International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-11-06
19:17 [Pub][ePrint]

There is a large body of work on using noisy communication channels for realizing different cryptographic tasks. In particular, it is known that secure message transmission can be achieved unconditionally using only {\\em one-way} communication from the sender to the receiver. In contrast, known solutions for more general secure computation tasks inherently require interaction, even when the entire input originates from the sender.

We initiate a general study of cryptographic protocols over noisy channels in a setting where only one party speaks. In this setting, we show that the landscape of what a channel is useful for is much richer. Concretely, we obtain the following results.

[-] Relationships between channels. The binary erasure channel (BEC) and the binary symmetric channel (BSC), which are known to be securely reducible to each other in the interactive setting, turn out to be qualitatively different in the setting of one-way communication. In particular, a BEC cannot be implemented from a BSC, and while the erasure probability of a BEC can be manipulated in both directions, the crossover probability of a BSC can only be manipulated in one direction.

[-] Zero-knowledge proofs and secure computation of deterministic functions. One-way communication over BEC or BSC is sufficient for securely realizing any deterministic (possibly reactive) functionality which takes its inputs from a sender and delivers its outputs to a receiver. This provides the first truly non-interactive solutions to the problem of zero-knowledge proofs.

[-] Secure computation of randomized functions. One-way communication over BEC or BSC {\\em cannot} be used for realizing general randomized functionalities which take input from a sender and deliver output to a receiver. On the other hand, one-way communication over other natural channels, such as bursty erasure channels, can be used to realize such functionalities. This type of protocols can be used for distributing certified cryptographic keys without revealing the keys to the certification authority.

19:17 [Pub][ePrint]

At Asiacrypt 2014, Hanser and Slamanig presented a structure-preserving signatures and prove its EUF-CMA security. Very recently,

Fuchsbauer gave a very surprising attack to point out their claim is flawed by showing how to generate a valid existential forgery with overwhelming probability with 4 chosen-message queries for $l=2$. However, we go further in this paper to show that the Hanser-Slamanig signature scheme is not unforgeable under the adaptive chosen message attack. We present a deterministic polynomial-time chosen-message attack which can forge the valid signature for any message with 3 ({\\it resp.} 4) chosen-message queries for $l=2$ ({\\it resp.} $l\\geq 3$ ).

19:17 [Pub][ePrint]

In a homomorphic signature scheme, given the public key and a vector of signatures $\\vec{\\sigma}:= (\\sigma_1, \\ldots, \\sigma_l)$ over $l$ messages $\\vec{\\mu}:= (\\mu_1, \\ldots, \\mu_l)$, there exists an efficient algorithm to produce a signature $\\sigma\'$ for $\\mu = f(\\vec{\\mu})$. Given the tuple $(\\sigma\', \\mu, f)$, anyone can then publicly verify the validity of the signature $\\sigma\'$.

Inspired by the recent (selectively secure) key-homomorphic functional encryption for circuits, recent works propose fully homomorphic signature schemes in the selective security model.

However, in order to gain adaptive security, one must rely on generic complexity leveraging, which is not only very inefficient but also leads to reductions that are unfalsifiable\'\'.

In this paper, we construct the first \\emph{adaptively secure} homomorphic signature scheme that can evaluate any circuit over signed data. For {\\it poly-logarithmic depth} circuits, our scheme achieves adaptive security under the standard {\\it Small Integer Solution} (SIS) assumption. For {\\it polynomial depth} circuits, the security of our scheme relies on sub-exponential SIS --- but unlike complexity leveraging, the security loss in our reduction depends only on circuit depth and on neither message length nor dataset size.

06:48 [Event][New]

From December 4 to December 8
Location: Hanoi, Vietnam

06:48 [Event][New]

From May 8 to May 13
Location: Vienna, Austria

06:40 [Event][New]

From December 6 to December 10
Location: Auckland, New Zealand

2014-11-05
13:17 [Pub][ePrint]

We show that there exist commitment, zero-knowledge and general function evaluation protocols with universally composable security, in a model where all parties and all protocols have access to a single, global, random oracle and no other trusted setup. This model provides significantly stronger composable security guarantees than the traditional random oracle model of Bellare and Rogaway [CCS\'93] or even the common reference string model. Indeed, these latter models provide no security guarantees in the presence of arbitrary protocols that use the same random oracle (or reference string or hash function).

Furthermore, our protocols are highly efficient. Specifically, in the interactive setting, our commitment and general computation protocols are much more efficient than the best known ones due to Lindell [Crypto\'11,\'13] which are secure in the common reference string model. In the non-interactive setting, our protocols are slightly less efficient than the best known ones presented by Afshar et al. [Eurocrypt \'14] but do away with the need to rely on a non-global (programmable) reference string.

13:17 [Pub][ePrint]

We study robust secret sharing schemes in which between one third and one half of the players are corrupted. In this scenario, robust secret sharing is possible only with a share size larger than the secrets, and allowing a positive probability of reconstructing the wrong secret. In the standard model, it is known that at least $m+k$ bits per share are needed to robustly share a secret of bit-length $m$ with an error probability of $2^{-k}$; however, to the best of our knowledge, the efficient scheme that gets closest to this lower bound has share size $m+\\widetilde O (n+k)$, where $n$ is the number of players in the scheme.

We show that it is possible to obtain schemes with close to minimal share size in a model of local adversaries, i.e. in which corrupt players cannot communicate between receiving their respective honest shares and submitting corrupted shares to the reconstruction procedure, but may coordinate before the execution of the protocol and can also gather information afterwards.

In this limited adversarial model, we prove a lower bound of roughly $m+k$ bits on the minimal share size, which is (somewhat surprisingly) similar to the lower bound in the standard model, where much stronger adversaries are allowed.

We then present an efficient secret sharing scheme that essentially meets our lower bound, therefore improving upon the best known constructions in the standard model by removing a linear dependence on the number of players. For our construction, we introduce a novel procedure that compiles an error correcting code into a new randomized one, with the following two properties: a single local portion of a codeword leaks no information on the encoded message itself, and any set of portions of a codeword reconstructs the message with error probability exponentially low in the set size.

13:17 [Pub][ePrint]

Non-interactive key exchange (NIKE) is a fundamental notion in Cryptography. This notion was introduced by Diffie and Hellman in 1976. They proposed the celebrated 2-party NIKE protocol and left open as a fascinating question, whether NIKE could be realized in the multiparty setting. NIKE has since then been an active area of research with an ultimate goal of obtaining best possible security in the multiparty setting. Although this has evaded researchers for many decades, advancements have been made through relaxations in multiple directions such as restricting to 3-parties, static/semi-static model (where the adversary needs to commit to the set of parties he wishes to be challenged upon ahead of time), random-oracle model, allowing initial setup, etc.

In this work, we settle the longstanding open question: we present the first multiparty NIKE protocol that is adaptively secure with no setup and in the standard model.

Our construction is based on indistinguishability obfuscation and obliviously-patchable puncturable pseudorandom functions, a new notion that we introduce.

We employ novel techniques of using indistinguishability obfuscation, which are interesting in their own right and which we believe would find wider applications in other settings. One such technique pertains overcoming, the somewhat inherent, drawback of non-adaptivity of the puncturing technique introduced by Sahai and Waters [STOC\'14]. Central to this technique is our new notion of obliviously-patchable puncturable pseudorandom functions. We present a concrete construction of these pseudorandom functions using multilinear maps.

Note that pseudorandom functions amounts to an interactive assumption. We shall establish via a meta-reduction technique that, in natural settings, an interactive assumption is necessary (even with setup).

13:17 [Pub][ePrint]

Bitcoin supports complex transactions where the recipient of a transaction can be programmatically determined.

Using these transactions, multi-party computation protocols that aim to ensure fairness among participants have been designed.

We present a Denial of Service attack against these protocols that results in a net loss for some or all of the honest parties involved, violating those fairness goals.

13:17 [Pub][ePrint]

In many applications, encryption alone does not provide enough security. To enhance security, dedicated authenticated encryption (AE) mode are invented. Galios Counter Mode (GCM) and Counter with CBC-MAC mode (CCM) are the AE modes recommended by the National Institute of Standards and Technology. To support high data rates, AE modes are usually implemented in hardware. However, natural faults reduce its reliability and may undermine both its encryption and

authentication capability. We present a low-cost concurrent error detection (CED) scheme for 7 AE architectures. The proposed technique explores idle cycles of the AE mode architectures. Experimental results shows that the performance overhead can be lower than 100% for all architectures depending on the workload. FPGA implementation results show that the hardware overhead in the 0.1-23.3% range and

the power overhead is in the 0.2-23.2% range. ASIC implementation results show that the hardware overhead in the 0.1-22.8% range and the power overhead is in the 0.3-12.6% range. The underlying block cipher and hash module need not have CED built in. Thus, it allows system designers to integrate block cipher and hash function intellectual property from different vendors.