International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-06-30
21:17 [Pub][ePrint]

We study the question of how much interaction is needed for unconditionally secure multiparty computation. We first consider the number of messages that need to be sent to compute a non-trivial function (such as the AND of several input bits), assuming that all players have input and get output. We show that for $n$ players and $t$ corruptions,

$n(t+3)/2$ messages is necessary, this holds already for semi-honest and static corruption. Note that for functions that can be securely computed in constant round, this bound is tight up to a constant factor. For the case $t=1$ and semi-honest security, we show that $2 n$ messages is also sufficient to compute a rich class of functions efficiently, showing that the bound is exact for $t=1$.

Next, we consider round complexity.

It is a long-standing open problem to determine whether all efficiently computable functions can also be efficiently computed in constant-round with {\\em unconditional} security. Providing a positive answer seems to require completely new ideas for protocol design. Motivated by this, we consider the question of whether we can compute any function securely, while minimizing the interaction of {\\em some of} the players? And if so, how many players can this apply to? Note that we still want the standard security guarantees (correctness, privacy, termination) and we consider the standard communication model with secure point-to-point channels. We answer the questions as follows: for passive security, with $n=2t+1$ players and $t$ corruptions, up to $t$ players can have minimal interaction, i.e., they send 1 message in the first round to each of the $t+1$ remaining players and receive one message from each of them in the last round. Using our result on message complexity, we show that this is (unconditionally) optimal. For malicious security with $n=3t+1$ players and $t$ corruptions, up to $t$ players can have minimal interaction, also this is shown to be optimal.

21:17 [Pub][ePrint]

Homomorphic encryption allows computation on encrypted data and makes it possible to securely outsource computational tasks to untrusted environments. However, all proposed schemes are quite inefficient and homomorphic evaluation of ciphertexts usually takes several seconds on high-end CPUs, even for evaluating simple functions. In this work we investigate the potential of FPGAs for speeding up those evaluation operations. We propose an architecture to accelerate schemes based on the ring learning with errors (RLWE) problem and specifically implemented the somewhat homomorphic encryption scheme YASHE, which was proposed by Bos, Lauter, Loftus, and Naehrig in 2013. Due to the large size of ciphertexts and evaluation keys, on-chip storage of all data is not possible and external memory is required. For efficient utilization of the external memory we propose an efficient double-buffered memory access scheme and a polynomial multiplier based on the number theoretic transform (NTT). For the parameter set (n=16384,log_2(q)=512) capable of evaluating 9 levels of multiplications, we can perform a homomorphic addition in 48.67 and a homomorphic multiplication in 0.94 ms.

21:17 [Pub][ePrint]

The celebrated work of Barak et al. (Crypto\'01) ruled out the possibility of virtual black-box (VBB) obfuscation for general circuits. The recent work of Canetti, Kalai, and Paneth (TCC\'15) extended this impossibility to the random oracle model as well assuming the existence of trapdoor permutations (TDPs). On the other hand, the works of Barak et al. (Crypto\'14) and Brakerski-Rothblum (TCC\'14) showed that general VBB obfuscation is indeed possible in idealized graded encoding models. The recent work of Pass and Shelat (Cryptology ePrint 2015/383) complemented this result by ruling out general VBB obfuscation in idealized graded encoding models that enable evaluation of constant-degree polynomials in finite fields.

In this work extend the above two impossibly results for general VBB obfuscation in idealized models. In particular we prove the following two results both assuming the existence of TDPs:

* There is no general VBB obfuscation in the generic group model of Shoup (Eurocrypt\'97) for {any abelian} group. By applying our techniques to the setting of Pass and Shelat we extend their result to any (even noncommutative) finite {ring}.

* There is no general VBB obfuscation even in the {random trapdoor permutation oracle} model. Our proof extends to any number of levels of hierarchical trapdoors.

21:17 [Pub][ePrint]

One of the most important benefits of public cloud storage is outsourcing of management and maintenance with easy accessibility and retrievability over the internet. However, outsourcing data on the cloud brings new challenges such as integrity verification and privacy of data. More concretely, once the users outsource their data on the cloud they have no longer physical control over the data and this leads to the integrity protection issue. Hence, it is crucial to guarantee proof of data storage and integrity of the outsourced data. Several pairing-based au- diting solutions have been proposed utilizing the Boneh-Lynn-Shacham (BLS) short signatures. They basically provide a desirable and efficient property of non-repudiation protocols. In this work, we propose the first ID-based privacy-preserving public auditing scheme with message recov- erable signatures. Because of message recoverable auditing scheme, the message itself is implicitly included during the verification step that was not possible in previously proposed auditing schemes. Furthermore, we point out that the algorithm suites of existing schemes is either insecure or very inefficient due to the choice of the underlying bilinear map and its baseline parameter selections. We show that our scheme is more ef- ficient than the recently proposed auditing schemes based on BLS like short signatures.

21:17 [Pub][ePrint]

Private Set Intersection (PSI) allows two parties to compute the intersection of private sets while revealing nothing more than the intersection itself. PSI needs to be applied to large data sets in scenarios such as measurement of ad conversion rates, data sharing, or contact discovery. Existing PSI protocols do not scale up well, and therefore some applications use insecure solutions instead.

We describe a new approach for designing PSI protocols based on permutation-based hashing, which enables to reduce the length of items mapped to bins while ensuring that no collisions occur. We denote this approach as Phasing, for Permutation-based Hashing Set Intersection. Phasing can dramatically improve the performance

of PSI protocols whose overhead depends on the length of the representations of input items.

We apply Phasing to design a new approach for circuit-based PSI protocols. The resulting protocol is up to 5 times faster than the previously best Sort-Compare-Shuffle circuit of Huang et al. (NDSS 2012). We also apply Phasing to the OT-based PSI protocol of Pinkas et

al. (USENIX Security 2014), which is the fastest PSI protocol to date. Together with additional improvements that reduce the computation complexity by a logarithmic factor, the resulting protocol improves run-time by a factor of up to 20 and can also have better communication overhead than the previously best PSI protocol in that respect. The new protocol is only moderately less efficient

than an insecure PSI protocol that is currently used by real-world applications, and is therefore the first secure PSI protocol that is scalable to the demands and the constraints of current real-world settings.

21:17 [Pub][ePrint]

An off-line electronic cash scheme is proposed that is suitable for

small payments. The approach is innovative, in that each coin may be

efficiently verified by the same or different merchants during payment. The scheme relies on a batch signature technique to efficiently sign and verify individually spent coins; coins may also be deposited in batch manner. The scheme outlined differs considerably from conventional micropayments schemes by servicing a number of cash-like properties, such as off-line processing, detection of double spent coins, and ability to spend at different merchants. Additionally, the scheme eliminates a number of processing overheads that are apparent to some existing micropayment schemes.

21:17 [Pub][ePrint]

In the last years, much research work has been invested into the security analysis of key alternating ciphers in the random oracle model. These are pseudorandom permutations (PRPs), sometimes also called iterated Even-Mansour ciphers, which are defined by alternatingly adding $n$-bit sub-keys $k_i$ and calling public $n$-bit permutations $P_i$. Besides the fact, that results of this kind concern the fundamental questions of understanding the nature of pseudorandomness, a practical motivation for this study is that many modern block cipher designs correspond exactly to variants of iterated Even-Mansour ciphers.

In this paper, we study similar construction for pseudorandom functions (PRFs), where additionally the access to a public $n$-bit (one-way) function $F$ is allowed. In particular, we show a sharp $n/2$-security bound for the simplest possible construction $F(x\\oplus k)$ and a sharp $2/3\\cdot n$-bound for the $FP(1)$-construction $F(P(x\\oplus k)\\oplus k)$, both in the random oracle model. The latter result contrasts with a sharp bound of the same order for $P(P(x\\oplus k)\\oplus \\pi(k))\\oplus k$, recently proved by Chen et. al.

One practical motivation for our research is due to the fact that operation modes of key stream generator based (KSG-based) stream ciphers can be modeled in a very straightforward way by FP-constructions. Our research shows a way to save KSG inner state length by using operation modes, which yield provable security beyond the birthday bound against time-space-data tradeoff attacks. For instance, we demonstrate that a slight change in the operation mode of the Bluetooth cipher (adding the session key twice in the initialization phase) raises the security w.r.t. to generic time-space-data tradeoff attacks from $n/2$ to $2/3\\cdot n$, where $n$ denotes the KSG inner state length.

21:17 [Pub][ePrint]

With the developments of mobile communication, networks and information technology, many new information service patterns and dissemination modes emerge with some security and privacy threats in access control, i.e., the ownership of data is separated from the administration of them, secondary/mutiple information distribution etc. Existing access control models, which are always proposed for some specific scenarios, are hardly to achieve fine-grained and adaptive access control. In this paper, we propose a novel Cyberspace-oriented Access Control model, termed as CoAC, which avoids the aforementioned threats by comprehensively considering some vital factors, such as the access requesting entity, general tense, access point, resource, device, networks, internet-based interactive graph and chain of resource transmission. By appropriately adjusting these factors, CoAC covers most of typical access control models and fulfills the requirements of new information service patterns and dissemination modes. We also present the administrative model of our proposed CoAC model and formally describe the administrative functions and methods used in the administrative model by utilizing Z-notation. Our CoAC is flexible and scalable, it can be further refined and expanded to figure out new opportunities and challenges in the upcoming access control techniques.

21:17 [Pub][ePrint]

Elliptic Curve Cryptography (ECC) is a popular tool to construct public-key crypto-systems.

The security of ECC is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP).

Implementing and analyzing the performance of the best known methods to solve the ECDLP is useful to assess the security of ECC and choose security parameters in practice.

We present a novel many-core hardware architecture implementing the parallel version of Pollard\'s rho algorithm

to solve the ECDLP. This architecture results in a speed-up of almost 300% compared to the state of the art and we use it to estimate the monetary cost of solving the Certicom ECCp-131 challenge using FPGAs.

21:17 [Pub][ePrint]

Many cryptographic schemes have been established based on the hardness of lattice problems. For the asymptotic efficiency, ideal lattices

in the ring of cyclotomic integers are suggested to be used in most such schemes. On the other hand in computational algebraic number theory one of the main problem

is called principle ideal problem (PIP). Its goal is to find a generators of any principle ideal in the ring of algebraic integers in any number field. In this paper we establish a polynomial time reduction from approximate shortest lattice vector problem for principle ideal lattices to their PIP\'s in many cyclotomic integer rings. Combining with the polynomial time quantum algorithm for PIP of arbitrary number fields, this implies that some approximate SVP problem for principle ideal lattices within a polynomial factor in some cyclotomic integer rings can be solved by polynomial time quantum algorithm.

21:17 [Pub][ePrint]

Secure two-party parallel coin-flipping is a cryptographic functionality that allows two mutually distrustful parties to agree on a common random bit-string of a certain target length. In coin-flipping into-a-well, one party learns the bit-string and then decides whether to abort or to allow the other party to learn it. It is well known that this functionality can be securely achieved in the ideal/real simulation paradigm, using commitment schemes that are simultaneously extractable (X) and equivocable (Q).

This paper presents two new constant-round simulatable coin-flipping protocols, based explicitly on one or a few X-commitments of short seeds and a Q-commitment of a short hash, independently of the large target length. A pseudo-random generator and a collision-resistant hash function are used to combine the separate X and Q properties (associated with short bit-strings) into a unified X&Q property amplified to the target length, thus amortizing the cost of the base commitments. In this way, the new protocols are significantly more efficient than an obvious batching or extension of coin-flippings designed (in the same security setting) for short bit-strings and based on inefficient X&Q commitments.

The first protocol, simulatable with rewinding, deviates from the traditional coin-flipping template in order to improve simulatability in case of unknown adversarial probabilities of abort, without having to use a X&Q commitment scheme. The second protocol, one-pass simulatable, derives from a new construction of a universally composable X&Q commitment scheme for large bit-strings, achieving communication-rate asymptotically close to 1. Besides the base X and Q commitments, the new commitment scheme only requires corresponding collision-resistant hashing, pseudo-random generation and application of a threshold erasure code. Alternative constructions found in recent work with comparable communication complexity require explicit use of oblivious transfer and use different encodings of the committed value.