15 results sorted by ID
Cryptanalysis of the Peregrine Lattice-Based Signature Scheme
Xiuhan Lin, Moeto Suzuki, Shiduo Zhang, Thomas Espitau, Yang Yu, Mehdi Tibouchi, Masayuki Abe
Attacks and cryptanalysis
The Peregrine signature scheme is one of the candidates in the ongoing Korean post-quantum cryptography competition. It is proposed as a high-speed variant of Falcon, which is a hash-and-sign signature scheme over NTRU lattices and one of the schemes selected by NIST for standardization. To this end, Peregrine replaces the lattice Gaussian sampler in the Falcon signing procedure with a new sampler based on the centered binomial distribution. While this modification offers significant...
Multi-Stage Group Key Distribution and PAKEs: Securing Zoom Groups against Malicious Servers without New Security Elements
Cas Cremers, Eyal Ronen, Mang Zhao
Cryptographic protocols
Video conferencing apps like Zoom have hundreds of millions of daily users, making them a high-value target for surveillance and subversion. While such apps claim to achieve some forms of end-to-end encryption, they usually assume an incorruptible server that is able to identify and authenticate all the parties in a meeting. Concretely this means that, e.g., even when using the “end-to-end encrypted” setting, malicious Zoom servers could eavesdrop or impersonate in arbitrary groups.
In...
Unconditionally secure ciphers with a short key for a source with unknown statistics
Boris Ryabko
Secret-key cryptography
We consider the problem of constructing an unconditionally secure cipher with a short key for the case where the probability distribution of encrypted messages is unknown. Note that unconditional security means that an adversary with no computational constraints can obtain only a negligible amount of information ("leakage") about an encrypted message (without knowing the key).
Here we consider the case of a priori (partially) unknown message source statistics.
More specifically, the...
Non-Interactive Blind Signatures for Random Messages
Lucjan Hanzlik
Public-key cryptography
Blind signatures allow a signer to issue signatures on messages chosen by the signature recipient. The main property is that the recipient's message is hidden from the signer. There are many applications, including Chaum's e-cash system and Privacy Pass, where no special distribution of the signed message is required, and the message can be random. Interestingly, existing notions do not consider this practical use case separately.
In this paper, we show that constraining the recipient's...
Portunus: Re-imagining access control in distributed systems
Watson Ladd, Tanya Verma, Marloes Venema, Armando Faz Hernandez, Brendan McMillion, Avani Wildani, Nick Sullivan
Applications
TLS termination, which is essential to network and security infrastructure providers, is an extremely latency sensitive operation that benefits from access to sensitive key material close to the edge. However, increasing regulatory concerns prompt customers to demand sophisticated controls on where their keys may be accessed. While traditional access-control solutions rely on a highly available centralized process to enforce access, the round-trip latency and
decreased fault tolerance make...
Shorter Hash-and-Sign Lattice-Based Signatures
Thomas Espitau, Mehdi Tibouchi, Alexandre Wallet, Yang Yu
Public-key cryptography
Lattice-based digital signature schemes following the hash-and-sign design paradigm of Gentry, Peikert and Vaikuntanathan (GPV) tend to offer an attractive level of efficiency, particularly when instantiated with structured compact trapdoors. In particular, NIST postquantum finalist Falcon is both quite fast for signing and verification and quite compact: NIST notes that it has the smallest bandwidth (as measured in combined size of public key and signature) of all round 2 digital signature...
Quantum cryptography based on an algorithm for determining simultaneously all the mappings of a Boolean function
Koji Nagata, Renata Wong, Do Ngoc Diep, Tadao Nakamura
Secret-key cryptography
We study a quantum cryptography based on
an algorithm for determining simultaneously all the mappings of a Boolean function using an
entangled state.
The security of our cryptography is based on the Ekert 1991 protocol,
which uses an entangled state.
Eavesdropping destroys the entanglement.
Alice selects a secret function from the number of possible function types.
Bob's aim is then to determine the selected function
(a key) without an eavesdropper learning it.
In order for...
On Rejection Sampling Algorithms for Centered Discrete Gaussian Distribution over Integers
Yusong Du, Baodian Wei
Lattice-based cryptography has been accepted as a promising candidate for public key cryptography in the age of quantum computing. Discrete Gaussian sampling is one of fundamental operations in many lattice-based cryptosystems. In this paper, we discuss a sub-problem of discrete Gaussian sampling, which is to sample from a centered discrete Gaussian distribution over the integers with positive standard deviation and zero center. We propose three alternative rejection sampling algorithms for...
High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority
Toshinori Araki, Jun Furukawa, Yehuda Lindell, Ariel Nof, Kazuma Ohara
Cryptographic protocols
In this paper, we describe a new information-theoretic protocol (and a computationally-secure variant) for secure {\em three}-party computation with an honest majority. The protocol has very minimal computation and communication; for Boolean circuits, each party sends only a single bit for every AND gate (and nothing is sent for XOR gates). Our protocol is (simulation-based) secure in the presence of semi-honest adversaries, and achieves privacy in the client/server model in the presence of...
Revocation in Publicly Verifiable Outsourced Computation
James Alderman, Christian Janson, Carlos Cid, Jason Crampton
Cryptographic protocols
The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result.
In this work, we...
New and Improved Key-Homomorphic Pseudorandom Functions
Abhishek Banerjee, Chris Peikert
Foundations
A \emph{key-homomorphic} pseudorandom function (PRF) family
$\set{F_{s} \colon D \to R}$ allows one to efficiently compute the
value $F_{s+t}(x)$ given $F_{s}(x)$ and $F_{t}(x)$. Such functions
have many applications, such as distributing the operation of a
key-distribution center and updatable symmetric encryption. The only
known construction of key-homomorphic PRFs without random oracles, due
to Boneh \etal (CRYPTO~2013), is based on the learning with errors
(\lwe) problem and hence on...
A Privacy-Flexible Password Authentication Scheme for Multi-Server Environment
Jue-Sam Chou, Yalin Chen, Chun-Hui Huang
Cryptographic protocols
Since Kerberos suffers from KDC (Key Distribution Center) compromise and impersonation attack, a multi-server password authentication protocol which highlights no verification table in the server end could therefore be an alternative. Typically, there are three roles in a multi-server password authentication protocol: clients, servers, and a register center which plays the role like KDC in Kerberos. In this paper, we exploit the theoretical basis for implementing a multi-server password...
The Average Transmission Overhead of Broadcast Encryption
Sarang Aravamuthan, Sachin Lodha
Applications
We consider broadcast encryption schemes wherein a center needs to
broadcast a secret message to a privileged set of receivers. We
prescribe a probability distribution $P$ on the privileged set. In
this setting, the transmission overhead can be viewed as a random
variable over $P$ and we define its expected value as the average transmission overhead (or ato).
Given $P$, the Shannon's entropy function $H(.)$ provides a lower
bound on the average number of bits required to identify...
Cryptanalysis of Threshold-Multisignature schemes
Lifeng Guo
Cryptographic protocols
In [1], Li et al. proposed a new
type of signature scheme, called the $(t,n)$
threshold-mutisignature scheme. The first one needs a mutually
trusted share distribution center (SDC) while the second one does
not. In this paper, we present a security analysis on their second
schemes. We point out that their second threshold-multisignature
scheme is vulnerable to universal forgery by an insider attacker
under reasonable assumptions. In our attack, $(n-t+1)$ colluding
members can control the...
Cryptanalysis of Threshold-Multisignature Schemes
Lifeng Guo
Cryptographic protocols
In [1], Li et al. proposed a new
type of signature scheme, called the $(t,n)$
threshold-mutisignature scheme. The first one needs a mutually
trusted share distribution center (SDC) while the second one does
not. In this paper, we present a security analysis on their second
schemes. We point out that their second threshold-multisignature
scheme is vulnerable to universal forgery by an insider attacker
under reasonable assumptions. In our attack, $(n-t+1)$ colluding
members can control the...
The Peregrine signature scheme is one of the candidates in the ongoing Korean post-quantum cryptography competition. It is proposed as a high-speed variant of Falcon, which is a hash-and-sign signature scheme over NTRU lattices and one of the schemes selected by NIST for standardization. To this end, Peregrine replaces the lattice Gaussian sampler in the Falcon signing procedure with a new sampler based on the centered binomial distribution. While this modification offers significant...
Video conferencing apps like Zoom have hundreds of millions of daily users, making them a high-value target for surveillance and subversion. While such apps claim to achieve some forms of end-to-end encryption, they usually assume an incorruptible server that is able to identify and authenticate all the parties in a meeting. Concretely this means that, e.g., even when using the “end-to-end encrypted” setting, malicious Zoom servers could eavesdrop or impersonate in arbitrary groups. In...
We consider the problem of constructing an unconditionally secure cipher with a short key for the case where the probability distribution of encrypted messages is unknown. Note that unconditional security means that an adversary with no computational constraints can obtain only a negligible amount of information ("leakage") about an encrypted message (without knowing the key). Here we consider the case of a priori (partially) unknown message source statistics. More specifically, the...
Blind signatures allow a signer to issue signatures on messages chosen by the signature recipient. The main property is that the recipient's message is hidden from the signer. There are many applications, including Chaum's e-cash system and Privacy Pass, where no special distribution of the signed message is required, and the message can be random. Interestingly, existing notions do not consider this practical use case separately. In this paper, we show that constraining the recipient's...
TLS termination, which is essential to network and security infrastructure providers, is an extremely latency sensitive operation that benefits from access to sensitive key material close to the edge. However, increasing regulatory concerns prompt customers to demand sophisticated controls on where their keys may be accessed. While traditional access-control solutions rely on a highly available centralized process to enforce access, the round-trip latency and decreased fault tolerance make...
Lattice-based digital signature schemes following the hash-and-sign design paradigm of Gentry, Peikert and Vaikuntanathan (GPV) tend to offer an attractive level of efficiency, particularly when instantiated with structured compact trapdoors. In particular, NIST postquantum finalist Falcon is both quite fast for signing and verification and quite compact: NIST notes that it has the smallest bandwidth (as measured in combined size of public key and signature) of all round 2 digital signature...
We study a quantum cryptography based on an algorithm for determining simultaneously all the mappings of a Boolean function using an entangled state. The security of our cryptography is based on the Ekert 1991 protocol, which uses an entangled state. Eavesdropping destroys the entanglement. Alice selects a secret function from the number of possible function types. Bob's aim is then to determine the selected function (a key) without an eavesdropper learning it. In order for...
Lattice-based cryptography has been accepted as a promising candidate for public key cryptography in the age of quantum computing. Discrete Gaussian sampling is one of fundamental operations in many lattice-based cryptosystems. In this paper, we discuss a sub-problem of discrete Gaussian sampling, which is to sample from a centered discrete Gaussian distribution over the integers with positive standard deviation and zero center. We propose three alternative rejection sampling algorithms for...
In this paper, we describe a new information-theoretic protocol (and a computationally-secure variant) for secure {\em three}-party computation with an honest majority. The protocol has very minimal computation and communication; for Boolean circuits, each party sends only a single bit for every AND gate (and nothing is sent for XOR gates). Our protocol is (simulation-based) secure in the presence of semi-honest adversaries, and achieves privacy in the client/server model in the presence of...
The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result. In this work, we...
A \emph{key-homomorphic} pseudorandom function (PRF) family $\set{F_{s} \colon D \to R}$ allows one to efficiently compute the value $F_{s+t}(x)$ given $F_{s}(x)$ and $F_{t}(x)$. Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh \etal (CRYPTO~2013), is based on the learning with errors (\lwe) problem and hence on...
Since Kerberos suffers from KDC (Key Distribution Center) compromise and impersonation attack, a multi-server password authentication protocol which highlights no verification table in the server end could therefore be an alternative. Typically, there are three roles in a multi-server password authentication protocol: clients, servers, and a register center which plays the role like KDC in Kerberos. In this paper, we exploit the theoretical basis for implementing a multi-server password...
We consider broadcast encryption schemes wherein a center needs to broadcast a secret message to a privileged set of receivers. We prescribe a probability distribution $P$ on the privileged set. In this setting, the transmission overhead can be viewed as a random variable over $P$ and we define its expected value as the average transmission overhead (or ato). Given $P$, the Shannon's entropy function $H(.)$ provides a lower bound on the average number of bits required to identify...
In [1], Li et al. proposed a new type of signature scheme, called the $(t,n)$ threshold-mutisignature scheme. The first one needs a mutually trusted share distribution center (SDC) while the second one does not. In this paper, we present a security analysis on their second schemes. We point out that their second threshold-multisignature scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions. In our attack, $(n-t+1)$ colluding members can control the...
In [1], Li et al. proposed a new type of signature scheme, called the $(t,n)$ threshold-mutisignature scheme. The first one needs a mutually trusted share distribution center (SDC) while the second one does not. In this paper, we present a security analysis on their second schemes. We point out that their second threshold-multisignature scheme is vulnerable to universal forgery by an insider attacker under reasonable assumptions. In our attack, $(n-t+1)$ colluding members can control the...