IACR News
If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.
Here you can see all recent updates to the IACR webpage. These updates are also available:
07 July 2018
Bin Yu, Joseph Liu, Amin Sakzad, Surya Nepal, Paul Rimba, Ron Steinfeld, Man Ho Au
      Cryptographic techniques are employed to ensure the security of voting systems in order to increase its wide adoption. However, in such electronic voting systems, the public bulletin board that is hosted by the third party for publishing and auditing the voting results should be trusted by all participants. Recently a number of blockchain-based solutions have been proposed to address this issue. However, these systems are impractical to use due to the limitations on the voter and candidate numbers supported, and their security framework, which highly depends on the underlying blockchain protocol and suffers from potential attacks (e.g., force-abstention attacks). To deal with two aforementioned issues, we propose a practical platform-independent secure and verifiable voting system that can be deployed on any blockchain that supports an execution of a smart contract. Verifiability is inherently provided by the underlying blockchain platform, whereas cryptographic techniques like Paillier encryption, proof-of-knowledge, and linkable ring signature are employed to provide a framework for system security and user-privacy that are independent from the security and privacy features of the blockchain platform. We analyse the correctness and coercion-resistance of our proposed voting system. We employ Hyperledger Fabric to deploy our voting system and analyse the performance of our deployed scheme numerically.
          
  Seattle, USA, 10 December - 13 December 2018
      Event date: 10 December to 13 December 2018
Submission deadline: 10 October 2018
Notification: 1 November 2018
  Submission deadline: 10 October 2018
Notification: 1 November 2018
06 July 2018
Abhishek Bajpai, S V Kulgod
      In this paper a FPGA cluster based framework for high performance Cryptanalysis has been proposed. The framework abstracts underlying networked FPGA cluster into a unified acceleration resource. It does so by implementing requested amount of computation kernels (cryptographic modules) and managing efficient distribution of the network band-width between the inter-FPGA and intra-FPGA computation kernels. Further agile methodology for developing such networked computation kernels with use of a high level language (Python) based HDL library and seamless integration with a user space crypt analysis application have been discussed. 40-bit partial key attack over AES256 has been demonstrated as a capability demonstration. Performance higher than clustered CPUs and GPUs at lower costs and power is reported.
          
  Lijing Zhou, Licheng Wang, Yiru Sun, Pin Lv
      Currently, the blockchain technology is experiencing an exponential growth in the academia and industry. Blockchain may provide the fault-tolerance, tamper-resistance, credibility and privacy to users. In this paper, we propose a blockchain-based residual loanable-limit query system, called Loamit. Firstly, to the best of our knowledge, it is the first work to prevent that a client, who lacks the ability to repay, borrows an un-repayable amount of money from independent banks without releasing the personal privacy of client.
Specifically, if a client wants to borrow a certain amount of money from a bank, then the bank can get the client's residual loanable-limit in the alliance of banks without knowing details of the client's previous loans and repayments.
Secondly, most of data in Loamit is verifiable. Therefore, malicious banks can be checked out.
Thirdly, Loamit is fault-tolerant since it may work smoothly as long as a certain number of banks are active and honest.
Finally, we deploy the Loamit system on the Ethererum private blockchain and give the corresponding performance evaluation.
          
  Ivan Damgård, Chaya Ganesh, Claudio Orlandi
      In this paper we provide a formal treatment of proof of replicated storage, a novel cryptographic primitive
recently proposed in the context of a novel cryptocurrency, namely Filecoin.
In a nutshell, proofs of replicated storage is a solution to the following problem: A user stores a file $m$ on $n$ different servers to ensure that the file will be available even if some of the servers fail. Using proof of retrievability, the user could check that every server is indeed storing the file. However, what if the servers collude and, in order to save on resources, decide to only store one copy of the file? A proof of replicated storage guarantees that, unless the server is indeed reserving the space necessary to store the $n$ copies of the file, the user will not accept the proof.
While some candidate proofs of replicated storage have already been proposed, their soundness relies on timing assumptions i.e., the user must reject the proof if the prover does not reply within a certain time-bound.
In this paper we provide the first construction of a proof of replication which does not rely on any timing assumptions.
  In a nutshell, proofs of replicated storage is a solution to the following problem: A user stores a file $m$ on $n$ different servers to ensure that the file will be available even if some of the servers fail. Using proof of retrievability, the user could check that every server is indeed storing the file. However, what if the servers collude and, in order to save on resources, decide to only store one copy of the file? A proof of replicated storage guarantees that, unless the server is indeed reserving the space necessary to store the $n$ copies of the file, the user will not accept the proof.
While some candidate proofs of replicated storage have already been proposed, their soundness relies on timing assumptions i.e., the user must reject the proof if the prover does not reply within a certain time-bound.
In this paper we provide the first construction of a proof of replication which does not rely on any timing assumptions.
Pierre-Alain Fouque, Benjamin Hadjibeyli, Paul Kirchner
      Optimizing performance of Fully Homomorphic Encryption (FHE) is nowadays an active trend of research in cryptography. One way of improvement is to use a hybrid construction with a classical symmetric encryption scheme to transfer encrypted data to the Cloud. This allows to reduce the bandwidth since the expansion factor of symmetric schemes (the ratio between the ciphertext and the plaintext length) is close to one, whereas for FHE schemes it is in the order of 1,000 to 1,000,000. However, such a construction requires the decryption circuit of the symmetric scheme to be easy to evaluate homomorphically. Several works have studied the cost of homomorphically evaluating classical block ciphers, and some recent works have suggested new homomorphic oriented constructions of block ciphers or stream ciphers. Since the multiplication gate of FHE schemes significantly increases the noise of the ciphertext, we cannot afford too many multiplication stages in the decryption circuit. Consequently, FHE-friendly symmetric encryption schemes have a decryption circuit with small multiplication depth.
We aim at minimizing the cost of the homomorphic evaluation of the decryption of symmetric encryption schemes. To do so, we focus on schemes based on learning problems: Learning With Errors (LWE), Learning Parity with Noise (LPN) and Learning With Rounding (LWR). We show that they have lower multiplicative depth than usual block ciphers, and hence allow more FHE operations before a heavy bootstrapping becomes necessary. Moreover, some of them come with a security proof. Finally, we implement our schemes in HElib. Experimental evidence shows that they achieve lower amortized and total running time than previous performance from the literature: our schemes are from 10 to 10,000 more efficient for the time per bit and the total running time is also reduced by a factor between 20 to 10,000. Of independent interest, the security of our LWR-based scheme is related to LWE and we provide an efficient security proof that allows to take smaller parameters.
          
  Fukang Liu
      In this paper, we re-consider the connecting techniques to find colliding messages, which is achieved by connecting the middle part with the initial part. To obtain the best position of middle part, we propose two principles even when the case is not ideal.
Then, we reviewed the searching strategy to find a differential path presented at Asiacrypt 2017, we observe some useful characteristics of the path which is not used in their work. To fully capture the characteristics of the differential path discovered by the searching strategy, we find an efficient attack framework under the guidance of the two principles, which in turn helps improve the searching strategy. Under our efficient attack framework, we easily improve the collision attack on 30-step RIPEMD-160 by a factor of $2^{13}$. And we believe that the collision attack can be further improved under this efficient framework if the differential path is discovered by taking the new strategies into consideration.
For some interest, we also consider an opposite searching strategy and propose another efficient attack framework special for the differential path discovered by the new searching strategy. Under this new framework, we find we can control one more step than that special for the original searching strategy. Therefore, we expect that we can obtain better collision attack by adopting the new searching strategy and attack framework.
Moreover, combining with the searching tool, we may give a tight upper bound of steps to mount collision attack on reduced RIPEMD-160 when adopting the two searching strategies.
  Then, we reviewed the searching strategy to find a differential path presented at Asiacrypt 2017, we observe some useful characteristics of the path which is not used in their work. To fully capture the characteristics of the differential path discovered by the searching strategy, we find an efficient attack framework under the guidance of the two principles, which in turn helps improve the searching strategy. Under our efficient attack framework, we easily improve the collision attack on 30-step RIPEMD-160 by a factor of $2^{13}$. And we believe that the collision attack can be further improved under this efficient framework if the differential path is discovered by taking the new strategies into consideration.
For some interest, we also consider an opposite searching strategy and propose another efficient attack framework special for the differential path discovered by the new searching strategy. Under this new framework, we find we can control one more step than that special for the original searching strategy. Therefore, we expect that we can obtain better collision attack by adopting the new searching strategy and attack framework.
Moreover, combining with the searching tool, we may give a tight upper bound of steps to mount collision attack on reduced RIPEMD-160 when adopting the two searching strategies.
Nicola Tuveri, Sohaib ul Hassan, Cesar Pereida García, Billy Brumley
      SM2 is a public key cryptography suite originating from Chinese standards, including digital signatures and public key encryption. Ahead of schedule, code for this functionality was recently mainlined in OpenSSL, marked for the upcoming 1.1.1 release.
We perform a security review of this implementation, uncovering various deficiencies ranging from traditional software quality issues to side-channel risks.
To assess the latter, we carry out a side-channel security evaluation and discover that the implementation hits every pitfall seen for OpenSSL's ECDSA code in the past decade. We carry out remote timings, cache timings, and EM analysis, with accompanying empirical data to demonstrate secret information leakage during execution of both digital signature generation and public key decryption.
Finally, we propose, implement, and empirically evaluate countermeasures.
          
  Gustavo Banegas, Paulo S. L. M. Barreto, Edoardo Persichetti, Paolo Santini
      Cryptographic primitives from coding theory are some of the most promising candidates for NIST's Post-Quantum Cryptography Standardization process. In this paper, we introduce a variety of techniques to improve operations on dyadic matrices, a particular type of symmetric matrices that appear in the automorphism group of certain linear codes. Besides the independent interest, these techniques find an immediate application in practice. In fact, one of the candidates for the Key Exchange functionality, called DAGS, makes use of quasi-dyadic matrices to provide compact keys for the scheme.
          
  Susumu Kiyoshima
      In this paper, we give a no-signaling linear probabilistically checkable proof (PCP) system for P, i.e., a PCP system such that (1) the PCP oracle is a linear function and (2) the soundness holds against any (computational) no-signaling cheating prover, who answers each query according to a distribution that depends on the entire query set in a certain way. To the best of our knowledge, our construction is the first PCP system that satisfies these two properties simultaneously.
As an application of our PCP system, we obtain a 2-message scheme for delegating computation by using a known transformation. Compared with existing 2-message delegation schemes based on standard cryptographic assumptions, our scheme requires preprocessing (which can be reused multiple times) but has a simpler structure and makes use of cheaper cryptographic primitives such as additive/multiplicative homomorphic encryption schemes.
  As an application of our PCP system, we obtain a 2-message scheme for delegating computation by using a known transformation. Compared with existing 2-message delegation schemes based on standard cryptographic assumptions, our scheme requires preprocessing (which can be reused multiple times) but has a simpler structure and makes use of cheaper cryptographic primitives such as additive/multiplicative homomorphic encryption schemes.
Cyprien Delpech de Saint Guilhem, Emmanuela Orsini, Christophe Petit, Nigel P. Smart
      In this work we first define semi-commutative (invertible) masking structures which present a simple abstraction to capture the various examples of protocol design that are based on exponentiation-only style operations (such as discrete logarithm and isogeny based cryptography).
We discuss two possible instantiations of our structure:
The first is based on commutative group actions and captures both the action of exponentiation in the discrete logarithm setting and also the action of the class group of commutative endomorphism rings of elliptic curves, in the style of the CSIDH key-exchange protocol; the second is based on the semi-commutative action of isogenies of supersingular elliptic curves, in the style of the SIDH key-exchange protocol.
We then design two oblivious transfer protocols using this structure and prove that they securely UC-realise the standard OT-functionality in the Random-Oracle-hybrid model against passive adversaries with static corruptions.
This paper thus introduces the first oblivious transfer protocol based on supersingular isogenies that is proven secure in the UC framework.
          
  Thorsten Kleinjung, Benjamin Wesolowski
      A new proof is given for the correctness of the powers of two descent method for computing discrete logarithms. The result is slightly stronger than the original work, but more importantly we provide a unified geometric argument, eliminating the need to analyse all possible subgroups of $\mathrm{PGL}_2(\mathbb{F}_q)$. Our approach sheds new light on the role of $\mathrm{PGL}_2$, in the hope to eventually lead to a complete proof that discrete logarithms can be computed in quasi-polynomial time in finite fields of fixed characteristic.
          
  Huijia Lin, Christian Matt
      We construct indistinguishability obfuscation from subexponentially secure Learning With Errors (LWE), bilinear maps, a constant-locality Pseudo Random Generator (PRG), and a new tool called Pseudo Flawed-smudging Generator (PFG). A PFG is an expanding function whose outputs $Y$ satisfy a weak form of pseudo randomness. Roughly speaking, for some polynomial bound $B$, and any $B$-bounded noise vector distribution $\chi$, it guarantees that for $e \gets \chi$, the distribution of $(e,\ Y + e)$ is indistinguishable from $(e', Y + e)$, where $e'$ is a fresh random sample from $\chi$ conditioned on agreeing with $e$ at a few, $o(\lambda)$, locations. In other words, $Y$ hides $e$ at all but a few locations. Our construction of indistinguishability obfuscation requires a PFG that is computable by a degree 2 polynomial over the integers and has polynomially bounded outputs. We finally propose a candidate of such PFGs and formalize an assumption under which it satisfies the requirements of our construction.
          
  Lucas Kowalczyk, Jiahui Liu, Kailash Meiyappan, Tal Malkin
      We present a key-policy attribute-based encryption scheme that is adaptively secure under a static assumption and is not directly affected by an attribute ``one-use restriction." Our construction dramatically improves upon the only other such scheme (Takashima '17) by mitigating its downside of a ciphertext size that is dependent on the size of the attribute universe.
          
  Osmanbey Uzunkol, Jothi Rangasamy, Lakshmi Kuppusamy
      Security protocols using public-key cryptography often requires large number of costly modular exponentiations (MEs).  With the
proliferation of resource-constrained (mobile) devices and advancements in cloud computing, delegation of such expensive computations to powerful server providers has gained lots of attention. In this paper, we address the problem of verifiably secure delegation of MEs using two servers, where at most one of which is assumed to be malicious (the OMTUP-model). We first show verifiability issues of two recent schemes: We show that a scheme from IndoCrypt 2016 does not offer full verifiability, and that a scheme for $n$ simultaneous MEs from AsiaCCS 2016 is verifiable only with a probability $0.5909$ instead of the author's claim with a probability $0.9955$ for $n=10$. Then, we propose the first non-interactive fully verifiable secure delegation scheme by hiding the modulus via Chinese Remainder Theorem (CRT). Our scheme improves also the computational efficiency of the previous schemes considerably. Hence, we provide a lightweight delegation enabling weak clients to securely and verifiably delegate MEs without any expensive local computation (neither online nor offline).  The proposed scheme is highly useful for devices having (a) only ultra-lightweight memory, and (b) limited computational power (e.g. sensor nodes, RFID tags).
          
  Alexei Zamyatin, Dominik Harz, William J. Knottenbelt
      The ecosystem of cryptocurrencies has been steadily growing since the introduction of Bitcoin, the first decentralised digital currency. While the notion of trustless asset exchange lies at the core of most blockchain-based systems, existing cross-chain communication techniques expose limitations regarding security, performance, and usability.
As a result, centralised liquidity providers remain the preferred way for cross-chain transactions. 
We systematise the notion of cryptocurrency-backed tokens, an approach towards trustless blockchain interoperability. We then propose a protocol for issuing, trading, and redeeming Bitcoin-backed tokens on Ethereum. Consequently, we provide an overview of system requirements, discuss open challenges regarding performance and security, and give an outlook on possible extensions. Our protocol, which requires no modifications to Bitcoin's consensus rules, can thereby be generalised to also support other cryptocurrencies.
  We systematise the notion of cryptocurrency-backed tokens, an approach towards trustless blockchain interoperability. We then propose a protocol for issuing, trading, and redeeming Bitcoin-backed tokens on Ethereum. Consequently, we provide an overview of system requirements, discuss open challenges regarding performance and security, and give an outlook on possible extensions. Our protocol, which requires no modifications to Bitcoin's consensus rules, can thereby be generalised to also support other cryptocurrencies.
Rami Khalil, Arthur Gervais
      Bitcoin is meant to offer a payment system where the users are custodians of their funds instead of entrusting a trusted financial institution. The limited transaction throughput of such permissionless blockchains, however, results for example in volatile transaction prices that hardly fit into traditional service level agreements required by professional institutions and cannot accommodate micro-transactions.
We present a novel non-custodial 2nd-layer financial intermediary solution secure against double-spending that guarantees users control of funds through leveraging a smart contract enabled decentralized blockchain ledger as a means of dispute resolution. Two-party payment channels networks have been proposed as building blocks for trust-free payments that do not exhaust the resources of the blockchain; however, they bear multiple fundamental limitations. NOCUST is a specification for secure N-party payment hubs with improved transaction utility, cheaper operational costs and leaner user enrollment.
  We present a novel non-custodial 2nd-layer financial intermediary solution secure against double-spending that guarantees users control of funds through leveraging a smart contract enabled decentralized blockchain ledger as a means of dispute resolution. Two-party payment channels networks have been proposed as building blocks for trust-free payments that do not exhaust the resources of the blockchain; however, they bear multiple fundamental limitations. NOCUST is a specification for secure N-party payment hubs with improved transaction utility, cheaper operational costs and leaner user enrollment.
Michael Backes, Lucjan Hanzlik, Jonas Schneider
      Group signatures present a trade-off between the traditional goals of digital signatures and the signer's desire for privacy, allowing for the creation of unforgeable signatures in the name of a group which reveal nothing about the actual signer's identity beyond their group membership. Considering the desired properties formally opens up a possibility space of different security goals under various assumptions on trust placed in the designated entities of any scheme. Many models differ in their consideration of the variability of group membership as well, yet a formal treatment of the privacy of group membership status is lacking in all models, thus far.
We address this issue, starting from the vantage point of the comprehensive model due to Bootle et al. (ACNS'16), who prove that any scheme secure in their model is also secure in the previous models. Their model allows for fully dynamic management of group membership by segmenting the scheme's lifetime into epochs during which group membership is static but between which users may join or leave the group.
We extend the model of Bootle et al. by introducing formal notions of membership privacy. We then propose an efficient generic construction for a fully dynamic group signature scheme with membership privacy that is based on signatures with flexible public key (SFPK) and signatures on equivalence classes (SPSEQ). We instantiate the construction using a SFPK scheme based on the bilinear decisional Diffie-Hellman assumption and SPSEQ scheme by Fuchsbauer and Gay (PKC'18). The resulting scheme provides shorter signatures than existing schemes from standard assumption, while at the same time achieving stronger security guarantees.
  We address this issue, starting from the vantage point of the comprehensive model due to Bootle et al. (ACNS'16), who prove that any scheme secure in their model is also secure in the previous models. Their model allows for fully dynamic management of group membership by segmenting the scheme's lifetime into epochs during which group membership is static but between which users may join or leave the group.
We extend the model of Bootle et al. by introducing formal notions of membership privacy. We then propose an efficient generic construction for a fully dynamic group signature scheme with membership privacy that is based on signatures with flexible public key (SFPK) and signatures on equivalence classes (SPSEQ). We instantiate the construction using a SFPK scheme based on the bilinear decisional Diffie-Hellman assumption and SPSEQ scheme by Fuchsbauer and Gay (PKC'18). The resulting scheme provides shorter signatures than existing schemes from standard assumption, while at the same time achieving stronger security guarantees.
Masayuki Abe, Miguel Ambrona, Miyako Ohkubo, Mehdi Tibouchi
      Lower bounds for structure-preserving signature (SPS) schemes based on non-interactive assumptions have only been established in the case of unilateral messages, i.e. schemes signing tuples of group elements all from the same source group. In this paper, we consider the case of bilateral messages, consisting of elements from both source groups. We show that, for Type-III bilinear groups, SPSs must consist of at least 6 group elements: many more than the 4 elements needed in the unilateral case, and optimal, as it matches a known upper bound from the literature. We also obtain the first non-trivial lower bounds for SPSs in Type-II groups: a minimum of 4 group elements, whereas constructions with 3 group elements are known from interactive assumptions.
          
  Lucas Schabh\"{u}ser, Denis Butin, Denise Demirel, Johanens Buchmann
      In cloud computing, delegated computing raises the security issue of guaranteeing data authenticity during a remote computation. Existing solutions do not simultaneously provide fast correctness verification, strong security properties, and information-theoretic confidentiality. We introduce a novel approach, in the form of function-dependent commitments, that combines these strengths. We also provide an instantiation of function-dependent commitments for linear functions that is unconditionally, i.e. information-theoretically, hiding and relies on standard hardness assumptions. This powerful construction can for instance be used to build verifiable computing schemes providing information-theoretic confidentiality. As an example, we introduce a verifiable multi-party computation scheme for shared data providing public verifiability and unconditional privacy towards the servers and parties verifying the correctness of the result. Our scheme can be used to perform verifiable computations on secret shares while requiring only a single party to compute the audit data for verification. Furthermore, our verification procedure is asymptotically even more efficient than performing operations locally on the shared data. Thus, our solution improves the state of the art for authenticated computing, verifiable computing and multi-party computation.
          
  