
    Splitting Payments Locally While Routing Interdimensionally

    Payment Channel Networks (PCNs) enable fast, scalable, and cheap payments by moving transactions off-chain, thereby overcoming debilitating drawbacks of blockchains. However, current algorithms exhibit frequent payment failures when a payment is routed via multiple intermediaries. One of the key challenges for designing PCNs is to drastically reduce this failure rate. In this paper, we design a Bitcoin-compatible protocol that allows intermediaries to split payments on the path. Intermediaries can thus easily adapt the routing to the local conditions, of which the sender is unaware. Our protocol provides both termination and atomicity of payments and provably guarantees that no participant loses funds even in the presence of malicious parties. An extended version of our basic protocol further provides unlinkability between two partial payments belonging to the same transaction, which – as we argue – is important to guarantee the success of split payments. Besides formally modeling and proving the security of our construction, we conducted an in-depth simulation-based evaluation of various routing algorithms and splitting methods. Concretely, we present Interdimensional SpeedyMurmurs, a modification of the SpeedyMurmurs protocol that increases the flexibility of the route choice combined with splitting. Even in the absence of splitting, Interdimensional SpeedyMurmurs increases the success ratio of transactions drastically in comparison to a Lightning-style protocol, by close to 50%.

    Compact Lossy Trapdoor Functions and Selective Opening Security From LWE

    Selective opening (SO) security is a security notion for public-key encryption schemes that captures security against adaptive corruptions of senders. SO security comes in chosen-plaintext (SO-CPA) and chosen-ciphertext (SO-CCA) variants, neither of which is implied by standard security notions like IND-CPA or IND-CCA security. In this paper, we present the first SO-CCA secure encryption scheme that combines the following two properties: (1) it has a constant ciphertext expansion (i.e., ciphertexts are only larger than plaintexts by a constant factor), and (2) its security can be proven from a standard assumption. Previously, the only known SO-CCA secure encryption scheme achieving (1) was built from an ad-hoc assumption in the RSA regime. Our construction builds upon LWE, and in particular on a new and surprisingly simple construction of compact lossy trapdoor functions (LTFs). Our LTF can be converted into an “all-but-many LTF” (or ABM-LTF), which is known to be sufficient to obtain SO-CCA security. Along the way, we fix a technical problem in the previous ABM-LTF-based construction of SO-CCA security.

    Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes

    Fuzzy Password-Authenticated Key Exchange (fuzzy PAKE) allows cryptographic keys to be generated from authentication data that is both fuzzy and of low entropy. The strong protection against offline attacks offered by fuzzy PAKE opens an interesting avenue towards secure biometric authentication, typo-tolerant password authentication, and automated IoT device pairing. Previous constructions of fuzzy PAKE are either based on Error Correcting Codes (ECC) or on generic multi-party computation techniques such as Garbled Circuits. While ECC-based constructions are significantly more efficient, they rely on multiple special properties of error correcting codes such as maximum distance separability and smoothness. We contribute to the line of research on fuzzy PAKE in two ways. First, we identify a subtle but devastating gap in the security analysis of the currently most efficient fuzzy PAKE construction (Dupont et al., Eurocrypt 2018), allowing a man-in-the-middle attacker to test individual password characters. Second, we provide a new fuzzy PAKE scheme based on ECC and PAKE that provides built-in protection against individual password character guesses and requires fewer, more standard properties of the underlying ECC. Additionally, our construction offers better error correction capabilities than previous ECC-based fuzzy PAKEs.

    The BSS model and cryptography

    Real numbers are usually represented by various discrete objects such as floating points or partial decimal expansions. This is mainly because the classical computability theory relates to computers which work with discrete data. Nevertheless, for theoretical purposes it is interesting to look at models of computation that deal with real numbers as with objects of unit size. A very natural such model was suggested by Blum, Shub and Smale in 1989. In 2012 Grigoriev and Nikolenko studied various cryptographic tasks involving real numbers (for example, biometric authentication) and they considered the BSS machine model. In this work we focus on hard-to-invert functions in this model of computation. Our main theme is to analyse whether there are real functions of one variable that are easier to compute than to invert by a BSS machine.

    Key dependent message security

    In this work, we deal with cryptosystems which are provably secure even if we encrypt a key-dependent message. These cryptosystems are called KDM-secure. First, we define KDM-security and discuss its relationship with other kinds of security, especially IND-CPA-security. Thereafter, we construct the public-key and the symmetric-key encryption scheme of Applebaum et al. (CRYPTO 2009) and we prove KDM-security of these cryptosystems with respect to the set of affine functions. The security of our cryptosystems is based on the LWE problem and the LPN problem as its special case. We study these problems and their variants. Moreover, we give a brief introduction to lattices and hard lattice problems because there exist reductions from hard lattice problems to LWE.

    FastKitten: Practical Smart Contracts on Bitcoin

    Smart contracts are envisioned to be one of the killer applications of decentralized cryptocurrencies. They enable self-enforcing payments between users depending on complex program logic. Unfortunately, Bitcoin – the largest and by far most widely used cryptocurrency – does not offer support for complex smart contracts. Moreover, simple contracts that can be executed on Bitcoin are often cumbersome to design and very costly to execute. In this work we present FastKitten, a practical framework for executing arbitrarily complex smart contracts at low cost over decentralized cryptocurrencies which are designed to only support simple transactions. To this end, FastKitten leverages the power of trusted execution environments (TEEs), in which contracts are run off-chain to enable efficient contract execution at low cost. We formally prove that FastKitten satisfies strong security properties when all but one party are malicious. Finally, we report on a prototype implementation which supports arbitrary contracts through a scripting engine, and evaluate performance by benchmarking a provably fair online poker game. Our implementation illustrates that FastKitten is practical for complex multi-round applications with very small latency. Combining these features, FastKitten is the first truly practical framework for complex smart contract execution over Bitcoin.