International Association
for Cryptologic Research

Digital signatures ensure legitimate access through identity authentication. It is also used to build blocks in blockchains and to authenticate transactions. The Courtois-Finiasz-Sendrier (CFS) digital signature is a well-known code-based digital signature scheme based on the Niederreiter cryptosystem. The CFS signature, however, is not widely used due to the long processing time required by its signing algorithm. Most code-based digital signature schemes are based on Niederreiter. The present paper proposes a new code-based digital signature based on the McEliece cryptosystem. The proposed McEliece code-based scheme also gives less complexity and a higher success rate. The scheme provides an efficient code-based algorithm to sign a document in a shorter processing time. The scheme is also secure against public key structural attacks. Key generation, signing, and verification algorithms are presented. The key generation algorithm constructs three-tuple public keys using a dual inverse matrix. The proposed signing scheme is the first code-based digital signature based on McEliece with the lower processing time required to construct a valid digital signature. The proposed signing algorithm also constructs smaller signatures. In addition, the verification algorithm checks the integrity value to avoid any forgery before final verification.

Machine learning (ML) has seen a strong rise in popularity in recent years and has become an essential tool for research and industrial applications. Given the large amount of high quality data needed and the often sensitive nature of ML data, privacy-preserving collaborative ML is of increasing importance. In this paper, we introduce new actively secure multiparty computation (MPC) protocols which are specially optimized for privacy-preserving machine learning applications. We concentrate on the optimization of (tensor) convolutions which belong to the most commonly used components in ML architectures, especially in convolutional neural networks but also in recurrent neural networks or transformers, and therefore have a major impact on the overall performance. Our approach is based on a generalized form of structured randomness that speeds up convolutions in a fast online phase. The structured randomness is generated with homomorphic encryption using adapted and newly constructed packing methods for convolutions, which might be of independent interest. Overall our protocols extend the state-of-the-art Overdrive family of protocols (Keller et al., EUROCRYPT 2018). We implemented our protocols on-top of MP-SPDZ (Keller, CCS 2020) resulting in a full-featured implementation with support for faster convolutions. Our evaluation shows that our protocols outperform state-of-the-art actively secure MPC protocols on ML tasks like evaluating ResNet50 by a factor of 3 or more. Benchmarks for depthwise convolutions show order-of-magnitude speed-ups compared to existing approaches.

The security of cryptographic primitives is an important issue. The Shor algorithm illustrates how quantum attacks threaten the security of these widely used primitives. Code-based cryptography is one of several approaches resistant to quantum attacks. To date, no attack has been able to break a code-based cryptosystem in polynomial time. Despite this level of security, these cryptosystems have not been considered for practical applications such as e-commerce, medical and industrial IoT, finance, blockchain, mobile services, and online banking. The main reason is the large public and private key sizes. This paper presents a new code-based cryptosystem based on inverse parity check matrices. The dual matrix provides both a parity check matrix transpose and a parity check matrix inverse. These are employed in the key generation, encryption, and decryption algorithms. The proposed scheme provides public and private key sizes smaller than the McEliece cryptosystem and has a higher level of security.

Fully homomorphic encryption FHE has been one of the most promising cryptographic tools for secure two-party computation and secure outsourcing computation in recent years. However, the complex bootstrapping procedure in FHE schemes is the main bottleneck of it practical usage, and the TFHE scheme is the state-of-the-art for efficient bootstrapping. To further improve the efficiency of bootstrapping in TFHE, the number of fast Fourier transforms (FFT) should be reduced since bootstrapping in TFHE is mainly composed of vast FFTs. In this paper, we focus on a novel method of decomposing-in-Fourier (DIF) to reduce the number of FFTs in bootstrapping of TFHE, from $2(\ell+1)n$ to $4n$. As a result, our method would reduce the number of FFTs required by each external product in bootstrapping to a constant number rather than varying with decomposing parameters, which leads to a scale-invariant bootstrapping structure.

IACR is soliciting for affiliated events to be held in conjunction with Crypto 2023 Saturday, August 19th, and/or Sunday, August 20th, 2023.

The call for proposals is now out at: https://crypto.iacr.org/2023/affiliated.php

Eurocrypt 2023 will take place in Lyon, France on April 23-27, 2023.

The registration site is now open. To avoid late fees please register before March 30th.
https://eurocrypt.iacr.org/2023/registration.php

The goal of this research is to raise technical doubts regarding the usefulness of the repeated attempts by governments to curb Cryptography (aka the ``Crypto Wars''), and argue that they, in fact, cause more damage than adding effective control. The notion of {\em Anamorphic Encryption} was presented in Eurocrypt'22 for a similar aim. There, despite the presence of a Dictator who possesses all keys and knows all messages, parties can arrange a hidden ``{\it anamorphic}'' message in an otherwise indistinguishable from regular ciphertexts (wrt the Dictator).

In this work, we postulate a stronger cryptographic control setting where encryption does not exist (or is neutralized) since all communication is passed through the Dictator in, essentially, cleartext mode (or otherwise, when secure channels to and from the Dictator are the only confidentiality mechanism). Messages are only authenticated to assure recipients of the identity of the sender. We ask whether security against the Dictator still exists, even under such a~strict regime which allows only authentication (i.e., authenticated/ signed messages) to pass end-to-end, and where received messages are determined by/ known to the Dictator, and the Dictator also eventually gets all keys to verify compliance of past signing. To frustrate the Dictator, this authenticated message setting gives rise to the possible notion of anamorphic channels inside signature and authentication schemes, where parties attempt to send undetectable secure messages (or other values) using signature tags which are indistinguishable from regular tags. We define and present implementation of schemes for anamorphic signature and authentication; these are applicable to existing and standardized signature and authentication schemes which were designed independently of the notion of anamorphic messages. Further, some cornerstone constructions of the foundations of signatures, in fact, introduce anamorphism.

MIBS is a 32-round lightweight block cipher following a Feistel structure with the block length of 64-bit and the key length of 64 or 80 bits. In this paper, the properties of the key scheduling algorithm are investigated and lots of repeated bits among the different round keys are found. Moreover, the optimal guessing order of the unknown key bits is obtained by using the greedy algorithm. At last, combined with the early abort technique, the differential cryptanalyses are improved to 15 rounds both of MIBS-64 and MIBS-80. For MIBS-64, the data complexity is $2^{59}$, and the time complexity is $2^{46.2}$ encryptions. For MIBS-80, the data complexity is $2^{59}$, and the time complexity is $2^{51.7}$ encryptions. The key scheduling algorithm of MIBS is similar to some other lightweight block ciphers, and we hope further similarities will help build better attacks for them as well.

GIFT-64 is a block cipher that has received a lot of attention from the community since its proposal in 2017. The attack on the highest number of rounds is a differential related-key attack on 26 rounds~\cite{DBLP:journals/tosc/SunWW21}. We studied this attack, in particular with respect to the generic framework for improving key recovery from~\cite{DBLP:conf/asiacrypt/BrollCFLN21}, and we realised that this framework, combined with an efficient parallel key guessing of interesting subsets of the key and a consequent list merging applied to the partial solutions, can improve the complexity of the attack. We propose two different trade-offs, as a result of the improved key-recovery. We believe that the techniques are quite generic and that it is possible to apply them to improve other differential attacks.

Over the years, a large number of attacks have been proposed against substitution boxes used in symmetric ciphers such as differential attacks, linear attacks, algebraic attacks, etc. In the Advanced Encryption Standard (AES) Block cipher, the substitution box is the only nonlinear component and thus it holds the weight of the cipher. This basically means that if an attacker is able to mount a successful attack on the substitution box of AES, the cipher is compromised. This research work aims to provide a solution for increasing cryptographic immunity of S-boxes against such attacks. A genetic algorithm based approach has been proposed to search for 8 × 8 balanced and bijective S-boxes that exhibit values of differential branch number, non-linearity, differential uniformity, count and length of cycles present and distance from strict avalanche criterion that are similar to or better than the AES S-box. An S-Box evaluation tool is also implemented to evaluate any S-boxes generated. S-box of AES is resistant to the crypt-analytic attacks. S-boxes constructed by the proposed algorithm have better cryptographic properties so they are also resistant to the crypt-analytic attacks. The strict avalanche criterion[11], which is based on completeness[22] and diffusion[5], is an essential property for any 8 × 8 S-box. Good diffusion means that a small change in the plaintext may influence the complete block after a small number of rounds. Therefore, a lower DSAC value is desirable to prevent vulnerabilities to attacks such as differential attacks. The DSAC is therefore used as the primary fitness criterion in this research work to search for S-boxes with better diffusion.

The Extended Access Control (EAC) protocol for authenticated key agreement is mainly used to secure connections between machine-readable travel documents (MRTDs) and inspection terminals, but it can also be adopted as a universal solution for attribute-based access control with smart cards. The security of EAC is currently based on the Diffie-Hellman problem, which may not be hard when considering quantum computers.

In this work we present PQ-EAC, a quantum-resistant version of the EAC protocol. We show how to achieve post-quantum confidentiality and authentication without sacrificing real-world usability on smart cards. To ease adoption, we present two main versions of PQ-EAC: One that uses signatures for authentication and one where authentication is facilitated using long-term KEM keys. Both versions can be adapted to achieve forward secrecy and to reduce round complexity. To ensure backwards-compatibility, PQ-EAC can be implemented using only Application Protocol Data Units (APDUs) specified for EAC in standard BSI TR-03110. Merely the protocol messages needed to achieve forward secrecy require an additional APDU not specified in TR-03110. We prove security of all versions in the real-or-random model of Bellare and Rogaway.

To show real-world practicality of PQ-EAC we have implemented a version using signatures on an ARM SC300 security controller, which is typically deployed in MRTDs. We also implemented PQ-EAC on a VISOCORE terminal for border control. We then conducted several experiments to evaluate the performance of PQ-EAC executed between chip and terminal under various real-world conditions. Our results strongly suggest that PQ-EAC is efficient enough for use in border control.

Herein, we propose an anonymous broadcast authentication (ABA) scheme to simultaneously control $10^9$ devices practically. We find a barrier to construct an ABA working with a larger number of devices.In a nutshell, there is a trilemma between (i) security, (ii) ciphertext length, and (iii) freedom in the target devices selection. For practical use, we propose ABAs with a ciphertext size of $O(\log N)$ where $N$ is the number of target devices while we impose a certain restriction on (iii). We provide an ABA template and instantiate it into specific schemes from the discrete logarithm problem (DLP) or the learning with errors (LWE) problem.

Existing Oblivious RAM protocols do not support the storage of data items of variable size in a non-trivial way. While the study of ORAM for items of variable size is of interest in and of itself, it is also motivated by the need for more performant and more secure Searchable Symmetric Encryption (SSE) schemes.

In this article, we introduce the notion of weighted ORAM, which supports the storage of blocks of different sizes. In a standard ORAM scheme, each data block has a fixed size $B$. In weighted ORAM, the size (or weight) of a data block is an arbitrary integer $w_i \in [1,B]$. The parameters of the weighted ORAM are entirely determined by an upper bound $B$ on the block size, and an upper bound $N$ on the total weight $\sum w_i$ of all blocks\textemdash regardless of the distribution of individual weights $w_i$. During write queries, the client is allowed to arbitrarily change the size of the queried data block, as long as the previous upper bounds continue to hold.

We introduce a framework to build efficient weighted ORAM schemes, based on an underlying standard ORAM satisfying a certain suitability criterion. This criterion is fulfilled by various Tree ORAM schemes, including Simple ORAM and Path ORAM. We deduce several instantiations of weighted ORAM, with very little overhead compared to standard ORAM. As a direct application, we obtain efficient SSE constructions with attractive security properties.

Electronic Medical Records (EMRs) have been utilized in plentiful medical institutions due to their superior convenience and low storage overhead. Nevertheless, it is difficult for medical departments with disparate management regulations to share EMRs through secure communication channels since sensitive EMRs are prone to be tampered with. Therefore, the EMRs should be encrypted before being outsourced to the network servers. Public key Encryption with Keyword Search (PEKS) has the ability for doctors to search encrypted EMRs, but traditional PEKS algorithms are susceptible to quantum computing attacks and without considering access control. To address the aforementioned issues, we proposed AAQ-PEKS scheme, named an attribute-based anti-quantum public-key encryption scheme with keyword search. Initially, based on the LWE hardness, we first introduce the attribute-based PEKS that can resist quantum attacks in E-health scenarios. Secondly, we combine Attribute-Based Encryption (ABE) into AAQ-PEKS to realize access control for sensitive EMRs. Thirdly, the computational security analysis illustrates that our scheme achieves correctness, Indistinguishability against Chosen Plaintext Attack (IND-CPA) and Indistinguishability against Chosen Keyword Attack (IND-CKA). Lastly, comprehensive performance evaluation in practice elaborates that our AAQ-PEKS is more efficient compared with other existing top-tier schemes. To conclude, our scheme has the characteristics of resisting quantum attacks and fine-grained access control for E-health scenarios.

Cryptographic hash functions map data of arbitrary size to a fixed size digest, and are one of the most commonly used cryptographic objects. As it is infeasible to design an individual hash function for every input size, variable-input length hash functions are built by designing and bootstrapping a single fixed-input length function that looks sufficiently random. To prevent trivial preprocessing attacks, applications often require not just a single hash function but rather a family of keyed hash functions.

The most well-known methods for designing variable-input length hash function families from a fixed idealized function are the Merkle-Damgård and Sponge designs. The former underlies the SHA-1 and SHA-2 constructions and the latter underlies SHA-3. Unfortunately, recent works (Coretti et al. EUROCRYPT 2018, Coretti et al. CRYPTO 2018) show non-trivial time-space tradeoff attacks for finding collisions for both. Thus, this forces a parameter blowup (i.e., efficiency loss) for reaching a certain desired level of security. We ask whether it is possible to build families of keyed hash functions which are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions, without incurring significant efficiency costs.

We present several new constructions of keyed hash functions that are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions. Our constructions provide various tradeoffs between their efficiency and the range of parameters where they achieve optimal security for collision resistance. Our main technical contribution is proving optimal security bounds for converting a hash function with a fixed-sized input to a keyed hash function with (potentially larger) fixed-size input. We then use this keyed function as the underlying primitive inside the standard MD and Merkle tree constructions. We strongly believe that this paradigm of using a keyed inner hash function in these constructions is the right one, for which non-uniform security has not been analyzed prior to this work.

A typical approach for scaling blockchains is to create bilateral, off-chain channels, known as payment/state channels, that can protect parties against cheating via on-chain collateralization. While such channels have been studied extensively, not much attention has been given to off-chain programmability, where the parties can agree to enforce arbitrary conditions over their payments without going on-chain. Such ability is especially important for scaling off-chain channels via the hub-and-spoke model, where each party establishes a channel with a highly available (but untrusted) hub without a priori knowledge about the type and conditions of its off-chain transactions.

We introduce the notion of a programmable payment channel (PPC) that allows two parties to agree on a smart contract off-chain specifying the conditions on which the transactions can happen. If either party violates any of the terms, the other party can later deploy the contract on-chain to receive a remedy as agreed upon in the contract. Specifically, our PPC supports programmable payments where only one party deposits to the agreed off-chain contract, enabling lightweight payments. We further show that any two-party contract (even ones with two party deposits) can be implemented with PPC, by a compiler and associated protocol, allowing the parties to use their pre-deposited on-chain collaterals for any off-chain interaction potentially not anticipated at the time of channel setup. We formalize and prove the security and correctness of our protocol under the UC framework. We implement our protocol on Ethereum using accumulators to achieve efficient concurrent programmable transactions and measure the gas overhead of a hash-time-lock PPC contract to be < 100K which can be amortized over many off-chain payments.

The Faculty of Science and the Leiden Institute of Advanced Computer Science (LIACS) are looking for a PhD Candidate in Privacy-Preserving Machine Learning to work with Assistant Professor Eleftheria Makri.

The successful applicant should be a motivated university graduate who is a top performer among his/her peers and has an excellent education and/or research track record proven by relevant experience, publications, etc. The applicant is expected to have:

MSc degree in Computer Science, Electrical Engineering, Cryptography, Applied Mathematics, or related field;

Solid background in Computer Science and Mathematics;

Good programming skills in e.g., Python, C, C++;

Experience with Machine Learning;

Excellent written and oral communication skills in English.

For more information about the position, please see: https://www.universiteitleiden.nl/vacatures/2023/kwartaal-1/23-124phd-candidate-privacy-preserving-machine-learning

Closing date for applications:

Contact: Eleftheria Makri: e.makri@liacs.leidenuniv.nl

More information: https://www.universiteitleiden.nl/vacatures/2023/kwartaal-1/23-124phd-candidate-privacy-preserving-machine-learning

We are looking for a Research Associate to contribute, in the frame of an EU funded project, to the research and the development of solutions in the area of security and privacy, with a special focus on distributed systems and blockchain security.

Required Skills and Experience

• Strong experience in system security and distributed systems
• Experience in blockchain technologies.
• Experience in cryptography
• Experience in software development with programming languages such as Python, Golang, Java, or C/C++
• Excellent interpersonal and communication skills in English

Our work ranges from foundational research and IPR creation to prototype development for NEC products and services.

The Security group (SEC) is considered one of the pioneers in Europe in the area of security and privacy R&D with its top researchers in the fields of cloud security, blockchain security, system security, and applied cryptography.

At NEC Laboratories Europe, we provide a collaborative, team-working environment that supports your career aspirations. Our working language is English. The position is initially limited to two years.

NEC Laboratories Europe is located in the beautiful city of Heidelberg, Germany. Home office schemes within the country may be offered. Heidelberg is an international and lively city with a large number of exciting cultural, entertainment, and outdoor activities.

Application deadline: March 27, 2023

For further detail and how to apply, see:

https://jobs.neclab.eu/jobs/openings/staff/NEC-NLE-2301-461-SEC-1-Research_Associate_%5b2301_461_SEC%5d.pdf

Closing date for applications:

Contact: Giorgia Marson

More information: https://jobs.neclab.eu/jobs/openings/staff/NEC-NLE-2301-461-SEC-1-Research_Associate_%5b2301_461_SEC%5d.pdf

Event date: 21 June to 22 June 2023
Submission deadline: 1 May 2023
Notification: 19 March 2023

Due to the completeness, reliability and zero-knowledge nature, the zero-knowledge proof is widely used to designed various protocols, including zero-knowledge authentication protocols. However, the existing zero-knowledge proof scheme cannot realize bidirectional authentication. In this paper, we design a series of bidirectional zero-knowledge protocols based on two new flavors of operations applicable to multiplicative cyclic group. The two notions are formally defined in this paper. We also provide some formal definitions and properties for the two notions. According to our definitions, any bounded polynomial function defined on multiplicative cyclic group has duality and mirror. Based on the two operations, we introduce and formally define dual commitment scheme and mirror commitment scheme. Besides, we provide two efficient constructions for dual commitment and mirror commitment respectively based on CDH assumption and RSA assumption, and named DCCDH, DCRSA, MCCDH and MCRSA respectively. We also provide the extended version supporting multiple messages in the appendix. Then, we design some efficient non-interactive as well as interactive zero-knowledge authentication protocols based on these commitments. The protocols allow two participants to submit commitments to each other so that they can achieve mutual zero-knowledge authentication only a communication initialization needed. Moreovere , similar to other commitment schemes, our schemes also can be widely used to construction of other schemes for cryptography, such as, verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.