IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
23 May 2018
University of Maryland Baltimore County (UMBC)
Ph.D. student positions are available (start date: Fall 2018) in the field of hardware security, reliability, VLSI Testing and VLSI in the CSEE Department of University of Maryland, Baltimore County.
UMBC is ranked 55 in Computer Engineering according to US News, and places 7th in the ranking of Most Innovative national universities.
Our group has a strong background in hardware security, reliability, and trust, and in particular in side-channel analysis and fault analysis attacks, IC Counterfeiting, Trojan detection, IP/IC protection, Physically Unclonable Functions (PUFs) and Crypto devices as well as testing and reliability of secure devices and VLSI.
Requirements:
- M.Sc./B.Sc. in Computer Engineering or Electrical Engineering
- Solid knowledge in Hardware Description Languages (HDL)
- Solid Knowledge in digital design
Please contact me with your CV and Statement of Purpose by June 30th.
Naghmeh Karimi, Assistant Professor
Department of Computer Science and Electrical Engineering
University of Maryland, Baltimore County
Baltimore, MD 21250
Web: http://www.csee.umbc.edu/~nkarimi/
Closing Date for Applications: 2018-06-30
Closing date for applications: 30 June 2018
Contact: Naghmeh Karimi, Ph.D.
E-mail: nkarimi (at) umbc.edu
Jack Doerner, Yashvanth Kondi, Eysa Lee, abhi shelat
We propose new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which we prove secure against malicious adversaries in the random oracle model using only the Computational Diffie-Hellman Assumption and the assumptions already relied upon by ECDSA itself. Our scheme requires only two messages, and via implementation we find that it outperforms the best prior results in practice by a factor of 56 for key generation and 11 for signing, coming to within a factor of 18 of local signatures. Concretely, two parties can jointly sign a message in just over three milliseconds.
Qian Guo, Vincent Grosso, François-Xavier Standaert
Xiangfu Song, Changyu Dong, Dandan Yuan, Qiuliang Xu, Minghao Zhao
Aydin Abadi, Sotirios Terzis, Roberto Metere, Changyu Dong
Changyu Dong, Grigorios Loukides
Zvika Brakerski, Renen Perlman
The focus of this work is RLWE with non-uniform distribution on secrets. A legal RLWE secret is (roughly) a uniform element in the ring of integers of a number field, modulo an integer $q$. We consider two main classes of "illegal" distributions of secrets.
The first is sampling from a subring of the intended domain. We show that this translates to a generalized form of RLWE that we call Order-LWE, we provide worst case hardness results for this new problem, and map out regimes where it is secure and where it is insecure. Two interesting corollaries are a (generalization of) the known hardness of RLWE with secrets sampled from the ring of integers of a subfield, and a new hardness results for the Polynomial-LWE (PLWE) problem, with different parameters than previously known.
The second is sampling from a $k$-wise independent distribution over the CRT representation of the secret. We cannot show worst case hardness in this case, but instead present a single average case problem (specifically, bounded distance decoding on a fixed specific distribution over lattices) whose hardness implies the hardness of RLWE for all such distributions of secrets.
Lior Rotem, Gil Segev
We initiate the study of out-of-band authentication in the group setting, extending the user-to-user setting where messaging platforms (e.g., Telegram and WhatsApp) protect against man-in-the-middle attacks by assuming that users have access to an external channel for authenticating one short value (e.g., two users who recognize each other's voice can compare a short value). Inspired by the frameworks of Vaudenay (CRYPTO '05) and Naor et al. (CRYPTO '06) in the user-to-user setting, we assume that users communicate over a completely-insecure channel, and that a group administrator can out-of-band authenticate one short message to all users. An adversary may read, remove, or delay this message (for all or for some of the users), but cannot undetectably modify it.
Within our framework we establish tight bounds on the tradeoff between the adversary's success probability and the length of the out-of-band authenticated message (which is a crucial bottleneck given that the out-of-band channel is of low bandwidth). We consider both computationally-secure and statistically-secure protocols, and for each flavor of security we construct an authentication protocol and prove a lower bound showing that our protocol achieves essentially the best possible tradeoff.
In particular, considering groups that consist of an administrator and $k$ additional users, for statistically-secure protocols we show that at least $(k+1)\cdot (\log(1/\epsilon) - \Theta(1))$ bits must be out-of-band authenticated, whereas for computationally-secure ones $\log(1/\epsilon) + \log k$ bits suffice, where $\epsilon$ is the adversary's success probability. Moreover, instantiating our computationally-secure protocol in the random-oracle model yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).
22 May 2018
Pierre Karpman, Daniel S. Roche
In this paper, we use in turn an algebraic, heuristic, and experimental approach to find many more safe instances of Belaïd et al.'s algorithms. This results in explicit instantiations up to order $d = 6$ over large fields, and up to $d = 4$ over practically relevant fields such as $\mathbb{F}_{2^8}$.
Matvei Kotov, Anton Menshov, Alexey Myasnikov, Dmitry Panteleev, Alexander Ushakov
An implementation of our attack is freely available in CRAG. In particular, the implementation contains all challenging instances we had to deal with on a way to $100\%$ success. We hope it will be useful to braid-group cryptography community.
Thorben Moos, Amir Moradi, Tobias Schneider, François-Xavier Standaert
Changyu Dong, Yilei Wang, Amjad Aldweesh, Patrick McCorry, Aad van Moorsel
Benoît Cogliati, Jooyoung Lee
This paper extends the work initiated by Dodis et al. in three directions; first, we make SPNs tweakable by allowing keyed tweakable permutations in the permutation layer, and prove their security as tweakable block ciphers. Second, we prove beyond-the-birthday-bound security for $2$-round non-linear SPNs with independent S-boxes and independent round keys. Our bounds also tend towards optimal security $2^n$ (in terms of the number of threshold queries) as the number of rounds increases. Finally, all our constructions permit their security proofs in the multi-user setting.
As an application of our results, SPNs can be used to build provably secure wide tweakable block ciphers from several public permutations, or from a block cipher. More specifically, our construction can turn two strong public $n$-bit permutations into a tweakable block cipher working on $wn$-bit blocks and using a $6n$-bit key and an $n$-bit tweak (for any $w\geq 2$); the tweakable block cipher provides security up to $2^{2n/3}$ adversarial queries in the random permutation model, while only requiring $w$ calls to each permutation and $3w$ field multiplications for each $wn$-bit block.
Edouard Dufour Sans, David Pointcheval
Ghada Dessouky, Farinaz Koushanfar, Ahmad-Reza Sadeghi, Thomas Schneider, Shaza Zeitouni, Michael Zohner
Luca De Feo, Jean Kieffer, Benjamin Smith
Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
Our definitions offer various insights on the effect of leakages in the security landscape. In particular, we show that, in contrast with the black-box setting, leaking variants of INT-CTXT and CPA security do not imply a leaking variant CCA security, and that leaking variants of INT-PTXT and CCA do not imply a leaking variant of INT-CTXT. Eventually, we propose FEMALE, a new mode of operation that satisfies our security definitions and supports efficient leveled implementations, and AEDT, another efficient mode of operation that offers the strongest form of misuse resistance that can be achieved in the presence of leakages, while not being fully misuse resistant in the black-box setting.
Dan Boneh, Manu Drijvers, Gregory Neven
In addition, we construct the first short accountable-subgroup multi-signature (ASM) scheme. An ASM scheme enables any subset S of a set of n parties to sign a message m so that a valid signature discloses which subset generated the signature (hence the subset S is accountable for signing m). We construct the first ASM scheme where signature size is only O(k) bits over the description of S, where k is the security parameter. Similarly, the aggregate public key is only O(k) bits, independent of n. The signing process is non-interactive. Our ASM scheme is very practical and well suited for compressing the data needed to spend funds from a t-of-n Multisig Bitcoin address, for any (polynomial size) t and n.
Ronald Cramer, Ivan Damgård, Daniel Escudero, Peter Scholl, Chaoping Xing
We present a new scheme for information-theoretic MACs that are homomorphic modulo $2^k$, and are as efficient as the well-known standard solutions that are homomorphic over fields. We apply this to construct an MPC protocol for dishonest majority in the preprocessing model that has efficiency comparable to the well-known SPDZ protocol (Damgård et al., CRYPTO 2012), with operations modulo $2^k$ instead of over a field. We also construct a matching preprocessing protocol based on oblivious transfer, which is in the style of the MASCOT protocol (Keller et al., CCS 2016) and almost as efficient.
Arpita Patra, Divya Ravi
In the minimal setting of pairwise-private channels, 3PC with selective abort is known to be feasible in just two rounds, while guaranteed output delivery is infeasible to achieve irrespective of the number of rounds. Settling the quest for exact round complexity of 3PC in this setting, we show that three rounds are necessary and sufficient for unanimous abort and fairness. Extending our study to the setting with an additional broadcast channel, we show that while unanimous abort is achievable in just two rounds, three rounds are necessary and sufficient for fairness and guaranteed output delivery. Our lower bound results extend for any number of parties in honest majority setting and imply tightness of several known constructions. The fundamental concept of garbled circuits underlies all our upper bounds. Concretely, our constructions involve transmitting and evaluating only constant number of garbled circuits. Assumption-wise, our constructions rely on injective (one-to-one) one-way functions.