IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
28 May 2021
Atsushi Takayasu
ePrint ReportIgnacio Cascudo, Emanuele Giunta
ePrint ReportThis motivates the question of what is the best way to apply these IOPs to statements that are naturally written as R1CS over small fields, and more concretely, the binary field $\mathbb{F}_2$. While one can just see the system as one over an extension field $\mathbb{F}_{2^e}$ containing $\mathbb{F}_2$, this seems wasteful, as it uses $e$ bits to encode just one ``information'' bit. In fact, the recent BooLigero has devised a way to apply the well-known Ligero while being able to encode $\sqrt{e}$ bits into one element of $\mathbb{F}_{2^e}$.
In this paper, we introduce a new protocol for $\mathbb{F}_2$-R1CS which among other things relies on a more efficient embedding which (for practical parameters) allows to encode $\geq e/4$ bits into an element of $\mathbb{F}_{2^e}$. Our protocol makes then black box use of lincheck and rowcheck protocols for the larger field. Using the lincheck and rowcheck introduced in Aurora and Ligero respectively we obtain $1.31 - 1.65 \times$ smaller proofs for Aurora and $3.71 \times$ for Ligero. We also estimate the reduction of prover time by a factor of $24.7 \times$ for Aurora and between $6.9 - 32.5 \times$ for Ligero without interactive repetitions.
Our methodology uses the notion of reverse multiplication friendly embeddings introduced in the area of secure multiparty computation, combined with a new IOPP to test linear statements modulo a subspace $V \leq \mathbb{F}_{2^e}$ which may be of independent interest.
Mark Fischer, Fabian Langer, Johannes Mono, Clemens Nasenberg, Nils Albartus
ePrint ReportChristoph Dobraunig, Daniel Kales, Christian Rechberger, Markus Schofnegger, Greg Zaverucha
ePrint ReportFirst, we show how to provably remove the need to include the key schedule of block ciphers. This simplifies schemes like Picnic and it also leads to the fastest and smallest AES-based signatures. For example, we achieve signature sizes of around 10.8 to 14.2 KB for the 128-bit security level, on average 10% shorter than Banquet and 15% faster.
Second, we investigate a variant of AES with larger S-boxes we call LSAES, for which we can argue that it is very likely at least as strong as AES, further reducing the size of AES-based signatures to 9.9 KB.
Finally, we present a new signature scheme, Rainier, based on a new block cipher called Rain combined with a Banquet-like proof system. To the best of our knowledge, it is the first MPCitH-based signature scheme which can produce signatures that are less than 5 KB in size; it also outperforms previous Picnic and Banquet instances in all performance metrics.
Andrey Kim, Maxim Deryabin, Jieun Eom, Rakyong Choi, Yongwoo Lee, Whan Ghang, Donghoon Yoo
ePrint ReportAarushi Goel, Abhishek Jain, Manoj Prabhakaran, Rajeev Raghunath
ePrint ReportIn this work, we set out to understand what features of the communication model are necessary for these results, and more broadly the design of two-round MPC. Focusing our study on the plain model -- the most natural model for honest-majority MPC -- we obtain the following results:
1. Dishonest majority from Honest majority: In the two round setting, honest-majority MPC and dishonest-majority MPC are surprisingly close, and often equivalent. This follows from our results that the former implies 2-message oblivious transfer, in many settings. (i) We show that without private point-to-point (P2P) channels, i.e., when we use only broadcast (BC) channels, honest-majority MPC implies 2-message oblivious transfer. (ii) Furthermore, this implication holds even when we use both P2P and BC, provided that the MPC protocol is robust against ``fail-stop'' adversaries.
2. The curious case of Identifiable Abort: While security with guaranteed output delivery (and even fairness) against malicious adversaries is impossible in two rounds, nothing is known with regards to the ``next best'' security notion, namely, security with identifiable abort (IA). We show that IA is impossible to achieve with honest-majority even if we use both P2P and BC channels. However, surprisingly, this lower bound can be overcome by replacing P2P channels with a ``bare'' (i.e., untrusted) public-key infrastructure (PKI).
These results ``explain'' that the reliance on P2P channels (together with BC) in the recent two-round protocols was in fact necessary, and that these protocols couldn't have achieved a stronger security guarantee, namely, IA. Overall, our results (put together with prior works) fully determine the best-achievable security for honest-majority MPC in different communication models in two rounds. As a consequence, they yield the following hierarchy of communication models:
BC < PTP < BC+PTP < BC+PKI
This shows that contrary to common perception, BC channel is the weakest communication model, and that a bare PKI setup is strictly stronger than P2P channels.
Ripon Patgiri
ePrint ReportGeoffroy Couteau, Shuichi Katsumata, Elahe Sadeghi, Bogdan Ursu
ePrint ReportHanshen Xiao, Srinivas Devadas
ePrint ReportWe take mixup: a random linear aggregation of inputs, as a concrete example. Our contributions are twofold. First, we develop a rigorous analysis on the privacy amplification provided by mixup either on samples or updates, where we find the hybrid structure of mixup and the Laplace Mechanism produces a new type of DP guarantee lying between Pure DP and Approximate DP. Such an average-case privacy amplification can produce tighter composition bounds. Second, both empirically and theoretically, we show that proper mixup comes almost free of utility compromise.
Gabriel Kaptchuk, Tushar M. Jois, Matthew Green, Aviel Rubin
ePrint ReportMelissa Azouaoui, Kostas Papagiannopoulos, Dominik Zürner
ePrint ReportNicholas Brandt
ePrint ReportGiven broadcast, we give tight bounds for the necessary and sufficient setup cardinality, i.e. number of participating parties, for UC-MPC protocols with Identifiable Abort. Concretely, we improve previous upper bounds by constructing Secure Function Evaluation for \(n\) parties (\(h\) of which are honest) from setups of cardinality \(\beta := \min(n,\lfloor n/h\rfloor+\lfloor(n-1)/h\rfloor-1)\) and broadcast. Conversely, we present the first general lower bound on the minimal setup cardinality for Identifiable Abort by proving that setups of cardinality \(\beta-1\) plus broadcast are insufficient even for a commitment among \(n\) parties. Somewhat surprisingly, we show that Oblivious Transfer plus broadcast is sufficient for \(n = 2h \geq 2\) which is consistent with the fact that in two-party MPC Identifiable Abort comes for free. We present the results in the Universal Composibility (UC) framework and assume the setup functionalities to be secure with Identifiable Abort.
Our constructions yield an efficient (poly-time) protocol for any \(n \in \mathrm{poly}(\lambda)\) where \(\lambda\) is the security parameter if at least a constant fraction \(h \in \Theta(n)\) of parties is honest. However for \(h \in \mathrm{o}(n)\) our results suggest that for efficient protocols the overall number of parties \(n\) is limited quite severely by \(\binom{n}{\beta} \in \mathrm{poly}(\lambda)\).
Tânia Esteves, Mariana Miranda, João Paulo, Bernardo Portela
ePrint ReportWe present S2Dedup, a trusted hardware-based privacy-preserving deduplication system designed to support multiple security schemes that enable different levels of performance, security guarantees and space savings. An in-depth evaluation shows these trade-offs for the distinct Intel SGX-based secure schemes supported by our prototype.
Moreover, we propose a novel Epoch and Exact Frequency scheme that prevents frequency analysis leakage attacks present in current deterministic approaches for secure deduplication while maintaining similar performance and space savings to state-of-the-art approaches.
27 May 2021
Virtual event, Anywhere on Earth, 18 November - 19 November 2021
Event CalendarSubmission deadline: 15 August 2021
Notification: 30 September 2021
Cryptography Research Group at Mathematical Center in Akademgorodok
Job Posting
Our research area:
More details about our group can be found on crypto.nsu.ru
Fellowship Applicant Profile
All applications must include the following:
Submit your materials at english.nsu.ru/mca/jobs
Closing date for applications:
Contact: Please direct inquiries to english.nsu.ru/mca/jobs
More information: https://drive.google.com/file/d/1qKwGrjcekwejLngFwVDCeBHVLhXpoCjo/view?usp=sharing
Univ. Grenoble Alpes, TIMA Laboratory, Grenoble, France
Job PostingThe candidate is expected to analyze the sensitivity of MITIX circuits under X-ray beams thanks to simulation models and compare them with experimental results. The goal will be to reproduce the experimental conditions, possibly extending the analyses on the circuit, and extract sensitivity maps extended to a larger area of the topology.
The candidate will then be able to use the developed models and flow in order to evaluate hardening techniques or fault attack countermeasures. This subtask will consist in using the multi-physics and multi-level methodology to study and optimize the layout/routing of the cells, and extract high-level models of the injected faults. This will be essential in order to evaluate techniques from the state of the art, and propose novel solutions against fault attacks.
Closing date for applications:
Contact: Paolo Maistri (paolo.maistri at univ-grenoble-alpes.fr)
Guillaume Hubert (guillaume.hubert at onera.fr)
Alain Zergainoh (Alain.Zergainoh at univ-grenoble-alpes.fr)
More information: https://www.linkedin.com/posts/tima-laboratory_phd-thesis-proposition-3-years-activity-6802886839834288128-iMbC
New York University Abu Dhabi, Abu Dhabi, UAE
Job PostingClosing date for applications:
Contact: ccsad@nyu.edu
More information: https://apply.interfolio.com/80439
IIT Jodhpur, India
Job PostingClosing date for applications:
Contact: head-cse@iitj.ac.in
More information: https://oa.iitj.ac.in/OA_REC_Faculty/
25 May 2021
Ian McQuoid, Mike Rosulek, Lawrence Roy
ePrint ReportWe provide a full treatment of how to properly optimize recent 2-round OT protocols for the batch setting. Along the way we show several performance improvements to the OT protocol of McQuoid, Rosulek, and Roy (ACM CCS 2020). In particular, we show an extremely simple OT construction that may be of pedagogical interest.