
    HB^N: An HB-like protocol secure against man-in-the-middle attacks

    We construct a simple authentication protocol, secure against man-in-the-middle attacks, whose security is based solely on the Learning Parity with Noise (LPN) problem. Our protocol is suitable for RFID devices, whose limited circuit size and power constraints rule out heavier operations such as modular exponentiation. The protocol is extremely simple: both parties compute a noisy bilinear function of their inputs. The proof, however, is quite technical, and we believe that some of our technical tools may be of independent interest.
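    To show what "both parties compute a noisy bilinear function of their inputs" looks like as a protocol exchange, here is an added toy example; it is not the paper's HB^N specification (the abstract does not give the message format or parameters). The reader sends a challenge a, the tag answers with a blinding vector b and z = b^T S a XOR e for a shared secret matrix S and LPN noise e, and the reader accepts when few rounds disagree. The parameter values, the matrix-as-key layout and the acceptance threshold are assumptions for illustration and give no real security.

```python
import random

# Toy parameters, assumed for illustration only (far too small for real security):
# the paper's HB^N parameter choices and exact message format are not reproduced here.
N_BITS = 64                  # length of challenge and blinding vectors
NOISE_NUM, NOISE_DEN = 1, 8  # tag flips each response bit with probability tau = 1/8
ROUNDS = 256                 # parallel repetitions of the basic round
THRESHOLD = 64               # accept if at most 1/4 of the ROUNDS responses disagree

DEFAULT_RNG = random.SystemRandom()


def keygen(rng=DEFAULT_RNG):
    """Shared secret S: an n x n binary matrix stored as n row ints (bit j of S[i] is S[i][j])."""
    return [rng.getrandbits(N_BITS) for _ in range(N_BITS)]


def bilinear(u, S, v):
    """u^T S v over GF(2) for n-bit ints u, v: XOR of <S[i], v> over the rows i with u_i = 1."""
    acc = 0
    for i in range(N_BITS):
        if (u >> i) & 1:
            acc ^= bin(S[i] & v).count("1") & 1
    return acc


def reader_challenge(rng=DEFAULT_RNG):
    """Reader -> tag: one fresh random challenge vector a per round."""
    return [rng.getrandbits(N_BITS) for _ in range(ROUNDS)]


def tag_respond(S, challenges, rng=DEFAULT_RNG):
    """Tag -> reader: per round a fresh blinding vector b and z = b^T S a XOR e, e ~ Ber(tau).
    Only AND and XOR on bits, the kind of work an RFID tag can afford."""
    responses = []
    for a in challenges:
        b = rng.getrandbits(N_BITS)
        e = 1 if rng.randrange(NOISE_DEN) < NOISE_NUM else 0
        responses.append((b, bilinear(b, S, a) ^ e))
    return responses


def reader_verify(S, challenges, responses):
    """Reader recomputes b^T S a for every round and accepts if few responses disagree."""
    mismatches = sum(z != bilinear(b, S, a) for a, (b, z) in zip(challenges, responses))
    return mismatches <= THRESHOLD


def run_session(tag_key, reader_key, rng=DEFAULT_RNG):
    """One authentication session; True iff the reader accepts the tag."""
    challenges = reader_challenge(rng)
    responses = tag_respond(tag_key, challenges, rng)
    return reader_verify(reader_key, challenges, responses)


if __name__ == "__main__":
    S = keygen()
    print("honest tag accepted:", run_session(S, S))                  # True
    print("tag with wrong key accepted:", run_session(keygen(), S))   # False
```

    The honest tag's mismatch count concentrates around tau times ROUNDS, while a party without S answers each round correctly with probability about 1/2, so a threshold between the two separates them; the paper's contribution is proving that this separation survives an active man-in-the-middle, which a toy run cannot show.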

    Efficient non-malleable codes and key derivation for poly-size tampering circuits

    Non-malleable codes, defined by Dziembowski, Pietrzak, and Wichs (ICS '10), provide roughly the following guarantee: if a codeword c encoding some message x is tampered to c' = f(c) such that c' ≠ c, then the tampered message x' contained in c' reveals no information about x. Non-malleable codes have applications to immunizing cryptosystems against tampering attacks and related-key attacks. One cannot have an efficient non-malleable code that protects against all efficient tampering functions f. However, in this paper we show 'the next best thing': for any polynomial bound s given a priori, there is an efficient non-malleable code that protects against all tampering functions f computable by a circuit of size s. More generally, for any family of tampering functions F of size |F| ≤ 2^s, there is an efficient non-malleable code that protects against all f in F. The rate of our codes, defined as the ratio of message to codeword size, approaches 1. Our results are information-theoretic, and our main proof technique relies on a careful probabilistic-method argument using limited independence. As a result, we get an efficiently samplable family of efficient codes such that a random member of the family is non-malleable with overwhelming probability. Alternatively, we can view the result as providing an efficient non-malleable code in the 'common reference string' model. We also introduce a new notion of non-malleable key derivation, which uses randomness x to derive a secret key y = h(x) in such a way that, even if x is tampered to a different value x' = f(x), the derived key y' = h(x') does not reveal any information about y. Our results for non-malleable key derivation are analogous to those for non-malleable codes. As a useful tool in our analysis, we rely on the notion of 'leakage-resilient storage' of Davì, Dziembowski, and Venturi (SCN '10), and, as a result of independent interest, we also significantly improve on the parameters of such schemes.

    The chaining lemma and its application

    We present a new information-theoretic result which we call the Chaining Lemma. It considers a so-called "chain" of random variables, defined by a source distribution X_0 with high min-entropy and a number (say, t in total) of arbitrary functions (T_1, …, T_t) which are applied in succession to that source to generate the chain X_0, X_1 = T_1(X_0), …, X_t = T_t(X_{t-1}). Intuitively, the Chaining Lemma guarantees that, if the chain is not too long, then either (i) the entire chain is "highly random", in that every variable has high min-entropy; or (ii) it is possible to find a point j (1 ≤ j ≤ t) in the chain such that, conditioned on the end of the chain, i.e. X_j, …, X_t, the preceding part X_0, …, X_{j-1} remains highly random. We think this is an interesting information-theoretic result which is intuitive but nevertheless requires rigorous case analysis to prove. We believe that the above lemma will find applications in cryptography. We give an example of this, namely we show an application of the lemma to protect essentially any cryptographic scheme against memory tampering attacks. We allow several tampering requests; the tampering functions can be arbitrary, however they must be chosen from a bounded-size set of functions that is fixed a priori.

    Setting Up Efficient TFHE Parameters for Multivalue Plaintexts and Multiple Additions

    Unlike traditional and/or standardized ciphers, TFHE offers much room for the setup of its parameters. Not only does the parameter choice affect the plaintext space size and security, it also greatly impacts the performance of TFHE, in particular its bootstrapping. In this paper, we provide an exhaustive description of TFHE, including its foundations, (functional) bootstrapping and error propagation during all operations. In addition, we outline a bootstrapping scenario without the key switching step. Based on our thorough summary, we suggest an approach for the setup of TFHE parameters with particular respect to bootstrapping efficiency. Finally, we propose twelve setups of real-world TFHE parameters for six different scenarios with and without key switching, respectively, and we compare their performance. N.b.: this is a technical paper, mainly intended for researchers interested in TFHE. However, due to its self-containment, it should be accessible also to readers with a basic knowledge of TFHE.
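    The trade-off the abstract describes, plaintext space size against how many additions the noise budget allows before decryption (or bootstrapping) fails, can be made concrete with a small LWE noise-budget calculator. This is an added example, not code or parameter sets from the paper: Q, N, SIGMA and the Gaussian model of the summed noise are assumptions for illustration, and TFHE's torus encoding is replaced by integers mod q with the plaintext modulus p dividing q.

```python
import math
import random

# Toy LWE parameters, assumed for illustration; they are not one of the paper's
# twelve parameter sets and give no real security (N is far too small).
Q = 1 << 32           # ciphertext modulus: coordinates live in Z_q
N = 64                # LWE dimension
SIGMA = 2.0 ** 20     # std. dev. of fresh encryption noise, in units of 1/q


def keygen(rng):
    """Binary LWE secret."""
    return [rng.getrandbits(1) for _ in range(N)]


def encrypt(sk, m, p, rng):
    """Encrypt m in Z_p (p must divide q here): b = <a, s> + m*(q/p) + e mod q."""
    delta = Q // p
    a = [rng.getrandbits(32) for _ in range(N)]
    e = round(rng.gauss(0, SIGMA))              # fresh noise, variance SIGMA^2
    b = (sum(ai * si for ai, si in zip(a, sk)) + m * delta + e) % Q
    return a, b


def add(ct1, ct2):
    """Homomorphic addition: the noises add, so the variance grows by SIGMA^2 per fresh operand."""
    (a1, b1), (a2, b2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(a1, a2)], (b1 + b2) % Q


def decrypt(sk, ct, p):
    """Correct iff the accumulated noise e satisfies |e| < delta/2 = q/(2p)."""
    a, b = ct
    delta = Q // p
    phase = (b - sum(ai * si for ai, si in zip(a, sk))) % Q   # = m*delta + e mod q
    return round(phase / delta) % p


def homomorphic_sum(sk, msgs, p, rng):
    """Encrypt each message, add the ciphertexts, decrypt the result."""
    acc = encrypt(sk, msgs[0], p, rng)
    for m in msgs[1:]:
        acc = add(acc, encrypt(sk, m, p, rng))
    return decrypt(sk, acc, p)


def check_sum(p, count, seed=0):
    """Self-check: sum `count` random messages homomorphically; returns (decrypted, expected)."""
    rng = random.Random(seed)
    sk = keygen(rng)
    msgs = [rng.randrange(p) for _ in range(count)]
    return homomorphic_sum(sk, msgs, p, rng), sum(msgs) % p


def fail_prob(k, p, sigma=SIGMA):
    """Gaussian-model bound on P[|e_1 + ... + e_k| >= delta/2]; the sum has variance k*sigma^2."""
    delta = Q // p
    return math.erfc((delta / 2) / (math.sqrt(2 * k) * sigma))


def max_additions(p, log2_pfail, sigma=SIGMA):
    """Largest number k of fresh ciphertexts whose sum still decrypts with failure
    probability <= 2^-log2_pfail (binary search; fail_prob is increasing in k)."""
    target = 2.0 ** -log2_pfail
    if fail_prob(1, p, sigma) > target:
        return 0
    lo, hi = 1, 2
    while fail_prob(hi, p, sigma) <= target:      # exponential search for an upper bracket
        lo, hi = hi, hi * 2
    while hi - lo > 1:                             # bisect: fail_prob(lo) <= target < fail_prob(hi)
        mid = (lo + hi) // 2
        if fail_prob(mid, p, sigma) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for p in (2, 4, 8, 16):
        print(f"plaintext modulus {p:2d}: up to {max_additions(p, 40)} additions at p_fail <= 2^-40")
```

    Doubling the plaintext modulus halves delta and so divides the admissible number of additions by about four, which is the effect a parameter setup has to budget for between bootstrappings.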

    Tamper Detection against Unitary Operators

    We consider (Enc, Dec) schemes which are used to encode a classical/quantum message m and derive an n-qubit quantum codeword ψ_m. The quantum codeword ψ_m can be adversarially tampered via a unitary U ∈ 𝒰 from some known tampering unitary family 𝒰, resulting in U ψ_m U†. Firstly, we initiate the general study of quantum tamper detection codes, which must detect that tampering occurred with high probability. In case there was no tampering, we would like to output the message m with probability 1. We show that quantum tamper detection codes exist for both classical messages and quantum messages for any family of unitaries 𝒰 such that |𝒰| < 2^{2^{αn}} for some known constant α ∈ (0,1), provided all the unitaries satisfy one additional condition, Far from Identity: for each U ∈ 𝒰, we require that the modulus of its trace is not too large, i.e. |Trace(U)| ≤ φN, where N = 2^n. Quantum tamper-detection codes are quantum generalizations of the classical tamper detection codes studied by Jafargholi et al. [JW15]. Additionally, for a classical message m, if we must either output the message m or detect that tampering occurred and output ⊥ with high probability, we show that this is possible without the Far from Identity restriction for any family of unitaries 𝒰 such that |𝒰| < 2^{2^{αn}}. We also provide efficient (Enc, Dec) schemes when the family of tampering unitaries is the Pauli group 𝒫_n, which can be thought of as a quantum version of the algebraic manipulation detection (AMD) codes of Cramer et al. [CDFPW08].
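    The classical AMD codes of Cramer et al. [CDFPW08], which the abstract names as the classical counterpart of its Pauli-group scheme, are small enough to implement in full, so here is an added example of one (not the paper's quantum construction). Encoding is (s, x, f(x, s)) with f(x, s) = x^{d+2} + Σ s_i x^i over a prime field and x chosen by the encoder; an adversary who adds a fixed non-zero offset to the codeword is caught unless x happens to be a root of a non-zero polynomial of degree at most d+1, so detection fails with probability at most (d+1)/p. The field size and message length are assumed toy values.

```python
import random

# Toy parameters, assumed for illustration: a prime field F_P and messages of D elements.
# The construction needs the characteristic not to divide D + 2 (here 101 does not divide 4).
P = 101
D = 2


def tag(x, msg, p=P):
    """f(x, s) = x^(d+2) + sum_{i=1..d} s_i * x^i over F_p (the AMD code of Cramer et al.)."""
    d = len(msg)
    return (pow(x, d + 2, p) + sum(s * pow(x, i, p) for i, s in enumerate(msg, start=1))) % p


def encode(msg, rng, p=P):
    """Codeword (s, x, f(x, s)) with x chosen uniformly at random by the encoder."""
    x = rng.randrange(p)
    return tuple(msg) + (x, tag(x, msg, p))


def decode(codeword, p=P):
    """Return the message if the tag verifies, else None (playing the role of the symbol ⊥)."""
    *msg, x, t = codeword
    msg = tuple(msg)
    return msg if tag(x, msg, p) == t else None


def tamper(codeword, delta, p=P):
    """Algebraic manipulation: the adversary adds a fixed offset delta, coordinate-wise over F_p,
    without seeing the codeword (an additive, not a general, tampering function)."""
    return tuple((c + dl) % p for c, dl in zip(codeword, delta))


def undetected_count(msg, delta, p=P):
    """Number of encoder coins x for which the manipulation by delta goes undetected.
    Undetected means x is a root of a non-zero polynomial of degree <= d+1, so at most d+1
    of the p coins are bad: detection probability >= 1 - (d+1)/p for every non-zero delta."""
    bad = 0
    for x in range(p):
        if decode(tamper(tuple(msg) + (x, tag(x, msg, p)), delta, p), p) is not None:
            bad += 1
    return bad


if __name__ == "__main__":
    rng = random.Random(1)
    c = encode((5, 9), rng)
    print("honest decode:", decode(c))
    for delta in ((1, 0, 0, 0), (0, 0, 1, 0), (3, 4, 5, 6)):
        print(f"delta={delta}: undetected for {undetected_count((5, 9), delta)} of {P} coins")
```

    Exhaustively scanning x makes the (d+1)/p bound visible without a probabilistic argument; the quantum codes in the abstract play the same "output m or ⊥" game against a Pauli tampering family instead of additive offsets.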

    From Middle-Earth to the Galaxy: SMAUG vs. Kyber


    Worst-case to average-case reductions for module lattices


    Lazy Modulus Switching for the BKW Algorithm on LWE

    Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem, where the secret vector is sampled from {0,1}^* or {-1,0,1}^*. We present a variant of the BKW algorithm for binary-LWE and other small-secret variants and show that this variant reduces the complexity of solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching, which might be of independent interest.
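    Why a small secret is what makes modulus switching usable is easy to see numerically. The added example below (not the paper's code; the "lazy" scheduling inside BKW is not reproduced, only ordinary modulus switching of LWE samples) rounds samples from Z_q down to Z_p and measures the resulting error: the rounding term is a sum of rounding errors weighted by the secret entries, so it stays small for a binary secret and swamps the sample for a uniform one. Moduli, dimension and noise width are assumed toy values.

```python
import random

# Toy parameters, assumed for illustration only (no real security).
Q = 1 << 20    # modulus of the original LWE samples
P = 1 << 10    # smaller modulus the samples are switched to
N = 128        # LWE dimension
SIGMA = 2.0    # std. dev. of the original LWE error


def lwe_sample(s, q, sigma, rng):
    """One LWE sample (a, b) with b = <a, s> + e mod q and e a rounded Gaussian."""
    a = [rng.randrange(q) for _ in s]
    e = round(rng.gauss(0, sigma))
    return a, (sum(ai * si for ai, si in zip(a, s)) + e) % q


def switch(sample, q, p):
    """Modulus switching: scale every coordinate by p/q and round, so the sample lives in Z_p."""
    a, b = sample
    return [round(ai * p / q) % p for ai in a], round(b * p / q) % p


def centred(x, m):
    """Representative of x mod m in (-m/2, m/2]."""
    x %= m
    return x - m if x > m // 2 else x


def switched_error(sample, s, q, p):
    """Error of the switched sample, b' - <a', s> mod p. It equals (p/q)*e plus the rounding
    term <r, s> with |r_i| <= 1/2, so it is small only when the secret entries are small."""
    a2, b2 = switch(sample, q, p)
    return centred(b2 - sum(ai * si for ai, si in zip(a2, s)), p)


def mean_abs_switched_error(secret, trials, seed=0, q=Q, p=P, sigma=SIGMA):
    """Average |error| over `trials` fresh samples switched from Z_q to Z_p under `secret`."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += abs(switched_error(lwe_sample(secret, q, sigma, rng), secret, q, p))
    return total / trials


def binary_secret(n=N, seed=0):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def uniform_secret(n=N, q=Q, seed=0):
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(n)]


if __name__ == "__main__":
    print("binary secret, mean |error| after switching :", mean_abs_switched_error(binary_secret(), 500))
    print("uniform secret, mean |error| after switching:", mean_abs_switched_error(uniform_secret(), 500))
```

    With the binary secret the switched error has standard deviation about sqrt(w/12) for a secret of weight w, a couple of units here, while with a uniform secret it is essentially uniform over Z_p; the smaller modulus then shrinks the table sizes BKW has to handle, which is the saving the paper's variant exploits.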

    Key-Indistinguishable Message Authentication Codes

    While standard message authentication codes (MACs) guarantee authenticity of messages, they do not, in general, guarantee the anonymity of the sender and recipient. For example, it may be easy for an observer to determine whether or not two authenticated messages were sent by the same party, even without any information about the secret key used. However, preserving any uncertainty an attacker may have about the identities of honest parties engaged in authenticated communication is an important goal of many cryptographic applications. For example, this is stated as an explicit goal of modern cellphone authentication protocols [3GPP] and RFID-based authentication systems [Vaudenay10]. In this work we introduce and construct a new fundamental cryptographic primitive called key indistinguishable (KI) MACs. These can be used to realize many of the most important higher-level applications requiring some form of anonymity and authenticity [AHMPR14]. We show that much (though not all) of the modular MAC construction framework of [DodisKPW12] gives rise to several variants of KI MACs. On the one hand, we show that KI MACs can be built from hash proof systems and certain weak PRFs, allowing us to base security on assumptions such as DDH, CDH and LWE. Next we show that the two direct constructions from the LPN assumption of [DodisKPW12] are KI, resulting in particularly efficient constructions based on structured assumptions. On the other hand, we also give a very simple and efficient construction based on a PRF, which allows us to base KI MACs on ideal primitives such as an ideal compression function (using HMAC) or a block cipher (using, say, CBC-MAC). In particular, by using our PRF construction, many real-world implementations of MACs can be easily and cheaply modified to obtain a KI MAC. Finally, we show that the transformations of [DodisKPW12] for increasing the domain size of a MAC, as well as for strengthening the type of unforgeability it provides, also preserve (or even strengthen) the type of KI enjoyed by the MAC. All together, these results provide a wide range of assumptions and construction paths for building various flavors of this new primitive.
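    To make the failure the abstract opens with concrete (an observer telling that two tags came from the same key without knowing it), here is an added example, not from the paper, of a simplified key-indistinguishability experiment run against two MACs: a constructed one that prefixes each tag with a key identifier, and plain HMAC-SHA256. The key-identifier format, the messages and the distinguisher are assumptions for illustration, and the game is simplified relative to the paper's definition.

```python
import hashlib
import hmac
import random


def linkable_mac(key_id, key, msg):
    """Constructed example of a MAC that authenticates fine but is NOT key-indistinguishable:
    the tag carries a per-key identifier, so anyone can tell whether two tags share a key."""
    return key_id + hmac.new(key, msg, hashlib.sha256).digest()


def hmac_only(key_id, key, msg):
    """HMAC-SHA256 tag alone; key_id is accepted only to share the interface and is unused."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def ki_experiment(mac, distinguisher, trials=200, seed=0):
    """Simplified key-indistinguishability game: the challenger draws two keys k0, k1 and a bit b,
    hands the adversary a tag on one message under k0 and a tag on another message under k_b,
    and the adversary guesses whether both tags were produced with the same key.
    Returns the fraction of correct guesses (1/2 means no advantage)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        keys = [(bytes([i]), rng.randbytes(32)) for i in range(2)]   # (key_id, key) pairs
        b = rng.getrandbits(1)
        t1 = mac(*keys[0], b"first authenticated message")
        t2 = mac(*keys[b], b"second authenticated message")
        wins += distinguisher(t1, t2) == (b == 0)
    return wins / trials


def leading_byte_distinguisher(t1, t2):
    """Guess 'same key' iff the first tag bytes agree."""
    return t1[0] == t2[0]


if __name__ == "__main__":
    print("linkable MAC, adversary success:", ki_experiment(linkable_mac, leading_byte_distinguisher))
    print("HMAC only,    adversary success:", ki_experiment(hmac_only, leading_byte_distinguisher))
```

    The identifier makes linking trivial even though the HMAC part is unforgeable; against the bare PRF output this particular distinguisher is no better than a coin flip. A run of the game is evidence of a break, never a proof of KI, which is what the paper's reductions supply.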