International Association
for Cryptologic Research

A determined algorithm is presented for solving the rSUM problem for any natural r with a sub-quadratic assessment of time complexity in some cases. In terms of an amount of memory used the obtained algorithm is the nlog^3(n) order. The idea of the obtained algorithm is based not considering integer numbers, but rather k (is a natural) successive bits of these numbers in the binary numeration system. It is shown that if a sum of integer numbers is equal to zero, then the sum of numbers presented by any k successive bits of these numbers must be sufficiently "close" to zero. This makes it possible to discard the numbers, which a fortiori, do not establish the solution.

V. Anashin et al gave criteria for measure-preservation and ergodicity of 1-lipschitz transformations on the ring of p-adic integers. However, issue of describing the ergodic 1-lipschitz transformations on the Cartesian power of the ring of p-adic integers has been opened so far. In this paper we present the resulting solution to this problem. In other words, T-Funtions of several variables are considered.

KEMTLS is a proposal for changing the TLS handshake to authenticate the handshake using long-term key encapsulation mechanism keys instead of signatures, motivated by trade-offs in the characteristics of post-quantum algorithms. Prior proofs of security of KEMTLS and its variant KEMTLS-PDK have been hand-written proofs in the reductionist model under computational assumptions. In this paper, we present computer-verified symbolic analyses of KEMTLS and KEMTLS-PDK using two distinct Tamarin models. In the first analysis, we adapt the detailed Tamarin model of TLS 1.3 by Cremers et al. (ACM CCS 2017), which closely follows the wire-format of the protocol specification, to KEMTLS(-PDK). We show that KEMTLS(-PDK) has equivalent security properties to the main handshake of TLS 1.3 proven in this model. We were able to fully automate this Tamarin proof, compared with the previous TLS 1.3 Tamarin model, which required a big manual proving effort; we also uncovered some inconsistencies in the previous model. In the second analysis, we present a novel Tamarin model of KEMTLS(-PDK), which closely follows the multi-stage key exchange security model from prior pen-and-paper proofs of KEMTLS(-PDK). The second approach is further away from the wire-format of the protocol specification but captures more subtleties in security definitions, like deniability and different levels of forward secrecy; it also identifies some flaws in the security claims from the pen-and-paper proofs. Our positive security results increase the confidence in the design of KEMTLS(-PDK). Moreover, viewing these models side-by-side allows us to comment on the trade-off in symbolic analysis between detail in protocol specification and granularity of security properties.

This brief note introduces a new attack vector applicable to a symbolic computation tool routinely used by cryptographers.

The attack takes advantage of the fact that the very rich user interface allows displaying formulae in invisible color or in font size zero. This allows to render some code portions invisible when opened using the tool.

We implement a classical fault attack thanks to this deceptive mechanism but other cryptographic or non-cryptographic attacks (e.g. formatting the victim's disk or installing rootkits) can be easily conducted using identical techniques.

This underlines the importance of creating malware detection software for symbolic computation tools. Such protections do not exist as of today.

We stress that our observation is not a vulnerability in Mathematica but rather a misuse of the rich possibilities offered by the software.

Quantum copy-protection, introduced by Aaronson (CCC'09), uses the no-cloning principle of quantum mechanics to protect software from being illegally distributed. Constructing copy-protection has been an important problem in quantum cryptography. Since copy-protection is shown to be impossible to achieve in the plain model, we investigate the question of constructing copy-protection for arbitrary classes of unlearnable functions in the random oracle model. We present an impossibility result that rules out a class of copy-protection schemes in the random oracle model assuming the existence of quantum fully homomorphic encryption and quantum hardness of learning with errors. En route, we prove the impossibility of approximately correct copy-protection in the plain model.

We give the first constructions in the plain model of 1) nonmalleable digital lockers (Canetti and Varia, TCC 2009) and 2) robust fuzzy extractors (Boyen et al., Eurocrypt 2005) that secure sources with entropy below 1/2 of their length. Constructions were previously only known for both primitives assuming random oracles or a common reference string (CRS). Along the way, we define a new primitive called a nonmalleable point function obfuscation with associated data. The associated data is public but protected from all tampering. We use the same paradigm to then extend this to digital lockers. Our constructions achieve nonmalleability over the output point by placing a CRS into the associated data and using an appropriate non-interactive zero-knowledge proof. Tampering is protected against the input point over low-degree polynomials and over any tampering to the output point and associated data. Our constructions achieve virtual black box security. These constructions are then used to create robust fuzzy extractors that can support low-entropy sources in the plain model. By using the geometric structure of a syndrome secure sketch (Dodis et al., SIAM Journal on Computing 2008), the adversary’s tampering function can always be expressed as a low-degree polynomial; thus, the protection provided by the constructed nonmalleable objects suffices.

The existence of finite maps from hyperelliptic curves to elliptic curves has been studied for more than a century and their existence has been related to isogenies between a product of elliptic curves and their Jacobian surface. Such finite covers, sometimes named gluing maps have recently appeared in cryptography in the context of genus 2 isogenies and more spectacularly, in the work of Castryck and Decru about the cryptanalysis of SIKE. Computation methods include the use of algebraic theta functions or correspondences such as Richelot isogenies or degree 3 analogues. This article aims at giving geometric meaning to the gluing morphism from a product of elliptic curves $E_1 \times E_2$ to a genus 2 Jacobian when it is a degree (3, 3) isogeny. An explicit (uni)versal family and an algorithm were previously provided in the literature (Bröker-Howe-Lauter-Stevenhagen) and a similar special case was studied by Kuwata. We provide an alternative construction of the universal family using concepts from classical algebraic and projective geometry. The family of genus 2 curves which are triple covers of 2 elliptic curves with a level 3 structure arises as a correspondence given by a polarity relation. The construction does not provide closed formulas for the final curves equations and morphisms. However, an alternative algorithm based on the geometric construction is proposed for computation on finite fields. It relies only on elementary operations and a limited number of square roots and computes the equation of the genus 2 curves and morphisms in all cases.

\par Topology-hiding computation (THC) enables $n$ parties to perform a secure multiparty computation (MPC) protocol in an incomplete communication graph while keeping the communication graph hidden. The work of Akavia et al. (CRYPTO 2017 and JoC 2020) shown that THC is feasible for any graph. In this work, we focus on the efficiency of THC and give improvements for various tasks including broadcast, sum and general computation. We mainly consider THC on undirected cycles, but we also give two results for THC on general graphs. All of our results are derived in the presence of a passive adversary statically corrupting any number of parties.

\par In the undirected cycles, the state-of-the-art topology-hiding broadcast (THB) protocol is the Akavia-Moran (AM) protocol of Akavia et al. (EUROCRYPT 2017). We give an optimization for the AM protocol such that the communication cost of broadcasting $O(\kappa)$ bits is reduced from $O(n^2\kappa^2)$ bits to $O(n^2\kappa)$ bits. We also consider the sum and general computation functionalities. Previous to our work, the only THC protocols realizing the sum and general computation functionalities are constructed by using THB to simulate point-to-point channels in an MPC protocol realizing the sum and general computation functionalities, respectively. By allowing the parties to know the exact value of the number of the parties (the AM protocol and our optimization only assume the parties know an upper bound of the number of the parties), we can derive more efficient THC protocols realizing these two functionalities. As a result, comparing with previous works, we reduce the communication cost by a factor of $O(n\kappa)$ for both the sum and general computation functionalities.

\par As we have mentioned, we also get two results for THC on general graphs. The state-of-the-art THB protocol for general graphs is the Akavia-LaVigne-Moran (ALM) protocol of Akavia et al. (CRYPTO 2017 and JoC 2020). Our result is that our optimization for the AM protocol also applies to the ALM protocol and can reduce its communication cost by a factor of $O(\kappa)$. Moreover, we optimize the fully-homomorphic encryption (FHE) based GTHC protocol of LaVigne et al. (TCC 2018) and reduce its communication cost from $O(n^8\kappa^2)$ FHE ciphertexts and $O(n^5\kappa)$ FHE public keys to $O(n^6\kappa)$ FHE ciphertexts and $O(n^5\kappa)$ FHE public keys.

Previously [4], Orbis Labs presented a method for compiling (“arithmetizing”) relations, expressed as Σ¹₁ formulas in the language of rings, into Halo 2 [1, 2, 3] arithmetic circuits. In this research, we extend this method to support polynomial quantifier bounds, in addition to constant quantifier bounds. This allows for more efficient usage of rows in the resulting circuit.

Zero Knowledge Set Membership Proofs (zkSMPs) allow efficiently, i.e. sublinearly in the size of the set, proving membership of a value in a set in zero knowledge with respect to the value. They have been used to construct anonymous cryptocurrencies such as ZCash, which uses a zero knowledge Merkle proof to show that the inputs of a transaction belong to the Transaction Output (TXO) set. Using a Merkle tree instantiated with a pair of Pedersen hash functions between an amicable cycle of elliptic curves, similarly to Curve Trees, and the Weil Elliptic Curve Inner Product (ECIPs) proofs, I design a set membership protocol with substantially smaller witness sizes than other Merkle zkSMPs. This protocol uses a pair of communicating Bulletproofs, one over each curve, whose total proof size I am able to reduce by proving portions of each verifier inside the other proof. Using these techniques, along with an adaptation of the Bulletproofs++ confidential transaction protocol, I design an anonymous transaction protocol for a decentralized cryptocurrency, whose security argument is reducible to the discrete log problem over a pair of elliptic curves and that does not require a trusted setup. Over a $256$ bit field, these transactions are $1349 + 64n + 32 \lceil \log_2 c \rceil$ bytes for $n$ inputs, $m$ outputs, $d$ depth, and $c$ proof capacity, which is bounded by a linear function of $n d$, $n$, and $m$ and is equal to $1$ for up to $m < 1000$ or $n < 37$ when $d = 48$. Proving complexity is quasilinear and verifier complexity is linear in both $n d$ and $m$, and in practice verification will be dominated by the cost of two Bulletproof verifications of length $1536$ and $1744$ for $c=1$. $\mu$Cash support efficient batch verification, user defined assets and multi-asset confidential transactions, privacy preserving multi-party proving, adaptor signatures, absolute and relative time locks, and a multiphase transaction structure to support scriptless scripts for private atomic swaps and payment channels. This protocol is likely compatible with the Halo accumulation scheme, although I do not investigate this.

Although the supersingular isogeny Diffie-Hellman (SIDH) protocol is one of the most promising post-quantum cryptosystems, it is significantly slower than its main counterparts due to the underlying large smooth-degree isogeny computation. In this work, we address the problem of evaluating and constructing a strategy for computing the large smooth-degree isogeny in the multi-processor setting by formulating them as scheduling problems with dependencies. The contribution of this work is two-fold. For the strategy evaluation, we transform strategies into task dependency graphs and apply precedence-constrained scheduling algorithms to them in order to find their costs. For the strategy construction, we construct strategies from smaller parts that are optimal solutions of integer programming representing the problem. We show via experiments that the proposed two techniques together offer more than 13% reduction in the strategy costs compared to the best current results by Hutchinson and Karabina presented at Indocrypt 2018.

Assume that Alice can do only classical probabilistic polynomial-time computing while Bob can do quantum polynomial-time computing. Alice and Bob communicate over only classical channels, and finally Bob gets a state $|x_0\rangle+|x_1\rangle$ with some bit strings $x_0$ and $x_1$. Is it possible that Alice can know $\{x_0,x_1\}$ but Bob cannot? Such a task, called {\it remote state preparations}, is indeed possible under some complexity assumptions, and is bases of many quantum cryptographic primitives such as proofs of quantumness, (classical-client) blind quantum computing, (classical) verifications of quantum computing, and quantum money. A typical technique to realize remote state preparations is to use 2-to-1 trapdoor collision resistant hash functions: Alice sends a 2-to-1 trapdoor collision resistant hash function $f$ to Bob, and Bob evaluates it coherently, i.e., Bob generates $\sum_x|x\rangle|f(x)\rangle$. Bob measures the second register to get the measurement result $y$, and sends $y$ to Alice. Bob's post-measurement state is $|x_0\rangle+|x_1\rangle$, where $f(x_0)=f(x_1)=y$. With the trapdoor, Alice can learn $\{x_0,x_1\}$ from $y$, but due to the collision resistance, Bob cannot. This Alice's advantage can be leveraged to realize the quantum cryptographic primitives listed above. It seems that the collision resistance is essential here. In this paper, surprisingly, we show that the collision resistance is not necessary for a restricted case: we show that (non-verifiable) remote state preparations of $|x_0\rangle+|x_1\rangle$ secure against {\it classical} probabilistic polynomial-time Bob can be constructed from classically-secure (full-domain) trapdoor permutations. Trapdoor permutations are not likely to imply the collision resistance, because black-box reductions from collision-resistant hash functions to trapdoor permutations are known to be impossible. As an application of our result, we construct proofs of quantumness from classically-secure (full-domain) trapdoor permutations.

Weak coin flipping is an important cryptographic primitive, as it is the strongest known secure two-party computation primitive, that classically becomes secure only when certain assumptions are made (e.g. computational hardness), while quantumly there exist protocols that achieve arbitrarily close to perfect security. This breakthrough result was established by C. Mochon in 2007 [arXiv:0711.4114], however, his proof of existence was partially non-constructive, thus, setting back the proposal of explicit protocols. In this work, we report three different solutions to the quantum weak coin flipping problem. In particular, we propose different methods that result---either analytically or numerically---in the operators needed to construct weak coin flipping protocols with different levels of security, including nearly perfect security. In order to develop these methods, we study the quantum weak coin flipping problem from both an algebraic and a geometric perspective. We also analytically construct illustrative examples of weak coin flipping protocols achieving different levels of security.

We construct non-malleable codes in the split-state model with codeword length $m + 3\lambda$ or $m+5\lambda$, where $m$ is the message size and $\lambda$ is the security parameter, depending on how conservative one is. Our scheme is very simple and involves a single call to a block cipher meeting a new security notion which we dub entropic fixed-related-key security, which essentially means that the block cipher behaves like a pseudorandom permutation when queried upon inputs sampled from a distribution with sufficient min-entropy, even under related-key attacks with respect to an arbitrary but fixed key relation. Importantly, indistinguishability only holds with respect to the original secret key (and not with respect to the tampered secret key).

In a previous work, Fehr, Karpman, and Mennink (ToSC 2018) used a related assumption (where the block cipher inputs can be chosen by the adversary, and where indistinguishability holds even with respect to the tampered key) to construct a non-malleable code in the split-state model with codeword length $m + 2\lambda$. Unfortunately, no block cipher (even an ideal one) satisfies their assumption when the tampering function is allowed to be cipher-dependent. In contrast, we are able to show that entropic fixed-related-key security holds in the ideal cipher model with respect to a large class of cipher-dependent tampering attacks (including those which break the assumption of Fehr, Karpman, and Mennink).

Arithmetic to Boolean masking (A2B) conversion is a crucial technique in the masking of lattice-based post-quantum cryptography. It is also a crucial part of building a masked comparison which is one of the hardest to mask building blocks for active secure lattice-based encryption. We first present a new method, called one-hot conversion, to efficiently convert from higher-order arithmetic masking to Boolean masking using a variant of the higher-order table-based conversion of Coron et al. Secondly, we specialize our method to perform arithmetic to 1-bit Boolean functions. Our one-hot function can be applied to masking lattice-based encryption building blocks such as masked comparison or to determine the most significant bit of an arithmetically masked variable. In our benchmarks, a speedup of 40 to 66 times is achieved over state-of-the-art table-based A2B conversions, bringing table-based A2B conversions in the performance range of the Boolean circuit-based A2B conversions by only a slowdown of factor 1.2 to 2.

Cryptanalysis of block ciphers is an active and important research area with an extensive volume of literature. For this work, we focus on SBox-based ciphers, as they are widely used and cover a large class of block ciphers. While there have been prior works that have consolidated attacks on block ciphers, they usually focus on describing and listing the attacks. Moreover, the methods for evaluating a cipher's security are often ad hoc, differing from cipher to cipher, as attacks and evaluation techniques are developed along the way. As such, we aim to organise the attack literature, as well as the work on security evaluation.

In this work, we present a systematization of cryptanalysis of SBox-based block ciphers focusing on three main areas: (1) Evaluation of block ciphers against standard cryptanalytic attacks; (2) Organisation and relationships between various attacks; (3) Comparison of the evaluation and attacks on existing ciphers.

The FX construction provides a way to increase the effective key length of a block cipher E. We prove security of a tweakable version of the FX construction in the post-quantum setting, i.e., against a quantum attacker given only classical access to the secretly keyed construction while retaining quantum access to E, a setting that seems to be the most relevant one for real-world applications. We then use our results to prove post-quantum security—in the same model—of the (plain) FX construction, Elephant (a finalist of NIST's lightweight cryptography standardization effort), and Chaskey (an ISO-standardized lightweight MAC).

Searchable Symmetric Encryption (SSE) supports efficient yet secure query processing over outsourced symmetrically encrypted databases without the need for decryption. A longstanding open question has been the following: can we design a fast, scalable, linear storage and low-leakage SSE scheme that efficiently supports arbitrary Boolean queries over encrypted databases? In this paper, we present the design, analysis and prototype implementation of the first SSE scheme that efficiently supports conjunctive, disjunctive and more general Boolean queries (in both the conjunctive and disjunctive normal forms) while scaling smoothly to extremely large encrypted databases, and while incurring linear storage overheads and supporting extremely fast query processing in practice. We quantify the leakage of our proposal via a rigorous cryptographic analysis and argue that it achieves security against a well-known class of leakage-abuse and volume analysis attacks. Finally, we demonstrate the storage-efficiency and scalability of our proposed scheme by presenting experimental results of a prototype implementation of our scheme over large real-world databases.

Shor's algorithm solves Elliptic Curve Discrete Logarithm Problem(ECDLP) in polynomial time. To optimize Shor's algorithm for binary elliptic curve, reducing the cost for binary field multiplication is essential because it is most cost-critical basic arithmetic. In this paper, we propose Toffoli gate count optimized space-efficient quantum circuits for binary field $(\mathbb{F}_{2^{n}})$ multiplication. To do so, we take advantage of Karatsuba-like formula and show that its application can be provided without ancillary qubits and optimized them in terms of CNOT gate and depth. Based on the Karatsuba-like formula, we drive a space-efficient CRT-based multiplication with two types of out-of-place multiplication algorithm to reduce CNOT gate cost. Our quantum circuits do not use ancillary qubits and have extremely low TOF gates count $O(n2^{\log_{2}^{\ast}n})$ where $\log_{2}^{\ast}$ is a function named iterative logarithm that grows very slowly. Compared to recent Karatsuba-based space-efficient quantum circuit, our circuit requires only $(12 \sim 24 \% )$ of Toffoli gate count with comparable depth for cryptographic field sizes $(n = 233 \sim 571)$. To the best of our knowledge, this is the first result that utilizes Karatsuba-like formula and CRT-based multiplication in quantum circuits.

This work considers the problem of mitigating information leakage between communication and sensing in systems jointly performing both operations. Specifically, a discrete memoryless state-dependent broadcast channel model is studied in which (i) the presence of feedback enables a transmitter to convey information, while simultaneously performing channel state estimation; (ii) one of the receivers is treated as an eavesdropper whose state should be estimated but which should remain oblivious to part of the transmitted information. The model abstracts the challenges behind security for joint communication and sensing if one views the channel state as a sensitive attribute, e.g., location. For independent and identically distributed states, perfect output feedback, and when part of the transmitted message should be kept secret, a partial characterization of the secrecy-distortion region is developed. The characterization is exact when the broadcast channel is either physically-degraded or reversely-physically-degraded. The partial characterization is also extended to the situation in which the entire transmitted message should be kept secret. The benefits of a joint approach compared to separation-based secure communication and state-sensing methods are illustrated with binary joint communication and sensing models.