IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
01 June 2017
Joan Daemen, Bart Mennink, Gilles Van Assche
ePrint ReportItai Dinur, Niv Nadler
ePrint ReportAt the USENIX Security Symposium 2016, Biryukov and Khovratovich presented a new promising PoW scheme called MTP (Merkle Tree Proof) that achieves essentially all desired PoW properties. As a result, MTP has received substantial attention from the cryptocurrency community. The scheme uses a Merkle hash tree construction over a large array of blocks computed by a memory consuming (memory-hard) function. Despite the fact that only a small fraction of the memory is verified by the efficient verification algorithm, the designers claim that a cheating prover that uses a small amount of memory will suffer from a significant computational penalty.
In this paper, we devise a sub-linear computation-memory tradeoff attack on MTP. We apply our attack to the concrete instance proposed by the designers which uses the memory-hard function Argon2d and computes a proof by allocating 2 gigabytes of memory. The attack computes arbitrary malicious proofs using less than a megabyte of memory (about 1/3000 of the honest prover's memory) at a relatively mild penalty of 170 in computation. This is more than 55,000 times faster than what is claimed by the designers. The attack requires a one-time precomputation step of complexity $2^{64}$, but its online cost is only increased by a factor which is less than 2 when spending $2^{48}$ precomputation time.
The main idea of the attack is to exploit the fact that Argon2d accesses its memory in a way which is determined by its previous computations. This allows to inject a small fraction of carefully selected memory blocks that manipulate Argon2d's memory access patterns, significantly weakening its memory-hardness.
Dragos Rotaru, Nigel P. Smart, Martijn Stam
ePrint ReportTibor Jager, Martijn Stam, Ryan Stanley-Oakes, Bogdan Warinschi
ePrint ReportWe show that for all single-key secure encryption schemes satisfying a minimal key uniqueness assumption and almost any instantiation of our general multi-key security notion, any reasonable reduction from the multi-key game to a standard single-key game necessarily incurs a linear loss in the number of keys. We prove this result for all three classical single-key security notions capturing confidentiality, authenticity and the combined authenticated encryption notion.
University of Luxembourg
Job PostingSuccessful candidates will participate in the activities of the Security and Trust of Software Systems (SaToSS) research group led by Prof. Dr. Sjouke Mauw. The group is focused on formalising and applying formal reasoning to real-world security problems and trust issues. We offer three different research projects:
- Multi-party Authentication Protocols. Further information and submission guidelines can be found at: https://goo.gl/yqPo6q
- Adaptive Cyber-defenses. Further information and submission guidelines can be found at: https://goo.gl/FlMo5E
- Security and Privacy in Social Networks. Further information and submission guidelines can be found at: https://goo.gl/TpZ3S7
Applicants can apply to more than one research project. Each application will be considered on receipt, therefore applying before the deadline is encouraged.
Closing date for applications: 31 August 2017
Contact: Prof. Sjouke Mauw
Université du Luxembourg
Faculté des Sciences, de la Technologie et de la Communication (FSTC)
Maison du Nombre
6, avenue de la Fonte
L-4364 Esch-sur-Alzette
Telephone: (+352) 466 644 5480
Email: sjouke.mauw (at) uni.lu
31 May 2017
Tomas Fabsic, Viliam Hromada, Paul Stankovski, Pavol Zajac, Qian Guo, Thomas Johansson
ePrint ReportThis paper shows that a similar dependence between the secret matrix $H$ and the failure probability of a decoding algorithm is also present in the QC-LDPC McEliece cryptosystem. Unlike QC-MDPC McEliece, the secret key in QC-LDPC McEliece also contains matrices $S$ and $Q$ in addition to the matrix $H$. We observe that there also exists a dependence between the failure probability and the matrix $Q$. We show that these dependences leak enough information to allow an attacker to construct a sparse parity-check matrix for the public code. This parity-check matrix can then be used for decrypting ciphertexts.
We tested the attack on an implementation of the QC-LDPC McEliece using a soft-decision decoding algorithm. Thus we also confirmed that soft-decision decoding algorithms can be vulnerable to leaking information about the secret key.
Georg T. Becker
ePrint ReportHowever, in this paper we show that from a practical perspective the problem of building a provably secure fuzzy extractor is actually not solved yet. The originally proposed robust fuzzy extractors based on BCH codes either do not have the required error-correction rates for practical applications or violate the parameters in the security proof. Since no helper data manipulation attacks on linear codes are known which work in the robust fuzzy extractor construction, it might be tempting to simply ignore the parameters of the proof. However, we present new helper data manipulation attacks on several decoding strategies for linear codes which set a key as opposed to recovering the key. These new attacks show that helper data manipulation attacks are indeed feasible against such constructions if the parameters in the proof are ignored. Robust fuzzy extractors therefore need to be revisited by both engineers and cryptographers to solve the problem of building both provably secure as well as practical robust fuzzy extractors.
Marcel Keller, Dragos Rotaru , Nigel P. Smart, Tim Wood
ePrint ReportZurich, Switzerland, 10 January - 12 January 2018
Real World CryptoSubmission deadline: 5 October 2017
Notification: 4 December 2017
Chongwon Cho, Nico Döttling, Sanjam Garg, Divya Gupta, Peihan Miao, Antigoni Polychroniadou
ePrint ReportOur key contribution is an instantiation of this primitive based on the Decisional Diffie-Hellman (DDH) assumption in the common reference string (CRS) model. The technical core of this construction is a novel use of somewhere statistically binding (SSB) hashing in conjunction with hash proof systems. Next, we show applications of laconic OT to non-interactive secure computation on large inputs and multi-hop homomorphic encryption for RAM programs.
Peter Pessl, Leon Groot Bruinderink, Yuval Yarom
ePrint ReportItay Berman, Akshay Degwekar, Ron D. Rothblum, Prashant Nalini Vasudevan
ePrint ReportIn this work we study multi-collision resistant hash functions (MCRH) a natural relaxation of collision resistant hash functions in which it is difficult to find a t-way collision (i.e., t strings that hash to the same value) although finding (t-1)-way collisions could be easy. We show the following:
- The existence of MCRH follows from the average case hardness of a variant of Entropy Approximation, a problem known to be complete for the class NISZK.
- MCRH imply the existence of constant-round statistically hiding (and computationally binding) commitment schemes.
In addition, we show a blackbox separation of MCRH from any one-way permutation
Nir Bitansky, Yael Tauman Kalai, Omer Paneth
ePrint ReportWe show how to replace collision resistance with multi-collision resistance in several foundational applications, improving on the best known round complexity, obtaining:
- 3-message zero-knowledge arguments for NP.
- 3-message succinct arguments of knowledge for NP.
- 4-message epsilon-zero-knowledge proofs for NP.
- 5-message public-coin zero-knowledge arguments for NP.
Our techniques can also be applied in the keyed setting, at the cost of adding another message. In this case, we weaken the known complexity assumptions for the last three applications, while still matching the state of the art in terms of round complexity.
The core technical contribution behind our results is a domain extension transformation from multi-collision-resistant hash functions for a fixed input length to ones with an arbitrary input length and a local opening property.
Yi LU
ePrint ReportIn this paper, we study linear attacks on GOST 28147-89. Prior to us, [Shorin-Jelezniakov-Gabidulin'2001] did some analysis on the linear approximation of GOST without giving any detailed results. [Shorin-Jelezniakov-Gabidulin'2001] claimed that the complexity of the linear attack on GOST is higher than $2^{256}$ after 5 rounds. In our work, we show that this is not true. First, we give the detailed bias analysis on the GOST round function for the first time. We show that the largest bias is $2^{-7}$. Secondly, we proposed the first known linear attacks on GOST. The recent idea of synthetic linear analysis [Lu-Vaudenay-Meier'2012] is then successfully applied to improve the bias for the $r$-round linear approximation of GOST. In summary, our attack on 8-round GOST recovers the key in time $2^{37}$ with $2^{50}$ known plaintexts in the single-key setting. For the 16-round GOST with last 8 rounds using subkeys in reverse order, our distinguishing attack works in time $2^{85}$ using $2^{85}$ known plaintexts, in the plain multiple-key setting without the related-key assumption. That is, the plaintexts can be encrypted by arbitrary number of keys, with each key encrypting arbitrary number of plaintexts, as long as we have a total of $2^{85}$ known plaintexts. For the 32-round GOST with the slightly tweaked key schedule, i.e., assuming last 16 rounds using subkeys in reverse order, our distinguishing attack works in time $2^{170.8}$, given $2^{170.8}$ known plaintexts, in the plain multiple-key setting without the related-key assumption. To the best of our knowledge, our distinguishing attacks are the first known distinguishers on block ciphers in the plain multiple-key setting without the usual related-key assumption. Finally, for the 32-round GOST with the original key schedule, our distinguisher works in time $2^{173.8}$, given $2^{173.8}$ known plaintexts, in the related-key setting. This is the fastest attack known so far, compared with the best attacks [Dinur-Dunkelman-Shamir'2012], [Courtois'2012] on the full 32-round GOST.
Ilan Komargodski, Moni Naor, Eylon Yogev
ePrint ReportIn this work we consider a relaxation of the above requirement that we call Multi-CRH: a function where it is hard to find $x_1, x_2, \ldots, x_k$ which are all distinct, yet $ h(x_1) = h(x_2) = \cdots = h(x_k)$. We show that for some of the major applications of CRH functions it is possible to replace them by the weaker notion of an Multi-CRH, albeit at the price of adding interaction: we show a statistically hiding commitment schemes with succinct interaction (committing to $\mathsf{poly}(n)$ bits requires exchanging $O(n)$ bits) that can be opened locally (without revealing the full string). This in turn can be used to provide succinct arguments for any statement. On the other hand we show black-box separation results from standard CRH and a hierarchy of such Multi-CRHs.
Jiangshan Yu, Mark Ryan, Liqun Chen
ePrint ReportThis paper presents a scheme which allows a storage service composed of several servers to create a group public key in a decentralised manner, and maintain its security even when such compromises take place. By maintaining keys for a long term, we reduce the reliance on public-key certification. The storage servers periodically update the decryption secrets corresponding to a public key, in such a way that secrets gained by an attacker are rendered useless after an update takes place. An attacker would have to compromise all the servers within a short period lying between two updates in order to fully compromise the system.
Jung Hee Cheon, Minki Hhan, Changmin Lee
ePrint ReportSergiu Carpov, Pascal Aubry, Renaud Sirdey
ePrint Report30 May 2017
University of Luxembourg
Job PostingClosing date for applications: 30 July 2017
Contact: Prof. Alex Biryukov
More information: https://www.cryptolux.org/index.php/Home#PhD_in_Applied_Cryptography.2C_the_PRIDE_project
FSE
The next deadline (ToSC 2017, issue 3) is June 1, 2017.
For more information, see the call for Papers or submission server:
General information: https://www.cosic.esat.kuleuven.be/events/fse2018/call-for-papers/
Submission server: http://tosc.iacr.org/index.php/ToSC/pages/view/Submission