IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
30 June 2023
QuSoft / University of Amsterdam
Job PostingAre you fascinated by security in theory and/or practice? Are you willing to take on the challenge of securing the next generation of computer systems and networks? Do you like to work in a team of young researchers? Join our dynamic team as a Postdoctoral Researcher and contribute to ground-breaking research at the forefront of quantum technology!
Quantum technologies are advancing at an unprecedented pace. On one hand, the progress in developing quantum computers poses a significant threat to our security infrastructure, particularly concerning public-key cryptography. On the other hand, the integration of quantum communication and quantum data into our networks presents novel opportunities that can enhance security functionalities. However, at present, quantum components predominantly exist in experimental stages, and their security requires in-depth study and assessment.
Among the prominent applications of quantum networks is quantum key distribution (QKD), which theoretically offers superior security guarantees compared to classical cryptographic schemes. However, does the utilization of QKD truly provide tangible benefits over post-quantum cryptography? In the realistic context of trusted-node QKD networks, what kind of security guarantees can be proven depending on the deployed key-management system?
At a broader level, this postdoc position aims to investigate the advantages of exploiting quantum effects within the domain of security and explore the integration of quantum and classical security guarantees both in theory and practice.
The fully funded postdoc position will be within the Theory of Computer Science (TCS) group but will be carried out in close collaboration with researchers at QuSoft. The position is a part of the Quantum Delta NL growth fund project CAT-2, which focuses on the development of a national quantum network, and it will likely involve collaboration with the experimental and theoretical partners of the CAT-2 project.
Closing date for applications:
Contact: Christian Schaffner
More information: https://vacatures.uva.nl/UvA/job/PD/773632702/
29 June 2023
Yongha Son, Jinhyuck Jeong
ePrint ReportIn this work, we suggest new efficient proposals for circuit-PSI tailored for unbalanced inputs, which feature {\emph{zero}} small set holder side storage, and comparable online phase performance to the previous work. At the technical core, we use homomorphic encryption (HE) based {\emph{plain}} PSI protocols of Cong \textit{et al.} (CCS'21), with several technically non-trivial arguments on algorithm and security.
We demonstrate the superiority of our proposals in several input set sizes by an implementation. As a representative example, for input sets of size $2^{24}$ and $2^{12}$, our proposals require {\emph{zero}} storage on the small set holder whereas Lepoint \textit{et al.} requires over $7$GB. The online phase remains similar; over LAN network setting, ours takes $7.5$ (or $20.9$s) seconds with $45$MB (or $11.7$MB) communication, while Lepoint \textit{et al.} requires $4.2$ seconds with $117$MB communication.
Pierre Briaud, Pierre Loidreau
ePrint ReportEstuardo Alpirez Bock, Chris Brzuska, Russell W. F. Lai
ePrint ReportIn this paper, we show that LK-IND-CPA security with superlogarithmic-length leakage, and thus strong incompressibility, cannot be proven under standard (i.e. single-stage) assumptions, if the encryption scheme is key-fixing, i.e. a polynomial number of message-ciphertext pairs uniquely determine the key with high probability.
Our impossibility result refutes a claim by FKKM that their big-key generation mechanism achieves strong incompressibility when combined with any PRG or any conventional encryption scheme, since the claim is not true for encryption schemes which are key-fixing (or for PRGs which are injective). In particular, we prove that the cipher block chaining (CBC) block cipher mode is key-fixing when modelling the cipher as a truly random permutation for each key. Subsequent to and inspired by our work, FKKM prove that their original big-key generation mechanism can be combined with a random oracle into an LK-IND-CPA-secure encryption scheme, circumventing the impossibility result by the use of an idealised model.
Along the way, our work also helps clarifying the relations between incompressible white-box cryptography, big-key symmetric encryption, and general leakage resilient cryptography, and their limitations.
Vipul Goyal, Akshayaram Srinivasan, Mingyuan Wang
ePrint ReportIn this work, we explore the possibility of \textit{amortizing} the round complexity or in other words, \textit{reusing} a certain number of rounds of the secure computation protocol in the plain model. We obtain the following results.
1. Under standard cryptographic assumptions, we construct a four-round two-party computation protocol where (i) the first three rounds of the protocol could be reused an unbounded number of times if the receiver input remains the same and only the sender input changes, and (ii) the first two rounds of the protocol could be reused an unbounded number of times if the receiver input needs to change as well. In other words, the sender sends a single additional message if only its input changes, and in the other case, we need one message each from the receiver and the sender. The number of additional messages needed in each of the above two modes is optimal and, additionally, our protocol allows arbitrary interleaving of these two modes. 2. We also extend these results to the multiparty setting (in the simultaneous message exchange model) and give round-optimal protocols such that (i) the first two rounds could be reused an unbounded number of times if the inputs of the parties need to change and (ii) the first three rounds could be reused an unbounded number of times if the inputs remain the same but the functionality to be computed changes. As in the two-party setting, we allow arbitrary interleaving of the above two modes of operation.
Yuting Zuo, Li Xu, Yuexin Zhang, Chenbin Zhao, Zhaozhe Kang
ePrint ReportWillow Barkan-Vered, Franklin Harding, Jonathan Keller, Jiayu Xu
ePrint ReportRan Cohen, Pouyan Forghani, Juan Garay, Rutvik Patel, Vassilis Zikas
ePrint ReportThe starting point of our work is the observation that no known protocol exists for information-theoretic multi-valued OCC---i.e., OCC where the coin might take a value from a domain of cardinality larger than 2---with optimal resiliency in the asynchronous (with eventual message delivery) setting. This apparent hole in the literature is particularly problematic, as multi-valued OCC is implicitly or explicitly used in several constructions. (In fact, it is often falsely attributed to the asynchronous BA result by Canetti and Rabin [STOC ’93], which, however, only achieves binary OCC and does not translate to a multi-valued OCC protocol.)
In this paper, we present the first information-theoretic multi-valued OCC protocol in the asynchronous setting with optimal resiliency, i.e., tolerating $t
We then turn to the problem of round-preserving parallel composition of asynchronous BA. A protocol for this task was proposed by Ben-Or and El-Yaniv [Distributed Computing ’03]. Their construction, however, is flawed in several ways: For starters, it relies on multi-valued OCC instantiated by Canetti and Rabin's result (which, as mentioned above, only provides binary OCC). This shortcoming can be repaired by plugging in our above multi-valued OCC construction. However, as we show, even with this fix it remains unclear whether the protocol of Ben-Or and El-Yaniv achieves its goal of expected-constant-round parallel asynchronous BA, as the proof is incorrect. Thus, as a second contribution, we provide a simpler, more modular protocol for the above task. Finally, and as a contribution of independent interest, we provide proofs in Canetti's Universal Composability framework; this makes our work the first one offering composability guarantees, which are important as BA is a core building block of secure multi-party computation protocols.
Shuaishuai Li, Cong Zhang, Dongdai Lin
ePrint ReportFoteini Baldimtsi, Ioanna Karantaidou, Srinivasan Raghuraman
ePrint ReportIn this work, we define oblivious accumulators, a set commitment with concise membership proofs that hides the elements and the set size from every entity: an outsider, a verifier or other element holders. We formalize this notion of privacy via two properties: element hiding and add-delete indistinguishability. We also define almost-oblivious accumulators, that only achieve a weaker notion of privacy called add-delete unlinkability. Such accumulators hide the elements but not the set size. We consider the trapdoorless, decentralized setting where different users can add and delete elements from the accumulator and compute membership proofs.
We then give a generic construction of an oblivious accumulator based on key-value commitments (KVC). We also show a generic way to construct KVCs from an accumulator and a vector commitment scheme. Finally, we give lower bounds on the communication (size of update messages) required for oblivious accumulators and almost-oblivious accumulators.
Enrique Larraia, Owen Vaughan
ePrint ReportOur technique maintains the privacy of the data, and retains control of who can access it and when they can access it. This holds true even on a public blockchain, and even if the data is leaked by authorised parties. Indeed, an authorised data consumer (a designated-verifier for the ZKP), who discloses the data publicly, cannot convince anyone about the legitimacy of the data (in the sense that it is consistent with the information uploaded to the blockchain), because the ZKP proof is valid only for them.
Our techniques can be used in scenarios where it is required to audit highly-sensitive data (e.g. application logs) by specific third parties, or to provide on-demand data certification by notaries
28 June 2023
Zurich, Switzerland, 27 May - 30 May 2024
Eurocrypt27 June 2023
Syed Zair Abbas, Mudassar Aslam
ePrint ReportOffir Friedman, Avichai Marmor, Dolev Mutzari, Yehonatan C. Scaly, Yuval Spiizer, Avishay Yanai
ePrint ReportIn this work, we present a new protocol that combines the benefits of both worlds. We depart from the efficient scheme, which was proven secure relying on non-standard assumptions, and for the first time, prove that it is secure under standard assumptions only. This is possible thanks to a novel reduction technique, from the soundness of a zero-knowledge proof of equality of discrete logs, to the factoring problem. Furthermore, our simple and efficient proof supports batching, and hence enables batched threshold Paillier decryption for the first time.
Until now, verifying that a decryption share is correct was the bottleneck of threshold Paillier schemes, and prevented its implementation in practice (unless one is willing to rely on a trusted dealer). Our new proof and batching techniques shift that bottleneck back to the plaintext reconstruction, just like in the semi-honest setting, and render threshold Paillier practical for the first time, supporting large scale deployments.
We implemented our scheme and report our evaluation with up to 1000 parties, in the dishonest majority setting. For instance, over an EC2 C6i machine, we get a throughput of about 50 and 3.6 decryptions per second, when run over a network of 100 and 1000 parties, respectively.
Alain Couvreur, Ilaria Zappatore
ePrint ReportCarsten Baum, Lennart Braun, Cyprien Delpech de Saint Guilhem, Michael Klooß, Emmanuela Orsini, Lawrence Roy, Peter Scholl
ePrint ReportTo build VOLE-in-the-head while supporting both binary circuits and large finite fields, we develop several new technical tools. One of these is a new proof of security for the SoftSpokenOT protocol (Crypto 2022), which generalizes it to produce certain types of VOLE correlations over large fields. Secondly, we present a new ZK protocol that is tailored to take advantage of this form of VOLE, which leads to a publicly verifiable VOLE-in-the-head protocol with only 2x more communication than the best, designated-verifier VOLE-based protocols.
We analyze the soundness of our approach when made non-interactive using the Fiat-Shamir transform, using round-by-round soundness. As an application of the resulting NIZK, we present FAEST, a post-quantum signature scheme based on AES. FAEST is the first AES-based signature scheme to be smaller than SPHINCS+, with signature sizes between 5.6 and 6.6kB at the 128-bit security level. Compared with the smallest version of SPHINCS+ (7.9kB), FAEST verification is slower, but the signing times are between 8x and 40x faster.
Gustavo Banegas, Valerie Gilchrist, Anaëlle Le Dévéhat, Benjamin Smith
ePrint ReportAsuka Wakasugi, Mitsuru Tada
ePrint ReportZhengjun Cao, Lihua Liu
ePrint Report26 June 2023
Technical University of Denmark, greater Copenhagen area
Job PostingClosing date for applications:
Contact: Christian Majenz (chmaj@dtu.dk)