International Association for Cryptologic Research

IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

24 June 2016
The algorithm presented in this paper computes a maximum probability differential characteristic in a Substitution-Permutation Network (or SPN). Such characteristics can be used to prove that a cipher is practically secure against differential cryptanalysis or on the contrary to build the most effective possible attack. Running in just a few second on 64 or 128-bit SPN, our algorithm is an important tool for both cryptanalists and designers of SPN.
In this work, we analyze the resistance of \textsc{Simon}-like ciphers against differential attacks without using computer-aided methods. In this context, we first define the notion of a \textsc{Simon}-like cipher as a generalization of the \textsc{Simon} design. For certain instances, we present a method for proving the resistance against differential attacks by upper bounding the probability of a differential characteristic by $2^{-2T+2}$ where $T$ denotes the number of rounds. Interestingly, if $2n$ denotes the block length, our result is sufficient in order to bound the probability by $2^{-2n}$ for all full-round variants of \textsc{Simon} and \textsc{Simeck}. Thus, it guarantees security in a sense that, even having encryptions of the full codebook, one cannot expect a differential characteristic to hold. The important difference between previous works is that our proof can be verified by hand and thus contributes towards a better understanding of the design. However, it is to mention that we do not analyze the probability of multi-round differentials.

Although there are much better bounds known, especially for a high number of rounds, they are based on experimental search like using SAT/SMT solvers. While those results have already shown that \textsc{Simon} can be considered resistant against differential cryptanalysis, our argument gives more insights into the design itself. As far as we know, this work presents the first non-experimental security argument for full-round versions of several \textsc{Simon}-like instances.
We consider a new adversarial goal in multiparty protocols, where the adversary may corrupt some parties. The goal is to manipulate the view of some honest party in a way, that this honest party learns the private data of some other honest party. The adversary itself might not learn this data at all. This goal, and such attacks are significant because they create a liability to the first honest party to clean its systems from second honest party's data; a task that may be highly non-trivial.

Protecting against this goal essentially means achieving security against several non-cooperating adversaries, where all but one adversary are passive and corrupt only a single party. We formalize the adversarial goal by proposing an alternative notion of universal composability. We show how existing, conventionally secure multiparty protocols can be transformed to make them secure against the novel adversarial goal.
ePrint Report Game-Based Privacy Analysis of RFID Security Schemes for Confident Au-thentication in IoT Behzad Abdolmaleki, Karim Baghery, Shahram Khazaei, Mohammad Reza Aref
Recently, Radio Frequency Identification (RFID) and Near Field Communication (NFC) systems are found in various user-friendly services that all of us deal with in our daily lives. As these systems are ubiquitously deployed in different authenti-cation and identification applications, inferring information about our behavior will be possible by monitoring our use of them. In order to provide privacy and security requirements of RFID users in novel authentication applications, lots of security schemes have been proposed which have tried to provide secure and untraceable communication for end-users. In this paper, we investi-gate the privacy of three RFID security schemes which have been proposed recently. For privacy analysis, we use the well-known RFID formal privacy model proposed by Ouafi and Phan. We show that all the studied protocols have some privacy drawbacks, making them vulnerable to various traceability attacks. Moreover, in order to overcome all the reported weaknesses and prevent the presented attacks, we apply some modifications in the structures of the studied protocols and propose an improved version of each one. Our analyses show that the modified protocols are more efficient than their previous versions and new modifications can omit all the existing weaknesses on the analyzed protocols. Finally, we compare the modified protocols with some new-found RFID authentication protocols in the terms of security and privacy.
Side-channel analysis and fault-injection attacks are known as major threats to any cryptographic implementation. Hardening cryptographic implementations with appropriate countermeasures is thus essential before they are deployed in the wild. However, countermeasures for both threats are of completely different nature: Side-channel analysis is mitigated by techniques that hide or mask key-dependent information while resistance against fault-injection attacks can be achieved by redundancy in the computation for immediate error detection. Since already the integration of any single countermeasure in cryptographic hardware comes with significant costs in terms of performance and area, a combination of multiple countermeasures is expensive and often associated with undesired side effects.

In this work, we introduce a countermeasure for cryptographic hardware implementations that combines the concept of a provably-secure masking scheme (i.e., threshold implementation) with an error detecting approach against fault injection. As a case study, we apply our generic construction to the lightweight LED cipher. Our LED instance achieves first-order resistance against side-channel attacks combined with a fault detection capability that is superior to that of simple duplication for most error distributions at an increased area demand of 12%.
ePrint Report Strong 8-bit Sboxes with Efficient Masking in Hardware Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, Tobias Schneider
Block ciphers are arguably the most important cryptographic primitive in practice. While their security against mathematical attacks is rather well understood, physical threats such as side-channel analysis (SCA) still pose a major challenge for their security. An effective countermeasure to thwart SCA is using a cipher representation that applies the threshold implementation (TI) concept. However, there are hardly any results available on how this concept can be adopted for block ciphers with large (i.e., 8-bit) Sboxes. In this work we provide a systematic analysis on and search for 8-bit Sbox constructions that can intrinsically feature the TI concept, while still providing high resistance against cryptanalysis. Our study includes investigations on Sboxes constructed from smaller ones using Feistel, SPN, or MISTY network structures. As a result, we present a set of new Sboxes that not only provide strong cryptographic criteria, but are also optimized for TI. We believe that our results will found an inspiring basis for further research on high-security block ciphers that intrinsically feature protection against physical attacks.
ePrint Report Computational integrity with a public random string from quasi-linear PCPs Eli Ben-Sasson , Iddo Ben-Tov , Alessandro Chiesa, Ariel Gabizon, Daniel Genkin, Matan Hamilis, Evgenya Pergament, Michael Riabzev, Mark Silberstein, Eran Tromer, Madars Virza
A party running a computation remotely may benefit from misreporting its output, say, to lower its tax. Cryptographic protocols that detect and prevent such falsities hold the promise to enhance the security of decentralized systems with stringent computational integrity requirements, like Bitcoin [Nak09]. To gain public trust it is imperative to use publicly verifiable protocols that have no “backdoors” and which can be set up using only a short public random string. Probabilistically Checkable Proof (PCP) systems [BFL90, BFLS91, AS98, ALM + 98] can be used to construct astonishingly efficient protocols [Kil92, Mic00] of this nature but some of the main components of such systems — proof composition [AS98] and low-degree testing via PCPs of Proximity (PCPPs) [BGH + 05, DR06] — have been considered efficient only asymptotically, for unrealistically large computations; recent cryptographic alternatives [PGHR13, BCG + 13a] suffer from a non-public setup phase.

This work introduces SCI, the first implementation of a scalable PCP system (that uses both PCPPs and proof composition). We used SCI to prove correctness of executions of up to $2^{20}$ cycles of a simple processor (Figure 1) and calculated (Figure 2) its break-even point [SVP + 12, SMBW12]. The significance of our findings is two-fold: (i) it marks the transition of core PCP techniques (like proof composition and PCPs of Proximity) from mathematical theory to practical system engineering, and (ii) the thresholds obtained are nearly achievable and hence show that PCP-supported computational integrity is closer to reality than previously assumed.
We present a high-speed, high-security implementation of the recently proposed elliptic curve FourQ (ASIACRYPT 2015) for 32-bit ARM processors with NEON support. Exploiting the versatile and compact arithmetic of this curve, we design a vectorized implementation that achieves high-performance across a large variety of ARM architectures. Our software is fully protected against timing and cache attacks, and showcases the impressive speed of FourQ when compared with other curve-based alternatives. For example, one single variable-base scalar multiplication is computed in about 235,000 Cortex-A8 cycles or 132,000 Cortex-A15 cycles which, compared to the fastest genus 2 Kummer and Curve25519 implementations on the same platforms, offers speedups between 1.3x-1.7x and between 2.1x-2.4x, respectively. In comparison with the NIST standard curve K-283, we achieve speedups above 4x and 5.5x.
Lately, several backdoors in cryptographic constructions, protocols and implementations have been surfacing in the wild: Dual-EC in RSA's B-Safe product, a modified Dual-EC in Juniper's operating system ScreenOS and a non-prime modulus in the open-source tool socat. Many papers have already discussed the fragility of cryptographic constructions not using nothing-up-my-sleeve numbers, as well as how such numbers can be safely picked. However, the question of how to introduce a backdoor in an already secure, safe and easy to audit implementation has so far rarely been researched (in the public). We present two ways of building a Nobody-But-Us (NOBUS) Diffie-Hellman backdoor: a composite modulus with a hidden subgroup (CMHS) and a composite modulus with a smooth order (CMSO). We then explain how we were able to subtly implement and exploit it in a local copy of an open source library using the TLS protocol.
22 June 2016
Event date: 18 July to 22 July 2016
Event date: 19 December to 20 December 2016
Job Posting Post-Doc University of Luxembourg
The research will be conducted under the supervision of Prof P Y A Ryan, head of the APSIA (Applied Security and Information Assurance) research group, http://wwwde.uni.lu/snt/research/apsia.

APSIA specializes in the mathematical foundations of information assurance: the mathematical modelling and analysis of information flows, the design and analysis of cryptographic primitives and protocols (both classical and quantum), secure verifiable voting systems, and anonymous marking systems and game-theoretic analysis of non-interference and coercion-resistance. The group has expertise in both the symbolic (formal methods) and the computational (“provable security”) styles of analysis and is investigating the links and synergies between them. The group has also established itself as a leading centre for the socio-technical aspects of security.

The topic lies both in Authenticated Key Exchange (AKE) and Quantum Key Distribution (QKD). Currently, complexity-theoretic definitions of security for AKEs are abundant but their relations are poorly understood, and the advent of QKD – in which both complexity theoretic and quantum mechanisms are intertwined - is further complicating matters. The research challenge is twofold: 1) to aid in finding fundamental definitions of security for AKE and 2) to develop a rigorous framework for reasoning about the composition of classical and quantum mechanisms, and in particular to examine to what extent definitions for AKE can be adapted to the QKD case.

Closing date for applications: 12 July 2016

Contact: Dr Jean Lancrenon, jean.lancrenon (at) uni.lu or Prof Dr Peter Y A Ryan peter.ryan (at) uni.lu

Job Posting 1 Postdoc and 1 PhD student Graz University of Technology
The postdoc and PhD position will be funded by the ERC project SOPHIA, which starts September 1st, 2016. The project focuses on securing software execution on IoT devices not only against network attacks, but also against physical side-channel and fault attacks. The project combines research on system security architectures (hardware and software), side-channel/fault attacks, cryptography, fault tolerant design as well as formal methods. For the open positions we are in particular looking for postdocs with experience and PhD students with interest in at least one of the following fields:

• Side-channel and fault attacks
• Operating system security
• Software isolation techniques
• Control-flow integrity
• Memory security
• Software testing
• Formal methods
• Code analysis and compilers

Applications should include a curriculum vitae, a statement of motivation, a transcript of records as well as names and email addresses of two persons that can provide references. Please send all attachments as PDFs. We are looking forward to your application.

The open postions are available in the Secure Systems Group, which is a team of about 10 researches. In total, Graz University of Technology employs about 60 researchers in the area of information security. More information on our research topics and our team can be found at http://www.iaik.tugraz.at/sesys.

Closing date for applications: 31 August 2016

Contact: Stefan Mangard

Job Posting Assistant Professor in Systems Security University of Twente, The Netherlands
The University of Twente is seeking applications from excellent candidates in Computer Science, with a convincing research and education track record in Systems Security, broadly conceived, in any one or more of the following areas:

- Operating systems security and/or hardware security;

- Distributed systems security and/or cloud computing security;

- Mobile systems security and/or web security.

We offer a challenging full-time position in an inspiring multidisciplinary and international environment. The successful candidate will be employed for the duration of 3 years as an Assistant Professor at the chair of Services, Cyber Security, and Safety (SCS). The salary, depending on your experience and qualifications, will range from € 3.400,-- to € 4.654,-- gross per month. In addition, the University of Twente offers attractive employment conditions (for example 8% holiday allowance and 8,3% end-of-year bonus), excellent support for research and facilities for professional and personal development.

Applications should include a letter of motivation (including a short research and education statement), a detailed curriculum vitae, a list of publications and three references (including at least one international reference).

Closing date for applications: 5 August 2016

Contact: Questions regarding this position can be addressed to Prof. Dr. Roel Wieringa, chairman of Services, Cyber Security and Safety (r.j.wieringa (at) utwente.nl, +31 (0)53 489 4189), or to Dr. Andreas Peter, in the same group (a.peter (at) utwente.nl, +31 (0)53 489 2918).

21 June 2016
Event Calendar : Mini-Workshop on Post-Quantum Crypto Utrecht, The Netherlands, 28 June 2016
Event date: 28 June 2016
Job Posting Staff Scientist/Post-Doctoral Scholar Drexel University Cybersecurity Institute
The Drexel University Cybersecurity Institute invites applications for a postdoctoral scholar or research staff scientist with expertise in cybersecurity.

The individual will be an integral part of the highly interdisciplinary team of more than fifteen tenure and tenure- track faculty across the Drexel University campus actively engaged in cybersecurity research. S/he will have the opportunity to work with leading scholars in areas such as i) malware detection, classification, and mitigation, ii) anomaly detection, iii) active user authentication, iv) wireless channel and wireless network security, v) media forensics and anti-?forensics, vi) privacy, anonymity, and stylometry, vii) hardware and electronic security, viii) social networking threat analysis, and others. The successful candidate will have a publication record in cybersecurity and related fields, and a demonstrated ability to lead the submission of interdisciplinary cybersecurity research proposals to government funding agencies, such as the National Science Foundation (NSF) or the various agencies of the Department of Defense (DoD).

Recent Ph.D. in Electrical and Computer Engineering or Computer Science or other closely related discipline. Strong background in any research area of cyber security. Experience in proposal authoring and capture of new business and research opportunities.

The researcher will conduct high quality research in cybersecurity, prepare and submit related grant proposals, and have the opportunity to teach in related areas.

Enter requisition # 7507 at DrexelJobs.com

Closing date for applications: 1 December 2016

Contact: Steven Weber, Ph.D.

Director

Drexel Cybersecurity Institute

We consider the situation where a large number $n$ of players want to securely compute a large function $f$ with security against an adaptive, malicious adversary which might corrupt $t < cn$ of the parties for some given $c \in [0,1)$. In other words, only some arbitrarily small constant fraction of the parties are assumed to be honest. For any fixed $c$, we consider the asymptotic complexity as $n$ and the size of $f$ grows. We are in particular interested in the computational overhead, defined as the total computational complexity of all parties divided by the size of $f$. We show that it is possible to achieve poly-logarithmic computational overhead for all $c < 1$. Prior to our result it was only known how to get poly-logarithmic overhead for $c < \frac{1}{2}$. We therefore significantly extend the area where we can do secure multiparty computation with poly-logarithmic overhead. Since we allow that more than half the parties are corrupted, we can only get security with abort, i.e., the adversary might make the protocol abort before all parties learn their outputs. We can, however, for all $c$ make a protocol for which there exists $d > 0$ such that if at most $d n$ parties are actually corrupted in a given execution, then the protocol will not abort. Our result is solely of theoretical interest.
ePrint Report Efficient and Provable White-Box Primitives Pierre-Alain Fouque, Pierre Karpman, Paul Kirchner, Brice Minaud
In recent years there have been several attempts to build white-box block ciphers whose implementation aims to be incompressible. This includes the weak white-box ASASA construction by Bouillaguet, Biryukov and Khovratovich from Asiacrypt 2014, and the recent space-hard construction by Bogdanov and Isobe at CCS 2016. In this article we propose the first constructions aiming at the same goal while offering provable security guarantees. Moreover we propose concrete instantiations of our constructions, which prove to be quite efficient and competitive with prior work. Thus provable security comes with a surprisingly low overhead.
ePrint Report Bitstream Fault Injections (BiFI) - Automated Fault Attacks against SRAM-based FPGAs Pawel Swierczynski, Georg T. Becker, Amir Moradi, Christof Paar
This contribution is concerned with the question whether an adversary can automatically manipulate an unknown FPGA bitstream realizing a cryptographic primitive such that the underlying secret key is revealed. In general, if an attacker has full knowledge about the bitstream structure and can make changes to the target FPGA design, she can alter the bitstream leading to key recovery. However, this requires challenging reverse-engineering steps including that of the proprietary bitstream format. We argue that this is a major reason why bitstream fault injection attacks have been largely neglected in the past. In this paper, we show that malicious bitstream modifications are i) much easier to conduct than commonly assumed and ii) surprisingly powerful. We introduce a novel class of bitstream fault injection (BiFI) attacks which does not require any reverse-engineering to undermine cryptographic cores. Our attacks can be automatically mounted without any detailed knowledge about either the bitstream format of the design of the crypto primitive which is being attacked. Bitstream encryption features do not necessarily prevent our attack if the integrity of the encrypted bitstream is not carefully checked. We have successfully verified the feasibility of our attacks in practice by considering several publicly available AES designs. As target platforms, we have conducted our experiments on Spartan-6 and Virtex-5 Xilinx FPGAs.
In this paper, we provide a security analysis of ELmD: a block cipher based Encrypt-Linear-mix-Decrypt authentication mode. As being one of the second-round CAESAR candidate, it is claimed to provide misuse resistant against forgeries and security against block-wise adaptive adversaries as well as 128-bit security against key recovery attacks. We scrutinize ElmD in such a way that we provide universal forgery attacks as well as key recovery attacks. First, based on the collision attacks on similar structures such as Marble, AEZ, and COPA, we present universal forgery attacks. Second, by exploiting the structure of ELmD, we acquire ability to query to the block cipher used in ELmD. Finally, for one of the proposed versions of ELmD, we mount key recovery attacks reducing the effective key strength by more than 60 bits.
In the cloud computing era, in order to avoid computational burdens, many organizations tend to outsource their computations to third-party cloud servers. In order to protect service quality, the integrity of computation results need to be guaranteed. In this paper, we develop a game theoretic framework which helps the outsourcer to minimize its cost while ensuring the integrity of the outsourced computation. We then apply the proposed framework to two collaborative ltering algorithms and demonstrate the equilibriums together with the corresponding minimal costs. Finally, we show that, by including the intermediate results in the nal output, further cost reduction can be achieved.
We discuss a tweak for the domain extension called Merkle-Damg{\aa}rd with Permutation (MDP), which was presented at ASIACRYPT 2007. We first show that MDP may produce multiple independent pseudorandom functions (PRFs) using a single secret key and multiple permutations if the underlying compression function is a PRF against related-key attacks with respect to the permutations. Using this result, we then construct a hash-function-based MAC function, which we call FMAC, using a compression function as its underlying primitive. We also present a scheme to extend FMAC so as to take as input a vector of strings.
At PQCrypto'14 Porras, Baena and Ding proposed a new interesting construction to overcome the security weakness of the HFE encryption scheme, and called their new encryption scheme ZHFE. They provided experimental evidence for the security of ZHFE, and proposed the parameter set $(q,n,D)= (7,55,105)$ with claimed security level $2^{80}$ estimated by experiment. However there is an important gap in the state-of-the-art cryptanalysis of ZHFE, i.e., a sound theoretical estimation for the security level of ZHFE is missing. In this paper we fill in this gap by computing upper bounds for the Q-Rank and for the degree of regularity of ZHFE in terms of $\log_q D$, and thus providing such a theoretical estimation. For instance the security level of ZHFE(7,55,105) can now be estimated theoretically as at least $2^{96}$. Moreover for the inefficient key generation of ZHFE, we also provide a solution to improve it significantly, making almost no computation needed.
ePrint Report New Feasibility Results in Unconditional UC-Secure Computation with (Malicious) PUFs Saikrishna Badrinarayanan, Dakshita Khurana, Rafail Ostrovsky, Ivan Visconti
Brzuska \etal. (Crypto 2011) proved that unconditional UC-secure computation is possible if parties have access to honestly generated physically unclonable functions (PUFs). Dachman-Soled \etal. (Crypto 2014) then showed how to obtain unconditional UC secure computation based on malicious PUFs, assuming such PUFs are stateless. They also showed that unconditional oblivious transfer is impossible against an adversary that creates malicious stateful PUFs. \begin{itemize} \item In this work, we go beyond this seemingly tight result, by allowing any adversary to create stateful PUFs with a priori bounded state. This relaxes the restriction on the power of the adversary, offering improved security guarantees. This is also motivated by practical scenarios, where the size of a physical object may be used to compute an upper bound on the size of its memory. \item As a second contribution, we introduce a new model where any adversary is allowed to generate a malicious PUF that may encapsulate other (honestly generated) PUFs within it, such that the outer PUF has oracle access to all the inner PUFs. This is again motivated by practical scenarios, and in fact, similar adversaries have been studied in the tamper-proof hardware-token model (\eg, Chandran \etal. (Eurocrypt 2008)), but no such notion has ever been considered with respect to PUFs. All previous constructions of UC secure protocols suffer from explicit attacks in this stronger model. \end{itemize} In a direct improvement over all previous results, we construct {\em UC protocols with unconditional security} in both these models.
ePrint Report Sealed-Glass Proofs: Using Transparent Enclaves to Prove and Sell Knowledge Florian Tramer, Fan Zhang, Huang Lin, Jean-Pierre Hubaux, Ari Juels, Elaine Shi
Trusted hardware systems, such as Intel's new SGX instruction set architecture extension, aim to provide strong confidentiality and integrity assurances for applications. Recent work, however, raises serious concerns about the vulnerability of such systems to side-channel attacks.

We propose, formalize, and explore a cryptographic primitive called a {\em Sealed-Glass Proof (SGP)} that captures computation possible in an isolated execution environment with *unbounded leakage*, and thus in the face of arbitrarily powerful side-channel attacks. A SGP specifically models the capabilities of trusted hardware that can attest to *correct execution* of a piece of code, but whose execution is *transparent*, meaning that an application's secrets and state are visible to other processes on the same host.

Despite this strong threat model, we show that a SGP can support a range of practical applications. Our key observation is that a SGP permits safe verifiable computing in zero-knowledge, as information leakage results only in the prover learning her own secrets. Among other applications, we describe the implementation of an end-to-end bug bounty (or zero-day solicitation) platform that couples a SGX-based SGP with a smart contract. This platform enables a marketplace that achieves fair exchange, protects against unfair bounty withdrawals, and resists denial-of-service attacks by dishonest sellers. We also consider a slight relaxation of the SGP model that permits black-box modules instantiating minimal, side-channel resistant primitives, yielding a still broader range of applications. Our work shows how trusted hardware systems such as SGX can support trustworthy applications even in the presence of side channels.
ePrint Report Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing Weiran Liu, Jianwei Liu, Qianhong Wu, Bo Qin, David Naccache, Houda Ferradi
With the advances of cloud computing, data sharing becomes easier for large-scale enterprises. When deploying privacy and security schemes in data sharing systems, fuzzy-entity data sharing, entity management, and efficiency must take into account, especially when the system is asked to share data with a large number of users in a tree-like structure. (Hierarchical) Identity-Based Encryption is a promising candidate to ensure fuzzy-entity data sharing functionalities while meeting the security requirement, but encounters efficiency difficulty in multi-user settings. This paper proposes a new primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE) to support multi-user data sharing mechanism. Similar to HIBE, HIBBE organizes users in a tree-like structure and users can delegate their decryption capability to their subordinates. Unlike HIBE merely allowing a single decryption path, HIBBE enables encryption to any subset of the users and only the intended users (and their supervisors) can decrypt. We define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2) for HIBBE, which capture the most powerful attacks in the real world. We achieve this goal in the standard model in two steps. We first construct an efficient HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) in which the attacker is not allowed to query the decryption oracle. Then we convert it into an IND-CIVS-CCA2 scheme at only a marginal cost, i.e., merely adding one on-the-fly dummy user at the first depth of hierarchy in the basic scheme without requiring any other cryptographic primitives. Our CCA2-secure scheme natively allows public ciphertext validity test, which is a useful property when a CCA2-secure HIBBES is used to design advanced protocols and auditing mechanisms for HIBBE-based data sharing.
ePrint Report Making Smart Contracts Smarter Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor
Cryptocurrencies record transactions in a decentralized data structure called a blockchain. Two of the most popular cryptocurrencies, Bitcoin and Ethereum, support the feature to encode rules or scripts for processing transactions. This feature has evolved to give practical shape to the ideas of smart contracts, or full-fledged programs that are run on blockchains. Recently, Ethereum's smart contract system has seen steady adoption, supporting tens of thousands of contracts, holding tens of millions dollars worth of virtual coins.

In this paper, we investigate the security of running Ethereum smart contracts in an open distributed network like those of cryptocurrencies. We introduce several new security problems in which an adversary can manipulate smart contract execution to gain profit. These bugs suggest subtle gaps in the understanding of the distributed semantics of the underlying platform. As a refinement, we propose ways to enhance the operational semantics of Ethereum to make contracts less vulnerable. For developers writing contracts for the existing Ethereum system, we build a symbolic execution tool called Oyente to find potential security bugs. Among $19,366$ existing Ethereum contracts, Oyente flags $8,519$ of them as vulnerable. We discuss the severity of attacks for several case studies which have source code available and confirm the attacks (which target only our accounts) in the main Ethereum network.
We describe a highly optimized protocol for general-purpose secure two-party computation (2PC) in the presence of malicious adversaries. Our starting point is a protocol of Kolesnikov \etal (TCC 2015). We adapt that protocol to the online/offline setting, where two parties repeatedly evaluate the same function (on possibly different inputs each time) and perform as much of the computation as possible in an offline preprocessing phase before their inputs are known. Along the way we develop several significant simplifications and optimizations to the protocol.

We have implemented a prototype of our protocol and report on its performance. When two parties on Amazon servers in the same region use our implementation to securely evaluate the AES circuit 1024 times, the amortized cost per evaluation is \emph{5.1ms offline + 1.3ms online}. The total offline+online cost of our protocol is in fact less than the \emph{online} cost of any reported protocol with malicious security. For comparison, our protocol's closest competitor (Lindell \& Riva, CCS 2015) uses 74ms offline + 7ms online in an identical setup.

Our protocol can be further tuned to trade performance for leakage. As an example, the performance in the above scenario improves to \emph{2.4ms offline + 1.0ms online} if we allow an adversary to learn a single bit about the honest party's input with probability $2^{-20}$ (but not violate any other security property, e.g. correctness).
20 June 2016