Revocable Hierarchical Attribute-based Signatures from Lattices

Attribute-based Signatures (ABS) allow users to obtain attributes from issuing authorities, and sign messages whilst simultaneously proving compliance of their attributes with a verification policy. ABS demands that both the signer and the set of attributes used to satisfy a policy remain hidden to the verifier. Hierarchical ABS (HABS) supporting roots of trust and delegation were recently proposed to alleviate scalability issues in centralised ABS schemes. An important yet challenging property for privacy-preserving ABS is revocation, which may be applied to signers or some of the attributes they possess. Existing ABS schemes lack efficient revocation of either signers or their attributes, relying on generic costly proofs.Moreover, in HABS there is a further need to support revocation of authorities on the delegation paths, which is not provided by existing HABS constructions. This paper proposes a direct HABS scheme with a Verifier-Local Revocation (VLR) property. We extend the original HABS security model to address revocation and develop a new attribute delegation technique with appropriate VLR mechanism for HABS, which also implies the first ABS scheme to support VLR. Moreover, our scheme supports inner-product signing policies, offering a wider class of attribute relations than previous HABS schemes, and is the first to be based on lattices, which are thought to offer post-quantum security

Unlinkable Delegation of WebAuthn Credentials

The W3C\u27s WebAuthn standard employs digital signatures to offer phishing protection and unlinkability on the web using authenticators which manage keys on behalf of users. This introduces challenges when the account owner wants to delegate certain rights to a proxy user, such as to access their accounts or perform actions on their behalf, as delegation must not undermine the decentralisation, unlinkability, and attestation properties provided by WebAuthn. We present two approaches, called remote and direct delegation of WebAuthn credentials, maintaining the standard\u27s properties. Both approaches are compatible with Yubico\u27s recent Asynchronous Remote Key Generation (ARKG) primitive proposed for backing up credentials. For remote delegation, the account owner stores delegation credentials at the relying party on behalf of proxies, whereas the direct variant uses a delegation-by-warrant approach, through which the proxy receives delegation credentials from the account owner and presents them later to the relying party. To realise direct delegation we introduce Proxy Signature with Unlinkable Warrants (PSUW), a new proxy signature scheme that extends WebAuthn\u27s unlinkability property to proxy users and can be constructed generically from ARKG. We discuss an implementation of both delegation approaches, designed to be compatible with WebAuthn, including extensions required for CTAP, and provide a software-based prototype demonstrating overall feasibility. On the performance side, we observe only a minor increase of a few milliseconds in the signing and verification times for delegated WebAuthn credentials based on ARKG and PSUW primitives. We also discuss additional functionality, such as revocation and permissions management, and mention usability considerations

Asynchronous Remote Key Generation for Post-Quantum Cryptosystems from Lattices

Asynchronous Remote Key Generation (ARKG), introduced by Frymann et al. at CCS 2020, allows for the generation of unlinkable public keys by third parties, for which corresponding private keys may be later learned only by the key pair\u27s legitimate owner. These key pairs can then be used in common public-key cryptosystems, including signatures, PKE, KEMs, and schemes supporting delegation, such as proxy signatures. The only known instance of ARKG generates discrete-log-based keys. In this paper, we introduce new ARKG constructions for lattice-based cryptosystems. The key pairs generated using our ARKG scheme can be applied to lattice-based signatures and KEMs, which have recently been selected for standardisation in the NIST PQ process, or as alternative candidates. In particular, we address challenges associated with the noisiness of lattice hardness assumptions, which requires a new generalised definition of ARKG correctness, whilst preserving the security and privacy properties of the former instantiation. Our ARKG construction uses key encapsulation techniques by Brendel et al. (SAC 2020) coined Split KEMs. As an additional contribution, we also show that Kyber (Bos et al., EuroS&P 2018) can be used to construct a Split KEM. The security of our protocol is based on standard LWE assumptions. We also discuss its use with selected candidates from the NIST process and provide an implementation and benchmarks

Generalised Asynchronous Remote Key Generation for Pairing-based Cryptosystems

Asynchronous Remote Key Generation (ARKG, introduced in ACM CCS 2020) allows for a party to create public keys for which corresponding private keys may be later computed by another intended party only. ARKG can be composed with standard public-key cryptosystems and has been used to construct a new class of privacy-preserving proxy signatures. The original construction of ARKG, however, generates discrete logarithm key pairs of the form $(x, g^x)$. In this paper we define a generic approach for building ARKG schemes which can be applied to a wide range of pairing-based cryptosystems. This construction is based on a new building block which we introduce and call Asymmetric Key Generation (AKG) along with its extension $\phi$-AKG where $\phi$ is a suitable mapping for capturing different key structures and types of pairings. We show that appropriate choice of $\phi$ allows us to create a secure ARKG scheme compatible with any key pair that is secure under the Uber assumption (EUROCRYPT 2004). To demonstrate the extensive range of our general approach, we construct ARKG schemes for a number of popular pairing-based primitives: Boneh-Lynn-Shacham (JoC 2004), Camenisch-Lysyanskaya (CRYPTO 2004), Pointcheval-Sanders (CT-RSA 2016), Waters (EUROCRYPT 2005) signatures and structure-preserving signatures on equivalence classes (ASIACRYPT 2014). For each scheme we give an implementation and provide benchmarks that show the feasibility of our techniques

Crypto Dark Matter on the Torus: Oblivious PRFs from shallow PRFs and FHE

Partially Oblivious Pseudorandom Functions (POPRFs) are 2-party protocols that allow a client to learn pseudorandom function (PRF) evaluations on inputs of its choice from a server. The client submits two inputs, one public and one private. The security properties ensure that the server cannot learn the private input and the client cannot learn more than one evaluation per POPRF query. POPRFs have many applications including password-based key exchange and privacy-preserving authentication mechanisms. However, most constructions are based on classical assumptions, and those with post-quantum security suffer from large efficiency drawbacks. In this work, we construct a novel POPRF from lattice assumptions and the “Crypto Dark Matter” PRF candidate (TCC’18) in the random oracle model. At a conceptual level, our scheme exploits the alignment of this family of PRF candidates, relying on mixed modulus computations, and programmable bootstrapping in the torus fully homomorphic encryption scheme (TFHE). We show that our construction achieves malicious client security based on circuit-private FHE, and client privacy from the semantic security of the FHE scheme. We further explore a heuristic approach to extend our scheme to support verifiability based on the difficulty of computing cheating circuits in low depth. This would yield a verifiable (P)OPRF. We provide a proof-of-concept implementation and benchmarks of our construction using the tfhe-rs software library. For the core online OPRF functionality, we require amortised 5.0kB communication per evaluation and a one-time per-client setup communication of 16.8MB

Asynchronous Remote Key Generation: An Analysis of Yubico\u27s Proposal for W3C WebAuthn

WebAuthn, forming part of FIDO2, is a W3C standard for strong authentication, which employs digital signatures to authenticate web users whilst preserving their privacy. Owned by users, WebAuthn authenticators generate attested and unlinkable public-key credentials for each web service to authenticate users. Since the loss of authenticators prevents users from accessing web services, usable recovery solutions preserving the original WebAuthn design choices and security objectives are urgently needed. We examine Yubico\u27s recent proposal for recovering from the loss of a WebAuthn authenticator by using a secondary backup authenticator. We analyse the cryptographic core of their proposal by modelling a new primitive, called Asynchronous Remote Key Generation (ARKG), which allows some primary authenticator to generate unlinkable public keys for which the backup authenticator may later recover corresponding private keys. Both processes occur asynchronously without the need for authenticators to export or share secrets, adhering to WebAuthn\u27s attestation requirements. We prove that Yubico\u27s proposal achieves our ARKG security properties under the discrete logarithm and PRF-ODH assumptions in the random oracle model. To prove that recovered private keys can be used securely by other cryptographic schemes, such as digital signatures or encryption schemes, we model compositional security of ARKG using composable games by Brzuska et al. (ACM CCS 2011), extended to the case of arbitrary public-key protocols. As well as being more general, our results show that private keys generated by ARKG may be used securely to produce unforgeable signatures for challenge-response protocols, as used in WebAuthn. We conclude our analysis by discussing concrete instantiations behind Yubico\u27s ARKG protocol, its integration with the WebAuthn standard, performance, and usability aspects

Phenotypic Characterization of EIF2AK4 Mutation Carriers in a Large Cohort of Patients Diagnosed Clinically With Pulmonary Arterial Hypertension.

BACKGROUND: Pulmonary arterial hypertension (PAH) is a rare disease with an emerging genetic basis. Heterozygous mutations in the gene encoding the bone morphogenetic protein receptor type 2 (BMPR2) are the commonest genetic cause of PAH, whereas biallelic mutations in the eukaryotic translation initiation factor 2 alpha kinase 4 gene (EIF2AK4) are described in pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis. Here, we determine the frequency of these mutations and define the genotype-phenotype characteristics in a large cohort of patients diagnosed clinically with PAH. METHODS: Whole-genome sequencing was performed on DNA from patients with idiopathic and heritable PAH and with pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis recruited to the National Institute of Health Research BioResource-Rare Diseases study. Heterozygous variants in BMPR2 and biallelic EIF2AK4 variants with a minor allele frequency of <1:10 000 in control data sets and predicted to be deleterious (by combined annotation-dependent depletion, PolyPhen-2, and sorting intolerant from tolerant predictions) were identified as potentially causal. Phenotype data from the time of diagnosis were also captured. RESULTS: Eight hundred sixty-four patients with idiopathic or heritable PAH and 16 with pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis were recruited. Mutations in BMPR2 were identified in 130 patients (14.8%). Biallelic mutations in EIF2AK4 were identified in 5 patients with a clinical diagnosis of pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis. Furthermore, 9 patients with a clinical diagnosis of PAH carried biallelic EIF2AK4 mutations. These patients had a reduced transfer coefficient for carbon monoxide (Kco; 33% [interquartile range, 30%-35%] predicted) and younger age at diagnosis (29 years; interquartile range, 23-38 years) and more interlobular septal thickening and mediastinal lymphadenopathy on computed tomography of the chest compared with patients with PAH without EIF2AK4 mutations. However, radiological assessment alone could not accurately identify biallelic EIF2AK4 mutation carriers. Patients with PAH with biallelic EIF2AK4 mutations had a shorter survival. CONCLUSIONS: Biallelic EIF2AK4 mutations are found in patients classified clinically as having idiopathic and heritable PAH. These patients cannot be identified reliably by computed tomography, but a low Kco and a young age at diagnosis suggests the underlying molecular diagnosis. Genetic testing can identify these misclassified patients, allowing appropriate management and early referral for lung transplantation

Phenotypic Characterization of <i>EIF2AK4</i> Mutation Carriers in a Large Cohort of Patients Diagnosed Clinically With Pulmonary Arterial Hypertension

Background: Pulmonary arterial hypertension (PAH) is a rare disease with an emerging genetic basis. Heterozygous mutations in the gene encoding the bone morphogenetic protein receptor type 2 ( BMPR2 ) are the commonest genetic cause of PAH, whereas biallelic mutations in the eukaryotic translation initiation factor 2 alpha kinase 4 gene ( EIF2AK4 ) are described in pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis. Here, we determine the frequency of these mutations and define the genotype-phenotype characteristics in a large cohort of patients diagnosed clinically with PAH. Methods: Whole-genome sequencing was performed on DNA from patients with idiopathic and heritable PAH and with pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis recruited to the National Institute of Health Research BioResource–Rare Diseases study. Heterozygous variants in BMPR2 and biallelic EIF2AK4 variants with a minor allele frequency of &lt;1:10 000 in control data sets and predicted to be deleterious (by combined annotation-dependent depletion, PolyPhen-2, and sorting intolerant from tolerant predictions) were identified as potentially causal. Phenotype data from the time of diagnosis were also captured. Results: Eight hundred sixty-four patients with idiopathic or heritable PAH and 16 with pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis were recruited. Mutations in BMPR2 were identified in 130 patients (14.8%). Biallelic mutations in EIF2AK4 were identified in 5 patients with a clinical diagnosis of pulmonary veno-occlusive disease/pulmonary capillary hemangiomatosis. Furthermore, 9 patients with a clinical diagnosis of PAH carried biallelic EIF2AK4 mutations. These patients had a reduced transfer coefficient for carbon monoxide (K co ; 33% [interquartile range, 30%–35%] predicted) and younger age at diagnosis (29 years; interquartile range, 23–38 years) and more interlobular septal thickening and mediastinal lymphadenopathy on computed tomography of the chest compared with patients with PAH without EIF2AK4 mutations. However, radiological assessment alone could not accurately identify biallelic EIF2AK4 mutation carriers. Patients with PAH with biallelic EIF2AK4 mutations had a shorter survival. Conclusions: Biallelic EIF2AK4 mutations are found in patients classified clinically as having idiopathic and heritable PAH. These patients cannot be identified reliably by computed tomography, but a low K co and a young age at diagnosis suggests the underlying molecular diagnosis. Genetic testing can identify these misclassified patients, allowing appropriate management and early referral for lung transplantation. </jats:sec

Comprehensive Rare Variant Analysis via Whole-Genome Sequencing to Determine the Molecular Pathology of Inherited Retinal Disease

Inherited retinal disease is a common cause of visual impairment and represents a highly heterogeneous group of conditions. Here, we present findings from a cohort of 722 individuals with inherited retinal disease, who have had whole-genome sequencing (n = 605), whole-exome sequencing (n = 72), or both (n = 45) performed, as part of the NIHR-BioResource Rare Diseases research study. We identified pathogenic variants (single-nucleotide variants, indels, or structural variants) for 404/722 (56%) individuals. Whole-genome sequencing gives unprecedented power to detect three categories of pathogenic variants in particular: structural variants, variants in GC-rich regions, which have significantly improved coverage compared to whole-exome sequencing, and variants in non-coding regulatory regions. In addition to previously reported pathogenic regulatory variants, we have identified a previously unreported pathogenic intronic variant in $\textit{CHM}$ in two males with choroideremia. We have also identified 19 genes not previously known to be associated with inherited retinal disease, which harbor biallelic predicted protein-truncating variants in unsolved cases. Whole-genome sequencing is an increasingly important comprehensive method with which to investigate the genetic causes of inherited retinal disease.This work was supported by The National Institute for Health Research England (NIHR) for the NIHR BioResource – Rare Diseases project (grant number RG65966). The Moorfields Eye Hospital cohort of patients and clinical and imaging data were ascertained and collected with the support of grants from the National Institute for Health Research Biomedical Research Centre at Moorfields Eye Hospital, National Health Service Foundation Trust, and UCL Institute of Ophthalmology, Moorfields Eye Hospital Special Trustees, Moorfields Eye Charity, the Foundation Fighting Blindness (USA), and Retinitis Pigmentosa Fighting Blindness. M.M. is a recipient of an FFB Career Development Award. E.M. is supported by UCLH/UCL NIHR Biomedical Research Centre. F.L.R. and D.G. are supported by Cambridge NIHR Biomedical Research Centre

Comprehensive Cancer-Predisposition Gene Testing in an Adult Multiple Primary Tumor Series Shows a Broad Range of Deleterious Variants and Atypical Tumor Phenotypes.

Multiple primary tumors (MPTs) affect a substantial proportion of cancer survivors and can result from various causes, including inherited predisposition. Currently, germline genetic testing of MPT-affected individuals for variants in cancer-predisposition genes (CPGs) is mostly targeted by tumor type. We ascertained pre-assessed MPT individuals (with at least two primary tumors by age 60 years or at least three by 70 years) from genetics centers and performed whole-genome sequencing (WGS) on 460 individuals from 440 families. Despite previous negative genetic assessment and molecular investigations, pathogenic variants in moderate- and high-risk CPGs were detected in 67/440 (15.2%) probands. WGS detected variants that would not be (or were not) detected by targeted resequencing strategies, including low-frequency structural variants (6/440 [1.4%] probands). In most individuals with a germline variant assessed as pathogenic or likely pathogenic (P/LP), at least one of their tumor types was characteristic of variants in the relevant CPG. However, in 29 probands (42.2% of those with a P/LP variant), the tumor phenotype appeared discordant. The frequency of individuals with truncating or splice-site CPG variants and at least one discordant tumor type was significantly higher than in a control population (χ2 = 43.642; p ≤ 0.0001). 2/67 (3%) probands with P/LP variants had evidence of multiple inherited neoplasia allele syndrome (MINAS) with deleterious variants in two CPGs. Together with variant detection rates from a previous series of similarly ascertained MPT-affected individuals, the present results suggest that first-line comprehensive CPG analysis in an MPT cohort referred to clinical genetics services would detect a deleterious variant in about a third of individuals.JW is supported by a Cancer Research UK Cambridge Cancer Centre Clinical Research Training Fellowship. Funding for the NIHR BioResource – Rare diseases project was provided by the National Institute for Health Research (NIHR, grant number RG65966). ERM acknowledges support from the European Research Council (Advanced Researcher Award), NIHR (Senior Investigator Award and Cambridge NIHR Biomedical Research Centre), Cancer Research UK Cambridge Cancer Centre and Medical Research Council Infrastructure Award. The University of Cambridge has received salary support in respect of EM from the NHS in the East of England through the Clinical Academic Reserve. The views expressed are those of the authors and not necessarily those of the NHS or Department of Health. DGE is an NIHR Senior Investigator and is supported by the all Manchester NIHR Biomedical Research Centre