International Association for Cryptologic Research


IACR News


15 March 2023

Leonard Assouline, Brice Minaud
ePrint Report
Existing Oblivious RAM protocols do not support the storage of data items of variable size in a non-trivial way. While the study of ORAM for items of variable size is of interest in and of itself, it is also motivated by the need for more performant and more secure Searchable Symmetric Encryption (SSE) schemes.

In this article, we introduce the notion of weighted ORAM, which supports the storage of blocks of different sizes. In a standard ORAM scheme, each data block has a fixed size $B$. In weighted ORAM, the size (or weight) of a data block is an arbitrary integer $w_i \in [1,B]$. The parameters of the weighted ORAM are entirely determined by an upper bound $B$ on the block size, and an upper bound $N$ on the total weight $\sum w_i$ of all blocks, regardless of the distribution of individual weights $w_i$. During write queries, the client is allowed to arbitrarily change the size of the queried data block, as long as the previous upper bounds continue to hold.

We introduce a framework to build efficient weighted ORAM schemes, based on an underlying standard ORAM satisfying a certain suitability criterion. This criterion is fulfilled by various Tree ORAM schemes, including Simple ORAM and Path ORAM. We deduce several instantiations of weighted ORAM, with very little overhead compared to standard ORAM. As a direct application, we obtain efficient SSE constructions with attractive security properties.
Gang Xu, Shiyuan Xu, Yibo Cao, Ke Xiao, Xiu-Bo Chen, Mianxiong Dong, Shui Yu
ePrint Report
Electronic Medical Records (EMRs) have been utilized in plentiful medical institutions due to their superior convenience and low storage overhead. Nevertheless, it is difficult for medical departments with disparate management regulations to share EMRs through secure communication channels, since sensitive EMRs are prone to being tampered with. Therefore, the EMRs should be encrypted before being outsourced to the network servers. Public key Encryption with Keyword Search (PEKS) gives doctors the ability to search encrypted EMRs, but traditional PEKS algorithms are susceptible to quantum computing attacks and do not consider access control. To address the aforementioned issues, we propose AAQ-PEKS, an attribute-based anti-quantum public-key encryption scheme with keyword search. First, based on LWE hardness, we introduce an attribute-based PEKS that can resist quantum attacks in E-health scenarios. Second, we combine Attribute-Based Encryption (ABE) into AAQ-PEKS to realize access control for sensitive EMRs. Third, the computational security analysis shows that our scheme achieves correctness, Indistinguishability against Chosen Plaintext Attack (IND-CPA) and Indistinguishability against Chosen Keyword Attack (IND-CKA). Lastly, a comprehensive performance evaluation in practice shows that our AAQ-PEKS is more efficient than other existing top-tier schemes. To conclude, our scheme has the characteristics of resisting quantum attacks and fine-grained access control for E-health scenarios.
Cody Freitag, Ashrujit Ghoshal, Ilan Komargodski
ePrint Report
Cryptographic hash functions map data of arbitrary size to a fixed size digest, and are one of the most commonly used cryptographic objects. As it is infeasible to design an individual hash function for every input size, variable-input length hash functions are built by designing and bootstrapping a single fixed-input length function that looks sufficiently random. To prevent trivial preprocessing attacks, applications often require not just a single hash function but rather a family of keyed hash functions.

The most well-known methods for designing variable-input length hash function families from a fixed idealized function are the Merkle-Damgård and Sponge designs. The former underlies the SHA-1 and SHA-2 constructions and the latter underlies SHA-3. Unfortunately, recent works (Coretti et al. EUROCRYPT 2018, Coretti et al. CRYPTO 2018) show non-trivial time-space tradeoff attacks for finding collisions for both. Thus, this forces a parameter blowup (i.e., efficiency loss) for reaching a certain desired level of security. We ask whether it is possible to build families of keyed hash functions which are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions, without incurring significant efficiency costs.

We present several new constructions of keyed hash functions that are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions. Our constructions provide various tradeoffs between their efficiency and the range of parameters where they achieve optimal security for collision resistance. Our main technical contribution is proving optimal security bounds for converting a hash function with a fixed-sized input to a keyed hash function with (potentially larger) fixed-size input. We then use this keyed function as the underlying primitive inside the standard MD and Merkle tree constructions. We strongly believe that this paradigm of using a keyed inner hash function in these constructions is the right one, for which non-uniform security has not been analyzed prior to this work.
Yibin Yang, Mohsen Minaei, Srinivasan Raghuraman, Ranjit Kumaresan, Mahdi Zamani
ePrint Report
A typical approach for scaling blockchains is to create bilateral, off-chain channels, known as payment/state channels, that can protect parties against cheating via on-chain collateralization. While such channels have been studied extensively, not much attention has been given to off-chain programmability, where the parties can agree to enforce arbitrary conditions over their payments without going on-chain. Such ability is especially important for scaling off-chain channels via the hub-and-spoke model, where each party establishes a channel with a highly available (but untrusted) hub without a priori knowledge about the type and conditions of its off-chain transactions.

We introduce the notion of a programmable payment channel (PPC) that allows two parties to agree on a smart contract off-chain specifying the conditions on which the transactions can happen. If either party violates any of the terms, the other party can later deploy the contract on-chain to receive a remedy as agreed upon in the contract. Specifically, our PPC supports programmable payments where only one party deposits to the agreed off-chain contract, enabling lightweight payments. We further show that any two-party contract (even ones with two party deposits) can be implemented with PPC, by a compiler and associated protocol, allowing the parties to use their pre-deposited on-chain collaterals for any off-chain interaction potentially not anticipated at the time of channel setup. We formalize and prove the security and correctness of our protocol under the UC framework. We implement our protocol on Ethereum using accumulators to achieve efficient concurrent programmable transactions and measure the gas overhead of a hash-time-lock PPC contract to be < 100K which can be amortized over many off-chain payments.

10 March 2023

Leiden University, LIACS; Leiden, The Netherlands
Job Posting
The Faculty of Science and the Leiden Institute of Advanced Computer Science (LIACS) are looking for a PhD Candidate in Privacy-Preserving Machine Learning to work with Assistant Professor Eleftheria Makri.

The successful applicant should be a motivated university graduate who is a top performer among his/her peers and has an excellent education and/or research track record proven by relevant experience, publications, etc. The applicant is expected to have:
  • MSc degree in Computer Science, Electrical Engineering, Cryptography, Applied Mathematics, or related field;
  • Solid background in Computer Science and Mathematics;
  • Good programming skills in e.g., Python, C, C++;
  • Experience with Machine Learning;
  • Excellent written and oral communication skills in English.

    For more information about the position, please see: https://www.universiteitleiden.nl/vacatures/2023/kwartaal-1/23-124phd-candidate-privacy-preserving-machine-learning

    Closing date for applications:

    Contact: Eleftheria Makri: e.makri@liacs.leidenuniv.nl

    More information: https://www.universiteitleiden.nl/vacatures/2023/kwartaal-1/23-124phd-candidate-privacy-preserving-machine-learning

    NEC Laboratories Europe
    Job Posting

    We are looking for a Research Associate to contribute, in the frame of an EU funded project, to the research and the development of solutions in the area of security and privacy, with a special focus on distributed systems and blockchain security.

    Required Skills and Experience

    • Strong experience in system security and distributed systems
    • Experience in blockchain technologies
    • Experience in cryptography
    • Experience in software development with programming languages such as Python, Golang, Java, or C/C++
    • Excellent interpersonal and communication skills in English

    Our work ranges from foundational research and IPR creation to prototype development for NEC products and services.

    The Security group (SEC) is considered one of the pioneers in Europe in the area of security and privacy R&D with its top researchers in the fields of cloud security, blockchain security, system security, and applied cryptography.

    At NEC Laboratories Europe, we provide a collaborative, team-working environment that supports your career aspirations. Our working language is English. The position is initially limited to two years.

    NEC Laboratories Europe is located in the beautiful city of Heidelberg, Germany. Home office schemes within the country may be offered. Heidelberg is an international and lively city with a large number of exciting cultural, entertainment, and outdoor activities.

    Application deadline: March 27, 2023

    For further detail and how to apply, see:

    https://jobs.neclab.eu/jobs/openings/staff/NEC-NLE-2301-461-SEC-1-Research_Associate_%5b2301_461_SEC%5d.pdf

    Closing date for applications:

    Contact: Giorgia Marson

    More information: https://jobs.neclab.eu/jobs/openings/staff/NEC-NLE-2301-461-SEC-1-Research_Associate_%5b2301_461_SEC%5d.pdf

    Virtual event, Anywhere on Earth, 21 June - 22 June 2023
    Event Calendar
    Event date: 21 June to 22 June 2023
    Submission deadline: 1 May 2023
    Notification: 19 March 2023

    09 March 2023

    Jin Li, Xingyu Li, Chang Chen, Guoyu Yang, Junyang Li, Qi Chen, Hongyang Yan
    ePrint Report
    Due to their completeness, reliability and zero-knowledge nature, zero-knowledge proofs are widely used to design various protocols, including zero-knowledge authentication protocols. However, existing zero-knowledge proof schemes cannot realize bidirectional authentication. In this paper, we design a series of bidirectional zero-knowledge protocols based on two new flavors of operations applicable to multiplicative cyclic groups. The two notions are formally defined in this paper. We also provide some formal definitions and properties for the two notions. According to our definitions, any bounded polynomial function defined on a multiplicative cyclic group has a duality and a mirror. Based on the two operations, we introduce and formally define the dual commitment scheme and the mirror commitment scheme. Besides, we provide two efficient constructions each for dual commitment and mirror commitment, based on the CDH assumption and the RSA assumption respectively, named DCCDH, DCRSA, MCCDH and MCRSA. We also provide an extended version supporting multiple messages in the appendix. Then, we design some efficient non-interactive as well as interactive zero-knowledge authentication protocols based on these commitments. The protocols allow two participants to submit commitments to each other so that they can achieve mutual zero-knowledge authentication with only a single communication initialization needed. Moreover, similar to other commitment schemes, our schemes can also be widely used in the construction of other cryptographic schemes, such as verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
    Alex B. Grilo, Or Sattath, Quoc-Huy Vu
    ePrint Report
    It is an important question to find constructions of quantum cryptographic protocols which rely on weaker computational assumptions than classical protocols. Recently, it has been shown that oblivious transfer and multi-party computation can be constructed from one-way functions, whereas this is impossible in the classical setting in a black-box way. In this work, we study the question of building quantum public-key encryption schemes from one-way functions and even weaker assumptions. Firstly, we revisit the definition of IND-CPA security to this setting. Then, we propose three schemes for quantum public-key encryption from one-way functions, pseudorandom function-like states with proof of deletion and pseudorandom function-like states, respectively.
    Kyohei Sudo, Masayuki Tezuka, Keisuke Hara, Yusuke Yoshida
    ePrint Report
    The learning with errors (LWE) problem is one of the fundamental problems in cryptography and it has many applications in post-quantum cryptography. There are two variants of the problem, the decisional-LWE problem and the search-LWE problem. An LWE search-to-decision reduction shows that the hardness of the search-LWE problem can be reduced to the hardness of the decisional-LWE problem. We initiate a study of quantum search-to-decision reduction for the LWE problem and propose a reduction that is sample-preserving: a sample-preserving reduction preserves all parameters, including the number of instances. In particular, our quantum reduction invokes the distinguisher only $2$ times to solve the search-LWE problem, while classical reductions require a polynomial number of invocations. Furthermore, we give a way to amplify the success probability of the reduction algorithm. Our amplified reduction works with fewer LWE samples than the classical reduction that has a high success probability. Our reduction algorithm supports a wide class of error distributions and also provides a search-to-decision reduction for the learning parity with noise problem. In the process of constructing the search-to-decision reduction, we give a quantum Goldreich-Levin theorem over $\mathbb{Z}_q$ where $q$ is prime. In short, this theorem states that, if a hardcore predicate $a\cdot s \pmod q$ can be predicted with probability distinctly greater than $1/q$ with respect to a uniformly random $a\in\mathbb{Z}_q^n$, then it is possible to determine $s\in\mathbb{Z}_q^n$.

    08 March 2023

    Suvradip Chakraborty, Manoj Prabhakaran, Daniel Wichs
    ePrint Report
    A witness map deterministically maps a witness $w$ of some NP statement $x$ into a computationally sound proof that $x$ is true, with respect to a public common reference string (CRS). In other words, it is a deterministic, non-interactive, computationally sound proof system in the CRS model. A unique witness map (UWM) ensures that for any fixed statement $x$, the witness map should output the same unique proof for $x$, no matter what witness $w$ it is applied to. More generally, a compact witness map (CWM) can only output one of at most $2^\alpha$ proofs for any given statement $x$, where $\alpha$ is some compactness parameter. Such compact/unique witness maps were proposed recently by Chakraborty, Prabhakaran and Wichs (PKC '20) as a tool for building tamper-resilient signatures, who showed how to construct UWMs from indistinguishability obfuscation (iO). In this work, we study CWMs and UWMs as primitives of independent interest and present a number of interesting connections to various notions in cryptography.
    • First, we show that UWMs lie somewhere between witness PRFs (Zhandry; TCC '16) and iO -- they imply the former and are implied by the latter. In particular, we show that a relaxation of UWMs to the "designated verifier (dv-UWM)" setting is equivalent to witness PRFs. Moreover, we consider two flavors of such dv-UWMs, which correspond to two flavors of witness PRFs previously considered in the literature, and show that they are all in fact equivalent to each other in terms of feasibility.
    • Next, we consider CWMs that are extremely compact, with $\alpha = O(\log \kappa)$, where $\kappa$ is the security parameter. We show that such CWMs imply pseudo-UWMs where the witness map is allowed to be pseudo-deterministic -- i.e., for every true statement $x$, there is a unique proof such that, on any witness $w$, the witness map outputs this proof with $1-1/p(\lambda)$ probability, for a polynomial $p$ that we can set arbitrarily large.
    • Lastly, we consider CWMs that are mildly compact, with $\alpha = p(\lambda)$ for some a-priori fixed polynomial $p$, independent of the length of the statement $x$ or witness $w$. Such CWMs are implied by succinct non-interactive arguments (SNARGs). We show that such CWMs imply NIZKs, and therefore lie somewhere between NIZKs and SNARGs.
    Guido Bertoni, Joan Daemen, Seth Hoffert, Michaël Peeters, Gilles Van Assche, Ronny Van Keer, Benoît Viguier
    ePrint Report
    In a recent presentation, we promoted the use of 12-round instances of Keccak, collectively called “TurboSHAKE”, in post-quantum cryptographic schemes, but without defining them further. The goal of this note is to fill this gap: The definition of the TurboSHAKE family simply consists in exposing and generalizing the primitive already defined inside KangarooTwelve.
    Zhipeng Wang, Stefanos Chaliasos, Kaihua Qin, Liyi Zhou, Lifeng Gao, Pascal Berrang, Benjamin Livshits, Arthur Gervais
    ePrint Report
    Zero-knowledge proof (ZKP) mixers are one of the most widely used blockchain privacy solutions, operating on top of smart contract-enabled blockchains. We find that ZKP mixers are tightly intertwined with the growing number of Decentralized Finance (DeFi) attacks and Blockchain Extractable Value (BEV) extractions. Through coin flow tracing, we discover that 205 blockchain attackers and 2,595 BEV extractors leverage mixers as their source of funds, while depositing a total attack revenue of 412.87M USD. Moreover, the US OFAC sanctions against the largest ZKP mixer, Tornado.Cash, have reduced the mixer’s daily deposits by more than 80%.

    Further, ZKP mixers advertise their level of privacy through a so-called anonymity set size, which similarly to $k$-anonymity allows a user to hide among a set of $k$ other users. Through empirical measurements, we, however, find that these anonymity set claims are mostly inaccurate. For the most popular mixers on Ethereum (ETH) and Binance Smart Chain (BSC), we show how to reduce the anonymity set size on average by 27.34% and 46.02% respectively. Our empirical evidence is also the first to suggest a differing privacy-predilection of users on ETH and BSC.

    State-of-the-art ZKP mixers are moreover interwoven with the DeFi ecosystem by offering anonymity mining (AM) incentives, i.e., users receive monetary rewards for mixing coins. However, contrary to the claims of related work, we find that AM does not necessarily improve the quality of a mixer’s anonymity set. Our findings indicate that AM attracts privacy-ignorant users, who then do not contribute to improving the privacy of other mixer users.
    Cathy Li, Jana Sotáková, Emily Wenger, Mohamed Malhou, Evrard Garcelon, Francois Charton, Kristin Lauter
    ePrint Report
    The Learning With Errors (LWE) problem is one of the major hard problems in post-quantum cryptography. For example, 1) the only Key Exchange Mechanism KEM standardized by NIST [14] is based on LWE; and 2) current publicly available Homomorphic Encryption (HE) libraries are based on LWE. NIST KEM schemes use random secrets, but homomorphic encryption schemes use binary or ternary secrets, for efficiency reasons. In particular, sparse binary secrets have been proposed, but not standardized [2], for HE. Prior work SALSA [49] demonstrated a new machine learning attack on sparse binary secrets for the LWE problem in small dimensions (up to n = 128) and low Hamming weights (up to h = 4). However, this attack assumed access to millions of LWE samples, and was not scaled to higher Hamming weights or dimensions. Our attack, PICANTE, reduces the number of samples required to just m = 4n samples. Moreover, it can recover secrets with much larger dimensions (up to 350) and Hamming weights (roughly n/10, or h = 33 for n = 300). To achieve this, we introduce a preprocessing step which allows us to generate the training data from a linear number of samples and changes the distribution of the training data to improve transformer training. We also improve the distinguisher/secret recovery methods of SALSA and introduce a novel cross-attention recovery mechanism which allows us to read-off the secret directly from the trained models.
    Christopher Dunne
    ePrint Report
    Grover’s algorithm is a quantum searching algorithm that poses a threat to symmetric cryptography. Due to their smaller key sizes, lightweight cryptographic algorithms such as Simplified-AES face a much more immediate threat from Grover’s algorithm than traditional cryptographic algorithms. By analyzing different S-boxes, it was discovered that the S-box 946C753AE8FBD012 may be more quantum resistant than the S-box that Simplified-AES uses, 94ABD1856203CEF7. In addition to this, 16x4 S-boxes (or 4 4x4 S-boxes) showed to be significantly more quantum secure than 4x4 S-boxes. This is because the number of gates needed to model a $2^n$x4 S-box increases at an exponential rate. It was also found that this property extends to $2^n$x8 S-boxes, implying the existence of a more quantum secure 8x8 S-box that AES could use. However, an increase in quantum security does not equate to an increase in classical security, as some of the least quantum secure S-boxes analyzed displayed some of the best classical security. Finally, an alteration of Simplified-AES that used a 16x4 S-box was found that displayed better classical and quantum security than Simplified-AES and did not require an increase in key size.
    Nishat Koti, Varsha Bhat Kukkala, Arpita Patra, Bhavish Raj Gopal
    ePrint Report
    The rising issues of harassment, exploitation, corruption, and other forms of abuse have led victims to seek comfort by acting in unison against common perpetrators (e.g., #MeToo movement). One way to curb these issues is to install allegation escrow systems that allow victims to report such incidents. The escrows are responsible for identifying victims of a common perpetrator and taking the necessary action to bring justice to them. However, users hesitate to participate in these systems due to the fear of such sensitive reports being leaked to perpetrators, who may further misuse them. Thus, to increase trust in the system, cryptographic solutions are being designed to realize secure allegation escrow (SAE) systems.

    In the work of Arun et al. (NDSS'20), which presents the state-of-the-art solution, we identify attacks that can leak sensitive information and compromise victim privacy. We also report issues present in prior works that were left unidentified. To arrest all these breaches, we put forth an SAE system that prevents the identified attacks and retains the salient features from all prior works. The cryptographic technique of secure multi-party computation (MPC) serves as the primary underlying tool in designing our system. At the heart of our system lies a new duplicity check protocol and an improved matching protocol. We also provide additional features such as allegation modification and deletion, which were absent in the state of the art. To demonstrate feasibility, we benchmark the proposed system with state-of-the-art MPC protocols and report the cost of processing an allegation. Different settings that affect system performance are analyzed, and the reported values showcase the practicality of our solution.
    Kyungbae Jang, Dukyoung Kim, Yujin Oh, Sejin Lim, Yujin Yang, Hyunji Kim, Hwajeong Seo
    ePrint Report
    Security vulnerabilities in the symmetric-key primitives of a cipher can undermine the overall security claims of the cipher. With the rapid advancement of quantum computing in recent years, there is an increasing effort to evaluate the security of symmetric-key cryptography against potential quantum attacks. This paper focuses on analyzing the quantum attack resistance of AIM, a symmetric-key primitive used in the AIMer digital signature scheme. We present the first quantum circuit implementation of AIM and estimate its complexity (such as qubit count, gate count, and circuit depth) with respect to Grover's search algorithm. For Grover's key search, the most important optimization metric is the depth, especially when considering parallel search. Our implementation gathers multiple methods for a low-depth quantum circuit of AIM in order to reduce the Toffoli depth and full depth.
    Apurva K Vangujar, Buvana Ganesh, Paolo Palmieri
    ePrint Report
    Electronic voting (e-voting) aims to provide a sustainable and accessible environment for voters while preserving anonymity and trust. In this paper, we present a novel e-voting scheme that combines Group Identity-based Identification (GIBI) scheme with Homomorphic Encryption (HE) based on the Distributed ElGamal (DE) cryptosystem. Our scheme allows for efficient voter authentication through the use of a Discrete Logarithm (DL)-based identification protocol and enables encrypted vote counting without the need for decryption. Additionally, our scheme allows for individual and universal verifiability through the use of Zero-Knowledge (ZK) proofs. We also propose some future work to enhance the scheme for more secure or practical use.
    Thomas Aulbach, Fabio Campos, Juliane Krämer, Simona Samardjiska, Marc Stöttinger
    ePrint Report
    Due to recent cryptanalytical breakthroughs, the multivariate signature schemes that seemed to be most promising in the past years are no longer in the focus of the research community. Hence, the cryptographically mature UOV scheme is of great interest again. Since it has not been part of the NIST process for standardizing post-quantum cryptography so far, it has not been studied intensively for its physical security.

    In this work, we present a side-channel attack on the latest implementation of UOV. In the first part of the attack, a single side-channel trace of the signing process is used to learn all vinegar variables used in the computation. Then, we employ the reconciliation attack to reveal the complete secret key. Our attack, unlike previous work, targets the inversion of the central map and not the subsequent linear transformation. It further does not require the attacker to control the message to be signed.

    We have verified the practicality of our attack on a ChipWhisperer-Lite board with a 32-bit STM32F3 ARM Cortex-M4 target mounted on a CW308 UFO board. We publicly provide the code and both reference and target traces. Additionally, we discuss several countermeasures that can at least make our attack less efficient.
    Pierre-Alain Fouque, Adela Georgescu, Chen Qian, Adeline Roux-Langlois, Weiqiang Wen
    ePrint Report
    We present a new generic transform that takes a multi-round interactive proof for the membership of a language $\mathcal{L}$ and outputs a non-interactive zero-knowledge proof (not of knowledge) in the common reference string model. Similar to the Fiat-Shamir transform, it requires a hash function $\mathsf{H}$. However, in our transform the zero-knowledge property is in the standard model, and the adaptive soundness is in the non-programmable random oracle model ($\mathsf{NPROM}$). Behind this new generic transform, we build a new generic OR-composition of two multi-round interactive proofs. Note that the two common techniques for building OR-proofs (parallel OR-proof and sequential OR-proof) cannot be naturally extended to the multi-round setting. We also give a proof of security for our OR-proof in the quantum random oracle model ($\mathsf{QROM}$); surprisingly, the security loss in $\mathsf{QROM}$ is independent of the number of rounds.