the servers. In this paper, we differentiate the number of servers N required and parameter n of (k,n) secret sharing scheme, and propose a method of computing (k-1) sharing of multiplication ab by using only N=k servers. By allowing each server to hold two shares, we realize MPC of multiplication with the setting of N=k,n&#8805;2k-1. We also show that our proposed method is information theoretic secure against a semi-honest adversary.
Expand
Majid Salimi, Hamid Mala, Honorio Martin, Pedro Peris-Lopez
ePrint Report ePrint Report
Multi-Party Non-Interactive Key Exchange (MP-NIKE) is a fundamental cryptographic primitive in which users register into a key generation centre and receive a public/private key pair each. After that, any subset of these users can compute a shared key without any interaction. Nowadays, IoT devices suffer from a high number and large size of messages exchanged in the Key Management Protocol (KMP). To overcome this, an MP-NIKE scheme can eliminate the airtime and latency of messages transferred between IoT devices. MP-NIKE schemes can be realized by using multilinear maps. There are several attempts for constructing multilinear maps based on indistinguishable obfuscation, lattices and the Chinese Remainder Theorem (CRT). Nevertheless, these schemes are inefficient in terms of computation cost and memory overhead. Besides, several attacks have been recently reported against CRT-based and lattice-based multilinear maps. There is only one modular exponentiation-based MP-NIKE scheme in the literature which has been claimed to be both secure and efficient. In this article, we present an attack on this scheme based on the Euclidean algorithm, in which two colluding users can obtain the shared key of any arbitrary subgroup of users. We also propose an efficient and secure MP-NIKE scheme. We show how our proposal is secure in the random oracle model assuming the hardness of the root extraction modulo a composite number.
Expand
Kelesidis Evgnosia-Alexandra
ePrint Report ePrint Report
Even though the currently used encryption and signature schemes are well tested and secure in a classical computational setting, they are not quantum-resistant as Shor's work proves. Taking this into account, alternatives based on hard mathematical problems that cannot be solved using quantum methods are needed, and lattice-based cryptography offers such solutions. The well-known GGH and NTRUEncrypt encryption schemes are proven secure, but their corresponding signature schemes are flawed in their design approach. Once introducing the computationally hard problems like Ring-LWE, elegant and efficient cryptographic primitives could be built.
Expand
Kenji Yasunaga
ePrint Report ePrint Report
Security of cryptographic primitives is usually proved by assuming ``ideal'' probability distributions. We need to replace them with approximated ``real'' distributions in the real-world systems without losing the security level. We demonstrate that the Hellinger distance is useful for this problem, while the statistical distance is mainly used in the cryptographic literature. First, we show that for preserving $\lambda$-bit security of a given security game, the closeness of $2^{-\lambda/2}$ to the ideal distribution is sufficient for the Hellinger distance, whereas $2^{-\lambda}$ is generally required for the statistical distance. The result can be applied to both search and decision primitives through the bit security framework of Micciancio and Walter (Eurocrypt 2018). We also show that the Hellinger distance gives a tighter evaluation of closeness than the max-log distance when the distance is small. Finally, we show that the leftover hash lemma can be strengthened to the Hellinger distance. Namely, a universal family of hash functions gives a strong randomness extractor with optimal entropy loss for the Hellinger distance. Based on the results, a $\lambda$-bit entropy loss in randomness extractors is sufficient for preserving $\lambda$-bit security. The current understanding based on the statistical distance is that a $2\lambda$-bit entropy loss is necessary.
Expand
Amin Rezaei, Hai Zhou
ePrint Report ePrint Report
Due to high IC design costs and emergence of countless untrusted foundries, logic encryption has been taken into consideration more than ever. In state-of-the-art logic encryption works, a lot of performance is sold to guarantee security against both the SAT-based and the removal attacks. However, the SAT-based attack cannot decrypt the sequential circuits if the scan chain is protected or if the unreachable states encryption is adopted. Instead, these security schemes can be defeated by the model checking attack that searches iteratively for different input sequences to put the activated IC to the desired reachable state. In this paper, we propose a practical logic encryption approach to defend against the model checking attack on sequential circuits. The robustness of the proposed approach is demonstrated by experiments on around fifty benchmarks.
Expand
Sara Ricci, Lukas Malina, Petr Jedlicka, David Smekal, Jan Hajny, Petr Cibik, Patrik Dobias
ePrint Report ePrint Report
In July 2020, the lattice-based CRYSTALS-Dilithium digital signature scheme has been chosen as one of the three third-round finalists in the post-quantum cryptography standardization process by the National Institute of Standards and Technology (NIST). In this work, we present the first Very High Speed Integrated Circuit Hardware Description Language (VHDL) implementation of the CRYSTALS-Dilithium signature scheme for Field-Programmable Gate Arrays (FPGAs). Due to our parallelization-based design requiring only low numbers of cycles, running at high frequency and using reasonable amount of hardware resources on FPGA, our implementation is able to sign 15832 messages per second and verify 10524 signatures per second. In particular, the signing algorithm requires 68461 Look-Up Tables (LUTs), 86295 Flip-Flops (FFs), and the verification algorithm takes 61738 LUTs and 34963 FFs on Virtex 7 UltraScale+ FPGAs. In this article, experimental results for each Dilithium security level are provided and our VHDL-based implementation is compared with related High-Level Synthesis (HLS)-based implementations. Our solution is ca 114 times faster (in the signing algorithm) and requires less hardware resources.
Expand
Seny Kamara, Tarik Moataz, Andrew Park, Lucy Qin
ePrint Report ePrint Report
Gun violence results in a significant number of deaths in the United States. Starting in the 1960’s, the US Congress passed a series of gun control laws to regulate the sale and use of firearms. One of the most important but politically fraught gun control measures is a national gun registry. A US Senate office is currently drafting legislation that proposes the creation of a voluntary national gun registration system. At a high level, the bill envisions a decentralized system where local county officials would control and manage the registration data of their constituents. These local databases could then be queried by other officials and law enforcement to trace guns. Due to the sensitive nature of this data, however, these databases should guarantee the confidentiality of the data.

In this work, we translate the high-level vision of the proposed legislation into technical requirements and design a cryptographic protocol that meets them. Roughly speaking, the protocol can be viewed as a decentralized system of locally-managed end-to-end encrypted databases. Our design relies on various cryptographic building blocks including structured encryption, secure multi-party computation and secret sharing. We propose a formal security definition and prove that our design meets it. We implemented our protocol and evaluated its performance empirically at the scale it would have to run if it were deployed in the United States. Our results show that a decentralized and end-to-end encrypted national gun registry is not only possible in theory but feasible in practice.
Expand

30 January 2021

Abu Dhabi, United Arab Emirates, 28 June - 1 July 2021
Event Calendar Event Calendar
Event date: 28 June to 1 July 2021
Submission deadline: 18 March 2021
Notification: 29 April 2021
Expand
University of Twente, The Netherlands
Job Posting Job Posting

The Services and Cybersecurity (SCS) group at the University of Twente invites applications for a 4-years PhD position on the topic of 'cryptographic protocols for privacy-preserving machine learning'.

We are looking for candidates with a strong background in (applied) cryptography.

More information:
https://www.utwente.nl/en/organisation/careers/!/2021-218/phd-position-on-cryptographic-protocols-for-privacy-preserving-machine-learning

Deadline for applications: 11 February 2021, 23:59 CET

Closing date for applications:

Contact: Prof. Dr. Andreas Peter (a.peter@utwente.nl)

More information: https://www.utwente.nl/en/organisation/careers/!/2021-218/phd-position-on-cryptographic-protocols-for-privacy-preserving-machine-learning

Expand

29 January 2021

Award Award
The IACR Test-of-Time Award is given annually for each one of the three IACR General Conferences (Eurocrypt, Crypto, and Asiacrypt). An award will be given at a conference for a paper which has had a lasting impact on the field and was published 15 years prior.

We welcome nominations for the 2021 award (for papers published in 2006) until Feb 20, 2021. The proceedings of these conferences can be found here: To submit your nomination please send an email to testoftime@iacr.org

More information about the IACR Test-of-Time awards can be found in iacr.org/testoftime/

The 2021 Selection Committee:
  • Ueli Maurer (chair)
  • Nigel Smart
  • Francois-Xavier Standaert (Eurocrypt 2021 program co-chair)
  • Chris Peikert (Crypto 2021 program co-chair)
  • Mehdi Tibouchi (Asiacrypt 2021 program co-chair)
Expand

28 January 2021

Aram Jivanyan, Jesse Lancaster, Arash Afshar, Parnian Alimi
ePrint Report ePrint Report
For security token adoption by financial institutions and industry players on the blockchain, there is a need for a secure asset management protocol that enables con dential asset issuance and transfers by concealing from the public the transfer amounts and asset types, while on a public blockchain. Flexibly supporting arbitrary restrictions on financial transactions, only some of which need to be supported by zero-knowledge proofs. This paper proposes leveraging a hybrid design approach, by using zero-knowledge proofs, supported by restrictions enforced by trusted mediators. As part of our protocol, we also describe a novel transaction ordering mechanism that can support a flexible transaction workflow without putting any timing constraints on when the transactions should be generated by the users or processed by the network validators. This technique is likely to be of independent interest.
Expand
Majid Salimi
ePrint Report ePrint Report
So far, most of the Identity-Based Encryption (IBE) schemes have been realized by employing bilinear pairings, lattices, trapdoor discrete logarithm, or based on the quadratic residue problem. Among the IBE schemes, only pairing-based methods seem to be practical. Previously published non-pairing-based schemes are generally inefficient in encryption, decryption, key generation, ciphertext size or key size. In this paper, we propose an IBE scheme based on a hybrid of Diffie-Hellman and RSA-like hardness assumption. The computational cost of the proposed scheme is lower than the previous schemes and the ciphertext size for an $l$-bit plaintext is only $2l$ bits. The proposed scheme is similar to the well-known ElGamal encryption algorithm; therefore it might be used in applications such as oblivious computation.
Expand
Shivam Bhasin, Jan-Pieter D'Anvers, Daniel Heinz, Thomas Pöppelmann, Michiel Van Beirendonck
ePrint Report ePrint Report
In this work, we are concerned with the hardening of post-quantum key encapsulation mechanisms (KEM) against side-channel attacks, with a focus on the comparison operation required for the Fujisaki-Okamoto (FO) transform. We identify critical vulnerabilities in two proposals for masked comparison and successfully attack the masked comparison algorithms from TCHES 2018 and TCHES 2020. To do so, we use first-order side-channel attacks and show that the advertised security properties do not hold. Additionally, we break the higher-order secured masked comparison from TCHES 2020 using a collision attack, which does not require side-channel information. To enable implementers to spot such flaws in the implementation or underlying algorithms, we propose a framework that is designed to test the re-encryption step of the FO transform for information leakage. Our framework relies on a specifically parametrized $t$-test and would have identified the previously mentioned flaws in the masked comparison. Our framework can be used to test both the comparison itself and the full decapsulation implementation.
Expand
Elena Andreeva, Amit Singh Bhati, Damian Vizar
ePrint Report ePrint Report
ForkAE is a family of authenticated encryption (AE) schemes using a forkcipher as a building block. ForkAE was published in Asiacrypt'19 and is a second-round candidate in the NIST lightweight cryptography process. ForkAE comes in several modes of operation: SAEF, PAEF, and rPAEF. SAEF is optimized for authenticated encryption of short messages and processes the message blocks in a sequential and online manner. SAEF requires a smaller internal state than its parallel sibling PAEF and is better fitted for devices with smaller footprint. At SAC 2020 it was shown that SAEF is also an online nonce misuse-resistant AE (OAE) and hence offers enhanced security against adversaries that make blockwise adaptive encryption queries. It has remained an open question if SAEF resists attacks against blockwise adaptive decryption adversaries, or more generally when the decrypted plaintext is released before the verification (RUP).

RUP security is a particularly relevant security target for lightweight (LW) implementations of AE schemes on memory-constrained devices or devices with stringent real-time requirements. Surprisingly, very few NIST lightweight AEAD candidates come with any provable guarantees against RUP. In this work, we show that the SAEF mode of operation of the ForkAE family comes with integrity guarantees in the RUP setting. The RUP integrity (INT-RUP) property was defined by Andreeva et~al.~in Asiacrypt'14. Our INT-RUP proof is conducted using the coefficient H technique and it shows that, without any modifications, SAEF is INT-RUP secure up to the birthday bound, i.e., up to $2^{n/2}$ processed data blocks, where $n$ is the block size of the forkcipher. The implication of our work is that SAEF is indeed RUP secure in the sense that the release of unverified plaintexts will not impact its ciphertext integrity.
Expand

27 January 2021

Riverside Research, Open Innovation Center, Beavercreek, OH
Job Posting Job Posting
Universal Composability Summer Intern Beavercreek, Ohio Riverside Research’s Trusted and Resilient Systems research group is conducting cutting edge research in applying formal methods for system security analysis. This innovative research will help transform how we design and build high assurance, complex systems. We are seeking a motivated researcher (ideally in a PhD program) who has experience with the Universal Composability framework to join our team for the summer and help us tackle some interesting and challenging problems. The individual who fills this role will work with top researchers in secure system design and cryptography to explore the art of the possible in analyzing complex systems using Universal Composability. All positions with Riverside Research require U.S. citizenship. Job Duties: • Conduct literature reviews • Scope and define challenging research problems in the area of Universal Composability • Conduct research with a small, dynamic team • Publish results in a top security conference • Other duties as assigned Required Qualifications: • U.S. Citizenship • Enrolled in a degree seeking program (ideally PhD) in fields such as Computer Science, Computer Engineering, Electrical Engineering, Mathematics • Previous experience with Universal Composability • Ability to work independently and with a team • Superior written and verbal communications skills Desired Qualifications: • Previous publications using Universal Composability (especially if applied to systems beyond traditional cryptographic protocols) • Understanding of Open Architecture systems Riverside Research strives to be one of America's premier providers of independent, trusted technical and scientific expertise. We continue to add experienced and technically astute staff who are highly motivated to help our DoD and Intelligence Community (IC) customers deliver world class programs. As a not-for-profit, technology-oriented defense company, we believe service to customers and s

Closing date for applications:

Contact: Eileen Norton, Sr. Recruiter, Riverside Research, enorton@riversideresearch.org Dr. Michael Clark, Associate Director, Trusted and Resilient Systems, Riverside Research Open Innovation Center, IACR Member

More information: https://boards.greenhouse.io/riversideresearch/jobs/4347155003

Expand
Zcash Foundation
Job Posting Job Posting
The Zcash Foundation is a 501(c)(3) nonprofit, public charity that builds and supports privacy infrastructure for the public good. We work on strengthening financial privacy with technology, focused on the Zcash protocol and blockchain.

We’re looking for someone who is as excited as we are about building private financial infrastructure for the public good, and we take that task very seriously.

The role as a cryptography engineer within the core Zcash Foundation team will be responsible for building cryptographic protocols as well as distributed systems. The ideal candidate embodies the Foundation’s values, while fully aligning with its mission and goals.

Engineers at the Zcash Foundation are responsible for implementing the core Zcash protocol, maintaining deployed software, fixing bugs, and identifying improvements to the protocol for the future. Other duties include writing about our work and interfacing with external stakeholders such as those who use our software and interoperable implementations of the Zcash protocol. The position reports to the Zcash Foundation’s engineering manager.

Zcash Foundation Core Engineering Projects: Currently the engineering team is working on Zebra, an independent implementation of the Zcash protocol written in Rust, and soon we will dedicate resources to building out Zcash wallet functionality.

Closing date for applications:

Contact: Submit application here: https://docs.google.com/forms/d/e/1FAIpQLSelpDkmqjgVgiTfVFukB9TbIoIExWxVDHn0VvnSboO4nJIN1A/viewform

More information: https://www.zfnd.org/blog/open-position-cryptography-engineer/

Expand
◄ Previous Next ►