12 research outputs found

    Efficient asynchronous accumulators for distributed PKI

    Cryptographic accumulators are a tool for compact set representation and secure set membership proofs. When an element is added to a set by means of an accumulator, a membership witness is generated. This witness can later be used to prove the membership of the element. Typically, the membership witness has to be synchronized with the accumulator value, and to be updated every time another element is added to the accumulator. In this work we propose an accumulator that, unlike any prior scheme, does not require strict synchronization. In our construction a membership witness needs to be updated only a logarithmic number of times in the number of subsequent element additions. Thus, an out-of-date witness can be easily made current. Vice versa, a verifier with an out-of-date accumulator value can still verify a current membership witness. These properties make our accumulator construction uniquely suited for use in distributed applications, such as blockchain-based public key infrastructures.

    Indistinguishability Obfuscation: From Approximate to Exact

    We show general transformations from subexponentially-secure approximate indistinguishability obfuscation (IO), where the obfuscated circuit agrees with the original circuit on a 1/2+ε fraction of inputs on a certain samplable distribution, into exact indistinguishability obfuscation, where the obfuscated circuit and the original circuit agree on all inputs. As a step towards our results, which is of independent interest, we also obtain an approximate-to-exact transformation for functional encryption. At the core of our techniques is a method for "fooling" the obfuscator into giving us the correct answer, while preserving the indistinguishability-based security. This is achieved based on various types of secure computation protocols that can be obtained from different standard assumptions. Put together with the recent results of Canetti, Kalai and Paneth (TCC 2015), Pass and Shelat (TCC 2016), and Mahmoody, Mohammed and Nemathaji (TCC 2016), we show how to convert indistinguishability obfuscation schemes in various ideal models into exact obfuscation schemes in the plain model.
    Funding: National Science Foundation (U.S.) (Grant CNS-1350619); National Science Foundation (U.S.) (Grant CNS-1414119).

    Securing Update Propagation with Homomorphic Hashing

    In database replication, ensuring consistency when propagating updates is a challenging and extensively studied problem. However, the problem of securing update propagation against malicious adversaries has received less attention in the literature. This consideration becomes especially relevant when sending updates across a large network of untrusted peers. In this paper we formalize the problem of secure update propagation and propose a system that allows a centralized distributor to propagate signed updates across a network while adding minimal overhead to each transaction. We show that our system is secure (in the random oracle model) against an attacker who can maliciously modify any update and its signature. Our approach relies on the use of a cryptographic primitive known as homomorphic hashing, introduced by Bellare, Goldreich, and Goldwasser. We make our study of secure update propagation concrete with an instantiation of the lattice-based homomorphic hash LtHash of Bellare and Micciancio. We provide a detailed security analysis of the collision resistance of LtHash, and we implement LtHash using a selection of parameters that gives at least 200 bits of security. Our implementation has been deployed to secure update propagation in production at Facebook, and is included in the Folly open-source library.

    Four-Round Concurrent Non-Malleable Commitments from One-Way Functions

    How many rounds and which assumptions are required for concurrent non-malleable commitments? The above question has puzzled researchers for several years. Pass in [TCC 2013] showed a lower bound of 3 rounds for the case of black-box reductions to falsifiable hardness assumptions with respect to polynomial-time adversaries. On the other side, Goyal [STOC 2011], Lin and Pass [STOC 2011] and Goyal et al. [FOCS 2012] showed that one-way functions (OWFs) are sufficient with a constant number of rounds. More recently, Ciampi et al. [CRYPTO 2016] showed a 3-round construction based on subexponentially strong one-way permutations. In this work we show as our main result the first 4-round concurrent non-malleable commitment scheme assuming the existence of any one-way function. Our approach builds on a new security notion for argument systems against man-in-the-middle attacks: Simulation-Witness-Independence. We show how to construct a 4-round one-many simulation-witness-independent argument system from one-way functions. We then combine this new tool in parallel with a weak form of non-malleable commitments constructed by Goyal et al. in [FOCS 2014], obtaining the main result of our work.

    Weak Zero-Knowledge Beyond the Black-Box Barrier

    The round complexity of zero-knowledge protocols is a long-standing open question, yet to be settled under standard assumptions. So far, the question has appeared equally challenging for relaxations such as weak zero-knowledge and witness hiding. Protocols satisfying these relaxed notions under standard assumptions have at least four messages, just like full-fledged zero knowledge. The difficulty in improving round complexity stems from a fundamental barrier: none of these notions can be achieved in three messages via reductions (or simulators) that treat the verifier as a black box. We introduce a new non-black-box technique and use it to obtain the first protocols that cross this barrier under standard assumptions. Our main results are:
    * Weak zero-knowledge for NP in two messages, assuming quasipolynomially-secure fully-homomorphic encryption and other standard primitives (known from quasipolynomial hardness of Learning with Errors), as well as subexponentially-secure one-way functions.
    * Weak zero-knowledge for NP in three messages under standard polynomial assumptions (following for example from fully-homomorphic encryption and factoring).
    We also give, under polynomial assumptions, a two-message witness-hiding protocol for any language L ∈ NP that has a witness encryption scheme. This protocol is also publicly verifiable. Our technique is based on a new homomorphic trapdoor paradigm, which can be seen as a non-black-box analog of the classic Feige-Lapidot-Shamir trapdoor paradigm.

    4-Round Concurrent Non-Malleable Commitments from One-Way Functions

    How many rounds and which computational assumptions are needed for concurrent non-malleable commitments? The above question has puzzled researchers for several years. Recently, Pass in [TCC 2013] proved a lower bound of 3 rounds when security is proven through black-box reductions to falsifiable assumptions. On the other side, positive results of Goyal [STOC 2011], Lin and Pass [STOC 2011] and Goyal et al. [FOCS 2012] showed that one-way functions are sufficient with a constant (at least 6) number of rounds. More recently, Ciampi et al. [CRYPTO 2016] showed that subexponentially strong one-way permutations are sufficient with just 3 rounds. In this work we almost close the above open question by showing a 4-round concurrent non-malleable commitment scheme that only needs one-way functions. Our main technique consists in showing how to upgrade basic forms of non-malleability (i.e., non-malleability w.r.t. non-aborting adversaries) to full-fledged non-malleability without penalizing the round complexity.

    Hardware Attacks against Hash-based Cryptographic Algorithms

    This thesis surveys the current state of the art of hash-based cryptography with a view to finding vulnerabilities related to side-channel attacks and fault attacks. For the side-channel investigation, we analyzed the power consumption of an Arduino Due microcontroller running a custom ARM implementation of SPHINCS-256, the most advanced digital signature scheme based on hash functions. Simple power analysis (SPA) was applied on a single trace to obtain a first insight into the implementation, and then on multiple traces to identify an initial data dependence of the power consumption on the hash functions involved in the instance. Based on this result, differential power analysis (DPA), with difference of means, V-test, and Pearson correlation, was applied to further investigate the leakage relating to BLAKE-256, as this function is used within SPHINCS-256 several times with the same secret key but applied on different known addresses. Concerning fault attacks, using instances of one-time signatures (OTS) or few-times signatures (FTS) to sign the same message has been shown to theoretically make many schemes, such as LD-OTS, W-OTS, and HORS, existentially forgeable with non-invasive attacks. These vulnerabilities are fatal for the Merkle signature schemes which implement the tree chaining method (CMSS). When the schemes provide n/2 = 128 bits of quantum security, a universal forgery can be created with around q = 20 different faulty signatures. This thesis demonstrates a practical application of fault attacks to create this universal forgery using voltage glitching on the previously mentioned ARM implementation of SPHINCS-256. An invasive attack performing key recovery against W-OTS by forcing bits of two quantities to be zero is also described. Countermeasures to thwart all the described attacks are discussed.

    Decentralized Anonymous Payments

    Decentralized payment systems such as Bitcoin record monetary transactions between pseudonyms in an append-only ledger known as a blockchain. Because the ledger is public, permanent, and readable by anyone, a user's privacy depends solely on the difficulty of linking pseudonymous transactions either to each other or to real identities. Both academic work and commercial services have shown that such linking is, in fact, very easy. Anyone at any point in the future can download a user's transaction history and analyze it. In this work, we propose and implement privacy-preserving coins, payments, and payment channels that can be built atop a ledger. In particular we propose:
    * Zerocoin: A blockchain-based protocol for breaking the link between a transaction that receives non-anonymous funds and the subsequent transaction that spends it.
    * Zerocash: The successor to Zerocoin, a blockchain-based payment system supporting anonymous payments of arbitrary hidden value to other parties. While payments are recorded publicly in the blockchain, they reveal almost nothing else: the recipient learns only the amount paid but not the source, and anyone else learns only that a payment of some value to someone took place.
    * Bolt: A payment channel protocol that allows two parties to anonymously and securely make many unlinkable payments while only posting two messages to the blockchain. This protocol provides for instant payments while providing drastically improved scalability, as every transaction is no longer recorded in the blockchain.

    Practical Zero-Knowledge Arguments from Structured Reference Strings

    Zero-knowledge proofs have become an important tool for addressing privacy and scalability concerns in cryptographic protocols. For zero-knowledge proofs used in blockchain applications, it is desirable to have small proof sizes and fast verification. Yet by design, existing constructions with these properties such as zk-SNARKs also have a secret trapdoor embedded in a relation-dependent structured reference string (SRS). Knowledge of this trapdoor suffices to break the security of these proofs. The SRSs required by zero-knowledge proofs are usually constructed with multiparty computation protocols, but the resulting parameters are specific to each individual circuit. In this thesis, we propose a model for constructing zero-knowledge arguments (i.e. zero-knowledge proofs with computational soundness) in which the generation of the SRS is directly considered in the security analysis. In our model the same SRS can be used across multiple applications. Further, the model is updatable, i.e. users can update the universal SRS, and the SRS is considered secure provided at least one of these users is honest. We propose two zero-knowledge arguments with updatable and universal SRSs, as well as a third which is neither updatable nor universal, but which through similar techniques achieves simulation extractability. The proposed arguments are practical, with proof sizes never more than a constant number of group elements. Verification for two of our constructions consists of a small number of pairing operations. For our other construction, which has the desirable property of a linear-sized updatable and universal SRS, we describe efficient batching techniques so that verification is fast in the amortised setting.