IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
29 August 2017
Rahul Chatterjee, Joanne Woodage, Yuval Pnueli, Anusha Chowdhury, Thomas Ristenpart
ePrint ReportWe introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.
28 August 2017
Hao Chen, Kim Laine, Rachel Player, Yuhou Xia
ePrint ReportWe combine a trick of Hoffstein and Silverman, where the modulus $t$ is replaced by a polynomial $x-b$, with the Fan-Vercauteren homomorphic encryption scheme. This yields a new scheme with a very convenient plaintext space $\mathbb{Z}/(b^n+1)\mathbb{Z}$. We then show how rational numbers can be encoded as elements of this plaintext space, enabling homomorphic evaluation of deep circuits with high-precision rational number inputs. We perform a fair and detailed comparison to the Fan-Vercauteren scheme with the Non-Adjacent Form encoder, and find that the new scheme significantly outperforms this approach. For example, when the new scheme allows us to evaluate circuits of depth $9$ with $32$-bit integer inputs, in the same parameter setting the Fan-Vercauteren scheme only allows us to go up to depth $2$. We conclude by discussing how known applications can benefit from the new scheme.
Shuichi Katsumata
ePrint Report- We propose two VRFs on bilinear maps. Both of our schemes are secure under a non-interactive $Q$-type assumption where $Q$ is only poly-logarithmic in the security parameter, and they achieve either a poly-logarithmic verification key size or proof size. This is a significant improvement over prior works, where all previous schemes either require a strong hardness assumption or a large verification key and proof size.
- We propose a lattice-based PE scheme for the class of \emph{multi-dimensional equality} (MultEq) predicates. This class of predicate is expressive enough to capture many of the appealing applications that motivates PE schemes. Our scheme achieves the best in terms of the required approximation factor for LWE (we only require $\poly(\lambda)$) and the decryption time. In particular, all existing PE schemes that support the class of MultEq predicates either require a subexponential LWE assumption or an exponential decryption time (in the dimension of the MultEq predicates).
Shashank Agrawal, Melissa Chase
ePrint ReportThis paper proposes the first fully secure ciphertext-policy and key-policy ABE schemes based on a standard assumption on Type-III pairing groups, which do not put any restriction on policy type or attributes. We implement our schemes along with several other prominent ones using the Charm library, and demonstrate that they perform better on almost all parameters of interest.
Daniel Genkin, Luke Valenta, Yuval Yarom
ePrint ReportBased on the secure design of Curve25519, users of the curve are advised that there is no need to perform validation of input points. In this work we demonstrate that when this recommendation is followed, the mathematical structure of Curve25519 facilitates the exploitation of side-channel weaknesses.
We demonstrate the effect of this vulnerability on three software applications---encrypted git, email and messaging---that use Libgcrypt. In each case, we show how to craft malicious OpenPGP files that use the Curve25519 point of order 4 as a chosen ciphertext to the ECDH encryption scheme. We find that the resulting interactions of the point at infinity, order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine create side channel leakage that allows us to recover the private key in as few as 11 attempts to access such malicious files.
Raphael Bost, Brice Minaud, Olga Ohrimenko
ePrint ReportZheng Li, Wenquan Bi, Xiaoyang Dong, Xiaoyun Wang
ePrint ReportIn this paper, we bring out a new MILP model to solve the above problem. We show how to model the CP-like-kernel and model the way that the ordinary cube variables do not multiply together in the 1st round as well as do not multiply with the conditional cube variable in the 2nd round. Based on these modeling strategies, a series of linear inequalities are given to restrict the way to add an ordinary cube variable. Then, by choosing the objective function of the maximal number of ordinary cube variables, we convert Huang et al.'s greedy algorithm into an MILP problem and the maximal ordinary cube variables are found.
Using this new MILP tool, we improve Huang et al.'s key-recovery attacks on reduced-round Keccak-MAC-384 and Keccak-MAC-512 by 1 round, get the first 7-round and 6-round key-recovery attacks, respectively. For Ketje Major, we conclude that when the nonce is no less than 11 lanes, a 7-round key-recovery attack could be achieved. In addition, for Ketje Minor, we use conditional cube variable with 6-6-6 pattern to launch 7-round key-recovery attack.
Andrei Lapets, Mayank Varia, Azer Bestavros, Frederick Jansen
ePrint ReportOur own experiences deploying MPC indicate that the technology is beyond ready for transition and deployment in the real world for appropriate scenarios and at suitable scales. MPC's benefits are often subtle and identifying compatible scenarios that would benefit from MPC is a multi-disciplinary array of challenges. Many difficulties and opportunities remain in terms of both the accessibility and the scalability of the candidate solutions for a given scenario. How can the community ensure that further research and development efforts lead to building blocks that will have the flexibility necessary to fit idiosyncratic real-world use cases?
Based on our insights, we advocate for the construction of a collection of production-quality, modular, open-source components that can support a broad ecosystem in which organizations and developers can rapidly spin up applications that employ MPC (or related technologies) to protect security-sensitive data, perform privacy-preserving computations, and enable new opportunities for collective data analysis that are currently inhibited or disincentivized by legal, institutional, or economic constraints. Such an ecosystem can allow and incentivize data owners and a diverse assortment of service providers to leverage sensitive data in deriving new insights that serve participant goals and/or the public interest.
In addition to its security benefits, the ecosystem vision facilitates separation of responsibilities and areas or expertise by decoupling the work of software engineers, lawyers, data analysts, communications infrastructure providers, cloud providers, and others. Crucial ingredients for a realization of such an ecosystem include modular design of functionalities that enable delivery of MPC services, composable security analyses of such functionalities, policy-agnostic programming and static analysis techniques that enable modularity and scalability, and accessible and scalable production-quality software applications that utilize MPC functionalities.
Gottfried Herold, Max Hoffmann, Michael Kloo\ss, Carla R\`afols, Andy Rupp
ePrint ReportTo ease this burden on the verifier, batch verification techniques have been proposed that allow to combine and check multiple equations probabilistically using less operations than checking each equation individually. In this work, we revisit the batch verification problem and existing standard techniques. We introduce a new technique which, in contrast to previous work, enables us to fully exploit the structure of certain systems of equations. Equations of the appropriate form naturally appear in many protocols, e.g., due to the use of Groth-Sahai proofs.
The beauty of our technique is that the underlying idea is pretty simple: we observe that many systems of equations can alternatively be viewed as a single equation of products of polynomials for which probabilistic polynomial identity testing following Schwartz-Zippel can be applied. Comparisons show that our approach can lead to significant improvements in terms of the number of pairing evaluations. Indeed, for the BeleniosRF voting system presented at CCS 2016, we can reduce the number of pairings (required for ballot verification) from $4k+140$, as originally reported by Chaidos et al., to $k+7$. As our implementation and benchmarks demonstrate, this may reduce the verification runtime to only $5\%$ to $13\%$ of the original runtime.
Pratish Datta, Ratna Dutta, Sourav Mukhopadhyay
ePrint ReportFukang Liu, Florian Mendel, Gaoli Wang
ePrint Report26 August 2017
Dresden, Germany, 19 March - 23 March 2018
Event CalendarSubmission deadline: 10 September 2017
Sibenik, Croatia, 11 June - 15 June 2018
Event CalendarSingapore University of Technology and Design (SUTD)
Job PostingI am looking for PhD interns with interest in cyber-physical system security (IoT, autonomous vehicle, and power grid etc.), especially on the topics such as 1) Lightweight and low-latency crypto algorithms for CPS devices, 2) Resilient authentication of devices and data in CPS, 3) Advanced SCADA firewall to filter more sophisticated attacking packets in CPS, 4) Big data based threat analytics for detection of both known and unknown threats, 5) Attack mitigation to increase the resilience of CPS. The attachment will be at least 3 months. Allowance will be provided for local expenses.
Interested candidates please send your CV with a research statement to Prof. Jianying Zhou.
Closing date for applications: 30 September 2017
Contact: jianying_zhou (at) sutd.edu.sg
More information: http://jianying.space/
25 August 2017
Election
Vladimir Kolesnikov, Naor Matania, Benny Pinkas, Mike Rosulek, Ni Trieu
ePrint ReportWe demonstrate the practicality of our protocols with an implementation. To the best of our knowledge, this is the first implementation of a multi-party PSI protocol. For 5 parties with data-sets of $2^{20}$ items each, our protocol requires only $72$ seconds. In an optimization achieving a slightly weaker variant of security (augmented semi-honest model), the same task requires only $22$ seconds.
The technical core of our protocol is oblivious evaluation of a {\em programmable} pseudorandom function (\OPPRF), which we instantiate in three different ways. We believe our new \OPPRF abstraction and constructions may be of independent interest.
Daniel Günther, Ágnes Kiss, Thomas Schneider
ePrint ReportIn this paper, we revisit Valiant's UC constructions and the recent results, and provide a modular and generic embedding algorithm for any $k$-way UC. Furthermore, we discuss the possibility for a more efficient UC based on a 3-way recursive strategy. We show with a counterexample that even though it is a promising approach, the 3-way UC does not yield an asymptotically better result than the 4-way UC. We propose a hybrid approach that combines the 2-way with the 4-way UC in order to minimize the size of the resulting UC. We elaborate on the concrete size and depth of all discussed UC constructions and show that our hybrid UC yields on average 3.65% improvement in size over the 2-way UC. We implement the 4-way UC in a modular manner based on our proposed embedding algorithm, and show that our methods for programming the UC can be generalized for any $k$-way construction.
Parvin Rastegari, Mehdi Berenjkoub
ePrint ReportSikhar Patranabis, Debdeep Mukhopadhyay
ePrint ReportZvika Brakerski, Rotem Tsabary, Vinod Vaikuntanathan, Hoeteck Wee
ePrint ReportBoneh, Kim and Montgomery (EUROCRYPT 2017) presented a construction of private constrained PRF for point function constraints, and Canetti and Chen (EUROCRYPT 2017) presented a completely different construction for NC1 constraints. In this work, we show two constructions of LWE-based constraint-hiding constrained PRFs for general predicates described by polynomial-size circuits.
The two constructions are based on two distinct techniques that we show have further applicability by constructing weak attribute-hiding predicate encryption schemes. In a nutshell, the first construction imports the technique of modulus switching from the FHE world into the domain of trapdoor extension and homomorphism. The second construction shows how to use the duality between FHE secret-key/randomness and ABE randomness/secret-key to construct a scheme with dual use of the same values for both FHE and ABE purposes.