International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

15 August 2018

Stefan Dziembowski, Lisa Eckey, Sebastian Faust
ePrint Report ePrint Report
We introduce FairSwap -- an efficient protocol for fair exchange of digital goods using smart contracts. A fair exchange protocol allows a sender S to sell a digital commodity x for a fixed price p to a receiver R. The protocol is said to be secure if R only pays if he receives the correct x. Our solution guarantees fairness by relying on smart contracts executed over decentralized cryptocurrencies, where the contract takes the role of an external judge that completes the exchange in case of disagreement. While in the past there have been several proposals for building fair exchange protocols over cryptocurrencies, our solution has two distinctive features that makes it particular attractive when users deal with large commodities. These advantages are: (1) minimizing the cost for running the smart contract on the blockchain, and (2) avoiding expensive cryptographic tools such as zero-knowledge proofs. In addition to our new protocols, we provide formal security definitions for smart contract based fair exchange, and prove security of our construction. Finally, we illustrate several applications of our basic protocol and evaluate practicality of our approach via a prototype implementation for fairly selling large files over the cryptocurrency Ethereum.
Expand
Mahdi Sajadieh, Mohammad Vaziri
ePrint Report ePrint Report
Some features of Feistel structures have caused them to be considered as an efficient structure for design of block ciphers. Although several structures are proposed relied on Feistel structure, the type-II generalized Feistel structures (GFS) based on SP-functions are more prominent. Because of difference cancellation, which occurs in Feistel structures, their resistance against differential and linear attack is not as expected. Hitherto, to improve the immunity of Feistel structures against differential and linear attack, two methods are proposed. One of them is using multiple MDS matrices, and the other is using changing permutations of sub-blocks. In this paper by using MILP and summation representation method, a technique to count the active S-boxes is proposed. Moreover in some cases, the results proposed by Shibutani at SAC 2010 are improved. Also multiple MDS matrices are applied to GFS, and by relying on a new proposed approach, the new inequalities related to using multiple MDS matrices are extracted, and results of using the multiple MDS matrices in type II GFS are evaluated. Finally results related to linear cryptanalysis are presented. Our results show that using multiple MDS matrices leads to 22% and 19% improvement in differential cryptanalysis of standard and improved 8 sub-blocks structures, respectively, after 18 rounds.
Expand
Sanjit Chatterjee, R. Kabaleeshwaran
ePrint Report ePrint Report
A large number of parameterized complexity assumptions have been introduced in the bilinear pairing setting to design novel cryptosystems and an important question is whether such ``$q$-type" assumptions can be replaced by some static one. Recently Ghadafi and Groth captured several such parameterized assumptions in the pairing setting in a family called bilinear target assumption (BTA). We apply the D\'{e}j\`{a}Q techniques for all $q$-type assumptions in the BTA family. In this process, first we formalize the notion of extended adaptive parameter-hiding property and use it in the Chase-Meiklejohn's D\'{e}j\`{a}Q framework to reduce those $q$-type assumptions from subgroup hiding assumption in the asymmetric composite-order pairing. In addition, we extend the BTA family further into BTA1 and BTA2 and study the relation between different BTA variants. We also discuss the inapplicability of D\'{e}j\`{a}Q techniques on the $q$-type assumptions that belong to BTA1 or BTA2 family. We then provide one further application of Gerbush et al's dual-form signature techniques to remove the dependence on a $q$-type assumption for which existing D\'{e}j\`{a}Q techniques are not applicable. This results in a variant of Abe et al's structure-preserving signature with security based on a static assumption in composite order setting.
Expand
Tobias Pulls, Rasmus Dahlberg
ePrint Report ePrint Report
We present Steady: an end-to-end secure logging system engineered to be simple in terms of design, implementation, and assumptions for real-world use. Steady gets its name from being based on a steady (heart)beat of events from a forward-secure device sent over an untrusted network through untrusted relays to a trusted collector. Properties include optional encryption and compression (with loss of confidentiality but significant gain in goodput), detection of tampering, relays that can function in unidirectional networks (e.g., as part of a data diode), cost-effective use of cloud services for relays, and publicly verifiable proofs of event authenticity. The design is formalized and security proven in the standard model. Our prototype implementation ($\approx2,200$ loc) shows reliable goodput of over 1M events/s ($\approx$160 MiB/s) for a realistic dataset with commodity hardware for a device on a GigE network using 16 MiB of memory connected to a relay running at Amazon EC2.
Expand
Marina Blanton, Myoungin Jeong
ePrint Report ePrint Report
The motivation for this work comes from the need to strengthen security of secure multi-party protocols with the ability to guarantee that the participants provide their truthful inputs in the computation. This is outside the traditional security models even in the presence of malicious participants, but input manipulation can often lead to privacy and result correctness violations. Thus, in this work we treat the problem of combining secure multi-party computation (SMC) techniques based on secret sharing with signatures to enforce input correctness in the form of certification. We modify two currently available signature schemes to achieve private verification and efficiency of batch verification and show how to integrate them with two prominent SMC protocols.
Expand
Lijing Zhou, Licheng Wang, Yiru Sun, Tianyi Ai
ePrint Report ePrint Report
Currently, round complexity and communication complexity are two fundamental issues of secure multi-party computation (MPC) since all known schemes require communication for each multiplication operation. In this paper, we propose a double non-interactive secure multi-party computation, called BeeHive, that essentially addresses the two fundamental issues. Specifically, in the proposed scheme, the first non-interactivity denotes that shareholders can independently generate shares (these shares will be responses that are sent to the dealer) of any-degree polynomial of secret numbers without interaction. Furthermore, the second non-interactivity indicates that the dealer can verify correctness of responses sent by shareholders without interaction. To the best of our knowledge, it is the first work to realize that shareholders can generate shares of any-degree polynomial of secret numbers without interaction. Existing secure MPCs are not suitable for blockchain due to their issues of round complexity and communication complexity, while the proposed Beehive is very suitable. Therefore, we present a general architecture of blockchain-based Beehive. Finally, we implemented the proposed scheme in Python with a detailed performance evaluation.
Expand
George Teseleanu
ePrint Report ePrint Report
In this paper, we extend the work on purely mathematical Trojan horses initially presented by Young and Yung. This kind of mechanism affects the statistical properties of an infected random number generator (RNG) by making it very sensitive to input entropy. Thereby, when inputs have the correct distribution the Trojan has no effect, but when the distribution becomes biased the Trojan worsens it. Besides its obvious malicious usage, this mechanism can also be applied to devise lightweight health tests for RNGs. Currently, RNG designs are required to implement an early detection mechanism for entropy failure, and this class of Trojan horses is perfect for this job.
Expand

13 August 2018

Darmstadt, Germany, 2 April - 4 April 2019
Event Calendar Event Calendar
Event date: 2 April to 4 April 2019
Submission deadline: 1 December 2018
Notification: 25 January 2019
Expand

09 August 2018

Stanislaw Jarecki, Hugo Krawczyk, Jason Resch
ePrint Report ePrint Report
An Oblivious PRF (OPRF) is a protocol between a server holding a key to a PRF and a user holding an input. At the end of the interaction, the user learns the output of the OPRF on its input and nothing else. The server learns nothing, including nothing about the user's input or the function's output. OPRFs have found many applications in multiple areas of cryptography. Everspaugh et al. (Usenix 2015) introduced Partially Oblivious PRF (pOPRF) in which the OPRF accepts an additional non-secret input that can be chosen by the server itself, and showed applications in the setting of password hardening protocols. We further investigate pOPRFs showing new constructions, including distributed multi-server schemes, and new applications. We build simple pOPRFs from regular OPRFs, in particular obtaining very efficient DH-based pOPRFs, and provide (n,t)-threshold implementation of such schemes.

We apply these schemes to build Oblivious Key Management Systems (KMS) as a much more secure alternative to traditional wrapping-based KMS. The new system hides keys and object identifiers from the KMS, offers unconditional security for key transport, enables forward security, provides key verifiability, reduces storage, and more. Further, we show how to provide all these features in a distributed threshold implementation that additionally protects the service against server compromise. Finally, we extend the scheme to a threshold Oblivious KMS with updatable encryption so that upon the periodic change of OPRF keys by the server, an efficient update procedure allows a client of the KMS service to non-interactively update all its encrypted data to be decryptable only by the new key. Our techniques improve on the efficiency and security of several recent works on updatable encryption from Crypto and Eurocrypt. We report on an implementation of the above schemes and their performance, showing their practicality and readiness for use in real-world systems. In particular, our pOPRF constructions achieve speeds of over an order of magnitude relative to previous pOPRF schemes.
Expand
Avradip Mandal, John C. Mitchell, Hart Montgomery, Arnab Roy
ePrint Report ePrint Report
We show how to build a practical, private data oblivious genome variants search using Intel SGX. More precisely, we consider the problem posed in Track 2 of the iDash Privacy and Security Workshop 2017 competition, which was to search for variants with high $\chi^{2}$ statistic among certain genetic data over two populations. The winning solution of this iDash competition (developed by Carpov and Tortech) is extremely efficient, but not memory oblivious, which potentially made it vulnerable to a whole host of memory- and cache-based side channel attacks on SGX. In this paper, we adapt a framework in which we can exactly quantify this leakage. We provide a memory oblivious implementation with reasonable information leakage at the cost of some efficiency. Our solution is roughly an order of magnitude slower than the non-memory oblivious implementation, but still practical and much more efficient than naive memory-oblivious solutions--it solves the iDash problem in approximately 5 minutes. In order to do this, we develop novel definitions and models for oblivious dictionary merging, which may be of independent theoretical interest.
Expand
Itai Dinur, Nathan Keller, Ohad Klein
ePrint Report ePrint Report
The distributed discrete logarithm (DDL) problem was introduced by Boyle et al. at CRYPTO 2016. A protocol solving this problem was the main tool used in the share conversion procedure of their homomorphic secret sharing (HSS) scheme which allows non-interactive evaluation of branching programs among two parties over shares of secret inputs.

Let $g$ be a generator of a multiplicative group $\mathbb{G}$. Given a random group element $g^{x}$ and an unknown integer $b \in [-M,M]$ for a small $M$, two parties $A$ and $B$ (that cannot communicate) successfully solve DDL if $A(g^{x}) - B(g^{x+b}) = b$. Otherwise, the parties err. In the DDL protocol of Boyle et al., $A$ and $B$ run in time $T$ and have error probability that is roughly linear in $M/T$. Since it has a significant impact on the HSS scheme's performance, a major open problem raised by Boyle et al. was to reduce the error probability as a function of $T$.

In this paper we devise a new DDL protocol that substantially reduces the error probability to $O(M \cdot T^{-2})$. Our new protocol improves the asymptotic evaluation time complexity of the HSS scheme by Boyle et al. on branching programs of size $S$ from $O(S^2)$ to $O(S^{3/2})$. We further show that our protocol is optimal up to a constant factor for all relevant cryptographic group families, unless one can solve the discrete logarithm problem in a \emph{short} interval of length $R$ in time $o(\sqrt{R})$.

Our DDL protocol is based on a new type of random walk that is composed of several iterations in which the expected step length gradually increases. We believe that this random walk is of independent interest and will find additional applications.
Expand
Atsushi Fujioka, Katsuyuki Takashima, Shintaro Terada, Kazuki Yoneyama
ePrint Report ePrint Report
We propose two authenticated key exchange protocols from supersingular isogenies. Our protocols are the first post-quantum one-round Diffie-Hellman type authenticated key exchange ones in the following points: one is secure under the quantum random oracle model and the other resists against maximum exposure where a non-trivial combination of secret keys is revealed. The security of the former and the latter is proven under an isogeny version of the decisional and gap Diffie-Hellman assumption, respectively. We also propose a new approach for invalidating the Galbraith-Vercauteren attack for the gap problem.
Expand
Thierry Simon, Lejla Batina, Joan Daemen, Vincent Grosso, Pedro Maat Costa Massolino, Kostas Papagiannopoulos, Francesco Regazzoni, Niels Samwel
ePrint Report ePrint Report
We introduce a novel approach for designing symmetric ciphers to resist fault injection. The approach is fairly generic and applies to round functions of block ciphers, cryptographic permutations and stream ciphers. We showcase our method with a new permutation called FRIT and perform fault analysis on a simulated hardware and actual software implementation. We present performance results for software and hardware implementations with and without the fault detection mechanism. On a Cortex-M4 platform the overhead of the countermeasure in cycles is 83%. The penalty on resources for hardware implementations depends on the hardware and can be as low as 56%.
Expand
Takeshi Okamoto, Raylin Tso, Michitomo Yamaguchi, Eiji Okamoto
ePrint Report ePrint Report
A $k$-out-of-$n$ ring signature is a kind of anonymous signature that can be performed by any member in a group. This signature allows the creation of valid signatures if and only if actual signers more than or equal to $k$ sign the message among $n$ possible signers. In this paper, we present a new $k$-out-of-$n$ ring signature. Our signature has a remarkable property: When the signature is updated from $k$-out-of-$n$ to $(k+\alpha)$-out-of-$n$, the previous signers do not need to sign a message again. Our scheme can ``reuse'' the old signature, whereas the previous schemes revoke it and create a signature from scratch. We call this property ``{{flexibility}}'' and formalize it rigorously. Our signature scheme has a multiple ring structure, each ring of which is based on $1$-out-of-$n$ ring signature. The structure of our scheme is completely different from that of conventional schemes, such as a secret-sharing type. The signers' keys are mostly independent of each user, thanks to a part of keys which use a special hash function. We give the results of provable security for our scheme.
Expand
Shashank Agrawal, Payman Mohassel, Pratyay Mukherjee, Peter Rindal
ePrint Report ePrint Report
Threshold cryptography provides a mechanism for protecting secret keys by sharing them among multiple parties, who then jointly perform cryptographic operations. An attacker who corrupts upto a threshold number of parties cannot recover the secrets or violate security. Prior works in this space have mostly focused on definitions and constructions for public-key cryptography and digital signatures, and thus do not capture the security concerns and efficiency challenges of symmetric-key based applications which commonly use long-term (unprotected) master keys to protect data at rest, authenticate clients on enterprise networks, and secure data and payments on IoT devices.

We put forth the first formal treatment for distributed symmetric-key encryption, proposing new notions of correctness, privacy and authenticity in presence of malicious attackers. We provide strong and intuitive game-based definitions that are easy to understand and yield efficient constructions.

We propose a generic construction of threshold authenticated encryption based on any distributed pseudorandom function (DPRF). When instantiated with the two different DPRF constructions proposed by Naor, Pinkas and Reingold (Eurocrypt 1999) and our enhanced versions, we obtain several efficient constructions meeting different security definitions. We implement these variants and provide extensive performance comparisons. Our most efficient instantiation uses only symmetric-key primitives and achieves a throughput of upto 1 million encryptions/decryptions per seconds, or alternatively a sub-millisecond latency with upto 18 participating parties.
Expand
Kai Hu, Tingting Cui, Chao Gao, Meiqin Wang
ePrint Report ePrint Report
Reduced-round AES has been a popular underlying primitive to design new cryptographic schemes and thus its security including distinguishing properties deserves more attention. At Crypto'16, a key-dependent integral distinguisher on 5-round AES was put forward, which opened up a new direction to take more insights into the distinguishing properties of AES. After that, two key-dependent impossible differential (ID) distinguishers on 5-round AES were proposed at FSE'16 and CT-RSA'18, respectively. It is strange that the current key-dependent integral distinguisher requires significantly higher complexities than the key-dependent ID distinguishers, even though they are constructed with the same property of MixColumns ($2^{128} \gg 2^{98.2}$). Proposers of the 5-round key-dependent distinguishers claimed that the corresponding integral and ID distinguishers can only work under chosen-ciphertext and chosen-plaintext settings, respectively, which is very different from the situations of traditional key-independent distinguishers.

In this paper, we first construct a novel key-dependent integral distinguisher on 5-round AES with $2^{96}$ chosen plaintexts, which is much better than the previous key-dependent integral distinguisher that requires the full codebook proposed at Crypto'16. Secondly, we show that both distinguishers are valid under either chosen-plaintext setting or chosen-ciphertext setting, which is different from the claims of previous cryptanalysis. However, under different settings, complexities of key-dependent integral distinguishers are very different while those of the key-dependent ID distinguishers are almost the same. We analyze the reasons for it.
Expand
Sauvik Bhattacharya, Oscar Garcia-Morchon, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, Zhenfei Zhang
ePrint Report ePrint Report
Standardization bodies such as NIST and ETSI are currently seeking quantum resistant alternatives to vulnerable RSA and elliptic curve-based public-key algorithms. In this context, we present Round5, a lattice-based cryptosystem providing a key encapsulation mechanism and a public-key encryption scheme. Round5 is based on the General Learning with Rounding problem, unifying non-ring and ring lattice rounding problems into one. Usage of rounding combined with a tight analysis leads to significantly reduced bandwidth and randomness requirements. Round5's reliance on prime-order cyclotomic rings offers a large design space allowing fine-grained parameter optimization. The use of sparse-ternary secret keys improves performance and significantly reduces decryption failure rates at minimal additional cost. The use of error-correcting codes further improves the latter. Round5 parameters have been carefully optimized for bandwidth, while the design facilitates efficient implementation. As a result, Round5 has leading performance characteristics among all NIST post-quantum candidates, and at the same time attains conservative security levels that fully fit NIST's security categories. Round5's schemes share common building blocks, simplifying (security and operational) analysis and code review. Finally, Round5 proposes various approaches of refreshing the system public parameter $\textbf{A}$, which efficiently prevent precomputation and back-door attacks.
Expand
MCLEAN, United States, 6 May - 10 May 2019
Event Calendar Event Calendar
Event date: 6 May to 10 May 2019
Submission deadline: 15 February 2018
Expand
Limassol, Cyprus, 8 April - 12 April 2019
Event Calendar Event Calendar
Event date: 8 April to 12 April 2019
Submission deadline: 10 September 2018
Notification: 10 November 2018
Expand
Ruhr University Bochum
Job Posting Job Posting
We are looking for outstanding and highly motivated PhD students to work on topics related to hardware security, including:

• Side-channel analysis attacks

• Fault-injection attacks

• Countermeasures against physical attacks

• Physically unclonable functions

• Symmetric cryptography, design and analysis

• Low-power design

The group offers excellent working environment as a part of Horst Görtz Institut for IT Security (HGI hgi.rub.de/en/home/ ) including more than 200 scientists active in several different aspects of IT security and cryptography.

The candidate should have an M.Sc. degree in IT-security, electrical engineering, computer engineering, computer science, or applied mathematics with excellent grades. Being familiar with cryptography concepts and low-level programming is a must. Knowing a hardware design language, e.g., VHDL/verilog, is a plus.

In order to apply, please send your resume, transcripts, and a list of at least two professional references in a single pdf file to

emsec+apply (at) rub.de

Review of applications starts immediately until the position is filled.

Closing date for applications: 31 December 2018

Contact: Amir Moradi

www.emsec.rub.de/moradi

Expand
◄ Previous Next ►