Topics in Cryptology - CT-RSA 2021
Cryptographers' Track at the RSA Conference 2021, Virtual Event, May 17-20, 2021, Proceedings
Published on 11. May 2021
XI, 684 pages
978-3-030-75539-3 (ISBN)
Description
This book constitutes the refereed proceedings of the Cryptographer's Track at the RSA Conference 2021, CT-RSA 2021, held in San Francisco, CA, USA, in May 2021.*
The 27 full papers presented in this volume were carefully reviewed and selected from 100 submissions.
CT-RSA is the track devoted to scientific papers on cryptography, public-key to symmetric-key cryptography and from crypto-graphic protocols to primitives and their implementation security.
*The conference was held virtually.
More details
Series
Edition
1st ed. 2021
Language
English
Place of publication
Cham
Switzerland
Publishing group
Springer International Publishing
Product notice
Reflowable
Illustrations
XI, 684 p. 148 illus., 51 illus. in color.
File size
25,55 MB
ISBN-13
978-3-030-75539-3 (9783030755393)
DOI
10.1007/978-3-030-75539-3
Schweitzer Classification
Other editions
Additional editions
Kenneth G. Paterson
Topics in Cryptology - CT-RSA 2021
Cryptographers' Track at the RSA Conference 2021, Virtual Event, May 17-20, 2021, Proceedings
Book
05/2021
Springer
€128.39
Shipment within 7-9 days
Content
- Intro
- Preface
- Organization
- Contents
- Secure Fast Evaluation of Iterative Methods: With an Application to Secure PageRank
- 1 Introduction
- 2 Preliminaries
- 3 Banach Fixed Point Theorem and the Power Method
- 4 Stability of PageRank
- 4.1 Traditional Stability of PageRank
- 4.2 Stability Due to Approximate Computations
- 5 Effect of Early Termination of PageRank
- 6 A Multiparty Actively-Secure Protocol for the PageRank Algorithm
- A Converses to Banach's Fixed Point Theorem
- References
- Compilation of Function Representations for Secure Computing Paradigms
- 1 Introduction
- 2 M-Circuits
- 2.1 Defining an M-Circuit
- 2.2 Executing an M-Circuit
- 2.3 Compiling M-Circuits
- 2.4 Security of M-Circuits
- 3 M-Circuits for Multi-party Computation
- 4 M-Circuits for MPC-in-the-Head
- 4.1 The Underlying MPC Protocol
- 4.2 Sub-procedures for MPCitH
- 4.3 The Construction of HVZK Argument of Knowledge
- 5 Using Different Correlated Randomness Sources
- 5.1 Dot-Product Computation
- 5.2 Matrix Triples
- 5.3 Tiny-Tables
- 6 Sacrificing
- 7 Executable Gadgets
- References
- Oblivious TLS via Multi-party Computation
- 1 Introduction
- 2 Notation and Preliminaries
- 2.1 An Overview of TLS 1.3
- 2.2 Multiparty Computation Protocols
- 3 Overview of the Solution
- 4 Handshake Operations
- 4.1 Diffie-Hellman
- 4.2 Signature Generation
- 5 Record Layer Operations
- 5.1 AES-GCM
- 6 Security and Performance
- 6.1 Performance
- References
- Noisy Simon Period Finding
- 1 Introduction
- 2 Simon's Algorithm in the Noisy Case
- 3 Quantum Period Finding on IBM-Q16
- 3.1 Function Choice
- 3.2 Minimizing the Gate Count of fs
- 3.3 Experiments on IBM Q 16
- 4 Smoothing Techniques
- 4.1 Quality Measures Statistics
- 5 LSN is Polynomial Time Equivalent to LPN
- 6 Theoretical Error Handling for Simon's Algorithm
- 7 Practical Error Handling for Simon's Algorithm
- References
- A Bunch of Broken Schemes: A Simple yet Powerful Linear Approach to Analyzing Security of Attribute-Based Encryption
- 1 Introduction
- 1.1 Our Contribution
- 1.2 Technical Details
- 2 Preliminaries
- 2.1 Formal Definition of (Multi-authority) Ciphertext-Policy ABE
- 2.2 The Security Model and Our Attack Models
- 3 Warm-Up: Attacking DAC-MACS (YJR+13 )
- 4 Systematizing Our Methodology
- 4.1 The Common Structure Implies a More Concise Notation
- 4.2 Modeling Knowledge of Exponents - Extending Zp
- 4.3 Formal Definitions of the Attacks in the Concise Notations
- 4.4 Definitions of Multi-authority-specific Attacks
- 4.5 Our Heuristic Approach
- 5 Examples of Our Attacks Demonstrating the Approach
- 5.1 Example Without Corruption: The YJR+13 scheme
- 5.2 Example with Corruption: The YJ14 scheme
- 5.3 Example Without Corruption: The JLWW13 scheme
- 6 More Attacks, on Several Other Schemes
- 6.1 Single-Authority ABE
- 6.2 Multi-authority ABE
- 7 Discussion
- References
- Zero-Correlation Linear Cryptanalysis with Equal Treatment for Plaintexts and Tweakeys
- 1 Introduction
- 2 Preliminaries
- 3 Zero-Correlation Linear Cryptanalysis with Equal Treatment for Plaintexts, Keys, and Tweaks
- 4 Applications
- 4.1 Application to TWINE
- 4.2 Application to LBlock
- 4.3 Application to SKINNY
- 5 Conclusion
- A Zero-Correlation Linear Hulls for SKINNY-64/192
- References
- SoK: Game-Based Security Models for Group Key Exchange
- 1 Introduction
- 1.1 Systemizing Group Key Exchange Models
- 1.2 Basic Notions in Group Key Exchange
- 2 Syntax Definitions
- 2.1 Quantities
- 2.2 Setup Assumptions
- 2.3 Operations
- 2.4 Return Values
- 2.5 Our Syntax Proposal
- 3 Communication Models
- 3.1 Partnering
- 3.2 Our Partnering Proposal
- 4 Security Definitions
- 4.1 Our Security Proposal
- 5 Concluding Remarks and Open Problems
- References
- EPID with Malicious Revocation
- 1 Introduction
- 1.1 Related Works
- 1.2 Our Contributions
- 2 Preliminaries
- 3 Specification of EPID
- 3.1 Syntax
- 3.2 Security Model
- 4 Our First Construction
- 4.1 Description
- 4.2 Security Proofs
- 5 An Efficient Variant with Limited Concurrent Enrolments
- 5.1 Description
- 6 Conclusion
- References
- Signed Diffie-Hellman Key Exchange with Tight Security
- 1 Introduction
- 1.1 Our Contribution
- 1.2 Protocol Comparison
- 2 Preliminaries
- 3 Security Model for Two-Message Authenticated Key Exchange
- 4 Verifiable Key Exchange Protocols
- 4.1 Example: Plain Diffie-Hellman Protocol
- 5 Signed Diffie-Hellman, Revisited
- References
- Lattice-Based Proof of Shuffle and Applications to Electronic Voting
- 1 Introduction
- 1.1 Our Contribution
- 1.2 Related Work
- 2 Preliminaries
- 2.1 The Rings R and Rp
- 2.2 The Discrete Gaussian Distribution
- 3 Lattice-Background: Commitments and ZK Proofs
- 3.1 Lattice-Based Commitments
- 3.2 Zero-Knowledge Proof of Linear Relations
- 4 Protocol: Zero-Knowledge Proof of Correct Shuffle
- 5 Applications to Electronic Voting
- 5.1 Verifiable Encryption
- 5.2 Return Codes
- 5.3 The Voting Scheme
- 6 Performance
- 6.1 Size
- 6.2 Timings
- 6.3 Comparison
- References
- More Efficient Shuffle Argument from Unique Factorization
- 1 Introduction
- 2 Preliminaries
- 3 Coefficient-Product Argument
- 4 A Characterization of Permutation Matrices
- 5 Shuffle Argument
- 6 Efficiency
- 7 Discussions
- References
- Cryptanalysis of a Dynamic Universal Accumulator over Bilinear Groups
- 1 Introduction
- 2 Au et al. Dynamic Universal Accumulator
- 2.1 Security Model and Attack Scenarios
- 3 Breaking Collision Resistance in the -Based Construction
- 4 The -Recovery Attack for the -Based Construction
- 4.1 Recovering fV()
- 4.2 Recovering
- 4.3 Estimating the Minimum Number of Witnesses Needed
- 5 Improving the -Recovery Attack
- 5.1 The Random-y Sieving Attack
- 5.2 The Chosen-y Sieving Attack
- 6 Experimental Results
- 7 Weak Non-membership Witnesses
- 8 Preventing Witness Forgery in the CRS-Based Construction
- 8.1 How to Ensure Some Accumulated Elements Remain Unknown
- 8.2 Recovering the CRS
- 9 Conclusions
- References
- FAN: A Lightweight Authenticated Cryptographic Algorithm
- 1 Introduction
- 2 Specification of FAN
- 2.1 Notations
- 2.2 State and Functions
- 2.3 Initialization
- 2.4 Processing Associated Data
- 2.5 Encryption
- 2.6 Finalization
- 2.7 Decryption and Verification
- 3 Design Rationale
- 3.1 Structure
- 3.2 S-Box
- 3.3 L-Layer
- 3.4 AEAD Mode
- 4 Security Analysis
- 4.1 Related Key Chosen IV Attack
- 4.2 Cube Attack
- 4.3 Randomness Test
- 4.4 Guess-and-Determine Attack
- 4.5 Time-Memory-Data Tradeoff Attack
- 4.6 Differential Attack
- 4.7 Correlation Attack
- 4.8 Algebraic Attack
- 4.9 Side-Channel Attack
- 4.10 Internal State Collision
- 4.11 Attacks on the Finalization
- 5 Performance
- 5.1 Software Performance
- 5.2 Hardware Performance
- 6 Conclusion
- 7 Appendix 1: Test Vector
- 8 Appendix 2: AES MixColumn with 92 XOR Gates
- 9 Appendix 3: Comparison Outline Diagram for Different Phases
- 10 Appendix 4: Gate Count for Fan
- References
- Related-Key Analysis of Generalized Feistel Networks with Expanding Round Functions
- 1 Introduction
- 2 Preliminaries
- 2.1 (Multi-user) RKA Security
- 2.2 The H-Coefficient Technique
- 3 Security Analysis of Expanding Feistel Networks
- 3.1 Bad Transcripts
- 3.2 Analyzing Good Transcripts
- 4 Security Analysis of Alternating Feistel Networks
- 4.1 Bad Transcripts
- 4.2 Analyzing Good Transcripts
- 4.3 AFN Using a Tweakable Round Function and Single Key
- 5 Conclusion
- References
- The Key-Dependent Message Security of Key-Alternating Feistel Ciphers
- 1 Introduction
- 2 Preliminaries
- 3 KDM Security and a Generic Lemma
- 3.1 Definitions
- 3.2 A Generic Lemma
- 4 Four-Round KAF
- 5 Attacks
- 5.1 Necessity of Offset-Freeness
- 5.2 Sliding Attacks
- 6 Discussion
- References
- Mesh Messaging in Large-Scale Protests: Breaking Bridgefy
- 1 Introduction
- 1.1 Contributions
- 2 Preliminaries
- 2.1 Reverse Engineering
- 2.2 Primitives Used
- 2.3 Related Work
- 2.4 Alternative Mesh Applications
- 3 Bridgefy Architecture
- 3.1 Bluetooth Messages
- 3.2 Handshake Protocol
- 3.3 Routing via the Bridgefy Server
- 4 Attacks
- 4.1 Privacy
- 4.2 Authenticity
- 4.3 Confidentiality
- 4.4 Denial of Service
- 5 Discussion
- 5.1 Responsible Disclosure
- References
- Inverse-Sybil Attacks in Automated Contact Tracing
- 1 Introduction
- 1.1 Automated Contact Tracing
- 1.2 False Positives
- 2 Protocol 1: Decentralized, Non-Interactive Exchange
- 2.1 Toy Protocol
- 2.2 Description of Protocol 1
- 3 Security of Protocol 1
- 3.1 Security Game
- 3.2 Security of Protocol 1
- 4 Protocol 2: Decentralized, Using Location for Chaining
- 4.1 Protocol Description
- 4.2 Correctness, Privacy and Epochs
- 5 Security of Protocol 2
- 5.1 Security Against Replay and Relay Attacks
- 5.2 Security Against Inverse-Sybil Attacks
- References
- On the Effectiveness of Time Travel to Inject COVID-19 Alerts
- 1 Introduction
- 2 How GAEN Works
- 3 Summary of Techniques for False Alert Injection
- 4 Time-Traveling Phones
- 4.1 Set Clock Manually
- 4.2 Rogue NTP Server
- 4.3 Rogue Base Station
- 4.4 Rogue GNSS
- 5 Master of Time Attack
- 6 Experiments
- 6.1 Rogue NTP Server
- 6.2 Rogue Base Station
- 6.3 Experimenting the Attack with a Journalist
- 6.4 Other GAEN-based Apps
- 7 KISS Attack
- 7.1 Still-Valid Keys
- 7.2 Consequences of Interoperability
- 8 My-Number Attack
- 9 Countermeasures
- 10 Conclusion
- References
- SoK: How (not) to Design and Implement Post-quantum Cryptography
- 1 Introduction
- 1.1 Our Findings
- 2 The Raw Material: Hard Problems
- 2.1 Baseline: Problems that are not Post-quantum
- 2.2 Problems on Lattices
- 2.3 Problems on Codes
- 2.4 Problems on Multivariate Systems
- 2.5 Problems on One-Way and Hash Functions
- 2.6 Problems on Isogenies
- 2.7 Summary of Problems
- 3 Paradigms are Guidelines, not Panaceas
- 3.1 Schnorr Signatures over Lattices
- 3.2 The SQISign Approach for Signatures
- 3.3 Beyond High Soundness Signatures
- 3.4 Full Domain Hash Signatures
- 3.5 Diffie-Hellman and El Gamal
- 4 Return of Symmetric Cryptography
- 4.1 Hash-Based Signatures
- 4.2 Signatures Based on ZKPs and OWFs
- 5 The Implementation Challenges in PQC
- 5.1 Decryption Failures and Reaction Attacks
- 5.2 Implementation Attacks in PQC
- 5.3 Side-Channels and Countermeasures
- References
- Dual Lattice Attacks for Closest Vector Problems (with Preprocessing)
- 1 Introduction
- 1.1 Contributions
- 2 Preliminaries
- 2.1 Lattices
- 2.2 Heuristic Assumptions
- 2.3 Lattice Algorithms and Cost Models
- 2.4 Model
- 3 Algorithms
- 3.1 The Aharonov-Regev Decoder
- 3.2 The Neyman-Pearson Decoder
- 3.3 The Simple Decoder
- 3.4 Distinguishing Algorithms
- 3.5 Search Algorithms
- 3.6 Choosing the Set of Dual Vectors W
- 4 Asymptotics
- 4.1 Output Distributions of the Decoders
- 4.2 Closest Vector Problems with Preprocessing
- 4.3 Closest Vector Problems Without Preprocessing
- 5 Experiments
- 5.1 Setup
- 5.2 Evaluating the Distinguishers
- 5.3 Evaluating the Search Algorithms
- References
- On the Hardness of Module-LWE with Binary Secret
- 1 Introduction
- 2 Preliminaries
- 2.1 Algebraic Number Theory Background
- 2.2 Lattices
- 2.3 Probabilities
- 2.4 Ring Leftover Hash Lemma
- 2.5 Module Learning with Errors
- 3 Hardness of M-LWE with Binary Secret
- 3.1 Choice of Embedding for Binary Secrets
- 3.2 First-is-Errorless M-LWE
- 3.3 Extended M-LWE
- 3.4 Reduction to bin-M-LWE
- References
- Multi-party Revocation in Sovrin: Performance through Distributed Trust
- 1 Introduction
- 1.1 Our Techniques
- 1.2 Our Contribution
- 1.3 Related Work
- 2 Preliminaries
- 2.1 UC Security and ABB
- 2.2 SPDZ, Shamir, and Derived Protocols
- 2.3 Accumulators
- 2.4 Pairing-Based Accumulator
- 2.5 UC Secure Accumulators
- 3 Multi-Party Public-Key Accumulators
- 3.1 Dynamic (Threshold) Secret-Shared Accumulator from the q-SDH Assumption
- 3.2 SPDZ vs. Shamir Secret Sharing
- 4 Implementation and Performance Evaluation
- 4.1 Evaluation of MPC-q-SDH
- 4.2 Further Improvement
- 5 Applications
- 5.1 Credential Revocation in Distributed Credential Systems
- 5.2 Privacy-Preserving Certificate-Transparency Logs
- References
- Balancing Privacy and Accountability in Blockchain Identity Management
- 1 Introduction
- 2 Preliminaries and Building Blocks
- 2.1 Notation
- 2.2 Pseudorandom Functions
- 2.3 Blind Signature Schemes
- 2.4 (Ad-Hoc) Threshold Encryption Scheme
- 3 System Design
- 4 ID-Layer Formalization
- 4.1 The ID Layer Functionality
- 4.2 Issuing Credentials - The Functionality
- 5 Formal Protocols Specifications
- 5.1 Identity Layer Protocol
- 5.2 Proof of Security for Identity Layer
- 5.3 Credential Issue Protocol
- 5.4 Proof of Security for Issue Protocol
- 6 Putting Everything Together
- References
- Non-interactive Half-Aggregation of EdDSA and Variants of Schnorr Signatures
- 1 Introduction
- 1.1 Our Contributions
- 2 Proof-of-knowledge for a Collection of Signatures
- 2.1 Schnorr/EdDSA Signatures
- 2.2 Three-Move (Sigma) Protocol
- 2.3 Proof-of-knowledge
- 3 Non-interactive Half-Aggregation of Schnorr/EdDSA Signatures
- 3.1 Aggregate Signature Security
- 3.2 Half-Aggregation
- 3.3 Half+-Aggregation
- 4 Deterministic Batch Verification of Schnorr Signatures
- 5 Impossibility of Non-interactive Compression by More Than a Half
- Appendix A Related work
- Appendix A.1 Security Proofs
- Appendix A.2 Multi-signatures
- Appendix A.3 Schnorr signature variants
- Appendix A.4 Non-Schnorr schemes
- Appendix A.5 Schnorr batching and aggregation
- Appendix B EdDSA signatures
- Appendix C Single signature security
- Appendix D Proof of Theorem 6
- Appendix E Proof of Theorem 8
- Appendix F Parameter selection for almost-half-aggregation
- Appendix G Formal analysis for the impossibility of non-interactive compression by more than a half
- References
- A Framework to Optimize Implementations of Matrices
- 1 Introduction
- 2 Preliminaries
- 2.1 Notations
- 2.2 Existing Heuristics for Optimizing Matrix Implementation
- 2.3 Techniques for Optimizing a Given Implementation
- 3 New Reduction for a Given Matrix Implementation
- 4 A General Framework of Optimization
- 5 Applications
- 5.1 Applications to Random Matrices
- 5.2 Applications to Cipher Matrices
- 6 Conclusion and Future Work
- References
- Improvements to RSA Key Generation and CRT on Embedded Devices
- 1 Introduction
- 1.1 Notation
- 2 Generating Prime Numbers
- 2.1 Naïve Algorithm
- 2.2 Sieving Algorithms
- 2.3 New Sampling Algorithm with Quadratic Residuosity
- 2.4 Applications
- 3 RSA-CRT Without q-1 Mod p
- 3.1 Inverse-Free RSA Mod pk q
- 3.2 Generalized Batching
- 4 RSA with Compressed Private Keys
- 5 Performance
- 5.1 Discussion
- 6 Future Work
- A Proof of Theorem1
- B Minimizing u
- B.1 Sparse Solutions to Linear Equations
- B.2 Multiple u
- B.3 Quadratic Minimization
- References
- On the Cost of ASIC Hardware Crackers: A SHA-1 Case Study
- 1 Introduction
- 2 Hash Functions and Cryptanalysis
- 2.1 SHA-1 and Related Attacks.
- 2.2 Birthday Search in Practice.
- 2.3 Differential Cryptanalysis
- 3 Hardware Birthday Cluster
- 3.1 Cluster Nodes
- 3.2 Hardware Design of Birthday Slaves
- 4 Verification
- 5 Hardware Differential Attack Cluster Design
- 5.1 Neutral Bits
- 5.2 Storage
- 5.3 Architecture
- 6 Chip Design
- 6.1 Chip Architecture
- 6.2 ASIC Fabrication and Running Cost
- 6.3 Results
- 6.4 Attack Rates and Execution Time
- 7 Cost Analysis and Comparisons
- 7.1 264 Birthday Attack
- 7.2 280 Birthday Attack
- 7.3 Chosen Prefix Differential Collision Attack
- 7.4 Limitations
- 8 Conclusion
- A Chip layout
- References
- Author Index
