Interpolation Cryptanalysis of Unbalanced Feistel Networks with Low Degree Round Functions

Arithmetisierungs-Orientierte Symmetrische Primitive (AOSPs) sprechen das bestehende Optimierungspotential bei der Auswertung von Blockchiffren und Hashfunktionen als Bestandteil von sicherer Mehrparteienberechnung, voll-homomorpher Verschlüsselung und Zero-Knowledge-Beweisen an. Die Konstruktionsweise von AOSPs unterscheidet sich von traditionellen Primitiven durch die Verwendung von algebraisch simplen Elementen. Zusätzlich sind viele Entwürfe über Primkörpern statt über Bits definiert. Aufgrund der Neuheit der Vorschläge sind eingehendes Verständnis und ausgiebige Analyse erforderlich um ihre Sicherheit zu etablieren. Algebraische Analysetechniken wie zum Beispiel Interpolationsangriffe sind die erfolgreichsten Angriffsvektoren gegen AOSPs. In dieser Arbeit generalisieren wir eine existierende Analyse, die einen Interpolationsangriff mit geringer Speicherkomplexität verwendet, um das Entwurfsmuster der neuen Chiffre GMiMC und ihrer zugehörigen Hashfunktion GMiMCHash zu untersuchen. Wir stellen eine neue Methode zur Berechnung des Schlüssels basierend auf Nullstellen eines Polynoms vor, demonstrieren Verbesserungen für die Komplexität des Angriffs durch Kombinierung mehrere Ausgaben, und wenden manche der entwickelten Techniken in einem algebraischen Korrigierender-Letzter-Block Angriff der Schwamm-Konstruktion an. Wir beantworten die offene Frage einer früheren Arbeit, ob die verwendete Art von Interpolationsangriffen generalisierbar ist, positiv. Wir nennen konkrete empfohlene untere Schranken für Parameter in den betrachteten Szenarien. Außerdem kommen wir zu dem Schluss dass GMiMC und GMiMCHash gegen die in dieser Arbeit betrachteten Interpolationsangriffe sicher sind. Weitere kryptanalytische Anstrengungen sind erforderlich um die Sicherheitsgarantien von AOSPs zu festigen

Quantum Cryptography Beyond Quantum Key Distribution

Quantum cryptography is the art and science of exploiting quantum mechanical effects in order to perform cryptographic tasks. While the most well-known example of this discipline is quantum key distribution (QKD), there exist many other applications such as quantum money, randomness generation, secure two- and multi-party computation and delegated quantum computation. Quantum cryptography also studies the limitations and challenges resulting from quantum adversaries---including the impossibility of quantum bit commitment, the difficulty of quantum rewinding and the definition of quantum security models for classical primitives. In this review article, aimed primarily at cryptographers unfamiliar with the quantum world, we survey the area of theoretical quantum cryptography, with an emphasis on the constructions and limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference

A Primer on Cryptographic Multilinear Maps and Code Obfuscation

The construction of cryptographic multilinear maps and a general-purpose code obfuscator were two long-standing open problems in cryptography. It has been clear for a number of years that constructions of these two primitives would yield many interesting applications. This thesis describes the Coron-Lepoint-Tibouchi candidate construction for multilinear maps, as well as new candidates for code obfuscation. We give an overview of current multilinear and obfuscation research, and present some relevant applications. We also provide some examples and warnings regarding the inefficiency of the new constructions. The presentation is self-contained and should be accessible to the novice reader

Integer Polynomial Recovery from Outputs and its Application to Cryptanalysis of a Protocol for Secure Sorting

{We investigate the problem of recovering integer inputs (up to an affine scaling) when given only the integer monotonic polynomial outputs. Given $n$ integer outputs of a degree-$d$ integer monotonic polynomial whose coefficients and inputs are integers within known bounds and $n \gg d$, we give an algorithm to recover the polynomial and the integer inputs (up to an affine scaling). A heuristic expected time complexity analysis of our method shows that it is exponential in the size of the degree of the polynomial but polynomial in the size of the polynomial coefficients. We conduct experiments with real-world data as well as randomly chosen parameters and demonstrate the effectiveness of our algorithm over a wide range of parameters. Using only the polynomial evaluations at specific integer points, the apparent hardness of recovering the input data served as the basis of security of a recent protocol proposed by Kesarwani et al. for secure $k$-nearest neighbour computation on encrypted data that involved secure sorting. The protocol uses the outputs of randomly chosen monotonic integer polynomial to hide its inputs except to only reveal the ordering of input data. Using our integer polynomial recovery algorithm, we show that we can recover the polynomial and the inputs within a few seconds, thereby demonstrating an attack on the protocol of Kesarwani et al

Can We Access a Database Both Locally and Privately?

We consider the following strong variant of private information retrieval (PIR). There is a large database x that we want to make publicly available. To this end, we post an encoding X of x together with a short public key pk in a publicly accessible repository. The goal is to allow any client who comes along to retrieve a chosen bit x_i by reading a small number of bits from X, whose positions may be randomly chosen based on i and pk, such that even an adversary who can fully observe the access to X does not learn information about i. Towards solving the above problem, we study a weaker secret key variant where the data is encoded and accessed by the same party. This primitive, that we call an oblivious locally decodable code (OLDC), is independently motivated by applications such as searchable sym- metric encryption. We reduce the public-key variant of PIR to OLDC using an ideal form of obfuscation that can be instantiated heuristically with existing indistinguishability obfuscation candidates, or alternatively implemented with small and stateless tamper-proof hardware. Finally, a central contribution of our work is the first proposal of an OLDC candidate. Our candidate is based on a secretly permuted Reed-Muller code. We analyze the security of this candidate against several natural attacks and leave its further study to future work

Security, Scalability and Privacy in Applied Cryptography

In the modern digital world, cryptography finds its place in countless applications. However, as we increasingly use technology to perform potentially sensitive tasks, our actions and private data attract, more than ever, the interest of ill-intentioned actors. Due to the possible privacy implications of cryptographic flaws, new primitives’ designs need to undergo rigorous security analysis and extensive cryptanalysis to foster confidence in their adoption. At the same time, implementations of cryptographic protocols should scale on a global level and be efficiently deployable on users’ most common devices to widen the range of their applications. This dissertation will address the security, scalability and privacy of cryptosystems by presenting new designs and cryptanalytic results regarding blockchain cryptographic primitives and public-key schemes based on elliptic curves. In Part I, I will present the works I have done in regards to accumulator schemes. More precisely, in Chapter 2, I cryptanalyze Au et al. Dynamic Universal Accumulator, by showing some attacks which can completely take over the authority who manages the accumulator. In Chapter 3, I propose a design for an efficient and secure accumulator-based authentication mechanism, which is scalable, privacy-friendly, lightweight on the users’ side, and suitable to be implemented on the blockchain. In Part II, I will report some cryptanalytical results on primitives employed or considered for adoption in top blockchain-based cryptocurrencies. In particular, in Chapter 4, I describe how the zero-knowledge proof system and the commitment scheme adopted by the privacy-friendly cryptocurrency Zcash, contain multiple subliminal channels which can be exploited to embed several bytes of tagging information in users’ private transactions. In Chapter 5, instead, I report the cryptanalysis of the Legendre PRF, employed in a new consensus mechanism considered for adoption by the blockchain-based platform Ethereum, and attacks for further generalizations of this pseudo-random function, such as the Higher-Degree Legendre PRF, the Jacobi Symbol PRF, and the Power-Residue PRF. Lastly, in Part III, I present my line of research on public-key primitives based on elliptic curves. In Chapter 6, I will describe a backdooring procedure for primes so that whenever they appear as divisors of a large integer, the latter can be efficiently factored. This technique, based on elliptic curves Complex Multiplication theory, enables to eventually generate non-vulnerable certifiable semiprimes with unknown factorization in a multi-party computation setting, with no need to run a statistical semiprimality test common to other protocols. In Chapter 7, instead, I will report some attack optimizations and specific implementation design choices that allow breaking a reduced-parameters instance, proposed by Microsoft, of SIKE, a post-quantum key-encapsulation mechanism based on isogenies between supersingular elliptic curves

The Theory and Applications of Homomorphic Cryptography

Homomorphic cryptography provides a third party with the ability to perform simple computations on encrypted data without revealing any information about the data itself. Typically, a third party can calculate one of the encrypted sum or the encrypted product of two encrypted messages. This is possible due to the fact that the encryption function is a group homomorphism, and thus preserves group operations. This makes homomorphic cryptosystems useful in a wide variety of privacy preserving protocols. A comprehensive survey of known homomorphic cryptosystems is provided, including formal definitions, security assumptions, and outlines of security proofs for each cryptosystem presented. Threshold variants of several homomorphic cryptosystems are also considered, with the first construction of a threshold Boneh-Goh-Nissim cryptosystem given, along with a complete proof of security under the threshold semantic security game of Fouque, Poupard, and Stern. This approach is based on Shoup's approach to threshold RSA signatures, which has been previously applied to the Paillier and Damg\aa rd-Jurik cryptosystems. The question of whether or not this approach is suitable for other homomorphic cryptosystems is investigated, with results suggesting that a different approach is required when decryption requires a reduction modulo a secret value. The wide variety of protocols utilizing homomorphic cryptography makes it difficult to provide a comprehensive survey, and while an overview of applications is given, it is limited in scope and intended to provide an introduction to the various ways in which homomorphic cryptography is used beyond simple addition or multiplication of encrypted messages. In the case of strong conditional oblivious tranfser, a new protocol implementing the greater than predicate is presented, utilizing some special properties of the Boneh-Goh-Nissim cryptosystem to achieve security against a malicious receiver

Multi-Party Homomorphic Secret Sharing and Sublinear MPC from Sparse LPN

Over the past few years, homomorphic secret sharing (HSS) emerged as a compelling alternative to fully homomorphic encryption (FHE), due to its feasibility from an array of standard assumptions and its potential efficiency benefits. However, all known HSS schemes, with the exception of schemes built from FHE or indistinguishability obfuscation (iO), can only support two or four parties. In this work, we give the first construction of a multi-party HSS scheme for a non-trivial function class, from an assumption not known to imply FHE. In particular, we construct an HSS scheme for an arbitrary number of parties with an arbitrary corruption threshold, supporting evaluations of multivariate polynomials of degree $\log / \log \log$ over arbitrary finite fields. As a consequence, we obtain a secure multiparty computation (MPC) protocol for any number of parties, with (slightly) sub-linear per-party communication of roughly $O(S / \log \log S)$ bits when evaluating a layered Boolean circuit of size $S$. Our HSS scheme relies on the Sparse Learning Parity with Noise assumption, a standard variant of LPN with a sparse public matrix that has been studied and used in prior works. Thanks to this assumption, our construction enjoys several unique benefits. In particular, it can be built on top of any linear secret sharing scheme, producing noisy output shares that can be error-corrected by the decoder. This yields HSS for low-degree polynomials with optimal download rate. Unlike prior works, our scheme also has a low computation overhead in that the per-party computation of a constant degree polynomial takes $O(M)$ work, where $M$ is the number of monomials