[crypto] Fwd: CWG - 1 March programme

R. Hirschfeld ray at unipay.nl
Tue Feb 13 17:26:08 CET 2024



-------- Original Message --------
Subject: CWG - 1 March programme
Date: 2024-02-13 16:54
 From: "Guarise Vieira, Heloise" <h.guarise.vieira at tue.nl>
To:

Dear all,

We will host the next Crypto Working Group meeting on 1 March, from 
10:45 to 16h, at the Kargadoor, in Utrecht.

Below you will find the programme for this meeting.

We hope to see you there!

10:45h – One for All, All for Ascon: Ensemble-based Deep Learning 
Side-channel Analysis (Azade Rezaeezade)

Abstract:
In recent years, deep learning-based side-channel analysis (DLSCA) has 
become an active research topic within the side-channel analysis 
community. The well-known challenge of hyperparameter tuning in DLSCA 
encouraged the community to use methods that reduce the effort required 
to identify an optimal model. One of the successful methods is ensemble 
learning. While ensemble methods have demonstrated their effectiveness 
in DLSCA, particularly with AES-based datasets, their efficacy in 
analyzing symmetric-key cryptographic primitives with different 
operational mechanics remains unexplored.

Ascon was recently announced as the winner of the NIST lightweight 
cryptography competition. This will lead to broader use of Ascon and a 
crucial requirement for thorough side-channel analysis of its 
implementations. With these two considerations in view, we utilize an 
ensemble of deep neural networks to attack two implementations of Ascon. 
Using an ensemble of five multilayer perceptrons or convolutional neural 
networks, we could find the secret key for the Ascon-protected 
implementation with less than 3,000 traces. To the best of our 
knowledge, this is the best currently known result. We can also identify 
the correct key with less than 100 traces for the unprotected 
implementation of Ascon, which is on par with the state-of-the-art 
results.

11:30h – coffee break

11:45h – Analysis of HWQCS and Layered-ROLLO-I (Alex Pellegrini)

Research in the code-based cryptography area has led to the proposal of 
candidates to post-quantum competitions using codes in both the Hamming 
and rank metrics. In this talk I will present the cryptanalysis of 
Layered-ROLLO-I, a rank metric code-based cryptosystem submitted to the 
Korean post-quantum Cryptography Competition, and HWQCS, a Hamming 
metric signature scheme presented at ICISC 2023. I will show how to 
unwrap the layers of Layered-ROLLO-I reducing it to a weak version of 
ROLLO-I and also describe an efficient message recovery attack that only 
uses linear algebra. Moving to HWQCS, I will show that the signatures 
leak substantial secret information, give a statistical modeling of the 
leakage and finally use this knowledge to mount an efficient universal 
forgery attack.

12:30h – lunch

14h – Towards Compressed Permutation Oracle (Dominique Unruh)

Abstract:
Compressed oracles (Zhandry, Crypto 2019) are a powerful technique to 
reason about quantum random oracles, enabling a sort of lazy sampling in 
the presence of superposition queries.  A long-standing open question is 
whether a similar technique can also be used to reason about random 
(efficiently invertible) permutations.
In this work, we make a step towards answering this question.  We first 
define the compressed permutation oracle and illustrate its use.  While 
the soundness of this technique (i.e., the indistinguishability from a 
random permutation) remains a conjecture, we show a curious 2-for-1 
theorem: If we use the compressed permutation oracle methodology to show 
that some construction (e.g., Luby-Rackoff) implements a random 
permutation (or strong qPRP), then we get the fact that this methodology 
is actually sound for free.

14:45h – Coffee break

15h – Topology-Based Reconstruction Defences for Decentralised Learning 
(Florine Dekker)

Abstract:
Decentralised learning has recently gained traction as an alternative to 
federated learning in which both data and coordination are distributed 
over the users. To preserve the confidentiality of users' data, 
decentralised learning relies on differential privacy, multi-party 
computation, or a combination thereof. However, running multiple 
privacy-preserving summations in sequence may, counterintuitively, 
decrease privacy in what is known as a reconstruction attack. 
Unfortunately, current reconstruction countermeasures either do not 
consider correlated data, or have been designed for centralised systems 
and cannot trivially be adapted to the setting of decentralised 
learning.
In this work, we show that passive honest-but-curious adversaries can 
reconstruct other users' private data after several privacy-preserving 
summations. For example, in subgraphs with 18 users, we show that only 
three passive honest-but-curious adversaries succeed at reconstructing 
private data 11.0% of the time, requiring an average of 8.8 summations 
per adversary. The success rate is independent of the size of the full 
network. We consider weak adversaries, who do not control the graph 
topology, and can exploit neither the inner workings of the summation 
protocol nor the specifics of users' data.
We develop a mathematical understanding of how reconstruction relates to 
topology and propose the first decentralised countermeasure to 
reconstruction attacks as seen in decentralised learning. Specifically, 
we show that reconstruction requires a number of adversaries linear in 
the length of the network's shortest cycle. Consequently, reconstructing 
private data from privacy-preserving summations is impossible in acyclic 
networks.
Our work is a stepping stone for a formal theory of decentralised 
reconstruction defences through structured composition. Such a theory 
would generalise our countermeasure beyond summation, define 
confidentiality in terms of entropy, and describe the effects of 
(topology-aware) differential privacy.

15:45h – end of activities


Best regards,

--

Heloise Vieira, PhD
Discrete Mathematics Cluster, Project Leader
Department of Mathematics and Computer Science
Phone number +31 (0)402474864

De Zaale, Eindhoven
05 MetaForum, MF 6.101


More information about the crypto mailing list