International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

Updates on the COVID-19 situation are on the Announcement channel.

Here you can see all recent updates to the IACR webpage. These updates are also available:

RSS symbol icon
via RSS feed
Twitter bird icon
via Twitter
Weibo icon
via Weibo
Facebook icon
via Facebook

17 May 2020

Noroff University College Norway
Job Posting Job Posting
Noroff University College seeks to appoint new academic staff in the area of Cyber Security. You will join a team of international staff with whom you will be expected to work in very close collaboration, in undertaking research in the area and engaging in the delivery and management of the newly launched Bachelor in Cyber Security. This degree has a shared common first year with the Digital Forensics and Applied Data Science Bachelors degrees within the Faculty. As such, evidence of prior teamwork and excellent communication skills are essential. Candidates should have a postgraduate qualification (preferably Ph.D) in Computer Science, Computer Security or a related field. The ability to teach a variety of subjects is essential, in particular a range of information security related subjects. Relevant skills and experience in the following areas are required for this post: ● Penetration testing practice and procedures - practical and research experience; ● A demonstrable technical skillset and experience relating to tools, techniques, methodologies, standards, and models for Computer Network Attack (CNO), Computer Network Defence (CND) and Computer Network Exploitation (CNE). ● Exposure to and willingness to teach one or more of the following specialist topics:  Penetration Testing  Web Security  Vulnerability Management  Exploit Development/Bug Hunting  Applied Cryptography  Information Security Principles  Incident Response and Management Compensation to commensurate with the candidate’s qualifications and relevant experience. Closing date for this application is 31 May 2020. We interview continuously and suitable candidates will be contacted to take part in the interview process. For full job description and application form, please visit our website on https://www.noroff.no/om/ledige-stillinger

Closing date for applications:

Contact: Ezanne van Niekerk - jobs@noroff.no '

More information: https://www.noroff.no/om/ledige-stillinger

Expand

16 May 2020

Christopher Patton, Thomas Shrimpton
ePrint Report ePrint Report
We give a framework for relating the concrete security of a “reference” protocol (say, one appearing in an academic paper) to that of some derived, “real” protocol (say, appearing in a cryptographic standard). It is based on the indifferentiability framework of Maurer, Renner, and Holenstein (MRH), whose application has been exclusively focused upon non-interactive cryptographic primitives, e.g., hash functions and Feistel networks. Our extension of MRH is supported by a clearly defined execution model and two composition lemmata, all formalized in a modern pseudocode language. Together, these allow for precise statements about game-based security properties of cryptographic objects (interactive or not) at various levels of abstraction. As a real-world application, we design and prove tight security bounds for a potential TLS 1.3 extension that integrates the SPAKE2 password-authenticated key-exchange into the handshake.
Expand
Marina Polubelova, Karthikeyan Bhargavan, Jonathan Protzenko, Benjamin Beurdouche, Aymeric Fromherz, Natalia Kulatova, Santiago Zanella-Béguelin
ePrint Report ePrint Report
We present a new methodology for building formally verified cryptographic libraries that are optimized for multiple architectures. In particular, we show how to write and verify generic crypto code in the F* programming language that exploits single-instruction multiple data (SIMD) parallelism. We show how this code can be compiled to platforms that supports vector instructions, including ARM Neon and Intel AVX, AVX2, and AVX512. We apply our methodology to obtain verified vectorized implementations on all these platforms for the Chacha20 encryption algorithm, the Poly1305 one-time MAC, and the SHA-2 and Blake2 families of hash algorithms.

A distinctive feature of our approach is that we aggressively share code and verification effort between scalar and vectorized code, between vectorized code for different platforms, and between implementations of different cryptographic primitives. By doing so, we significantly reduce the manual effort needed to add new implementations to our verified library. In this paper, we describe our methodology and verification results, evaluate the performance of our code, and describe its integration into the larger HACL⋆ crypto library. Our vectorized code has already been incorporated into several software projects, including the Firefox web browser.
Expand
Anubhab Baksi, Jakub Breier, Xiaoyang Dong, Chen Yi
ePrint Report ePrint Report
At CRYPTO 2019, Gohr first introduces the deep learning based cryptanalysis on round-reduced SPECK. Using a deep residual network, Gohr trains several neural network based distinguishers on 8-round SPECK-32/64. The analysis follows an `all-in-one' differential cryptanalysis approach, which considers all the output differences effect under the same input difference.

Usually, the all-in-one differential cryptanalysis is more effective than that only uses one single differential trail. However, when the cipher is non-Markov or its block size is large, it is usually very hard to fully compute. Inspired by Gohr's work, we try to simulate the all-in-one differentials for such non-Markov ciphers through deep learning. As proof of works, we trained several distinguishing attacks following machine learning simulated all-in-one differential approach. We present 8-round differntial distinguishers for Gimli-Hash and Gimli-Cipher, each with trivial complexity. Finally, we explore more on choosing an efficient machine learning model and show a three layer neural network can be used.
Expand
Dusan Bozilov
ePrint Report ePrint Report
We present a methodology for finding minimal number of output shares in $d + 1$ TI by modeling the sharing as set covering problem and using different discrete optimization techniques to find solutions. We demonstrate the results of our technique by providing optimal or near-optimal sharings of several classes of Boolean functions of any degree up to 8 variables, for first and second order TI. These solutions present new lower bounds for the total number of shares for these types of functions
Expand
Carla Ràfols, Javier Silva
ePrint Report ePrint Report
Zero-knowledge proofs of satisfiability of linear equations over a group are often used as a building block of more complex protocols. In particular, in an asymmetric bilinear group we often have two commitments in different sides of the pairing, and we want to prove that they open to the same value. This problem was tackled by González, Hevia and Ràfols (ASIACRYPT 2015), who presented an aggregated proof, in the QA-NIZK setting, consisting of only four group elements. In this work, we present a more efficient proof, which is based on the same assumptions and consists of three group elements. We argue that our construction is optimal in terms of proof size.
Expand
Tomer Ashur, Siemen Dhooghe
ePrint Report ePrint Report
This paper tells the origin story of Rescue, a family of cryptographic algorithms in the Marvellous cryptoverse.
Expand
Yi Liu, Qi Wang, Siu-Ming Yiu
ePrint Report ePrint Report
A cryptographic framework, called encryption switching protocol (ESP), has been proposed recently, which enables ciphertexts encrypted under \emph{different} schemes to be converted to the same scheme without revealing the plaintexts. This solves a major issue in privacy-preserving applications, in which users can now encrypt their data under different schemes and still be able to process their encrypted data together. In this paper, we propose an improvement to ESP. In particular, we consider the multi-exponentiation with encrypted bases argument ({\sf MEB}) protocol, which is not only the essential component and efficiency bottleneck of ESP, but also has tremendous potential in many applications and can be used to speed up many intricate cryptographic protocols, such as proof of knowledge of a double logarithm. Based on our analysis and experiments, our proposed {\sf MEB} protocol can reduce the communication cost by $36\%$ when compared to the original protocol and reduce the computation cost of the verifier by $20\% - 47\%$ depending on the settings of experimental parameters. This is particularly useful for verifiers with weak computing power. We also provide a formal security proof to confirm the security of the improved {\sf MEB} protocol.
Expand

15 May 2020

Auqib Hamid Lone, Roohie Naaz
ePrint Report ePrint Report
Security and Scalability are two major challenges that IoT is currently facing. Access control to critical IoT infrastructure is considered as top security challenge that IoT faces. Data generated by IoT devices may be driving many hard real time systems, thus it is of utmost importance to guarantee integrity and authenticity of the data and resources at the first place itself. Due to heterogeneous and constrained nature of IoT devices, traditional IoT security frameworks are not able to deliver scalable, efficient and manageable mechanisms to meet the requirements of IoT devices. On the other hand Blockchain technology has shown great potential to bridge the missing gap towards building a truly decentralized, trustworthy, secure and scalable environment for IoT. Allowing access to IoT resources and data managed through Blockchain will provide an additional security layer backed by the strongest cryptographic algorithms available. In this work we present a reputation driven dynamic access control framework for small scale IoT applications based on Proof of Authority Blockchain, we name it as Rep-ACM. In RepACM framework we build two major services, one for Reputation building (for better IoT device behaviour regulations) and other for Misbehaviour detection (for detecting any Misbehaviour on object resource usage). Both of these services work in coordination with other services of proposed framework to determine who can access what and under what conditions access should be granted. For Proof of Concept (PoC) we created private Ethereum network consisting of two Raspberry Pi single board computers, one desktop computer and a laptop as nodes. We configured Ethereum protocol to use Istanbul Byzantine Fault Tolerance (IBFT) as Proof of Authority (PoA) consensus mechanism for performance optimization in constrained environment. We deployed our model on private network for feasibility and performance analysis.
Expand
Jinkyu Cho, Young-Sik Kim, Jong-Seon No
ePrint Report ePrint Report
With the ongoing developments in artificial intelligence (AI), big data, and cloud services, fully homomorphic encryption (FHE) is being considered as a solution for preserving the privacy and security in machine learning systems. Currently, the existing FHE schemes are constructed using lattice-based cryptography. In state-of-the-art algorithms, a huge amount of computational resources are required for homomorphic multiplications and the corresponding bootstrapping that is necessary to refresh the ciphertext for a larger number of operations. Therefore, it is necessary to discover a new innovative approach for FHE that can reduce the computational complexity for practical applications. In this paper, we propose a code-based homomorphic operation scheme. Linear codes are closed under the addition, however, achieving multiplicative homomorphic operations with linear codes has been impossible until now. We strive to solve this problem by proposing a fully homomorphic code scheme that can support both addition and multiplication simultaneously using the Reed-Muller (RM) codes. This can be considered as a preceding step for constructing code-based FHE schemes. As the order of RM codes increases after multiplication, a bootstrapping technique is required to reduce the order of intermediate RM codes to accomplish a large number of operations. We propose a bootstrapping technique to preserve the order of RM codes after the addition or multiplication by proposing three consecutive transformations that create a one-to-one relationship between computations on messages and that on the corresponding codewords in RM codes.
Expand
Mahmoud Yehia, Riham AlTawy, T. Aaron Gulliver
ePrint Report ePrint Report
FORS is the underlying hash-based few-time signing scheme in SPHINCS+, one of the nine signature schemes which advanced to round 2 of the NIST Post-Quantum Cryptography standardization competition. In this paper, we analyze the security of FORS with respect to adaptive chosen message attacks. We show that in such a setting, the security of FORS decreases significantly with each signed message when compared to its security against non-adaptive chosen message attacks. We propose a chaining mechanism that with slightly more computation, dynamically binds the Obtain Random Subset (ORS) generation with signing, hence, eliminating the oine advantage of adaptive chosen message adversaries. We apply our chaining mechanism to FORS and present DFORS whose security against adaptive chosen message attacks is equal to the non-adaptive security of FORS. In a nutshell, using SPHINCS+-128s parameters, FORS provides 75-bit security and DFORS achieves 150-bit security with respect to adaptive chosen message attacks after signing one message. We note that our analysis does not affect the claimed security of SPHINCS+. Nevertheless, this work provides a better understanding of FORS and other HORS variants and furnishes a solution if new adaptive cryptanalytic techniques on SPHINCS+ emerge.
Expand
Marcelo Blatt, Alexander Gusev, Yuriy Polyakov, Shafi Goldwasser
ePrint Report ePrint Report
Genome-Wide Association Studies (GWAS) seek to identify genetic variants associated with a trait, and have been a powerful approach for understanding complex diseases. A critical challenge for GWAS has been the dependence on individual-level data that typically have strict privacy requirements, creating an urgent need for methods that preserve the individual-level privacy of participants. Here, we present a privacy-preserving framework based on several advances in homomorphic encryption and demonstrate that it can perform an accurate GWAS analysis for a real dataset of more than 25,000 individuals, keeping all individual data encrypted and requiring no user interactions. Our extrapolations show that it can evaluate GWAS of 100,000 individuals and 500,000 SNPs in 5.6 hours on a single server node (or in 11 minutes on 31 server nodes running in parallel). Our performance results are more than one order of magnitude faster than prior state-of-the-art results using secure multi-party computation, which requires continuous user interactions, with the accuracy of both solutions being similar. Our homomorphic encryption advances can also be applied to other domains where large-scale statistical analyses over encrypted data are needed.
Expand
Hocheol Shin, Juhwan Noh, Dohyun Kim, Yongdae Kim
ePrint Report ePrint Report
Fire alarm and signaling systems are a networked system of fire detectors, fire control units, automated fire extinguishers, and fire notification appliances. Malfunction of these safety-critical cyber-physical systems may lead to chaotic evacuations, property damages, and even loss of human life. Therefore, reliability is one of the most crucial factors for fire detectors. Indeed, even a single report of a fire cannot be ignored considering the importance of early fire detection and suppression. In this paper, we show that wide-area smoke detectors, which are globally installed in critical infrastructures such as airports, sports facilities, and auditoriums, have significant vulnerabilities in terms of reliability; one can remotely and stealthily induce false fire alarms and suppress real fire alarms with a minimal attacker capability using simple equipment. The practicality and generalizability of these vulnerabilities has been assessed based on the demonstration of two types of sensor attacks on two commercial-off-the-shelf optical beam smoke detectors from different manufacturers. Further, the practical considerations of building stealthy attack equipment has been analyzed, and an extensive survey of almost all optical beam smoke detectors on the market has been conducted. In addition, we show that the current standards of the fire alarm network connecting the detector and a control unit exacerbate the problem, making it impossible or very difficult to mitigate the threats we found. Finally, we discuss hardware and software-based possible countermeasures for both wide-area smoke detectors and the fire alarm network; the effectiveness of one of the countermeasures is experimentally evaluated.
Expand
Fukang Liu, Takanori Isobe, Willi Meier
ePrint Report ePrint Report
The Gimli permutation was proposed in CHES 2017, which is distinguished from other well-known permutation-based primitives for its cross-platform performance. One main strategy to achieve such a goal is to utilize a sparse linear layer (Small-Swap and Big-Swap), which occurs every two rounds. In addition, the round constant addition occurs every four rounds and only one 32-bit word is affected by it. The above two facts have been exploited by \mbox{Liu-Isobe-Meier} to mount a distinguishing attack on 14 rounds of Gimli permutation with time complexity 1 by utilizing the internal difference. Inspired by the \mbox{14-round} distinguisher, we demonstrate that it is feasible to extend it to the full Gimli permutation with time complexity $2^{129}$ by further taking advantage of its weak diffusion. The corresponding technique is named as hybrid zero internal differential since the internal difference and XOR difference are simultaneously traced. Our distinguisher can be interpreted as a variant of the common differential distinguisher and \mbox{zero-sum} distinguisher. Apart from the permutation itself, combined with some new properties of the SP-box, the weak diffusion can also be utilized to accelerate the preimage attacks on reduced \mbox{Gimli-Hash} and Gimli-XOF-128 with a divide-and-conquer method. As a consequence, the preimage attack on 2-round Gimli-Hash is practical and it can reach up to 5 rounds. For Gimli-XOF-128, our preimage attack can reach up to 9 rounds. To the best of our knowledge, this is the first attack on the full Gimli permutation and our preimage attacks on reduced Gimli-Hash and Gimli-XOF-128 are the best so far. Since Gimli is included in the second round candidates in NIST's Lightweight Cryptography Standardization process, we expect that our analysis can advance the understanding of Gimli. It should be emphasized that this work can not threaten the security of the hash scheme and authenticated encryption scheme built on Gimli.
Expand
Alexander Chepurnoy, Amitabh Saxena
ePrint Report ePrint Report
We present ZeroJoin, a practical privacy-enhancing protocol for blockchain transactions. ZeroJoin can be considered a combination of ZeroCoin and CoinJoin. It borrows ideas from both but attempts to overcome some of their drawbacks. Like ZeroCoin, our protocol uses zero-knowledge proofs and a pool of participants. However, unlike ZeroCoin, our proofs are very efficient, and our pool size is not monotonously increasing. Thus, our protocol overcomes the two major drawbacks of ZeroCoin. Our approach can also be considered a non-interactive variant of CoinJoin, where the interaction is replaced by a public transaction on the blockchain. The security of ZeroJoin is based on the Decision Diffie-Hellman (DDH) assumption. We also present ErgoMix, a practical implementation of ZeroJoin on top of Ergo, a smart contract platform based on Sigma protocols. While ZeroJoin contains the key ideas, it leaves open the practical issue of handling fees. The key contribution of ErgoMix is a novel approach to handle fee in ZeroJoin.
Expand
Giuseppe Garofalo, Tim Van hamme, Davy Preuveneers, Wouter Joosen, Aysajan Abidin, Mustafa A. Mustafa
ePrint Report ePrint Report
Successful contact tracing effectively facilitates the fight against pandemics of highly contagious diseases such as COVID-19. Existing efforts either rely on effective yet privacy-invasive surveillance infrastructure, or focus on privacy-preserving decentralised solutions which may limit their effectiveness. The former collects vast amounts of sensitive data such as identity, location and social interactions of every user, which allows function creep. The latter relies on users' willingness to share their risk scores with authorities, which limits their ability to quickly identify people at-risk and to run analytics. We propose a practical solution that aims to strike a balance between functionality and privacy: one that does not collect sensitive information, such as, location data, while at the same time allowing effective tracing and notifying the close contacts of infected users. To protect users' privacy, our solution uses local proximity tracing based on broadcasting and recording constantly changing anonymous public keys via short-range communication, for example, Bluetooth. These public keys are used to establish a shared secret key between two people in close contact. These three keys are then used to generate two unique per-user-per-contact hashes: one for infection registration and one for health status query. These hashes are never revealed to the public. To support functionality, risk score computation is performed centrally, which provides the health authorities with minimal, yet insightful and actionable data. Data minimization is achieved by the use of per-user-per-contact hashes and by enforcing role separation. In our design, the health authorities and the GPs act as proxies, while the matching between hashes is outsourced to a third-party, i.e. the matching service. This separation ensures that out-of-scope information, such as social interaction within the population, is hidden from the health authorities and, at the same time, the matching service does not learn sensitive information about the users. Our solution requires a degree of trust in the entities involved that is considerably lower w.r.t. centralised alternatives.
Expand
Bijan Fadaeinia, Thorben Moos, Amir Moradi
ePrint Report ePrint Report
The down-scaling of circuit technology has led to stronger leakage currents in CMOS standard cells. This source of power consumption is data dependent and can be utilized to extract secrets from cryptographic devices. We propose Balanced Static Power Logic (BSPL), the first leakage-balancing approach that achieves optimal data-independence with respect to drain-source leakage. We re-design fundamental standard cells in such a way that their leakage current is essentially constant, irrespective of inputs and outputs, barring process variations. Even in presence of considerable intra-die variations, modeled by Monte Carlo simulations, BSPL gates still maintain a significantly reduced mutual information between the circuit’s input and conducted leakage current.
Expand
Lilya Budaghyan, Nikolay Kaleyski, Constanza Riera, Pantelimon Stanica
ePrint Report ePrint Report
We define a set called the pAPN-spectrum of an $(n,n)$-function $F$, which measures how close $F$ is to being an APN function, and investigate how the size of the pAPN-spectrum changes when two of the outputs of a given $F$ are swapped. We completely characterize the behavior of the pAPN-spectrum under swapping outputs when $F(x) = x^{2^n-2}$ is the inverse function over $\mathbb{F}_{2^n}$. We also investigate this behavior for functions from the Gold and Welch monomial APN families, and experimentally determine the size of the pAPN-spectrum after swapping outputs for representatives from all infinite monomial APN families up to dimension $n = 10$.
Expand
Jean-Claude Caraco, Rémi Géraud-Stewart, David Naccache
ePrint Report ePrint Report
Auguste Kerckhoffs' seminal article is ritually mentioned in countless cryptography articles and Ph.D. theses.

In 1998 the first author published a little-known biographic sketch of Kerckhoffs in Esperanto. In 2013 we undertook the project to develop, complete and enrich this little-known notice with new material and publish an extended account of Kerckhoffs' life. This was unfortunately interrupted by the passing away of the first author in 2015.

This article is an attempt to provide the most comprehensive biography of Auguste Kerckhoffs.
Expand
Lisa Eckey, Sebastian Faust, Kristina Hostáková, Stefanie Roos
ePrint Report ePrint Report
Payment Channel Networks (PCNs) enable fast, scalable, and cheap payments by moving transactions off-chain, thereby overcoming debilitating drawbacks of blockchains. However, current algorithms exhibit frequent payment failures when a payment is routed via multiple intermediaries. One of the key challenges for designing PCNs is to drastically reduce this failure rate. In this paper, we design a Bitcoin-compatible protocol that allows intermediaries to split payments on the path. Intermediaries can thus easily adapt the routing to the local conditions, which the sender is unaware of. Our protocol provides both termination and atomicity of payments, and provably guarantees that no participant loses funds even in the presence of malicious parties. An extended version of our protocol further provides unlinkability between two partial split payments belonging to the same transaction, which -- as we argue -- is important to guarantee the success of split payments. Besides formally modeling and proving the security of our construction, we conducted an in-depth simulation-based evaluation of various routing algorithms and splitting methods. Concretely, we present Interdimensional SpeedyMurmurs, a modification of the SpeedyMurmurs protocol that increases the flexibility of the route choice combined with splitting. Even in the absence of splitting, Interdimensional SpeedyMurmurs increases the success ratio of transactions drastically in comparison to a Lightning-style protocol, by up to $1/3$. Splitting further increases the probability of success, e.g., from about $84\%$ to $97\%$ in one scenario.
Expand
◄ Previous Next ►