55 research outputs found
QCB: Efficient quantum-secure authenticated encryption
It was long thought that symmetric cryptography was only mildly affected by quantum attacks, and that doubling the key length was sufficient to restore security. However, recent works have shown that Simon's quantum period finding algorithm breaks a large number of MAC and authenticated encryption algorithms when the adversary can query the MAC/encryption oracle with a quantum superposition of messages. In particular, the OCB authenticated encryption mode is broken in this setting, and no quantum-secure mode is known with the same efficiency (rate-one and parallelizable).
In this paper we generalize the previous attacks, show that a large class of OCB-like schemes is unsafe against superposition queries, and discuss the quantum security notions for authenticated encryption modes. We propose a new rate-one parallelizable mode named QCB inspired by TAE and OCB and prove its security against quantum superposition queries.
Transcriptional regulation of the IGF signaling pathway by amino acids and insulin-like growth factors during myogenesis in Atlantic salmon
The insulin-like growth factor signalling pathway is an important regulator of skeletal muscle growth. We examined the mRNA expression of components of the insulin-like growth factor (IGF) signalling pathway as well as Fibroblast Growth Factor 2 (FGF2) during maturation of myotubes in primary cell cultures isolated from fast myotomal muscle of Atlantic salmon (Salmo salar). The transcriptional regulation of IGFs and IGFBP expression by amino acids and insulin-like growth factors was also investigated. Proliferation of cells was 15% d(-1) at days 2 and 3 of the culture, increasing to 66% d(-1) at day 6. Three clusters of elevated gene expression were observed during the maturation of the culture associated with mono-nucleic cells (IGFBP5.1 and 5.2, IGFBP-6, IGFBP-rP1, IGFBP-2.2 and IGF-II), the initial proliferation phase (IGF-I, IGFBP-4, FGF2 and IGF-IRb) and terminal differentiation and myotube production (IGF2R, IGF-IRa). In cells starved of amino acids and serum for 72 h, IGF-I mRNA decreased 10-fold which was reversed by amino acid replacement. Addition of IGF-I and amino acids to starved cells resulted in an 18-fold increase in IGF-I mRNA indicating synergistic effects and the activation of additional pathway(s) leading to IGF-I production via a positive feedback mechanism. IGF-II, IGFBP-5.1 and IGFBP-5.2 expression was unchanged in starved cells, but increased with amino acid replacement. Synergistic increases in expression of IGFBP5.2 and IGFBP-4, but not IGFBP5.1 were observed with addition of IGF-I, IGF-II or insulin and amino acids to the medium. IGF-I and IGF-II directly stimulated IGFBP-6 expression, but not when amino acids were present. These findings indicate that amino acids alone are sufficient to stimulate myogenesis in myoblasts and that IGF-I production is controlled by both endocrine and paracrine pathways. 
A model depicting the transcriptional regulation of the IGF pathway in Atlantic salmon muscle following feeding is proposed.
Selective-Opening Security in the Presence of Randomness Failures
We initiate the study of public-key encryption (PKE) secure against selective-opening attacks (SOA) in the presence of randomness failures, i.e., when the sender may (inadvertently) use low-quality randomness. In the SOA setting, an adversary can adaptively corrupt senders; this notion is natural to consider in tandem with randomness failures since an adversary may target senders by multiple means.
Concretely, we first treat SOA security of nonce-based PKE. After formulating an appropriate definition of SOA-secure nonce-based PKE, we provide efficient constructions in the non-programmable random-oracle model, based on lossy trapdoor functions.
We then lift our notion of security to the setting of hedged PKE, which ensures security as long as the sender's seed, message, and nonce jointly have high entropy. This unifies the notions and strengthens the protection that nonce-based PKE provides against randomness failures even in the non-SOA setting. We lift our definitions and constructions of SOA-secure nonce-based PKE to the hedged setting as well.
Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)
The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction for adaptively secure protocols used the Fischlin transformation [3], which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot offer any benefits against adaptive provers.
Then, we show that any Fiat-Shamir transformed SIGMA-protocol is not adaptively secure unless a related problem, which we call the SIGMA-one-wayness problem, is easy. This assumption concerns not just Schnorr but applies to a whole class of SIGMA-protocols including e.g. Chaum-Pedersen and representation proofs. We also prove that SIGMA-one-wayness is hard in the generic group model. Taken together, these results suggest that Fiat-Shamir transformed SIGMA-protocols should not be used in settings where adaptive security is important.
Attacking the Knudsen-Preneel Compression Functions
Knudsen and Preneel (Asiacrypt'96 and Crypto'97) introduced a hash function design in which a linear error-correcting code is used to build a wide-pipe compression function from underlying blockciphers operating in Davies-Meyer mode. Their main design goal was to deliver compression functions with collision resistance up to, and even beyond, the block size of the underlying blockciphers. In this paper, we (re)analyse the preimage resistance of the Knudsen-Preneel compression functions in the setting of public random functions. We give a new preimage attack that is based on two observations. First, by using the right kind of queries it is possible to mount a non-adaptive preimage attack that is optimal in terms of query complexity. Second, by exploiting the dual code the subsequent problem of reconstructing a preimage from the queries can be rephrased as a problem related to the generalized birthday problem. As a consequence, the time complexity of our attack is intimately tied to the minimum distance of the dual code. Our new attack consistently beats the one given by Knudsen and Preneel (in one case our preimage attack even beats their collision attack) and demonstrates that the gap between their claimed collision resistance and the actual preimage resistance is surprisingly small. Moreover, our new attack falsifies their (conjectured) preimage resistance security bound and shows that intuitive bounds based on the number of 'active' components can be treacherous. Complementing our attack is a formal analysis of the query complexity (both lower and upper bounds) of preimage-finding attacks. This analysis shows that for many concrete codes the time complexity of our attack is optimal.
On the Cryptographic Deniability of the Signal Protocol
Offline deniability is the ability to a-posteriori deny having participated in a particular communication session. This property has been widely assumed for the Signal messaging application, yet no formal proof has appeared in the literature. In this paper, we present what we believe is the first formal study of the offline deniability of the Signal protocol. Our analysis shows that building a deniability proof for Signal is non-trivial and requires strong assumptions on the underlying mathematical groups where the protocol is run.
To do so, we study various *implicitly authenticated* key exchange protocols including MQV, HMQV and 3DH/X3DH, the latter being the core key agreement protocol in Signal. We first present examples of mathematical groups where running MQV results in a provably non-deniable interaction. While the concrete attack applies only to MQV, it also exemplifies the problems in attempting to prove the deniability of other implicitly authenticated protocols, such as 3DH. In particular, it shows that the intuition that the minimal transcript produced by these protocols suffices for ensuring deniability does not hold. We then provide a characterization of the groups where deniability holds, defined in terms of a knowledge assumption that extends the Knowledge of Exponent Assumption (KEA).
We conclude the paper by showing two additional positive results. The first is a general theorem that links the deniability of a communication session to the deniability of the key agreement protocol starting the session. This allows us to extend our results on the deniability of 3DH/X3DH to the entire Signal communication session.
Towards Non-Black-Box Separations of Public Key Encryption and One Way Function
Separating public key encryption from one way functions is one of the fundamental goals of complexity-based cryptography. Beginning with the seminal work of Impagliazzo and Rudich (STOC, 1989), a sequence of works has ruled out certain classes of reductions from public key encryption (PKE)---or even key agreement---to one way function. Unfortunately, known results---so called black-box separations---do not apply to settings where the construction and/or reduction are allowed to directly access the code, or circuit, of the one way function. In this work, we present a meaningful, non-black-box separation between public key encryption (PKE) and one way function.
Specifically, we introduce the notion of reductions (similar to the reductions of Baecher et al. (ASIACRYPT, 2013)), in which the construction accesses the underlying primitive in a black-box way, but wherein the universal reduction receives the efficient code/circuit of the underlying primitive as input and is allowed oracle access to the adversary . We additionally require that the number of oracle queries made to , and the success probability of are independent of the run-time/circuit size of the underlying primitive. We prove that there is no non-adaptive, reduction from PKE to one way function, under the assumption that certain types of strong one way functions exist. Specifically, we assume that there exists a regular one way function such that there is no Arthur-Merlin protocol proving that ``'', where soundness holds with high probability over ``no instances,'' , and Arthur may receive polynomial-sized, non-uniform advice. This assumption is related to the average-case analogue of the widely believed assumption
Taming the many EdDSAs
This paper analyses the security of concrete instantiations of EdDSA by identifying exploitable inconsistencies between standardization recommendations and Ed25519 implementations. We mainly focus on the current ambiguity regarding signature verification equations, binding and malleability guarantees, and incompatibilities between randomized batch and single verification. We give a formulation of the Ed25519 signature scheme that achieves the highest level of security, explaining how each step of the algorithm links with the formal security properties. We develop optimizations to allow for more efficient secure implementations. Finally, we designed a set of edge-case test vectors and ran them against some of the most popular Ed25519 libraries. The results allowed us to understand the security level of those implementations and showed that most libraries do not comply with the latest standardization recommendations. The methodology allows testing the compatibility of different Ed25519 implementations, which is of practical importance for consensus-driven applications.
Upper and Lower Bounds for Continuous Non-Malleable Codes
Recently, Faust et al. (TCC'14) introduced the notion of continuous non-malleable codes (CNMC), which provides stronger security guarantees than standard non-malleable codes, by allowing an adversary to tamper with the codeword in a continuous way instead of one-time tampering. They also showed that CNMC with information theoretic security cannot be constructed in the 2-split-state tampering model, and presented a construction of the same in the CRS (common reference string) model using collision-resistant hash functions and non-interactive zero-knowledge proofs.
In this work, we ask if it is possible to construct CNMC from weaker assumptions. We answer this question by presenting lower as well as upper bounds. Specifically, we show that it is impossible to construct 2-split-state CNMC, with no CRS, for one-bit messages from any falsifiable assumption, thus establishing the lower bound. We additionally provide an upper bound by constructing 2-split-state CNMC for one-bit messages, assuming only the existence of a family of injective one way functions.
We also present a construction of 4-split-state CNMC for multi-bit messages in the CRS model from the same assumptions. Additionally, we present definitions of the following new primitives: (1) One-to-one commitments, and (2) Continuous Non-Malleable Randomness Encoders, which may be of independent interest.
Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model
The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the ``ROS problem'' is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal.
We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS.
As ROS can be solved in sub-exponential time using Wagner's algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
Finally, we give tight reductions, again in the AGM+ROM, of the CCA2 security of signed ElGamal encryption to DDH and of signed hashed ElGamal key encapsulation to DL.