IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
20 September 2021
Gizem Kara, Oğuz Yayla
ePrint ReportAljosha Judmayer, Nicholas Stifter, Philipp Schindler, Edgar Weippl
ePrint ReportAmit Agarwal, James Bartusek, Vipul Goyal, Dakshita Khurana, Giulio Malavolta
ePrint ReportAt the heart of our approach is a two-round multi-party conditional disclosure of secrets (MCDS) protocol in the plain model from bilinear maps, which is constructed from techniques introduced in [Benhamouda and Lin, TCC 2020].
David Lanzenberger, Ueli Maurer
ePrint ReportHanwen Feng, Qiang Tang
ePrint ReportIn this work, we give a systematic study about robust (fuzzy) extractors for general CRS {\em dependent} sources. We show in the information-theoretic setting, the same entropy lower bound holds even in the CRS model; we then show we {\em can} have robust extractors in the computational setting for general CRS-dependent source that is only with minimal entropy. We further extend our construction to robust fuzzy extractors. Along the way, we propose a new primitive called $\kappa$-MAC, which is unforgeable with a weak key and hides all partial information about the key (both against auxiliary input); it may be of independent interests.
Sarvar Patel, Giuseppe Persiano, Joon Young Seo, Kevin Yeo
ePrint ReportWe improve on previous work by presenting a new construction CNFFilter for CNF queries with significantly less leakage than BIEX, while maintaining both optimal communication and worst-case sublinear search time. As a direct consequence our construction shows additional resistance to leakage-abuse attacks in comparison to prior works. For most CNF queries, CNFFilter avoids leaking the result sets for any singleton queries for labels appearing in the CNF query. As an example, for the CNF query of the form (l1 ∨ l2) ∧ l3, our scheme does not leak the result sizes of queries to l1, l2 or l3 individually. On the other hand, BIEX does leak some of this information. This is just an example of the reduced leakage obtained by CNFFilter. The core of CNFFilter is a new filtering algorithm that performs set intersections with significantly less leakage compared to prior works.
We implement CNFFilter and show that CNFFilter achieves faster search times and similar communication overhead compared to BIEX at the cost of a small increase in server storage.
Lalita Devadas, Willy Quach, Vinod Vaikuntanathan, Hoeteck Wee, Daniel Wichs
ePrint ReportKai Hu, Siwei Sun, Yosuke Todo, Meiqin Wang, Qingju Wang
ePrint ReportSuvradip Chakraborty, Stefan Dziembowski, Malgorzata Galazka, Tomasz Lizurej, Krzysztof Pietrzak, Michelle Yeo
ePrint ReportTo detect such Trojans, countermeasures using multiparty computation (MPC) or verifiable computation (VC), have been proposed. On a high level, to realize a circuit with specification $\cF$ one has more sophisticated circuits $\cF^\diamond$ manufactured (where $\cF^\diamond$ specifies a MPC or VC of $\cF$), and then embeds these $\cF^\diamond$'s into a \emph{master circuit} which must be trusted but is relatively simple compared to $\cF$. Those solutions have a significant overhead as $\cF^\diamond$ is significantly more complex than $\cF$ and also the master circuits are not exactly trivial either.
In this work, we show that in restricted settings, where $\cF$ has no evolving state and is queried on independent inputs, we can achieve a relaxed security notion using very simple constructions. In particular, we do not change the specification of the circuit at all (i.e., $\cF=\cF^\diamond$). Moreover the master circuit basically just queries a subset of its manufactured circuits and checks if they're all the same.
The security we achieve guarantees that, if the manufactured circuits are initially tested on up to $T$ inputs, the master circuit will catch Trojans that try to deviate on significantly more than a $1/T$ fraction of the inputs. This bound is optimal for the type of construction considered, and we provably achieve it using a construction where $12$ instantiations of $\cF$ need to be embedded into the master. We also discuss an extremely simple construction with just $2$ instantiations for which we conjecture that it already achieves the optimal bound.
Fabrice Benhamouda, Elette Boyle, Niv Gilboa, Shai Halevy, Yuval Ishai, Ariel Nof
ePrint ReportMotivated by the goal of minimizing the communication and latency costs of MPC with a strong honest majority, we make two related contributions. \begin{itemize}[leftmargin=*] \item {\bf Generalized pseudorandom secret sharing (PRSS).} Linear correlations serve as an important resource for MPC protocols and beyond. PRSS enables secure generation of many pseudorandom instances of such correlations without interaction, given replicated seeds of a pseudorandom function. We extend the PRSS technique of Cramer et al.\ (TCC 2015) for sharing degree-$d$ polynomials to new constructions leveraging a particular class of combinatorial designs. Our constructions yield a dramatic efficiency improvement when the degree $d$ is higher than the security threshold $t$, not only for standard degree-$d$ correlations but also for several useful generalizations. In particular, correlations for locally converting between slot configurations in ``share packing'' enable us to avoid the concrete overhead of prior works.
\item {\bf Cheap straggler resilience.} In reality, communication is not fully synchronous: protocol executions suffer from variance in communication delays and occasional node or message-delivery failures. We explore the benefits of PRSS-based MPC with a strong honest majority toward robustness against such failures, in turn yielding improved latency delays. In doing so we develop a novel technique for defending against a subtle ``double-dipping'' attack, which applies to the best existing protocols, with almost no extra cost in communication or rounds.
\end{itemize}
Combining the above tools requires further work, including new methods for batch verification via distributed zero-knowledge proofs (Boneh et al., CRYPTO 2019) that apply to packed secret sharing. Overall, our work demonstrates new advantages of the strong honest majority setting, and introduces new tools---in particular, generalized PRSS---that we believe will be of independent use within other cryptographic applications.
Julius Hermelink, Peter Pessl, Thomas Pöppelmann
ePrint ReportIn fact, a first practical fault attack on lattice-based KEMs was demonstrated just very recently by Pessl and Prokop. However, while their attack can bypass some standard fault countermeasures, it may be defeated using shuffling, and their use of skipping faults makes it also highly implementation dependent. Thus, the vulnerability of implementations against fault attacks and the concrete need for countermeasures is still not well understood.
In this work, we shine light on this problem and demonstrate new attack paths. Concretely, we show that the combination of fault injections with chosen-ciphertext attacks is a significant threat to implementations and can bypass several countermeasures. We state an attack on Kyber which combines ciphertext manipulation - flipping a single bit of an otherwise valid ciphertext - with a fault that "corrects" the ciphertext again during decapsulation. By then using the Fujisaki-Okamoto transform as an oracle, i.e., observing whether or not decapsulation fails, we derive inequalities involving secret data, from which we may recover the private key. Our attack is not defeated by many standard countermeasures such as shuffling in time or Boolean masking, and the fault may be introduced over a large execution-time interval at several places. In addition, we improve a known recovery technique to efficiently and practically recover the secret key from a smaller number of inequalities compared to the previous method.
Ofri Nevo, Ni Trieu, Avishay Yanai
ePrint ReportOur protocols follow the client-server model where each party is either a client or a server. However, in contrast to previous works where the client has to engage in an expensive interactive cryptographic protocol, our clients need only send a single key to each server and a single message to a {\em pivot} party (where message size is in the order of the set size). Our experiments show that the client's load improves by up to $10 \times$ (compared to both semi-honest and malicious settings) and that factor increases with the number of parties.
We implemented our protocol and conducted an extensive experiment over both LAN and WAN and up to 32 parties with up to $2^{20}$ items each. We provide a comparison of the performance of our protocol and the state-of-the-art for both the semi-honest setting (by Chandran et al.) and the malicious setting (by Ben Efraim et al. and Garimella et al.).
Denis Diemert, Kai Gellert, Tibor Jager, Lin Lyu
ePrint ReportWe show that this impression is false, by giving the first constructions of signature schemes with full tightness in all dimensions in the MC setting. To circumvent the known impossibility results, we first introduce the notion of canonical reductions in the SC setting. We prove a general theorem establishing that every signature scheme with a canonical reduction is already memory-tightly secure in the MC setting, provided that it is strongly unforgeable, the adversary receives only one signature per message, and assuming the existence of a tightly-secure pseudorandom function. We then achieve memory-tight many-signatures-per-message security in the MC setting by a simple additional generic transformation. This yields the first memory-tightly, strongly EUF-CMA-secure signature schemes in the MC setting. Finally, we show that standard security proofs often already can be viewed as canonical reductions. Concretely, we show this for signatures from lossy identification schemes (Abdalla et al., EUROCRYPT 2012), two variants of RSA Full-Domain Hash (Bellare and Rogaway, EUROCRYPT 1996), and two variants of BLS signatures (Boneh et al., ASIACRYPT 2001).
Julia Hesse, Dennis Hofheinz, Lisa Kohl, Roman Langrehr
ePrint ReportThe main technical obstacle in achieving tightly secure NIKE schemes are adaptive corruptions. Hence, in this work, we explore security notions and schemes that lie between selective security and fully adaptive security. Concretely:
- We exhibit a tradeoff between key size and reduction loss. We show that a tighter reduction can be bought by larger public and secret NIKE keys. Concretely, we present a simple NIKE scheme with a reduction loss of O(N^2 log(\nu)/\nu^2), and public and secret keys of O(\nu) group elements, where N denotes the overall number of users in the system, and \nu is a freely adjustable scheme parameter.
Our scheme achieves full adaptive security even against multiple "test queries" (i.e., adversarial challenges), but requires keys of size O(N) to achieve (almost) tight security under the matrix Diffie-Hellman assumption. Still, already this simple scheme circumvents existing lower bounds.
- We show that this tradeoff is inherent. We contrast the security of our simple scheme with a lower bound for all NIKE schemes in which shared keys can be expressed as an ``inner product in the exponent''. This result covers the original Diffie-Hellman NIKE scheme, as well as a large class of its variants, and in particular our simple scheme. Our lower bound gives a tradeoff between the ``dimension'' of any such scheme (which directly corresponds to key sizes in existing schemes), and the reduction quality. For \nu = O(N), this shows our simple scheme and reduction optimal (up to a logarithmic factor).
- We exhibit a tradeoff between security and key size for tight reductions. We show that it is possible to circumvent the inherent tradeoff above by relaxing the desired security notion. Concretely, we consider the natural notion of semi-adaptive security, where the adversary has to commit to a single test query after seeing all public keys. As a feasibility result, we bring forward the first scheme that enjoys compact public keys and tight semi-adaptive security under the conjunction of the matrix Diffie-Hellman and learning with errors assumptions.
We believe that our results shed a new light on the role of adaptivity in NIKE security, and also illustrate the special role of NIKE when it comes to tight security reductions.
Michel Abdalla, Manuel Barbosa, Jonathan Katz, Julian Loss, Jiayu Xu
ePrint Report17 September 2021
Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK
Job PostingCSIT is an Innovation and Knowledge centre in cyber security funded by EPSRC and Innovate UK since 2009. It is host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE: www.ukrise.org). It is also a partner in the UK Research Institute in Trustworthy Interconnected Cyber Physical Systems (RITICS: ritics.org) and is recognised by NCSC as an Academic Centre of Excellence (ACE) in Cyber Security Research. You will also have opportunities to work with vibrant engineering and commercial teams to translate your research into impact and help you build industry linkages.
We are seeking candidates with research experience (commensurate with career stage) in one or more of the following areas:
(1) Hardware & Embedded Systems Security:
Hardware cryptographic architectures, physical unclonable function, side channel analysis, security of microprocessor architectures, and/or hardware Trojan detection
(2) Applied Cryptography: hardware and software implementation of advanced cryptographic algorithms (e.g., post-quantum, homomorphic encryption), security protocol design, privacy-preserving cryptographic protocol design and implementation
(3) Security of AI: Adversarial learning and/or testing, mitigations against poisoning, evasion, and backdoor attacks.
(4) Network forensics and/or software defined networks: Network intrusion detection, vulnerabilities in SDNFV networks, analytics-based monitoring, and forensics capabilities
(5) Industrial control system security: Resilience in ICS, cyber-physical situation awareness in IT-OT systems, Programmable Logic Controller security
Closing date for applications:
Contact: Professor Máire O'Neill
More information: https://hrwebapp.qub.ac.uk/tlive_webrecruitment/wrd/run/ETREC107GF.open?VACANCY_ID=198185FSGi&WVID=6273090Lgx&LANG=USA
Simula UiB - Bergen, Norway
Job PostingSimula UiB AS is a research center with strong professional competence in cryptography and information theory. Through research and education of master’s and PhD candidates in the field, we ensure valuable expertise in technological protection of business and public institutions in Norway. Established in 2016, Simula UiB is owned by Simula Research Laboratory AS and the University of Bergen (UiB). We work closely with other companies in the Simula Group, Universities, and other research centers. We are currently nine permanent employees and 17 PhD fellows and Postdocs. Read more about us at www.simula-uib.com.
Closing date for applications:
Contact: Anne S. Posner, Managing Partner of Bønes Virik
email: anne@bonesvirik.no
phone: +47 90691846
More information: https://bonesvirik.recman.no/job.php?job_id=229981
University of Wollongong, Australia
Job PostingClosing date for applications:
Contact: Prof. Willy Susilo
More information: https://uniroles.com.au/display-job/23863/Lecturer,-Cyber-Security.html?searchId=1631859551.4407&page=1
University of Alabama at Birmingham
Job PostingThe Department of Computer Science (CS) at the University of Alabama at Birmingham (UAB) is seeking candidates for a tenured faculty position who will assume the role of the Director of the Center for Cyber Security. Highly qualified candidates at both Associate Professor and Professor rank will be considered.
Further information on the position and how to apply can be found at:
https://uab.peopleadmin.com/postings/9605
Closing date for applications:
Contact: Yuliang Zheng, Professor & Chair (yzheng at uab.edu)
IIT Kanpur, India
Job PostingClosing date for applications:
Contact: Manindra Agrawal