International Association
for Cryptologic Research

Passwords are the most widely used factor in various areas such as secret sharing, key establishment, and user authentication. Single password protocols are proposed (starting with Belenkiy et. al [4]) to overcome the challenges of traditional password protocols and provide provable security against offline dictionary, man-in-the-middle, phishing, and honeypot attacks. While they ensure provable security, they allow a user securely to use a single \textit{low-entropy human memorable} password for all her accounts. They achieve this with the help of a cloud or mobile storage device. However, an attacker corrupting both the login server and storage can mount an offline dictionary attack on user's single password.

In this work, we introduce a framework for distributed single password protocols (DiSPP) that analyzes existing protocols, improves upon them regarding novel constructions and distributed schemes, and allows exploiting alternative cryptographic primitives to obtain secure distributed single password protocols with various trade-offs. Previous single password solutions can be instantiated as part of our framework. We further introduce a secure DiSPP instantiation derived from our framework enforcing the adversary to corrupt several cloud and mobile storage devices in addition to the login server in order to perform a successful offline dictionary attack. We also provide a comparative analysis of different solutions derived from our framework.

Single password authentication (SPA) schemes are introduced to overcome the challenges of traditional password authentications, which are vulnerable to offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against offline dictionary attacks in a provably secure manner. Several cryptographic SPA solutions were proposed in this decade, some based on cloud storage, and some employing a trusted personal mobile device. However, studies on usability of these novel SPA systems are rare, hardening their deployment and the validation of their practicality.

In this paper, we implement two very different SPA systems and assess their usability with the following two comparative experiments: one comparing the state-of-the-art cloud-based browser-extension SPA solution against traditional password-based authentication (where in both cases the user experience is simply entering a username and password), and another comparing the first mobile-application-based SPA solution against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). We obtain that the cloud-based SPA system is easier to use than the traditional approach, making it suitable for daily use deployment, and the mobile-based SPA system is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Hence, SPA systems overall constitute a usable alternative to the existing solutions, while providing offline dictionary attack protection.

Functional encryption (FE) is advanced encryption that enables us to issue functional decryption keys where functions are hardwired. When we decrypt a ciphertext of a message $m$ by a functional decryption key where a function $f$ is hardwired, we can obtain $f(m)$ and nothing else. We say FE is selectively or adaptively secure when target messages are chosen at the beginning or after function queries are sent, respectively. In the setting of weakly-selective setting, function queries are also chosen at the beginning. We say FE is single-key/collusion-resistant when it is secure against adversaries that are given only-one/polynomially-many functional decryption keys, respectively. We say FE is sublinearly-succinct/succinct when the running time of an encryption algorithm is sublinear/poly-logarithmic in the function description size, respectively.

In this study, we propose adaptively secure, collusion-resistant, and succinct (we call ``fully-equipped'') PKFE schemes for circuits. More specifically, we propose a generic transformation from weakly-selectively secure, single-key, and sublinearly-succinct PKFE for circuits into fully-equipped PKFE for circuits. We assume only the existence of weakly-selectively secure, single-key, and sublinearly-succinct PKFE for circuits. That is, our transformation relies on \emph{neither} concrete assumptions such as learning with errors \emph{nor} indistinguishability obfuscation. This is the first generic construction of fully-equipped PKFE that does not rely on indistinguishability obfuscation.

As side-benefits of our results, we obtain the following primitives from weakly-selectively, single-key, and sublinearly-succinct PKFE for circuits: (1) laconic oblivious transfer (2) succinct garbling scheme for Turing machines (3) selectively secure, collusion-resistant, and succinct PKFE for Turing machines (4) low-overhead adaptively secure traitor tracing (5) key-dependent-message secure and leakage-resilient public-key encryption. We also obtain a semi-generic transformation from simulation-based adaptively secure garbling schemes into adaptively indistinguishable garbling schemes whose online complexity does not depend on the output length.

In this work, we introduce and construct $D$-restricted Functional Encryption (FE) for any constant $D \ge 3$, based only on the SXDH assumption over bilinear groups. This generalizes the notion of $3$-restricted FE recently introduced and constructed by Ananth et al. (ePrint 2018) in the generic bilinear group model.

A $D=(d+2)$-restricted FE scheme is a secret key FE scheme that allows an encryptor to efficiently encrypt a message of the form $M=(\vec{x},\vec{y},\vec{z})$. Here, $\vec{x}\in \F_{\prm}^{d\times n}$ and $\vec{y},\vec{z}\in \F_{\prm}^n$. Function keys can be issued for a function $f=\Sigma_{\vec{I}= (i_1,..,i_d,j,k)}\ c_{\vec{I}}\cdot \vec{x}[1,i_1] \cdots \vec{x}[d,i_d] \cdot \vec{y}[j]\cdot \vec{z}[k]$ where the coefficients $c_{\vec{I}}\in \F_{\prm}$. Knowing the function key and the ciphertext, one can learn $f(\vec{x},\vec{y},\vec{z})$, if this value is bounded in absolute value by some polynomial in the security parameter and $n$. The security requirement is that the ciphertext hides $\vec{y}$ and $\vec{z}$, although it is not required to hide $\vec{x}$. Thus $\vec{x}$ can be seen as a public attribute.

$D$-restricted FE allows for useful evaluation of constant-degree polynomials, while only requiring the SXDH assumption over bilinear groups. As such, it is a powerful tool for leveraging hardness that exists in constant-degree expanding families of polynomials over $\mathbb{R}$. In particular, we build upon the work of Ananth et al. to show how to build indistinguishability obfuscation (iO) assuming only SXDH over bilinear groups, LWE, and assumptions relating to weak pseudorandom properties of constant-degree expanding polynomials over $\mathbb{R}$.

Recently, another kind of dynamic cube attack is proposed by Fu \etal. With some key guesses and a transformation in the output bit, they claim that, when the key guesses are correct, the degree of the transformed output bit can drop so significantly that the cubes of lower dimension can not exist, making the output bit vulnerable to the zero-sum cube tester using slightly higher dimensional cubes. They applied their method to 855-round TRIVIUM. In order to verify the correctness of their result, they even proposed a practical attack on 721-round TRIVIUM claiming that the transformed output bit after 721-rounds of initialization does not contain cubes of dimensions 31 and below. However, the degree evaluation algorithm used by Fu \etal is innovative and complicated, and its complexity is not given. Their algorithm can only be implemented on huge clusters and cannot be verified by existing theoretic tools.

In this paper, we theoretically analyze the dynamic cube attack method given by Fu \etal using the division property and MILP modeling technique.

Firstly, we draw links between the division property and Fu \etal's dynamic cube attack so that their method can be described as a theoretically well founded and computationally economic MILP-aided division-property-based cube attack. With the MILP model drawn according to the division property, we analyzed the 721-round TRIVIUM in detail and find some interesting results: \begin{enumerate} \item The degree evaluation using our MILP method is more accurate than that of Fu \etal's. Fu \etal prove that the degree of pure $z^{721}$ is 40 while our method gives 29. We practically proved the correctness of our method by trying thousands of random keys, random 30-dimensional cubes and random assignments to non-cube IVs finding that the summations are constantly 0. \item For the transformed output bit $(1+s_1^{290})\cdot z^{721}$, we proved the same degree 31 as Fu \etal and we also find 32-dimensional cubes have zero-sum property for correct key guesses. But since the degree of pure $z^{721}$ is only 29, the 721-round practical attack on TRIVIUM is violating the principle of Fu \etal's work: after the transformation in the output bit, when the key guesses are correct, the degree of the transformed output bit has not dropped but risen. \item Now that the degree theoretic foundation of the 721-round attack has been violated, we also find out that the key-recovery attack cannot be carried out either. We theoretically proved and practically verified that no matter the key guesses are correct or incorrect, the summation over 32-dimensional cube are always 0. So, no key bit can be recovered at all. \end{enumerate} All these analysis on 721-round TRIVIUM can be verified practically and we open our C++ source code for implementation as well.

Secondly, we revisit their 855-round result. Our MILP model reveal that the 855-round result suffers from the same problems with its 721-round counterpart. We provide theoretic evidence that, after their transformation, the degree of the output bit is more likely to rise rather than drop. Furthermore, since Fu \etal's degree evaluation is written in an unclear manner and no complexity analysis is given, we rewrite the algorithm according to their main ideas and supplement a detailed complexity analysis. Our analysis indicates that a precise evaluation to the degree requires complexities far beyond practical reach. We also demonstrate that further abbreviation to our rewritten algorithm can result in wrong evaluation. This might be the reason why Fu \etal give such a degree evaluation. This is also an additional argument against Fu \etal's dynamic cube attack method.

Thirdly, the selection of Fu \etal's cube dimension is also questionable. According to our experiments and existing theoretic results, there is high risk that the correct key guesses and wrong ones share the same zero-sum property using Fu \etal's cube testers. As a remedy, we suggest that concrete cubes satisfying particular conditions should be identified rather than relying on the IV-degree drop hypothesis.

To conclude, Fu \etal's dynamic cube attack on 855-round TRIVIUM is questionable. 855-round as well as 840-and-up-round TRIVIUM should still be open for further convincible cryptanalysis.

A chameleon-hash behaves likes a standard collision-resistant hash function for outsiders. If, however, a trapdoor is known, arbitrary collisions can be found. Chameleon-hashes with ephemeral trapdoors (CHET; Camenisch et al., PKC ’17) allow prohibiting that the holder of the long-term trapdoor can find collisions by introducing a second, ephemeral, trapdoor. However, this ephemeral trapdoor is required to be chosen freshly for each hash. We extend these ideas and introduce the notion of chameleon-hashes with dual long-term trapdoors (CHDLTT). Here, the second trapdoor is not chosen freshly for each new hash; Rather, the hashing party can decide if it wants to generate a fresh second trapdoor or use an existing one. This primitive generalizes CHETs, extends their applicability and enables some appealing new use-cases, including three-party sanitizable signatures, group-level selectively revocable signatures and break-the-glass signatures. We present two provably secure constructions and an implementation which demonstrates that this extended primitive is efficient enough for use in practice.

We introduce the notion of Protean Signature schemes. This novel type of signature scheme allows to remove and edit signer-chosen parts of signed messages by a semi-trusted third party simultaneously. In existing work, one is either allowed to remove or edit parts of signed messages, but not both at the same time. Which and how parts of the signed messages can be modified is chosen by the signer. Thus, our new primitive generalizes both redactable (Steinfeld et al., ICISC '01, Johnson et al., CT-RSA '02 & Brzuska et al., ACNS'10) and sanitizable signatures schemes (Ateniese et al., ESORICS '05 & Brzuska et al., PKC'09). We showcase a scenario where either primitive alone is not sufficient. Our provably secure construction (offering both strong notions of transparency and invisibility) makes only black-box access to sanitizable and redactable signature schemes, which can be considered standard tools nowadays. Finally, we have implemented our scheme; Our evaluation shows that the performance is reasonable.

In this paper we give a comprehensive comparison between pairing-friendly elliptic curves in Jacobi Quartic and Edwards form with quadratic, quartic, and sextic twists. Our comparison looks at the best choices to date for pairings on elliptic curves with even embedding degree on both $\mathbb{G}_1 \times \mathbb{G}_2$ and $\mathbb{G}_2 \times \mathbb{G}_1$ (these are the twisted Ate pairing and the optimal Ate pairing respectively). We apply this comparison to each of the nine possible 128-bit TNFS-secure families of elliptic curves computed by Fotiadis and Konstantinou; we compute the optimal choice for each family together with the fastest curve shape/pairing combination. Comparing the nine best choices from the nine families gives a optimal choice of elliptic curve, shape and pairing (given current knowledge of TNFS-secure families). We also present a proof-of-concept MAGMA implementation for each case. Additionally, we give the first analysis, to our knowledge, of the use of quadratic twists of both Jacobi Quartic and Edwards curves for pairings on $\mathbb{G}_2 \times \mathbb{G}_1$, and of the use of sextic twists on Jacobi Quartic curves on $\mathbb{G}_1 \times \mathbb{G}_2$.

We present Edrax, a general architecture for building cryptocurrencies with stateless transaction validation. In Edrax, all cryptocurrency nodes, such as miners and validating nodes, can validate incoming transactions and subsequently update user balances simply by accessing the last confirmed block. This removes the current need for storing, off-chain and on-disk, order-of-gigabytes large validation state. We present and implement two instantiations of Edrax, one in the UTXO-based model of Bitcoin-like cryptocurrencies, where we use sparse Merkle trees, and one in the account-based model of Ethereum-like cryptocurrencies, where we show that Merkle trees cannot be used and where algebraic vector commitments are needed instead. Towards this goal, we construct, prove secure and implement the first practical algebraic vector commitment with logarithmic asymptotic costs that can scale to millions of accounts, as required by cryptocurrencies today. Our evaluation of Edrax shows that (i) for the current scale of Bitcoin and Ethereum our stateless transaction validation overhead is comparable to stateful transaction validation that requires gigabytes of local index data; (ii) while the scale increases, the performance of stateful validation deteriorates substantially due to expensive I/Os and our stateless validation is faster by up to approximately two orders of magnitude.

Since 2016 and the introduction of the exTNFS (extended Tower Number Field Sieve) algorithm, the security of cryptosystems based on non- prime finite fields, mainly the paring and torus-based one, is being reassessed. The feasibility of the relation collection, a crucial step of the NFS variants, is especially investigated. It usually involves polynomials of degree one, i.e., a search space of dimension two. However, exTNFS uses bivariate polynomials of at least four coefficients. If sieving in dimension two is well described in the literature, sieving in higher dimension received significantly less attention. We describe and analyze three different generic algorithms to sieve in any dimension for the NFS algorithms. Our implementation shows the practicability of dimension four sieving, but the hardness of dimension six sieving.

The Multivariate Ring Learning with Errors ($m$-RLWE) problem was introduced in 2015 by Pedrouzo-Ulloa, Troncoso-Pastoriza and P\'erez-Gonz\'alez. Instead of working over a polynomial residue ring with one variable as in RLWE, it works over a polynomial residue ring in several variables. However, care must be taken when choosing the multivariate rings for use in cryptographic applications as they can be either weak or simply equivalent to univariate RLWE. For example, Pedrouzo-Ulloa et al.\ suggest using tensor products of cyclotomic rings, in particular power-of-two cyclotomic rings. They claim incorrectly that the security increases with the product of the individual degrees. In this paper, we present simple methods to solve the search $m$-RLWE problem far more efficiently than is stated in the current literature by reducing the problem to the RLWE problem in dimension equal to the maximal degree of its components (and not the product) and where the noise increases with the square-root of the degree of the other components. Our methods utilise the fact that the defining cyclotomic polynomials share algebraically related roots. We use these methods to successfully attack the search variant of the $m$-RLWE problem for a set of parameters estimated to offer more than 2600 bits of security, and being equivalent to solving the bounded distance decoding problem in a highly structured lattice of dimension 16384, in less than two weeks of computation time or just a few hours if parallelized on 128 cores.

Finally, we also show that optimizing module-LWE cryptosystems by introducing an extra ring structure as is common practice to optimize LWE, often results in a total breakdown of security.

We present attacks that use only the volume of responses to range queries to reconstruct databases. Our focus is on practical attacks that work for large-scale databases with many values and records, without requiring assumptions on the data or query distributions. Our work improves on the previous state-of-the-art due to Kellaris \emph{et al.} (CCS 2016) in all of these dimensions.

Our main attack targets reconstruction of database counts and involves a novel graph-theoretic approach. It generally succeeds when $R$, the number of records, exceeds $N^2/2$, where $N$ is the number of possible values in the database. For a uniform query distribution, we show that it requires volume leakage from only $O(N^2 \log N)$ queries (cf.\ $O(N^4 \log N)$ in prior work).

We present two ancillary attacks. The first identifies the value of a new item added to a database using the volume leakage from fresh queries, in the setting where the adversary knows or has previously recovered the database counts. The second shows how to efficiently recover the ranges involved in queries in an online fashion, given an auxiliary distribution describing the database.

Our attacks are all backed with mathematical analyses and extensive simulations using real data.

This paper addresses fast scalar multiplication for elliptic curves over finite fields. In the first part of the paper, we obtain several efficiently computable formulas for basic elliptic curves arithmetic in the family of twisted Edwards curves over prime fields. Our $2Q+P$ formula saves about $2.8$ field multiplications, and our $5P$ formula saves about $4.2$ field multiplications in standard projective coordinate systems, compared to the latest existing results. In the second part of the paper, we formulate bucket methods for the DAG-based and the tree-based abstract ideas. We propose systematically finding a near optimal chain for multi-base number systems (MBNS). These proposed bucket methods take significantly less time to find a near optimal chain, compared to an optimal chain. We conducted extensive experiments to compare the performance of the MBNS methods (e.g., greedy, ternary/binary, multi-base NAF, tree-based, rDAG-based, and bucket). Our proposed formulas were integrated in these methods. Our results show our work had an important role in advancing the efficiency of scalar multiplication.

Attribute-Based Encryption (ABE) is a versatile one-to-many encryption primitive which enables fine-grained access control over encrypted data. Due to its promising applications in practice, ABE has been attracting much attention in the community and schemes with better security, access policy expressivity, and efficiency have been continuously emerging. On the other hand, due to the nature of ABE, namely, different users may share some common decryption privileges and a malicious user may leak some common decryption privileges for financial gain or other incentives, being able to identify such malicious users (i.e. traitor tracing) is crucial towards the practicality of an ABE system. For some existing ABE schemes with appealing properties (e.g. full security, large universe), the corresponding traceable counterparts have been proposed. However, these works are proceeded case by case, and there are still many appealing ABE schemes not having the traceable counterparts. Furthermore, when any new ABE scheme emerges and we want to apply it in practice, it will take significant workload to investigate and propose its traceable counterpart.

In this paper, we propose a framework to transform existing and (possibly) future ABE schemes to their traceable counterparts in a generic manner. In particular, by specifying some requirements on the structure of the ABE constructions, we propose an ABE template, and show that any ABE scheme satisfying this template can be transformed to a fully collusion-resistant blackbox traceable ABE scheme in a generic manner, at the cost of sublinear overhead, while keeping the appealing properties, such as fine-grained access control on encrypted data, highly expressive access policy, short ciphertext, and so on. We prove the security in the framework all in the standard model, and we present a couple of existing ABE schemes with appealing properties as examples that do satisfy our ABE template.

Ledger-based systems that enable rich applications often suffer from two limitations. First, validating a transaction requires re-executing the state transition that it attests to. Second, transactions not only reveal which application had a state transition but also reveal the application's internal state. Unfortunately, expensive re-execution and lack of privacy rule out many use cases.

We design, implement, and evaluate ZEXE, a ledger-based system where users can execute offline computations and subsequently produce transactions, attesting to the correctness of these computations, that satisfy two main properties. First, transactions hide all information about the offline computations. Second, transactions can be validated by anyone in constant time, regardless of the offline computation.

The core of ZEXE is a protocol for a new cryptographic primitive that we introduce, *decentralized private computation* (DPC). The security guarantees of DPC are concisely expressed via an ideal functionality, which our protocol provably achieves. In order to achieve an efficient implementation of our protocol, we leverage tools in the area of cryptographic proofs, including succinct zero knowledge proofs and recursive proof composition. Overall, transactions in ZEXE are 968 bytes *regardless of the offline computation*, and generating them takes less than 2 minutes plus a time that grows with the offline computation.

To facilitate real-world deployments, ZEXE also provides support for delegating the process of producing a transaction to an untrusted worker, and support for threshold transactions and blind transactions.

Ring oscillator-based true random number generators (RO-based TRNGs) are widely used to provide unpredictable random numbers for cryptographic systems. The unpredictability of the output numbers, which can be measured by entropy, is extracted from the jitter of the oscillatory signal. To quantitatively evaluate the entropy, several stochastic models have been proposed, all of which take the jitter as a key input parameter. So it is crucial to accurately estimate the jitter in the process of entropy evaluation. However, several previous methods have estimated the jitter with non-negligible error, which would cause the overestimation of the entropy. In this paper, we propose a jitter estimation method with high accuracy. Our method aims at eliminating the quantization error in previous counter-based jitter estimation methods and finally can estimate the jitter with the error smaller than $1\%$. Furthermore, for the first time, we give a theoretical error bound for our jitter estimation. The error bound confirms the $1\%$ error level of our method. As a consequence, our method will signicantly help to evaluate the entropy of RO-based TRNGs accurately. Finally, we present the application of our jitter estimation method on a practical FPGA device and provide a circuit module diagram for on-chip implementation.

A central tenet of theoretical cryptography is the study of the minimal assumptions re- quired to implement a given cryptographic primitive. One such primitive is the one-time memory (OTM), introduced by Goldwasser, Kalai, and Rothblum [CRYPTO 2008], which is a classical functionality modeled after a non-interactive 1-out-of-2 oblivious transfer, and which is complete for one-time classical and quantum programs. It is known that secure OTMs do not exist in the standard model in both the classical and quantum settings.

Here, we propose a scheme for using quantum information, together with the assumption of stateless (i.e., reusable) hardware tokens, to build statistically secure OTMs. Via the semidefinite programming-based quantum games framework of Gutoski and Watrous [STOC 2007], we prove security for a malicious receiver, against a linear number of adaptive queries to the token, in the quantum universal composability framework. We prove stand-alone security against a malicious sender, but leave open the question of composable security against a malicious sender, as well as security against a malicious receiver making a polynomial number of adaptive queries. Compared to alternative schemes derived from the literature on quantum money, our scheme is technologically simple since it is of the “prepare-and-measure” type. We also show our scheme is “tight” according to two scenarios.

Videos from talks at Crypto 2018 are now available on the IACR Youtube Channel. This includes the rump session and the affiliated workshop titled "Beyond Crypto: A TCS Perspective". See https://youtube.com/TheIACR

The Department of Information Technology and Electrical Engineering (www.ee.ethz.ch) at ETH Zurich invites applications for Professor or Assistant Professor (Tenure Track) of Hardware Security position.

The successful candidate will build a leading research programme in the area of computing architectures that addresses security concerns (data integrity, user authentication, and privacy) from a hardware perspective. Topics of interest include, but are not limited to, the development of architectures designed with both performance and security in mind, such as specific hardware implementations for computing on encrypted data, efficient post-quantum cryptography and novel hardware solutions to prevent side-channel (power, timing) attacks. He or she is expected to collaborate and interact with colleagues in the department and at ETH Zurich, benefiting from strong activities on integrated circuits (e.g. the Microelectronic Design Center) and on security and privacy (e.g. the Zurich Information Security and Privacy Center).

Closing date for applications: 15 January 2019

Contact: Applications through online forms from the URL below:

More information: https://bit.ly/2CGCTXg

The School of Engineering & Technology at the University of Washington Tacoma is seeking applications from qualified candidates for a full-time lecturer position for the Master of Cybersecurity & Leadership Program (MCL) program, with an emphasis on Cyber Risk Management, Cloud Computing/Cloud Security, IoT Security, Mobile Security, and Blockchains. This is a full-time, renewable position with an initial appointment of one to three years based on experience, beginning September 2019. Reappointments are up to five years. The successful candidate(s) will teach master and undergraduate courses in Cybersecurity and Leadership and Information Technology in one or more of the following areas:

Network and Internet Security

Principles of Cybersecurity

Information Assurance, Risk Management and Security Strategies

Cybersecurity Management

Server-Side Web Programming

Database Systems Design & Administration

Network and System Administration

Course description can be found at: https://www.washington.edu/students/crscatt/tcsl.html, and

https://www.washington.edu/students/crscatt/tinfo.html

Screening of applications will begin on December 15, 2018, and will continue until the position is filled. Salary is competitive and will be commensurate with experience and qualifications. For additional information, please contact MCL/IT Lecturer Search Committee at mcl (at) uw.edu.

Required Education:

This position requires a minimum of an MS or foreign equivalent in Cybersecurity, Information Technology, or a related field at the time of appointment.

Required Work Experience:

This position requires at least 1 year of teaching experience in Cybersecurity/ Information Technology-related areas.

Application Instructions

Curriculum Vitae

A cover letter including:

A list of courses in which you feel qualified for teaching

Evidence of prior teaching success

Statement about demonstrated commitment to diversity in teaching, mentoring, and/or service

Contact information for three references

Closing date for applications: 31 March 2019

More information: http://apply.interfolio.com/53684