Elisabeth Krahmer, Peter Pessl, Georg Land, Tim Güneysu
{"title":"Correction Fault Attacks on Randomized CRYSTALS-Dilithium","authors":"Elisabeth Krahmer, Peter Pessl, Georg Land, Tim Güneysu","doi":"10.46586/tches.v2024.i3.174-199","DOIUrl":"https://doi.org/10.46586/tches.v2024.i3.174-199","url":null,"abstract":"After NIST’s selection of Dilithium as the primary future standard for quantum-secure digital signatures, increased efforts to understand its implementation security properties are required to enable widespread adoption on embedded devices. Concretely, there are still many open questions regarding the susceptibility of Dilithium to fault attacks. This is especially the case for Dilithium’s randomized (or hedged) signing mode, which, likely due to devastating implementation attacks on the deterministic mode, was selected as the default by NIST.This work takes steps towards closing this gap by presenting two new key-recovery fault attacks on randomized/hedged Dilithium. Both attacks are based on the idea< of correcting faulty signatures after signing. A successful correction yields the value of a secret intermediate that carries information on the key. After gathering many faulty signatures and corresponding correction values, it is possible to solve for thesigning key via either simple linear algebra or lattice-reduction techniques. Our first attack extends a previously published attack based on an instruction-skipping fault to the randomized setting. Our second attack injects faults in the matrix A, which is part of the public key. As such, it is not sensitive to side-channel leakage and has, potentially for this reason, not seen prior analysis regarding faults.We show that for Dilithium2, the attacks allow key recovery with as little as 1024 and 512 faulty signatures, with each signature generated by injecting a single targeted fault. We also demonstrate how our attacks can be adapted to circumvent several popular fault countermeasures with a moderate increase in the computational runtime and the number of required faulty signatures. These results are verified using both simulated faults and clock glitches on an ARM-based standard microcontroller. The presented attacks demonstrate that also randomized Dilithium can be subject to diverse fault attacks, that certain countermeasures might be easily bypassed, and that potential fault targets reach beyond side-channel sensitive operations. Still, many further operations are likely also susceptible, implying the need for increased analysis efforts in the future.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":" 85","pages":"138"},"PeriodicalIF":0.0,"publicationDate":"2024-07-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141827366","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Local Proofs Approaching the Witness Length","authors":"Noga Ron-Zewi, Ron D. Rothblum","doi":"10.1145/3661483","DOIUrl":"https://doi.org/10.1145/3661483","url":null,"abstract":"\u0000 Interactive oracle proofs (\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 s) are a hybrid between interactive proofs and\u0000 \u0000 (mathsf {PCP} )\u0000 \u0000 s. In an\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 the prover is allowed to interact with a verifier (like in an interactive proof) by sending relatively long messages to the verifier, who in turn is only allowed to query a few of the bits that were sent (like in a\u0000 \u0000 (mathsf {PCP} )\u0000 \u0000 ). Efficient\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 s are currently at the core of leading practical implementations of highly efficient proof-systems.\u0000 \u0000 \u0000 In this work we construct, for a large class of\u0000 \u0000 (mathsf {NP} )\u0000 \u0000 relations,\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 s in which the communication complexity approaches the witness length. More precisely, for any\u0000 \u0000 (mathsf {NP} )\u0000 \u0000 relation for which membership can be decided in polynomial-time with bounded polynomial space (i.e., space\u0000 \u0000 n\u0000 ξ\u0000 \u0000 for some sufficiently small constant\u0000 ξ\u0000 > 0; e.g.,\u0000 \u0000 (mathsf {SAT} )\u0000 \u0000 ,\u0000 \u0000 (mathsf {Hamiltonicity} )\u0000 \u0000 ,\u0000 \u0000 (mathsf {Clique} )\u0000 \u0000 ,\u0000 \u0000 (mathsf {Vertextext{-}Cover} )\u0000 \u0000 , etc.) and for any constant\u0000 γ\u0000 > 0, we construct an\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 with communication complexity (1 +\u0000 γ\u0000 ) ·\u0000 n\u0000 , where\u0000 n\u0000 is the original witness length. The number of rounds, as well as the number of queries made by the\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 verifier, are constant.\u0000 \u0000 \u0000 This result improves over prior works on short\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 s/\u0000 \u0000 (mathsf {PCP} )\u0000 \u0000 s in two ways. First, the communication complexity in these short\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 s is proportional to the complexity of\u0000 verifying\u0000 the\u0000 \u0000 (mathsf {NP} )\u0000 \u0000 witness, which can be polynomially larger than the witness size. Second, even ignoring the difference between witness length and non-deterministic verification time, prior works incur (at the very least) a large constant multiplicative overhead to the communication complexity.\u0000 \u0000 \u0000 In particular, as a special case, we also obtain an\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 for\u0000 \u0000 (mathsf {CircuitSAT} )\u0000 \u0000 with communication complexity (1 +\u0000 γ\u0000 ) ·\u0000 t\u0000 , for circuits of size\u0000 t\u0000 and any constant\u0000 γ\u0000 > 0. This improves upon the prior state-of-the-art work of Ben Sasson \u0000 et al.\u0000 (ICALP, 2017) who construct an\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 for\u0000 \u0000 (mathsf {CircuitSAT} )\u0000 \u0000 with communication length\u0000 c\u0000 ·\u0000 t\u0000 for a large (unspecified) constant\u0000 c\u0000 ≥ 1.\u0000 \u0000 \u0000 Our proof leverages the local testability and (relaxed) local correctability of high-rate tensor codes, as well as their support of a sumcheck-like procedure. In particular, we bypass the barrier imposed by the low rate of\u0000 multiplication codes\u0000 (e.g., Reed-Solomon, Reed-Muller or AG codes) - a key building block of all known short\u0000 \u0000 (mathsf {PCP} )\u0000 \u0000 /\u0000 \u0000 (mathsf {IOP} )\u0000 \u0000 constructions.\u0000","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"53 32","pages":"1062"},"PeriodicalIF":0.0,"publicationDate":"2024-04-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140656800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pierrick Méaux, Jeongeun Park, Hilder V. L. Pereira
{"title":"Towards Practical Transciphering for FHE with Setup Independent of the Plaintext Space","authors":"Pierrick Méaux, Jeongeun Park, Hilder V. L. Pereira","doi":"10.62056/anxrxrxqi","DOIUrl":"https://doi.org/10.62056/anxrxrxqi","url":null,"abstract":"Fully Homomorphic Encryption (FHE) is a powerful tool to achieve non-interactive privacy preserving protocols with optimal computation/communication complexity. However, the main disadvantage is that the actual communication cost (bandwidth) is high due to the large size of FHE ciphertexts. As a solution, a technique called transciphering (also known as Hybrid Homomorphic Encryption) was introduced to achieve almost optimal bandwidth for such protocols. However, all existing works require clients to fix a precision for the messages or a mathematical structure for the message space beforehand. It results in unwanted constraints on the plaintext size or underlying structure of FHE based applications.\u0000 In this article, we introduce a new approach for transciphering which does not require fixed message precision decided by the client, for the first time. In more detail, a client uses any kind of FHE-friendly symmetric cipher for \u0000 \u0000 {\u0000 0\u0000 ,\u0000 1\u0000 }\u0000 \u0000 to send its input data encrypted bit-by-bit, then the server can choose a precision \u0000 \u0000 p\u0000 \u0000 depending on the application and homomorphically transforms the encrypted bits into FHE ciphertexts encrypting integers in \u0000 \u0000 \u0000 ℤ\u0000 p\u0000 \u0000 \u0000 . To illustrate our new technique, we evaluate a transciphering using FiLIP cipher and adapt the most practical homomorphic evaluation technique [CCS'22] to keep the practical latency. As a result, our proof-of-concept implementation for \u0000 \u0000 p\u0000 \u0000 from \u0000 \u0000 \u0000 2\u0000 2\u0000 \u0000 \u0000 to \u0000 \u0000 \u0000 2\u0000 8\u0000 \u0000 \u0000 takes only from \u0000 \u0000 13\u0000 \u0000 ms to \u0000 \u0000 137\u0000 \u0000 ms.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"62 5","pages":"1531"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140725057","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Verifiable Encryption from MPC-in-the-Head","authors":"Akira Takahashi, Greg Zaverucha","doi":"10.62056/a3wa3zl7s","DOIUrl":"https://doi.org/10.62056/a3wa3zl7s","url":null,"abstract":"Verifiable encryption (VE) is a protocol where one can provide assurance that an encrypted plaintext satisfies certain properties, or relations. It is an important building block in cryptography with many useful applications, such as key escrow, group signatures, optimistic fair exchange, and others. However, the majority of previous VE schemes are restricted to instantiation with specific public-key encryption schemes or relations. In this work, we propose a novel framework that realizes VE protocols using zero-knowledge proof systems based on the MPC-in-the-head paradigm (Ishai et al. STOC 2007). Our generic compiler can turn a large class of zero-knowledge proofs into secure VE protocols for any secure public-key encryption scheme with the undeniability property, a notion that essentially guarantees binding of encryption when used as a commitment scheme. Our framework is versatile: because the circuit proven by the MPC-in-the-head prover is decoupled from a complex encryption function, the work of the prover is focused on proving the encrypted data satisfies the relation, not the proof of plaintext knowledge. Hence, our approach allows for instantiation with various combinations of properties about the encrypted data and encryption functions. We then consider concrete applications, to demonstrate the efficiency of our framework, by first giving a new approach and implementation to verifiably encrypt discrete logarithms in any prime order group more efficiently than was previously known. Then we give the first practical verifiable encryption scheme for AES keys with post-quantum security, along with an implementation and benchmarks.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"61 5","pages":"1704"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140723715","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Broadcast Encryption using Sum-Product decomposition of Boolean functions","authors":"Aurélien Dupin, Simon Abelard","doi":"10.62056/av4fe0iuc","DOIUrl":"https://doi.org/10.62056/av4fe0iuc","url":null,"abstract":"The problem of Broadcast Encryption (BE) consists in broadcasting an encrypted message to a large number of users or receiving devices in such a way that the emitter of the message can control which of the users can or cannot decrypt it.\u0000 Since the early 1990s, the design of BE schemes has received significant interest and many different concepts were proposed. A major breakthrough was achieved by Naor, Naor and Lotspiech (CRYPTO 2001) by partitioning cleverly the set of authorized users and associating a symmetric key to each subset. Since then, while there have been many advances in public-key based BE schemes, mostly based on bilinear maps, little was made on symmetric cryptography.\u0000 In this paper, we design a new symmetric-based BE scheme, named \u0000 \u0000 Σ\u0000 Π\u0000 \u0000 BE, that relies on logic optimization and consensual security assumptions. It is competitive with the work of Naor et al. and provides a different tradeoff: the bandwidth requirement is significantly lowered at the cost of an increase in the key storage.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"64 3","pages":"154"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140721567","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Computing isogenies between finite Drinfeld modules","authors":"B. Wesolowski","doi":"10.62056/avommp-3y","DOIUrl":"https://doi.org/10.62056/avommp-3y","url":null,"abstract":"We prove that isogenies between Drinfeld F[x]-modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"68 6","pages":"438"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140724943","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Preliminary Cryptanalysis of the Biscuit Signature Scheme","authors":"Charles Bouillaguet, Julia Sauvage","doi":"10.62056/aemp-4c2h","DOIUrl":"https://doi.org/10.62056/aemp-4c2h","url":null,"abstract":"Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"37 12","pages":"148"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140726899","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"On the Efficiency of Generic, Quantum Cryptographic Constructions","authors":"Keita Xagawa","doi":"10.62056/a66c0l5vt","DOIUrl":"https://doi.org/10.62056/a66c0l5vt","url":null,"abstract":"One of the central questions in cryptology is how efficient generic constructions of cryptographic primitives can be. Gennaro, Gertner, Katz, and Trevisan [SIAM J. of Compt., 2005] studied the lower bounds of the number of invocations of a (trapdoor) one-way permutation in order to construct cryptographic schemes, e.g., pseudorandom number generators, digital signatures, and public-key and symmetric-key encryption.\u0000 Recently, quantum machines have been explored to _construct_ cryptographic primitives other than quantum key distribution. This paper studies the efficiency of _quantum_ black-box constructions of cryptographic primitives when the communications are _classical_. Following Gennaro et al., we give the lower bounds of the number of invocations of an underlying quantumly-computable quantum-one-way permutation when the _quantum_ construction of pseudorandom number generator and symmetric-key encryption is weakly black-box. Our results show that the quantum black-box constructions of pseudorandom number generator and symmetric-key encryption do not improve the number of invocations of an underlying quantumly-computable quantum-one-way permutation.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"26 1","pages":"1142"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140725374","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proximity Testing with Logarithmic Randomness","authors":"Benjamin E. Diamond, Jim Posen","doi":"10.62056/aksdkp10","DOIUrl":"https://doi.org/10.62056/aksdkp10","url":null,"abstract":"A fundamental result dating to Ligero (Des. Codes Cryptogr. '23) establishes that each fixed linear block code exhibits proximity gaps with respect to the collection of affine subspaces, in the sense that each given subspace either resides entirely close to the code, or else contains only a small portion which resides close to the code. In particular, any given subspace's failure to reside entirely close to the code is necessarily witnessed, with high probability, by a uniformly randomly sampled element of that subspace. We investigate a variant of this phenomenon in which the witness is not sampled uniformly from the subspace, but rather from a much smaller subset of it. We show that a logarithmic number of random field elements (in the dimension of the subspace) suffice to effect an analogous proximity test, with moreover only a logarithmic (multiplicative) loss in the possible prevalence of false witnesses. We discuss applications to recent noninteractive proofs based on linear codes, including Brakedown (CRYPTO '23).","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"32 6","pages":"630"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140723594","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Recovering cryptographic keys from partial information, by example","authors":"Gabrielle De Micheli, N. Heninger","doi":"10.62056/ahjbksdja","DOIUrl":"https://doi.org/10.62056/ahjbksdja","url":null,"abstract":"Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this work, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the classical public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.","PeriodicalId":508905,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"29 9","pages":"1506"},"PeriodicalIF":0.0,"publicationDate":"2024-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140727211","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
