[crypto] Fwd: Re: [CWG] Crypto Working Group, December 1

R. Hirschfeld ray at unipay.nl
Mon Nov 27 21:55:08 CET 2023



-------- Original Message --------
Subject: Re: [CWG] Crypto Working Group, December 1
Date: 2023-11-27 18:11
From: Hülsing, Andreas <a.t.huelsing at tue.nl>
To: Hülsing, Andreas <a.t.huelsing at tue.nl>
Cc: simona s <simonas at cs.ru.nl>, "Amadori, A. (Alessandro)" 
<alessandro.amadori at tno.nl>, "Tanja Lange (tanja at hyperelliptic.org)" 
<tanja at hyperelliptic.org>, Zekeriya Erkin - EWI <Z.Erkin at tudelft.nl>

Here is the complete program. Sorry for the spam.

CRYPTO WORKING GROUP

Friday, December 01, 2023
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht

Program


10:45 - 11:30 Mario Marhuenda Beltran (RU)
              Generic Security of the SAFE API and Its Applications

11:30 - 11:45 Coffee / tea break

11:45 - 12:30 Andreas Hülsing (TU/e)
              SDitH in the QROM

12:30 - 14:00 Lunch break (lunch not included)

14:00 - 14:45 Yu-Hsuan Huang (CWI)
              On the (In)Security of the BUFF Transform

14:45 - 15:00 Coffee / tea break

15:00 - 15:45 Fiona Weber (TU/e)
              An Asymmetric Key-Update Mechanism for SDLSP


--------------------------------------------------------------------------------
Abstracts
--------------------------------------------------------------------------------

Mario Marhuenda Beltran (RU)

*Generic Security of the SAFE API and Its Applications*

We provide security foundations for SAFE, a recently introduced API 
framework for sponge-based hash functions tailored to prime-field-based 
protocols. SAFE aims to provide a robust and foolproof interface, has 
been implemented in the Neptune hash framework and some zero-knowledge 
proof projects, but currently lacks any security proof. Our results pave 
the way for using SAFE with the full taxonomy of hash functions, 
including SNARK-, lattice-, and x86-friendly hashes.

--------------------------------------------------------------------------------

Andreas Hülsing (TU/e)

*SDitH in the QROM*

The MPC in the Head (MPCitH) paradigm has recently led to significant 
improvements for signatures in the code-based setting. In this paper we 
consider some modifications to a recent twist of MPCitH, called 
Hypercube-MPCitH, that in the code-based setting provides the currently 
best known signature sizes. By compressing the Hypercube-MPCitH 
five-round code-based identification scheme into three rounds we obtain 
two main benefits. On the one hand, it allows us to further develop 
recent techniques to provide a tight security proof in the 
quantum-accessible random oracle model (QROM), avoiding the catastrophic 
reduction losses incurred using generic QROM-results for Fiat-Shamir. On 
the other hand, we can reduce the already low-cost online part of the 
signature even further. In addition, we propose the use of proof-of-work 
techniques that allow us to reduce the signature size. On the technical 
side, we develop generalizations of several QROM proof techniques and 
introduce a variant of the recently proposed extractable QROM.

--------------------------------------------------------------------------------

Yu-Hsuan Huang (CWI)

*On the (In)Security of the BUFF Transform*

The BUFF transform is a generic transformation for digital signature 
schemes, with the purpose of obtaining additional security properties 
beyond standard unforgeability, e.g., exclusive ownership and 
non-resignability. In the call for additional post-quantum signatures, 
these were explicitly mentioned by the NIST as "additional desirable 
security properties", and some of the submissions indeed refer to the 
BUFF transform with the purpose of achieving them, while some other 
submissions follow the design of the BUFF transform without mentioning 
it explicitly.

In this work, we show the following negative results regarding the 
non-resignability property in general, and the BUFF transform in 
particular. In the plain model, we observe by means of a simple attack 
that any signature scheme for which the message has a high entropy given 
the signature does not satisfy the non-resignability property (while 
non-resignability is trivially not satisfied if the message can be 
efficiently computed from its signature). Given that the BUFF transform 
has high entropy in the message given the signature, it follows that the 
BUFF transform does not achieve non-resignability whenever the random 
oracle is instantiated with a hash function, no matter what hash 
function.

When considering the random oracle model (ROM), the matter becomes 
slightly more delicate since prior works did not rigorously define the 
non-resignability property in the ROM. For the natural extension of the 
definition to the ROM, we observe that our impossibility result still 
holds, despite there having been positive claims about the 
non-resignability of the BUFF transform in the ROM. Indeed, prior claims 
of the non-resignability of the BUFF transform rely on faulty 
argumentation.

On the positive side, we prove that a salted version of the BUFF 
transform satisfies a slightly weaker variant of non-resignability in 
the ROM, covering both classical and quantum attacks, if the entropy 
requirement in the (weakened) definition of non-resignability is 
statistical; for the computational variant, we show yet another negative 
result.

--------------------------------------------------------------------------------

Fiona Weber (TU/e)

*An Asymmetric Key-Update Mechanism for SDLSP*

The Space Data Link Security Protocol (SDLSP) is used by various space 
agencies, including ESA and NASA, to secure civilian communication 
between mission control and satellites.
So far, this protocol uses only symmetric cryptography, which 
restricts its ability to securely update secret keys and causes 
quadratic scaling for future use cases like satellite-to-satellite 
communication.
We set out to design an asymmetric key-update/installation mechanism 
that resolves these issues.
Our protocol uses the multi-KEM approach that has become increasingly 
common as part of the move to post-quantum cryptography and is based on 
Post-Quantum Noise.
We analyzed and proved the security of this protocol in a simplified 
eCK model that does not allow for corruption of ephemeral secrets.
This model has the advantage of being simpler than the more traditional 
eCK models, while only ignoring security aspects that many practitioners 
consider a problem of the OS.





________________________________
From: Hülsing, Andreas <a.t.huelsing at tue.nl>
Sent: Monday, November 27, 2023 5:44 PM
To: Hülsing, Andreas <a.t.huelsing at tue.nl>
Cc: simona s <simonas at cs.ru.nl>; Amadori, A. (Alessandro) 
<alessandro.amadori at tno.nl>; Tanja Lange (tanja at hyperelliptic.org) 
<tanja at hyperelliptic.org>; Zekeriya Erkin - EWI <Z.Erkin at tudelft.nl>
Subject: [CWG] Crypto Working Group, December 1

Dear all,

Please find below the program for the next crypto working group that 
happens this Friday. Sorry for being late. We will send an update as 
soon as the last title and abstract are known.

Cheers,

Andreas

