International Association
for Cryptologic Research

While privacy preserving distributed payment schemes manage to drastically improve user privacy, they come at the cost of generating new regulatory concerns: in a private ledger the transactions cannot be subject to any level of auditing, and thus are not compatible with tracing illegal behaviors. In this work we present MiniLedger, a distributed payment system which not only guarantees the privacy of transactions, but also offers built-in functionalities for various types of audits by any external authority. MiniLedger is the first private and auditable payment system with storage costs independent of the number of transactions. To achieve such a storage improvement, we introduce pruning functionalities for the transaction history while maintaining integrity and auditing. We provide formal security definitions and a number of extensions for various auditing levels. Our evaluation results show that MiniLedger is practical in terms of storage requiring as low as 70KB per participant for 128 bits of security, and depending on the implementation choices, can prune 1 million transactions in less than a second.

Efficient implementation of Boolean masking in terms of low latency has evolved into a hot topic due to the necessity of embedding a physically secure and at-the-same-time fast implementation of cryptographic primitives in e.g., the memory encryption of pervasive devices. Instead of fully minimizing the circuit's area and randomness requirements at the cost of latency, the focus has changed into finding optimal tradeoffs between the circuit area and the execution time. The main latency bottleneck in hardware masking lies in the need for registers to stop the propagation of glitches and maintain non-completeness. Usually, an exponentially growing number of shares (hence an extremely large circuit), as well as a high demand for fresh randomness, are the result of avoiding registers in a securely masked hardware implementation of a block cipher. In this paper, we present several first-order secure and low-latency implementations of PRINCE. In particular, we show how to realize the masked variant of round-based PRINCE with only a single register stage per cipher round. We compare the resulting architectures, based on the popular TI and GLM masking scheme based on the area, latency, and randomness requirements and point out that both designs are suited for specific use cases.

This paper revisits Key-Policy Attribute-Based Encryption, allowing the delegation of keys, traceability of compromised keys and key anonymity, as additional properties. Whereas delegation of rights has been addressed in the seminal paper by Goyal et al? in 2006, introducing KPABE, this nice feature has almost been neglected in all subsequent works in favor of better security levels. However, in multi-device scenarios, this is quite important to allow users to independently authorize their own devices, still with some tracing capabilities and some anonymity properties.

To this aim, we define a new primitive with switchable attributes, in both the ciphertexts and the keys, and new indistinguishability properties. We then provide concrete and efficient instantiations with adaptive security under the sole SXDH assumption in the standard model.

The one more-discrete logarithm assumption (OMDL) underlies the security analysis of identification protocols, blind signature and multi-signature schemes, such as blind Schnorr signatures and the recent MuSig2 multi-signatures. As these schemes produce standard Schnorr signatures, they are compatible with existing systems, e.g. in the context of blockchains. OMDL is moreover assumed for many results on the impossibility of certain security reductions.

Despite its wide use, surprisingly, OMDL is lacking any rigorous analysis; there is not even a proof that it holds in the generic group model (GGM). (We show that a claimed proof is flawed.) In this work we give a formal proof of OMDL in the GGM. We also prove a related assumption, the one-more computational Diffie-Hellman assumption, in the GGM. Our proofs deviate from prior proofs in the GGM and replace the use of the Schwartz-Zippel Lemma by a new argument.

Ternary LWE, i.e., LWE with coefficients of the secret and the error vectors taken from $\{-1, 0, 1\}$, is a popular choice among NTRU-type cryptosystems and some signatures schemes like BLISS and GLP.

In this work we consider quantum combinatorial attacks on ternary LWE. Our algorithms are based on the quantum walk framework of Magniez-Nayak-Roland-Santha. At the heart of our algorithms is a combinatorial tool called the representation technique that appears in algorithms for the subset sum problem. This technique can also be applied to ternary LWE resulting in faster attacks. The focus of this work is quantum speed-ups for such representation-based attacks on LWE.

When expressed in terms of the search space $\mathcal{S}$ for LWE keys, the asymptotic complexity of the representation attack drops from $\mathcal{S}^{0.24}$ (classical) down to $\mathcal{S}^{0.19}$ (quantum). This translates into noticeable attack's speed-ups for concrete NTRU instantiations like NTRU-HRSS and NTRU Prime. Our algorithms do not undermine current security claims for NTRU or other ternary LWE based schemes, yet they can lay ground for improvements of the combinatorial subroutines inside hybrid attacks on LWE.

We build the first construction of a partially oblivious pseudorandom function (POPRF) that does not rely on bilinear pairings. Our construction can be viewed as combining elements of the 2HashDH OPRF of Jarecki, Kiayias, and Krawczyk with the Dodis-Yampolskiy PRF. We analyze our POPRF's security in the random oracle model via reduction to a new one-more gap strong Diffie-Hellman inversion assumption. The most significant technical challenge is establishing confidence in the new assumption, which requires new proof techniques that enable us to show that its hardness is implied by the $q$-DL assumption in the algebraic group model.

Our new construction is as fast as the current, standards-track OPRF 2HashDH protocol, yet provides a new degree of flexibility useful in a variety of applications. We show how POPRFs can be used to prevent token hoarding attacks against Privacy Pass, reduce key management complexity in the OPAQUE password authenticated key exchange protocol, and ensure stronger security for password breach alerting services.

We construct the first authenticated key exchange protocols that achieve tight security in the standard model. Previous works either relied on techniques that seem to inherently require a random oracle, or achieved only “Multi-Bit-Guess” security, which is not known to compose tightly, for instance, to build a secure channel.

Our constructions are generic, based on digital signatures and key encapsulation mechanisms (KEMs). The main technical challenges we resolve is to determine suitable KEM security notions which on the one hand are strong enough to yield tight security, but at the same time weak enough to be efficiently instantiable in the standard model, based on standard techniques such as universal hash proof systems.

Digital signature schemes with tight multi-user security in presence of adaptive corruptions are a central building block, which is used in all known constructions of tightly-secure AKE with full forward security. We identify a subtle gap in the security proof of the only previously known efficient standard model scheme by Bader et al. (TCC 2015). We develop a new variant, which yields the currently most efficient signature scheme that achieves this strong security notion without random oracles and based on standard hardness assumptions.

In this work we resolve the open problem raised by Prabhakaran and Rosulek at CRYPTO 2007, and present the first anonymous, rerandomizable, Replayable-CCA (RCCA) secure public-key encryption scheme. This solution opens the door to numerous privacy-oriented applications with a highly desired RCCA security level. At the core of our construction is a non-trivial extension of smooth projective hash functions (Cramer and Shoup, EUROCRYPT 2002), and a modular generic framework developed for constructing rerandomizable RCCA-secure encryption schemes with receiver-anonymity. The framework gives an enhanced abstraction of the original Prabhakaran and Rosulek's scheme (which was the first construction of rerandomizable RCCA-secure encryption in the standard model), where the most crucial enhancement is the first realization of the desirable property of receiver-anonymity, essential to privacy settings. It also serves as a conceptually more intuitive and generic understanding of RCCA security, which leads, for example, to new implementations of the notion. Finally, note that (since CCA security is not applicable to the privacy applications motivating our work) the concrete results and the conceptual advancement presented here, seem to substantially expand the power and relevance of the notion of rerandomizable RCCA-secure encryption.

With the development of side-channel attacks, a necessity arises to invent authenticated key exchange protocols in a leakage-resilient manner. Constructing authenticated key exchange protocols using existing cryptographic schemes is an effective method, as such construction can be instantiated with any appropriate scheme in a way that the formal security argument remains valid. In parallel, constructing authenticated key exchange protocols that are proven to be secure in the standard model is more preferred as they rely on real-world assumptions. In this paper, we present a Diffie-Hellman-style construction of a leakage-resilient authenticated key exchange protocol, that can be instantiated with any CCLA2-secure public-key encryption scheme and a function from the pseudo-random function family. Our protocol is proven to be secure in the standard model assuming the hardness of the decisional Diffie-Hellman problem. Furthermore, it is resilient to continuous partial leakage of long-term secret keys, that happens even after the session key is established, while satisfying the security features defined by the eCK security model.

We introduce a novel method for reducing an arbitrary $\delta$-noisy leakage function to a collection of $\epsilon$-random probing leakages. These reductions combined with linear algebra tools are utilized to study the security of linear Boolean masked circuits in a practical and concrete setting. The secret recovery probability (SRP) that measures an adversary's ability to obtain secrets of a masked circuit is used to quantify the security. Leakage data and the parity-check relations imposed by the algorithm's structure are employed to estimate the SRP

Both the reduction method and the SRP metric were used in the previous works. Here, as our main contribution, the SRP evaluation task is decomposed from the given $\mathbb{F}_q$ field to $q-1$ different binary systems indexed with $i$. Where for the $i$th system, the equivalent $\delta_i$-noisy leakage is reduced optimally to a $\epsilon_i$-random probing leakage with $\epsilon_i=2\delta_i$. Each binary system is targeting a particular bit-composition of the secret. The $q-1$ derived $\delta_i\leq \delta$ values are shown to be a good measure for the informativeness of the given $\delta$-noisy leakage function.

Our works here can be considered as an extension of the work of TCC 2016. There, only $ \delta$-noisy leakage from the shares of a secret was considered. Here, we also incorporate the leakages that are introduced by the computations over the shares.

We study masked implementation's security when an adversary randomly probes each of its internal variables, intending to recover non-trivial knowledge about its secrets. We introduce a novel metric called Secret Recovery Probability (SRP) for assessing the informativeness of the probing leakages about the masked secrets. To evaluate SRP, our starting point is to describe the relations of the intermediate variables with a parity equation system where the target secret is an unknown of this system ...

This paper describes the first practical single-trace side-channel power analysis of SIKE. While SIKE is a post-quantum key exchange, the scheme still relies on a secret elliptic curve scalar multiplication which involves a loop of a double-and-add procedure, of which each iteration depends on a single bit of the private key. The attack therefore exploits the nature of elliptic curve point addition formulas which require the same function to be executed multiple times. We show how a single trace of a loop iteration can be segmented into several power traces on which 32-bit words can be hypothesised based on the value of a single private key bit. This segmentation enables a classical correlation power analysis in an extend-and-prune approach. Further error-correction techniques based on depth-search are suggested. The attack is explicitly geared towards and experimentally verified on an STM32F3 featuring a Cortex-M4 microcontroller which runs the SIKEp434 implementation adapted to 32-bit ARM that is part of the official implementations of SIKE. We obtained a resounding 100% success rate recovering the full private key in each experiment. We argue that our attack defeats many countermeasures which were suggested in a previous power analysis of SIKE, and finally show that the well-known countermeasure of projective coordinate randomisation stops the attack with a negligible overhead.

Secure computation enables two or more parties to jointly evaluate a function without revealing to each other their private input. G-module is an abelian group M, where the group G acts compatibly with the abelian group structure on M. In this work, we present several secure computation protocols for G-module operations in the online/offline mode. We then show how to instantiate those protocols to implement many widely used secure computation primitives in privacy-preserving machine learning and data mining, such as oblivious cyclic shift, one-round shared OT, oblivious permutation, oblivious shuffle, secure comparison, oblivious selection, DReLU, and ReLU, etc. All the proposed protocols are constant-round, and they are 2X - 10X more efficient than the-state-of-the-art constant-round protocols in terms of communication complexity.

In building boomerang distinguishers, Murphy indicated that two independently chosen differentials for a boomerang may be incompatible. In this paper, we find that similar incompatibility also happens to key-recovery phase. When generating quartets for the rectangle attack on linear key-schedule ciphers, we find that the right quartets which may suggest key candidates have to satisfy some nonlinear relationships. However, some quartets generated always violate these relationships, so that they will never suggest any key candidates. We call those quartets as nonlinearly incompatible quartets. Inspired by previous rectangle frameworks, we find that guessing certain key cells before generating quartets may reduce the number of nonlinearly incompatible quartets. However, guessing a lot of key cells at once may lose the benefit from the guess-and-filter or early abort technique, which may lead to a higher overall complexity. To get better tradeoff from the two aspects, we build a new rectangle attack framework on linear key-schedule ciphers with the purpose of reducing the overall complexity or attacking more rounds. The first application is on SKINNY. In the tradeoff model, there are many parameters affecting the overall complexity. We build a uniform automatic model on SKINNY to identify all the optimal parameters, which includes the optimal rectangle distinguishers for key-recovery phase, the number and positions of key guessing cells before generating quartets, the size of key counters to build that affecting the exhaustive search step, etc. Based on the automatic model, we identify a 32-round key-recovery attack on SKINNY-128-384 in related-key setting, which extend the best previous attack by 2 rounds. For other versions with n-2n or n-3n, we also achieve one more round than before. In addition, using the previous rect- angle distinguishers, we achieve better attacks on reduced ForkSkinny, Deoxys-BC-384 and GIFT-64. At last, we discuss the conversion of our rectangle framework from related-key setting into single-key setting and give new single-key rectangle attack on 10-round Serpent.

Payment channel networks are a promising solution to the scalability issues of current decentralized cryptocurrencies. They allow arbitrarily many payments between any two users connected through a path of intermediate payment channels while minimizing interaction with the blockchain only to open and close those channels. Yet, compromised intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels mitigate these issues by allowing the two endpoints of a path to create a channel over the intermediaries such that after the channel is constructed, the intermediaries are no longer involved in payments. Unfortunately, existing UTXO-based virtual channel constructions are either limited to a single intermediary or only recursively build a virtual channel over multiple intermediaries. While the former single-hop channels are overly restrictive, the latter recursive constructions introduce issues such as forced closure and virtual griefing attacks.

This work presents Donner, the first virtual channel construction over multiple intermediaries in a single round of communication. We formally define the security and privacy in the Universal Composability framework and show that Donner is a realization thereof. Our experimental evaluation shows that Donner reduces the on-chain number of transactions for disputes from linear in the path length to a single one. Moreover, Donner reduces the storage overhead from logarithmic in the path length to constant. Donner is an efficient virtual channel construction that is backward compatible with the prominent, 50K channels strong Lightning network.

A full funded (at UK/EU-home rate) PhD studentship is available at UWE Bristol. The studentship is themed around cyber security analytics in telecommunications systems: Managing security and service in complex real-time 5G networks.

UWE is an accredited (by the UK's National Cyber Security Centre (NCSC)) Centre of Excellence in Cyber Security Education. You will be joining the Cyber Security team (http://www.cems.uwe.ac.uk/~pa-legg/uwecyber/) part of the Computer Science Research Centre (https://www.uwe.ac.uk/research/centres-and-groups/csrc). The student will be supervised by Dr Phil Legg. The deadline for applications is 1st July 2021.

When applying, please use the Application Reference: 2021-OCT-FET03. For any queries, contact Dr Phil Legg (Phil.Legg@uwe.ac.uk)

Closing date for applications:

Contact: Dr Phil Legg (Phil.Legg@uwe.ac.uk)

More information: https://www.uwe.ac.uk/research/postgraduate-research-study/how-to-apply/studentship-opportunities/fet-phd-studentships#section-5

Post-quantum cryptography (PQC) is nowadays a very active research field [1]. We follow a non-standard way to achieve it, taking any common protocol and replacing arithmetic with GF(2^8) field operations, a procedure defined as R-Propping [2-7]. The resulting protocol security relies on the intractability of a generalized discrete log problem, combined with the power sets of algebraic ring extension tensors and resilience to quantum and algebraic attacks. Oblivious Transfer (OT) is a keystone for Secure Multiparty Computing (SMPC) [8], one of the most pursued cryptographic areas. It is a critical issue to develop a fast OT solution because of its intensive use in many protocols. Here, we adopt the simple OT protocol developed by Chou and Orlandi [9] as the base model to be propped. Our solution is fully scalable to achieve quantum and classical security levels as needed. We present a step-by-step numerical example of the proposed protocol.

We introduce the problem of private signaling. In this problem, a sender posts a message to a certain location of a public bulletin board, and then computes a signal that allows only the intended recipient (and no one else) to learn that it is the recipient of the posted message. Besides privacy, this problem has the following crucial efficiency requirements. First, the sender and recipient do not participate in any out-of-band communication, and second, the overhead of the recipient should be asymptotically better than scanning the entire board.

Existing techniques, such as the server-aided fuzzy message detection (Beck et al., CCS’21), could be employed to solve the private signaling problem. However, this solution requires that the computational effort of the recipient grows with the amount of privacy desired, providing no saving over scanning the entire board if the maximum privacy is required.

In this work, we present a server-aided solution to the private signaling problem that guar- antees full privacy for all recipients, while requiring only constant amount of work for both the recipient and the sender. We provide the following contributions. First, we provide a formal definition of private signaling in the Universal Composability (UC) framework and show that it generalizes several real-world settings where recipient anonymity is desired. Second, we present two protocols that UC-realize our definition: one using a single server equipped with a trusted execution environment, and one based on two servers that employs garbled circuits. Third, we provide an open-source implementation of both of our protocols and evaluate their performance and show that they are practical.

A full funded (at UK/EU-home rate) PhD studentship is available at UWE Bristol. The studentship is themed around fuzzing and the candidate should have an interest in Software Security and AI. UWE is an accredited (by the UK's National Cyber Security Centre (NCSC)) Centre of Excellence in Cyber Security Education. You will be joining the Cyber Security team (http://www.cems.uwe.ac.uk/~pa-legg/uwecyber/) part of the Computer Science Research Centre (https://www.uwe.ac.uk/research/centres-and-groups/csrc). The student will be supervised by Dr Panagiotis Andriotis, and Prof Jun Hong. The deadline for applications is 1st July 2021. When applying, please use the Application Reference: 2021-OCT-FET03 For any queries, contact Dr Panagiotis Andriotis (Panagiotis.Andriotis@uwe.ac.uk)

Closing date for applications:

Contact: Dr Panagiotis Andriotis (Panagiotis.Andriotis@uwe.ac.uk)

More information: https://www.uwe.ac.uk/research/postgraduate-research-study/how-to-apply/studentship-opportunities/fet-phd-studentships#section-5

In the project SEC4FACTORY financed by the Swedish Foundation for Strategic Research, we are developing the future security solutions for interconnected factories or what is often referred to Industry 4.0 systems. The project objectives are to investigate how cloud based resources can be used to control and supervise production system while at the same time offering a high level of information security, availability and performance. We are in particular looking into how one can use digital twins to improve security in production systems. Especially, we welcome candidates interested in the combination of AI and security for these applications The project is developing a large demonstrator showing how the new security mechanisms work in practice. We are now looking for a new post-doc that can join the project and give significant contributions to the research.

Closing date for applications:

Contact: Christian Gehrmann

More information: https://lu.varbi.com/en/what:job/jobID:411795/