Cryptology ePrint Archive
Not a member yet
    24907 research outputs found

    A Chosen-Ciphertext Side-Channel Attack on Shuffled CRYSTALS-Kyber

    Get PDF
    The NIST Post-Quantum Cryptography (PQC) standardization has entered its fourth round, underscoring the critical importance of addressing side-channel attacks (SCA), a dominant threat in real-world cryptographic implementations, especially on embedded devices. This paper presents a novel chosen-ciphertext side-channel attack against CRYSTALS-Kyber (standardized as ML-KEM) implementations with Fisher-Yates shuffled polynomial reduction. We propose an efficient and fault-tolerant key recovery algorithm that, by crafting malicious ciphertexts, induces changes in the Hamming weight distribution of an intermediate polynomial\u27s coefficients (the output of the shuffled polynomial reduction during decapsulation), enabling recovery of secret key coefficients from these changes. To ensure robustness, we propose an error-correction strategy that leverages the Hamming weight classifier\u27s behavior to constrain and shrink the correction search space, maintaining effectiveness even with less accurate classifiers or in low-SNR environments. A Multi-Layer Perceptron (MLP) is employed for Hamming weight classification from side-channel traces, achieving 97.11% accuracy. We combine statistical analysis with explainable deep learning for precise trace segmentation during pre-processing. Experimental results demonstrate full key recovery with only an average of 10+354×310 + 354 \times 3 ciphertext queries and a success rate of 97.98%, reducing the adversarial effort by 95.36% compared to contemporary bit-flip techniques. Although shuffling aims to disrupt temporal correlations, our results show that statistical features persist and leak through shuffled implementations. This work reveals enduring SCA risks in shuffled implementations and informs a broader reassessment of PQC side-channel resilience

    Adaptively Secure Partially Non-Interactive Threshold Schnorr Signatures in the AGM

    Get PDF
    Very recently, Crites et al. (CRYPTO 2025) gave a proof for the full adaptive security of FROST (Komlo and Goldberg, SAC 2020), the state-of-the-art two-round threshold Schnorr signature scheme, which is currently used in real-world applications and is covered by an RFC standard. Their security proof, however, relies on the computational hardness of a new search problem they call “low-dimensional vector representation” (LDVR). In fact, the authors show that hardness of LDVR is necessary for adaptive security of a large class of threshold Schnorr signatures to hold, including FROST and its two-round variants. Given that LDVR is a new assumption and its hardness has not been seriously scrutinized, it remains an open problem whether a two-round threshold Schnorr signature with full adaptive security can be constructed based on more well-established assumptions. In this paper, we resolve this open problem by presenting ms-FROST. Our scheme is partially non-interactive and supports any t - 1 < n adaptive corruptions, where n is the number of signers and t is the signing threshold. Its security relies on the algebraic one-more discrete logarithm (AOMDL) assumption, the algebraic group model (AGM), and the random oracle model (ROM). Further, it achieves the strongest security notion (TS-UF-4) in the security hierarchy of Bellare et al. (CRYPTO 2022). To justify our use of the algebraic group model, we show an impossibility result: We rule out any black-box algebraic security reduction in the ROM from AOMDL to the adaptive TS-UF-0 security of ms-FROST

    Noisy Function Secret Sharing and its applications to Differentially Private computations

    Get PDF
    Function Secret Sharing (FSS) schemes enable to share secret functions between multiple parties, with notable applications in anonymous communication and privacy-preserving machine learning. While two-party schemes offer logarithmic key sizes, multi-party schemes remain less practical due to significantly larger keys. Although several approaches have been proposed to improve multi-party schemes, a significant efficiency gap remains between the two-party and multi-party settings. Our work introduces noisy FSS: a relaxation of FSS preserving the standard privacy guarantees but relaxing the correctness definition by allowing a small amount of noise in the output. We formally define noisy FSS and show how the noise introduced by the scheme can be leveraged to provide differential private outputs in statistics applications. To demonstrate the benefits of this relaxation, we adapt a scheme proposed by Corrigan-Gibbs et al. (S&P\u2715). While their scheme provides the smallest key sizes among multi-party schemes, they do not support some applications notably in statistics due to their non-linear share decoding. On the contrary, recent works such as Goel et al. (CRYPTO\u2725) have larger keys, but support all FSS applications. Our noisy adapted scheme offers the best of both worlds by matching the best key sizes, while providing the properties necessary to statistics applications

    Decoding Balanced Linear Codes With Preprocessing

    Get PDF
    Prange\u27s information set algorithm is a decoding algorithm for arbitrary linear codes. It decodes corrupted codewords of any F2\mathbb{F}_2-linear code CC of message length nn up to relative error rate O(logn/n)O(\log n / n) in poly(n)\mathsf{poly}(n) time. We show that the error rate can be improved to O((logn)2/n)O((\log n)^2 / n), provided: (1) the decoder has access to a polynomial-length advice string that depends on CC only, and (2) CC is nΩ(1)n^{-\Omega(1)}-balanced. As a consequence we improve the error tolerance in decoding random linear codes if inefficient preprocessing of the code is allowed. This reveals potential vulnerabilities in cryptographic applications of Learning Noisy Parities with low noise rate. Our main technical result is that the Hamming weight of HwHw, where HH is a random sample of *short dual* codewords, measures the proximity of a word ww to the code in the regime of interest. Given such HH as advice, our algorithm corrects errors by locally minimizing this measure. We show that for most codes, the error rate tolerated by our decoder is asymptotically optimal among all algorithms whose decision is based on thresholding HwHw for an arbitrary polynomial-size advice matrix HH

    Cryptanalysis of a Post-Quantum Signature Scheme Based on Number-Theoretic Assumptions

    Get PDF
    The asymmetric cryptographic constructions upon on number- theoretic hardness assumptions have become insecure, due to Shor’s quantum algorithm and they will be vulnerable to large scale quantum computers. Hence, the adaption to quantum-resistant cryptosystems is a major task. Digital signatures, being a fundamental primitive in nu- merous applications. Recently, a new approach by Nguyen et al. [9] has claimed post-quantum security by basing the signature algorithm’s se- curity on a variant of the discrete logarithm problem. In this paper, we present a cryptanalysis of this construction and demonstrate a practi- cal forgery attack that allows generating an unlimited number of valid signatures—without access to a signing oracle

    A Note on ``Designing Anonymous Signature-Based Identity Authentication Scheme for Ocean Multilevel Transmission\u27\u27

    Get PDF
    We show that the authentication scheme (IEEE Internet Things J., 24310-24322, 2024) cannot be practically implemented, because it misused the elliptic curve group law---point multiplication, which is represented as kPkP, where kk is an integer and PP is a point on an elliptic curve. But the scheme uses the false representation QiQjQ_iQ_j to construct verification equations, where QiQ_i and QjQ_j are two points. Besides, we find that an adversary can retrieve the target relay device\u27s secret key using the intercepted message via open channels

    Differential Meet-in-the-Middle Attacks on Feistel Ciphers

    Get PDF
    Differential meet-in-the-middle attacks, introduced by Boura et al. in 2023, propose a new way of dealing with differential distinguishers. It allows, in particular, to combine differential attacks with initial structures, that were usually used exclusively for meet-in-the-middle attacks. Several applications of this new technique have been published, but so far the results on Feistel constructions have not improved much upon previous best known attacks. In this paper, we apply them on Feistel constructions with all the improvements proposed so far, and we propose some additional new ideas to generically improve these kinds of attacks. We also propose an automatized tool for optimizing the attacks on Simon-like constructions. Our tool outputs a graphical representation of the attack that makes it very easy to verify. All this has allowed us to provide improved single-key key-recovery attacks on most of the variants of Simon, Simeck and CLEFIA-256, that increase the highest number of rounds attacked by 1 or 2 in nearly all the cases

    Predicting Module-Lattice Reduction

    Get PDF
    Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as \u27Q8\u27 in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens-Davidowitz, CRYPTO 2020) confirmed the existence of such module variants of LLL and block-reduction algorithms, but focus only on provable worst-case asymptotic behavior. In this work, we present a concrete average-case analysis of module-lattice reduction. Specifically, we address the question of the expected slope after running module-BKZ, and pinpoint the discriminant ΔK\Delta_K of the number field at hand as the main quantity driving this slope. We convert this back into a gain or loss on the blocksize β\beta: module-BKZ in a number field KK of degree dd requires an SVP oracle of dimension β+log(ΔK/dd)β/(dlogβ)+o(β/logβ)\beta + \log(|\Delta_K| / d^d)\beta /(d\log \beta) + o(\beta / \log \beta) to reach the same slope as unstructured BKZ with blocksize β\beta. This asymptotic summary hides further terms that we predict concretely using experimentally verified heuristics. Incidentally, we provide the first open-source implementation of module-BKZ for some cyclotomic fields. For power-of-two cyclotomic fields, we have ΔK=dd|\Delta_K| = d^d, and conclude that module-BKZ requires a blocksize larger than its unstructured counterpart by d1+o(1)d-1+o(1). On the contrary, for all other cyclotomic fields we have ΔK<dd|\Delta_K| < d^d, so module-BKZ provides a sublinear Θ(β/logβ)\Theta(\beta/\log \beta) gain on the required blocksize, yielding a subexponential speedup of exp(Θ(β/logβ))\exp(\Theta(\beta/\log \beta))

    Towards formal verification and corrupted setup security for the SwissPost voting system

    Get PDF
    The Swiss Post voting system is one of the most advanced cryptographic voting protocols deployed for political elections, offering end-to-end verifiability and vote privacy. It provides significant documentation and independent scrutiny reports. Still, we argue that two significant pillars of trust need to be further developed. One is formal verification accompanied by machine-checked proofs. The second is security in presence of a corrupt setup component. In this work, we propose formal specifications of a simplified version of the Swiss Post voting protocol and initial verification results with the Tamarin prover. We also propose a revised protocol design that mitigates risks from a corrupt setup, and a prototype implementation of necessary zero-knowledge proofs

    Unique NIZKs and Steganography Detection

    Get PDF
    Non-interactive zero-knowledge (NIZK) proofs tend to be randomized and there are many possible proofs for any fixed NP statement. Can we have NIZKs with only a single unique valid proof per statement? Such NIZKs are known under strong cryptographic assumptions (indistinguishability obfuscation), and are conversely known to require strong cryptographic assumptions (witness encryption). In this work, following Lepinski, Micali, and shelat (TCC \u2705), we consider the following relaxed notion of unique NIZKs (UNIZKs): - We only require (computationally) unique proofs for NP statements with a (computationally) unique witness; an adversary that can produce two distinct proofs must also know two distinct witnesses. - We consider NIZKs with prover setup, where a potentially malicious prover initially publishes a public key pk\mathsf{pk} and keeps a corresponding secret key sk\mathsf{sk}, which it uses to produce arbitrarily many NIZK proofs π\pi in the future. While the public key pk\mathsf{pk} is not required to be unique, once it is fixed, all the subsequent proofs π\pi that the prover can produce should be unique. We show that both of these relaxations are needed to avoid witness encryption. Prior work constructed such UNIZKs under the quadratic residuosity assumption, and it remained an open problem to do so under any other assumptions. Here, we give a new construction of UNIZKs under the learning with errors (LWE) assumption. We also identify and fix a subtle circularity issue in the prior work. UNIZKs are a non-interactive version of steganography-free zero-knowledge of Abdolmaleki et al. (TCC \u2722). As an application of UNIZKs, we get a general steganography detection mechanism that can passively monitor arbitrary functionalities to detect steganographic leakage

    23,634

    full texts

    24,907

    metadata records
    Updated in last 30 days.
    Cryptology ePrint Archive
    Access Repository Dashboard
    Do you manage Open Research Online? Become a CORE Member to access insider analytics, issue reports and manage access to outputs from your repository in the CORE Repository Dashboard! 👇