{"title":"Automated Generation of Fault-Resistant Circuits","authors":"Nicolai Müller, Amir Moradi","doi":"10.46586/tches.v2024.i3.136-173","DOIUrl":"https://doi.org/10.46586/tches.v2024.i3.136-173","url":null,"abstract":"Fault Injection (FI) attacks, which involve intentionally introducing faults into a system to cause it to behave in an unintended manner, are widely recognized and pose a significant threat to the security of cryptographic primitives implemented in hardware, making fault tolerance an increasingly critical concern. However, protecting cryptographic hardware primitives securely and efficiently, even with well-established and documented methods such as redundant computation, can be a time-consuming, error-prone, and expertise-demanding task. In this research, we present a comprehensive and fully-automated software solution for the Automated Generation of Fault-Resistant Circuits (AGEFA). Our application employs a generic and extensively researched methodology for the secure integration of countermeasures based on Error-Correcting Codes (ECCs) into cryptographic hardware circuits. Our software tool allows designers without hardware security expertise to develop fault-tolerant hardware circuits with pre-defined correction capabilities under a comprehensive fault adversary model. Moreover, our tool applies to masked designs without violating the masking security requirements, in particular to designs generated by the tool AGEMA. We evaluate the effectiveness of our approach through experiments on various block ciphers and demonstrate its ability to produce fault-tolerant circuits. Additionally, we assess the security of examples generated by AGEFA against Side-Channel Analysis (SCA) and FI using state-of-the-art leakage and fault evaluation tools.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 4","pages":"708"},"PeriodicalIF":0.0,"publicationDate":"2024-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141826387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Correction Fault Attacks on Randomized CRYSTALS-Dilithium","authors":"Elisabeth Krahmer, Peter Pessl, Georg Land, Tim Güneysu","doi":"10.46586/tches.v2024.i3.174-199","DOIUrl":"https://doi.org/10.46586/tches.v2024.i3.174-199","url":null,"abstract":"After NIST's selection of Dilithium as the primary future standard for quantum-secure digital signatures, increased efforts to understand its implementation security properties are required to enable widespread adoption on embedded devices. Concretely, there are still many open questions regarding the susceptibility of Dilithium to fault attacks. This is especially the case for Dilithium's randomized (or hedged) signing mode, which, likely due to devastating implementation attacks on the deterministic mode, was selected as the default by NIST. This work takes steps towards closing this gap by presenting two new key-recovery fault attacks on randomized/hedged Dilithium. Both attacks are based on the idea of correcting faulty signatures after signing. A successful correction yields the value of a secret intermediate that carries information on the key. After gathering many faulty signatures and corresponding correction values, it is possible to solve for the signing key via either simple linear algebra or lattice-reduction techniques. Our first attack extends a previously published attack based on an instruction-skipping fault to the randomized setting. Our second attack injects faults in the matrix A, which is part of the public key. As such, it is not sensitive to side-channel leakage and has, potentially for this reason, not seen prior analysis regarding faults. We show that for Dilithium2, the attacks allow key recovery with as few as 1024 and 512 faulty signatures, respectively, with each signature generated by injecting a single targeted fault. We also demonstrate how our attacks can be adapted to circumvent several popular fault countermeasures with a moderate increase in the computational runtime and the number of required faulty signatures. These results are verified using both simulated faults and clock glitches on an ARM-based standard microcontroller. The presented attacks demonstrate that randomized Dilithium, too, can be subject to diverse fault attacks, that certain countermeasures might be easily bypassed, and that potential fault targets reach beyond side-channel-sensitive operations. Still, many further operations are likely also susceptible, implying the need for increased analysis efforts in the future.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 85","pages":"138"},"PeriodicalIF":0.0,"publicationDate":"2024-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141827366","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Generic SCARE: reverse engineering without knowing the algorithm nor the machine","authors":"Ronan Lashermes, Hélène Le Bouder","doi":"10.1007/s13389-024-00356-2","DOIUrl":"https://doi.org/10.1007/s13389-024-00356-2","url":null,"abstract":"","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"80 15","pages":"1395"},"PeriodicalIF":0.0,"publicationDate":"2024-05-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140964604","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Local Proofs Approaching the Witness Length","authors":"Noga Ron-Zewi, Ron D. Rothblum","doi":"10.1145/3661483","DOIUrl":"https://doi.org/10.1145/3661483","url":null,"abstract":"Interactive oracle proofs (IOPs) are a hybrid between interactive proofs and PCPs. In an IOP the prover is allowed to interact with a verifier (like in an interactive proof) by sending relatively long messages to the verifier, who in turn is only allowed to query a few of the bits that were sent (like in a PCP). Efficient IOPs are currently at the core of leading practical implementations of highly efficient proof systems. In this work we construct, for a large class of NP relations, IOPs in which the communication complexity approaches the witness length. More precisely, for any NP relation for which membership can be decided in polynomial time with bounded polynomial space (i.e., space n^ξ for some sufficiently small constant ξ > 0; e.g., SAT, Hamiltonicity, Clique, Vertex-Cover, etc.) and for any constant γ > 0, we construct an IOP with communication complexity (1 + γ) · n, where n is the original witness length. The number of rounds, as well as the number of queries made by the IOP verifier, are constant. This result improves over prior works on short IOPs/PCPs in two ways. First, the communication complexity in these short IOPs is proportional to the complexity of verifying the NP witness, which can be polynomially larger than the witness size. Second, even ignoring the difference between witness length and non-deterministic verification time, prior works incur (at the very least) a large constant multiplicative overhead to the communication complexity. In particular, as a special case, we also obtain an IOP for CircuitSAT with communication complexity (1 + γ) · t, for circuits of size t and any constant γ > 0. This improves upon the prior state-of-the-art work of Ben-Sasson et al. (ICALP, 2017), who construct an IOP for CircuitSAT with communication length c · t for a large (unspecified) constant c ≥ 1. Our proof leverages the local testability and (relaxed) local correctability of high-rate tensor codes, as well as their support of a sumcheck-like procedure. In particular, we bypass the barrier imposed by the low rate of multiplication codes (e.g., Reed-Solomon, Reed-Muller or AG codes), a key building block of all known short PCP/IOP constructions.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"53 32","pages":"1062"},"PeriodicalIF":0.0,"publicationDate":"2024-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140656800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"On the tropical two-sided discrete logarithm and a key exchange protocol based on the tropical algebra of pairs","authors":"Sulaiman Alhussaini, Craig Collett, Sergei Sergeev","doi":"10.1080/00927872.2024.2341814","DOIUrl":"https://doi.org/10.1080/00927872.2024.2341814","url":null,"abstract":"Since the existing tropical cryptographic protocols are either susceptible to the Kotov-Ushakov attack and its generalization, or to attacks based on tropical matrix periodicity and predictive behaviour, several attempts have been made to propose protocols that resist such attacks. Despite these attempts, many of the proposed protocols remain vulnerable to attacks targeting the underlying hidden problems, one of which we call the tropical two-sided discrete logarithm with shift. An illustrative case is the tropical Stickel protocol, which, when formulated with a single monomial instead of a polynomial, becomes susceptible to attacks based on solutions of the above-mentioned tropical version of the discrete logarithm. In this paper we formally introduce the tropical two-sided discrete logarithm with shift, discuss how it is solved, and subsequently demonstrate an attack on a key exchange protocol based on the tropical semiring of pairs. This particular protocol is compromised due to the existence of an efficient (albeit heuristic) solution of the tropical two-sided logarithm problem, and this highlights the ongoing challenges in the search for a \"good\" key exchange protocol in tropical cryptography.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"127 48","pages":"10"},"PeriodicalIF":0.0,"publicationDate":"2024-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140668910","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Maypoles: Lightning Striking Twice","authors":"Clara Shikhelman","doi":"10.21428/58320208.12c632db","DOIUrl":"https://doi.org/10.21428/58320208.12c632db","url":null,"abstract":"The Lightning Network (LN) is a second-layer solution built on top of Bitcoin, aimed at solving Bitcoin's long transaction waiting times and high transaction fees. Empirical and theoretical studies show that the LN is tending towards the hub-and-spoke network topology. In this topology most of the nodes, the spokes, open a single channel to one of the few well-connected nodes, the hubs. This topology is known to be prone to failures, attacks, and privacy issues. In this work we introduce the Maypoles protocol, in which most nodes open two channels instead of one. We show that this protocol benefits the network significantly by enhancing its stability, privacy, and resilience to attacks. We also examine the economic incentives of nodes to take part in Maypoles.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"51 7","pages":"1964"},"PeriodicalIF":0.0,"publicationDate":"2024-04-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140675635","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards Practical Transciphering for FHE with Setup Independent of the Plaintext Space","authors":"Pierrick Méaux, Jeongeun Park, Hilder V. L. Pereira","doi":"10.62056/anxrxrxqi","DOIUrl":"https://doi.org/10.62056/anxrxrxqi","url":null,"abstract":"Fully Homomorphic Encryption (FHE) is a powerful tool to achieve non-interactive privacy-preserving protocols with optimal computation/communication complexity. However, the main disadvantage is that the actual communication cost (bandwidth) is high due to the large size of FHE ciphertexts. As a solution, a technique called transciphering (also known as Hybrid Homomorphic Encryption) was introduced to achieve almost optimal bandwidth for such protocols. However, all existing works require clients to fix a precision for the messages or a mathematical structure for the message space beforehand. This results in unwanted constraints on the plaintext size or underlying structure of FHE-based applications. In this article, we introduce, for the first time, an approach to transciphering that does not require a fixed message precision decided by the client. In more detail, a client uses any kind of FHE-friendly symmetric cipher over {0,1} to send its input data encrypted bit-by-bit; the server can then choose a precision p depending on the application and homomorphically transform the encrypted bits into FHE ciphertexts encrypting integers in ℤ_p. To illustrate our new technique, we evaluate a transciphering using the FiLIP cipher and adapt the most practical homomorphic evaluation technique [CCS'22] to keep the latency practical. As a result, our proof-of-concept implementation for p from 2^2 to 2^8 takes only from 13 ms to 137 ms.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"62 5","pages":"1531"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140725057","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Verifiable Encryption from MPC-in-the-Head","authors":"Akira Takahashi, Greg Zaverucha","doi":"10.62056/a3wa3zl7s","DOIUrl":"https://doi.org/10.62056/a3wa3zl7s","url":null,"abstract":"Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties, or relations. It is an important building block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, and others. However, the majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations. In this work, we propose a novel framework that realizes VE protocols using zero-knowledge proof systems based on the MPC-in-the-head paradigm (Ishai et al. STOC 2007). Our generic compiler can turn a large class of zero-knowledge proofs into secure VE protocols for any secure public-key encryption scheme with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme. Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the work of the prover is focused on proving that the encrypted data satisfies the relation, not on the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about the encrypted data and encryption functions. We then consider concrete applications, to demonstrate the efficiency of our framework, by first giving a new approach and implementation to verifiably encrypt discrete logarithms in any prime-order group more efficiently than was previously known. Then we give the first practical verifiable encryption scheme for AES keys with post-quantum security, along with an implementation and benchmarks.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"61 5","pages":"1704"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140723715","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Broadcast Encryption using Sum-Product decomposition of Boolean functions","authors":"Aurélien Dupin, Simon Abelard","doi":"10.62056/av4fe0iuc","DOIUrl":"https://doi.org/10.62056/av4fe0iuc","url":null,"abstract":"The problem of Broadcast Encryption (BE) consists in broadcasting an encrypted message to a large number of users or receiving devices in such a way that the emitter of the message can control which of the users can or cannot decrypt it. Since the early 1990s, the design of BE schemes has received significant interest and many different concepts were proposed. A major breakthrough was achieved by Naor, Naor and Lotspiech (CRYPTO 2001) by cleverly partitioning the set of authorized users and associating a symmetric key to each subset. Since then, while there have been many advances in public-key BE schemes, mostly based on bilinear maps, little progress was made on symmetric-key constructions. In this paper, we design a new symmetric-key BE scheme, named ΣΠBE, that relies on logic optimization and widely accepted security assumptions. It is competitive with the work of Naor et al. and provides a different tradeoff: the bandwidth requirement is significantly lowered at the cost of an increase in key storage.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"64 3","pages":"154"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140721567","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A provably masked implementation of BIKE Key Encapsulation Mechanism","authors":"Loïc Demange, Mélissa Rossi","doi":"10.62056/aesgvua5v","DOIUrl":"https://doi.org/10.62056/aesgvua5v","url":null,"abstract":"BIKE is a post-quantum key encapsulation mechanism (KEM) selected for the 4th round of NIST's standardization campaign. It relies on the hardness of the syndrome decoding problem for quasi-cyclic codes and on the indistinguishability of the public key from a random element, and provides the most competitive performance among round 4 candidates, which makes it relevant for future real-world use cases. Analyzing its side-channel resistance has been highly encouraged by the community and several works have already outlined various side-channel weaknesses and proposed ad-hoc countermeasures. However, in contrast to the well-documented research line on masking lattice-based algorithms, the possibility of generically protecting code-based algorithms by masking has only been marginally studied, in a paper by Chen et al. (SAC 2015). At this stage of the standardization campaign, it is important to assess the possibility of fully masking the BIKE scheme and the resulting cost in terms of performance. In this work, we provide the first high-order masked implementation of a code-based algorithm. We had to tackle many issues such as finding proper ways to handle large sparse polynomials, masking the key-generation algorithm, and keeping the benefit of bitslicing. In this paper, we present all the gadgets necessary to provide a fully masked implementation of BIKE, we discuss our different implementation choices, and we propose a full proof of masking in the Ishai, Sahai and Wagner (CRYPTO 2003) model. More practically, we also provide an open-source C masked implementation of the key-generation, encapsulation and decapsulation algorithms with extensive benchmarks. While the obtained performance is slower than existing masked lattice-based algorithms, we show that masking at orders 1, 2, 3, 4 and 5 implies a performance penalty of x5.8, x14.2, x24.4, x38 and x55.6 compared to order 0 (unmasked and unoptimized BIKE). This scaling is encouraging, and no Boolean-to-arithmetic conversion has been used.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"24 11","pages":"76"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140727111","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}