[crypto] Fwd: Re: [CWG] Crypto Working Group, December 1
R. Hirschfeld
ray at unipay.nl
Mon Nov 27 21:55:08 CET 2023
-------- Original Message --------
Subject: Re: [CWG] Crypto Working Group, December 1
Date: 2023-11-27 18:11
From: Hülsing, Andreas <a.t.huelsing at tue.nl>
To: Hülsing, Andreas <a.t.huelsing at tue.nl>
Cc: simona s <simonas at cs.ru.nl>, "Amadori, A. (Alessandro)"
<alessandro.amadori at tno.nl>, "Tanja Lange (tanja at hyperelliptic.org)"
<tanja at hyperelliptic.org>, Zekeriya Erkin - EWI <Z.Erkin at tudelft.nl>
Here is the complete program. Sorry for the spam.
CRYPTO WORKING GROUP
Friday, December 01, 2023
De Kargadoor (http://www.kargadoor.nl/utrecht/zaalverhuur.html)
Oudegracht 36, Utrecht
Program
10:45 - 11:30 Mario Marhuenda Beltran (RU)
Generic Security of the SAFE API and Its Applications
11:30 - 11:45 Coffee / tea break
11:45 - 12:30 Andreas Hülsing (TU/e)
SDitH in the QROM
12:30 - 14:00 Lunch break (lunch not included)
14:00 - 14:45 Yu-Hsuan Huang (CWI)
On the (In)Security of the BUFF Transform
14:45 - 15:00 Coffee / tea break
15:00 - 15:45 Fiona Weber (TU/e)
An Asymmetric Key-Update Mechanism for SDLSP
--------------------------------------------------------------------------------
Abstracts
--------------------------------------------------------------------------------
Mario Marhuenda Beltran (RU)
*Generic Security of the SAFE API and Its Applications*
We provide security foundations for SAFE, a recently introduced API
framework for sponge-based hash functions tailored to prime-field-based
protocols. SAFE aims to provide a robust and foolproof interface, has
been implemented in the Neptune hash framework and some zero-knowledge
proof projects, but currently lacks any security proof. Our results pave
the way for using SAFE with the full taxonomy of hash functions,
including SNARK-, lattice-, and x86-friendly hashes.
--------------------------------------------------------------------------------
Andreas Hülsing (TU/e)
*SDitH in the QROM*
The MPC in the Head (MPCitH) paradigm has recently led to significant
improvements for signatures in the code-based setting. In this paper we
consider some modifications to a recent twist of MPCitH, called
Hypercube-MPCitH, that in the code-based setting provides the currently
best known signature sizes. By compressing the Hypercube-MPCitH
five-round code-based identification scheme into three rounds, we obtain
two main benefits. On the one hand, it allows us to further develop
recent techniques to provide a tight security proof in the
quantum-accessible random oracle model (QROM), avoiding the catastrophic
reduction losses incurred using generic QROM-results for Fiat-Shamir. On
the other hand, we can reduce the already low-cost online part of the
signature even further. In addition, we propose the use of proof-of-work
techniques that allow us to reduce the signature size. On the technical
side, we develop generalizations of several QROM proof techniques and
introduce a variant of the recently proposed extractable QROM.
--------------------------------------------------------------------------------
Yu-Hsuan Huang (CWI)
*On the (In)Security of the BUFF Transform*
The BUFF transform is a generic transformation for digital signature
schemes, with the purpose of obtaining additional security properties
beyond standard unforgeability, e.g., exclusive ownership and
non-resignability. In the call for additional post-quantum signatures,
these were explicitly mentioned by NIST as "additional desirable
security properties", and some of the submissions indeed refer to the
BUFF transform with the purpose of achieving them, while some other
submissions follow the design of the BUFF transform without mentioning
it explicitly.
In this work, we show the following negative results regarding the
non-resignability property in general, and the BUFF transform in
particular. In the plain model, we observe by means of a simple attack
that any signature scheme for which the message has a high entropy given
the signature does not satisfy the non-resignability property (while
non-resignability is trivially not satisfied if the message can be
efficiently computed from its signature). Given that the BUFF transform
has high entropy in the message given the signature, it follows that the
BUFF transform does not achieve non-resignability whenever the random
oracle is instantiated with a hash function, no matter what hash
function.
When considering the random oracle model (ROM), the matter becomes
slightly more delicate since prior works did not rigorously define the
non-resignability property in the ROM. For the natural extension of the
definition to the ROM, we observe that our impossibility result still
holds, despite there having been positive claims about the
non-resignability of the BUFF transform in the ROM. Indeed, prior claims
of the non-resignability of the BUFF transform rely on faulty
argumentation.
On the positive side, we prove that a salted version of the BUFF
transform satisfies a slightly weaker variant of non-resignability in
the ROM, covering both classical and quantum attacks, if the entropy
requirement in the (weakened) definition of non-resignability is
statistical; for the computational variant, we show yet another negative
result.
--------------------------------------------------------------------------------
Fiona Weber (TU/e)
*An Asymmetric Key-Update Mechanism for SDLSP*
The Space Data Link Security Protocol (SDLSP) is used by various space
agencies, including ESA and NASA, to secure civilian communication
between mission-control and satellites.
So far this protocol only uses symmetric cryptography, which
restricts its ability to securely update secret keys and causes
quadratic scaling for future use-cases like satellite-to-satellite
communication.
We set out to design an asymmetric key-update/installation mechanism
that resolves these issues.
Our protocol uses the multi-KEM approach that has become increasingly
common as part of the move to post-quantum cryptography and is based on
Post-Quantum Noise.
We analyzed and proved the security of this protocol in a simplified
eCK-model that does not allow for corruption of ephemeral secrets.
This model has the advantage of being simpler than the more traditional
eCK-models, while only ignoring security aspects that many practitioners
consider a problem of the OS.
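As an added illustration of the BUFF transform discussed in the third talk (this is example code written for this page, not code from the talk, the paper or any submission), the block below wraps a toy hash-based one-time signature in BUFF and shows the exclusive-ownership property that the transform is designed to add. The underlying scheme, a 256-bit Lamport signature built from SHA-256, the length-prefixed hash encoding, and the way the public key is serialized into the hash input are all assumptions made for the demonstration; the BUFF shape itself, Sign'(sk, m) = (Sign(sk, h), h) with h = H(m, pk) and a verifier that recomputes h from (m, pk), is the standard one. The sample message is constructed. Nothing here reproduces the paper's non-resignability attack; it only shows what BUFF does achieve and why.

```python
import hashlib
import secrets


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (assumed encoding, avoids ambiguity)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


# --- Toy underlying scheme: Lamport one-time signature on a 256-bit digest.
# Stand-in for any Sign/Verify; BUFF wraps the scheme as a black box.
# (One-time: each key pair below signs exactly one digest.)

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, digest: bytes):
    return [sk[i][_bit(digest, i)] for i in range(256)]


def lamport_verify(pk, digest: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][_bit(digest, i)] for i in range(256))


def pk_bytes(pk) -> bytes:
    """Assumed serialization of the public key for hashing."""
    return b"".join(y0 + y1 for y0, y1 in pk)


# Plain use: sign the hash of the message, no binding to the public key.
def plain_sign(sk, m: bytes):
    return lamport_sign(sk, H(m))


def plain_verify(pk, m: bytes, sig) -> bool:
    return lamport_verify(pk, H(m), sig)


# --- BUFF transform: h = H(m, pk) is signed and shipped with the signature;
# the verifier recomputes h from (m, pk) before checking the inner signature.
def buff_sign(sk, pk, m: bytes):
    h = H(m, pk_bytes(pk))
    return (lamport_sign(sk, h), h)


def buff_verify(pk, m: bytes, sig) -> bool:
    inner, h = sig
    if h != H(m, pk_bytes(pk)):
        return False
    return lamport_verify(pk, h, inner)


# --- Key-substitution attempt against exclusive ownership.
# From a Lamport signature on `digest`, build a fresh public key under which
# that same signature verifies: the revealed preimages fix one entry of each
# pair, the other entry is chosen at random.
def forge_pk_for(digest: bytes, inner):
    pk2 = []
    for i in range(256):
        fixed, other = H(inner[i]), H(secrets.token_bytes(32))
        pk2.append((fixed, other) if _bit(digest, i) == 0 else (other, fixed))
    return pk2


def demo():
    m = b"constructed sample message"  # constructed input for the demo

    # Plain scheme: signature verifies under the honest key AND a forged one.
    sk, pk = lamport_keygen()
    s = plain_sign(sk, m)
    pk_forged = forge_pk_for(H(m), s)
    plain_honest = plain_verify(pk, m, s)
    plain_forged = plain_verify(pk_forged, m, s)

    # BUFF: the inner signature can still be re-keyed, but the verifier
    # recomputes h = H(m, pk_forged), which does not equal the signed h.
    sk_b, pk_b = lamport_keygen()
    bs = buff_sign(sk_b, pk_b, m)
    inner, h = bs
    pk_forged_b = forge_pk_for(h, inner)
    inner_rekeyed = lamport_verify(pk_forged_b, h, inner)
    buff_honest = buff_verify(pk_b, m, bs)
    buff_forged = buff_verify(pk_forged_b, m, bs)
    return plain_honest, plain_forged, buff_honest, buff_forged, inner_rekeyed
```

Run `demo()`: the plain scheme accepts the signature under both keys, while under BUFF the re-keyed inner signature is still valid on its own but the wrapped verification fails because the hash no longer matches the substituted public key. Note also that the BUFF signature depends on the message only through h, which is the "high entropy in the message given the signature" observation the abstract builds its negative result on; the property the transform pins down is ownership of the key, not the relationship between signature and message.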
________________________________
From: Hülsing, Andreas <a.t.huelsing at tue.nl>
Sent: Monday, November 27, 2023 5:44 PM
To: Hülsing, Andreas <a.t.huelsing at tue.nl>
Cc: simona s <simonas at cs.ru.nl>; Amadori, A. (Alessandro)
<alessandro.amadori at tno.nl>; Tanja Lange (tanja at hyperelliptic.org)
<tanja at hyperelliptic.org>; Zekeriya Erkin - EWI <Z.Erkin at tudelft.nl>
Subject: [CWG] Crypto Working Group, December 1
Dear all,
Please find below the program for the next crypto working group that
happens this Friday. Sorry for being late. We will send an update as
soon as the last title and abstract are known.
Cheers,
Andreas