IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
26 May 2020
Ben Kreuter, Sarvar Patel, Ben Terner
ePrint ReportViet Tung Hoang, Yaobin Shen
ePrint ReportIvan Damgård, Sophia Yakoubov
ePrint ReportIn this paper, we set out to determine whether we can get ATE with short ciphertexts from standard primitives. We therefore work in a model where we limit reliance on computational assumptions. We do this by demanding information theoretic security given black-box access to limited cryptographic tools such as non-interactive key exchange and pseudorandom generators.
We show that, with access only to idealized two-party key exchange, any secure ATE scheme must produce ciphertexts of size at least (n-t-1)l (where l is the length of the message). If access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes k(n-t)/2 + l (where k is the length of the input to the PRG).
If idealized q-party key exchange for q > 2 is availabe, then we can achieve a constant-size ciphertext, at the cost of invoking the key exchange an exponential number of times. We also prove that, if the size of the ciphertext is optimal (that is, equal to the size of the message), the exponential overhead is unavoidable. Finally, we give some alternative constructions demonstrating that the overhead can be reduced at the cost of slightly larger ciphertext size.
Rachit Garg, George Lu, Brent Waters
ePrint ReportDamg{\aa}rd, Ganesh, and Orlandi (CRYPTO' 19) proposed a novel notion that we will call proof of replication with client setup. Here, a client first operates with secret coins to generate the replicas for a file. Such systems do not inherently have to require fine-grained timing assumptions. At the core of their solution to building proofs of replication with client setup is an abstraction called replica encodings. Briefly, these comprise a private coin scheme where a client algorithm given a file $m$ can produce an encoding $\sigma$. The encodings have the property that, given any encoding $\sigma$, one can decode and retrieve the original file $m$. Secondly, if a server has significantly less than $n \cdot |m|$ bit of storage, it cannot reproduce $n$ encodings. The authors give a construction of encodings from ideal permutations and trapdoor functions.
In this work, we make three central contributions: 1) Our first contribution is that we discover and demonstrate that the security argument put forth by DGO19 is fundamentally flawed. Briefly, the security argument makes assumptions on the attacker's storage behavior that does not capture general attacker strategies. We demonstrate this issue by constructing a trapdoor permutation which is secure assuming indistinguishability obfuscation, serves as a counterexample to their claim (for the parameterization stated). 2) In our second contribution we show that the DGO19 construction is actually secure in the ideal permutation model from any trapdoor permutation when parameterized correctly. In particular, when the number of rounds in the construction is equal to $\lambda \cdot n \cdot b$ where $\lambda$ is the security parameter, $n$ is the number of replicas and $b$ is the number of blocks. To do so we build up a proof approach from the ground up that accounts for general attacker storage behavior where we create an analysis technique that we call ``sequence-then-switch''. 3) Finally, we show a new construction that is provably secure in the random oracle (or random function) model. Thus requiring less structure on the ideal function.
25 May 2020
Sanjam Garg, Romain Gay, Mohammad Hajiabadi
ePrint ReportDiego F. Aranha, Felipe Rodrigues Novaes, Akira Takahashi, Mehdi Tibouchi, Yuval Yarom
ePrint ReportIn this paper, we uncover LadderLeak, a novel class of side-channel vulnerabilities in implementations of the Montgomery ladder used in ECDSA scalar multiplication. The vulnerability is in particular present in several recent versions of OpenSSL. However, it leaks less than $1$ bit of information about the nonce, in the sense that it reveals the most significant bit of the nonce, but with probability $<1$. Exploiting such a mild leakage would be intractable using techniques present in the literature so far. However, we present a number of theoretical improvements of the Fourier analysis approach to solving the HNP (an approach originally due to Bleichenbacher), and this lets us practically break LadderLeak-vulnerable ECDSA implementations instantiated over the sect163r1 and NIST P-192 elliptic curves. In so doing, we achieve several significant computational records in practical attacks against the HNP.
Amit Deo, Benoit Libert, Khoa Nguyen, Olivier Sanders
ePrint ReportTomoki Moriya, Hiroshi Onuki, Tsuyoshi Takagi
ePrint ReportNext, we propose a Naor-Reingold type pseudo random function based on SiGamal. If the P-CSSDDH assumption and the CSSDDH$^*$ assumption, which guarantees the security of CSIDH that uses a prime $p$ in the setting of SiGamal, hold, then our proposed function is a pseudo random function. Moreover, we estimate computational costs of group actions to compute our proposed PRF are about $\sqrt{\frac{8T}{3\pi}}$ times than that of the group action in CSIDH, where $T$ is the Hamming weight of input of the PRF.
Finally, we experimented group actions in SiGamal and C-SiGamal. In our experimentation, the computational costs of group actions in SiGamal-512 with a $256$-bit plaintext message space are about $2.62$ times that of a group action in CSIDH-512.
Jeroen Pijnenburg, Bertram Poettering
ePrint ReportRami Elkhatib, Reza Azarderakhsh, Mehran Mozaffari-Kermani
ePrint ReportNavid Alamati, Hart Montgomery, Sikhar Patranabis
ePrint ReportA number of recent works have shown how to build iO from multilinear maps endowed with plausible assumptions; one example would be the work of Lin and Tessaro (Crypto17) which shows how to construct iO from subexponentially secure SXDH-hard multilinear maps and some (subexponentially secure) plausible assumptions. Coupled with any one of these constructions, our results here can be seen as formally proving the equivalence of iO and multilinear maps/graded encodings (modulo subexponential reductions and other plausible assumptions) for the first time.
Behnaz Rezvani, Thomas Conroy, Luke Beckwith, Matthew Bozzay, Trevor Laffoon, David McFeeters, Yijia Shi, Minh Vu, William Diehl
ePrint ReportFatih Balli, Andrea Caforio, Subhadeep Banik
ePrint ReportIn the paper, we extend these results on bit-serial implementations all the way to three authenticated encryption schemes from NIST LWC. Our first focus is to decrease latency and improve throughput with the use of swap-and-rotate technique. Our blockcipher implementations have the most efficient round operations in the sense that a round function of a $n$-bit blockcipher is computed in exactly $n$ clock cycles. This leads to implementations that are similar in size to the state-of-the-art, but have much lower latency (savings up to 20 percent).
Though these results are promising, blockciphers themselves are not end-user primitives, as they need to used together with a mode of operation. Hence, in the second part of the paper, we use our blockciphers in bit-serial implementations for three active NIST authenticated encryption candidates: SUNDAE-GIFT, Romulus and SAEAES. We provide the smallest blockcipher-based authenticated encryption circuits known in the literature so far.
Andrea Caforio, Fatih Balli, Subhadeep Banik
ePrint ReportIn this paper, we focus on a less investigated metric under the umbrella term lightweight, i.e. energy consumption. Quantitatively speaking, energy is the sum total electrical work done by a voltage source and thus is a critical metric of lightweight efficiency. Among the thirty-two second round candidates, we give a detailed evaluation of the ten that only make use of a lightweight or semi-lightweight block cipher at their core. We use this pool of candidates to investigate a list of generic implementation choices that have considerable effect on both the size and the energy consumption of modes of operation circuit, which function as an authenticated encryption primitive. Besides providing energy and circuit size metrics of these candidates, our results provide useful insights for designers who wish to understand what particular choices incur significant energy consumption in AEAD schemes. In the second part of the paper we shift our focus to threshold implementations that offer protection against first order power analysis attacks. There has been no study focusing on energy efficiency of such protected implementations and as such the optimizations involved in such circuits are not well established. We explore the simplest possible protected circuit: the one in which only the state path of the underlying block cipher is shared, and we explore how design choices like number of shares, implementation of the masked s-box and the circuit structure of the AEAD scheme affect the energy consumption.
Navid Alamati, Hart Montgomery, Sikhar Patranabis
ePrint Report- Multiparty non-interactive key exchange (NIKE) for an arbitrary number of parties.
- Indistinguishability obfuscation for all circuits in NC_1.
Our proofs are in the standard model, and the proof for our iO scheme is program-independent. Our iO scheme can also be bootstrapped to all polynomial-size circuits using standard techniques. We also consider restricted versions of RKHwPRFs that are structurally weaker than a classic RKHwPRF but suffice for all our constructions. We show how to instantiate these restricted RKHwPRFs from various multilinear maps and associated assumptions. Our framework gives several new results, such as:
- The first iO scheme that relies only on SXDH over any asymmetric multilinear map without additional assumptions.
- The first iO scheme that relies only on DLIN (or more generally Matrix-DDH) over any (even symmetric) multilinear map without additional assumptions.
- The first iO scheme that relies on SXDH over the multilinear map presented by Ma and Zhandry (TCC'18) (the authors only presented a NIKE protocol in their paper). To our knowledge, this candidate multilinear map has not been successfully cryptanalyzed, and the SXDH assumption plausibly holds over it.
Our analysis of RKHwPRFs in a sense completes the work initiated by Alamati et al. (EUROCRYPT'19) on building cryptosystems from generic Minicrypt primitives with structure. With our results, almost all of the major known cryptosystems can be built from a weak PRF with either a group or ring homomorphism over either the input space or the key space. Thus, a major contribution of this work is advancing the study of the relationship between structure and cryptography.
Artur Mariano
ePrint ReportLUSA was designed to be 1) simple to install and use, 2) have no other dependencies, 3) be designed specifically for lattice-based cryptanalysis, including the majority of the most relevant algorithms in this field and 4) offer efficient, parallel and scalable methods for those algorithms.
LUSA explores paralellism mainly at the thread level, being based on OpenMP. However the code is also written to be efficient at the cache and operation level, taking advantage of carefully sorted data structures and data level parallelism.
This paper shows that LUSA delivers these promises, by being simple to use while consistently outperforming its counterparts, such as NTL, plll and fplll, and offering scalable, parallel implementations of the most relevant algorithms to date, which are currently not available in other libraries.
Barcelona, Spain, 27 May 2020
Event CalendarIMDEA Software Institute, Madrid (Spain)
Job PostingApplications are invited for multiple PhD student positions at the IMDEA Software Institute, Madrid, Spain.
Selected candidates will work under the supervision of Marco Guarnieri on the design, verification, and implementation of countermeasures against CPU micro-architectural attacks.
The specific topic of the research will be determined based on the common interests of the candidate and the supervisor.
The positions are fully funded by a research grant from Intel Corporation.
How to apply?
Applicants interested in the position should submit their application at https://careers.software.imdea.org/ selecting option 5 - PhD Student and reference code 2020-05-phd-uarchsec.
Questions
For any questions about these positions, please contact Marco Guarnieri directly (marco dot guarnieri at imdea dot org).
Closing date for applications:
Contact:
Marco Guarnieri, Assistant Professor @ IMDEA Software
Email: marco dot guarnieri at imdea dot org
Website: https://mguarnieri.github.io
More information: https://software.imdea.org/open_positions/2020-05-phd-uarchsec.html
University of Warwick, UK
Job PostingWe have two post-docs posts (Research Fellow and Senior Research Fellow, each for up to 4 years) available in the Department of Computer Science, University of Warwick, as part of a 4-year EPSRC project on "End to End Authentication of Caller ID in Heterogeneous Telephony Systems", working with Professor Feng Hao (PI) and Dr Adrian Von Mühlenen (co-I). The primary aim of this project is to improve security in telecommunication systems, in particular, providing reliable authentication of the caller ID without requiring any PKI, and protecting end-to-end privacy of the call contents.
The candidates will join a dynamic and growing team of security researchers in the Department of Computer Science, University of Warwick. Warwick Computer Science is ranked 1st in research output, 2nd in research impact, and 2nd overall among all computer science departments in the UK based on REF 2014. The candidates will have the flexibility to collaborate with other members in the security team on a wider range of topics, such as key exchange, e-voting, e-auction, PUF, cryptocurrency, mobile security, IoT, web security and e-payment security. Our work has been largely driven by tackling real-world security problems. Candidates who have a strong interest in working on real-world problems for practical impacts are encouraged to apply. Those who have industrial experiences are also most welcome to apply.
- Research fellow: https://tinyurl.com/y8spmtb5
- Senior research fellow (equivalent grade as Assistant Professor): https://tinyurl.com/ybjyqzh4
Application deadline: 17 June, 2020. After the deadline, the posts will be vacant until they are filled. Interested candidates are encouraged to contact Prof Feng Hao with an expression of interest as early as possible.
Closing date for applications:
Contact: Professor Feng Hao (feng.hao@warwick.ac.uk)
Radboud University, Nijmegen
Job PostingWe offer one 2-year and one 3-year position as postdoctoral researcher in the area of symmetric cryptography.
The positions will be fulfilled within the Digital Security group at Radboud University in Nijmegen in the team led by Joan Daemen and Bart Mennink. Your main tasks will be to perform research and supervise that of the PhD of our ESCADA and SCALAR teams and master students. The research subjects are cryptanalysis and design of primitives, provable security of modes of use, implementation attacks and countermeasures. We concentrate on cryptography based on permutations as in the sponge, duplex and farfalle constructions. As such, we are building an alternative for block cipher based cryptography, both in the lightweight as in the high-performance arena.
There are possibilities for teaching courses within our BSc in Cyber Security program and MSc in Computer Security.
The starting date is negotiable but is preferably not later than October.
The successful candidate should ideally have a PhD in Computer Science, Mathematics, or Electrical engineering and a good publication record in the area.
Applications will be considered until the position is filled.
Closing date for applications:
Contact: Joan Daemen, joan (at) cs.ru.nl and Bart Mennink, b.mennink (at) cs.ru.nl