IACR Communications in Cryptology
    283 research outputs found

    Legacy Encryption Downgrade Attacks against LibrePGP and CMS

    This work describes vulnerabilities in the specification of AEAD modes and Key Wrap in two cryptographic message formats. Firstly, this applies to AEAD packets as introduced in the novel LibrePGP specification that is implemented by the widely used GnuPG application. Secondly, we describe vulnerabilities in the AES-based AEAD schemes as well as the Key Wrap Algorithm specified in the Cryptographic Message Syntax (CMS). These new attacks exploit the possibility to downgrade AEAD or AES Key Wrap ciphertexts to valid legacy CFB- or CBC-encrypted related ciphertexts and require that the attacker learns the content of the legacy decryption result. This can happen in two principal ways: either due to the human recipient returning the decryption output to the attacker as a quote or due to a programmatic decryption oracle in the receiving system that reveals information about the plaintext. The attacks affect the decryption of low-entropy plaintext blocks in AEAD ciphertexts and, in the case of LibrePGP, also the manipulation of existing AEAD ciphertexts. For AES Key Wrap in CMS, full key decryption is possible. Some of the attacks require multiple successful oracle queries. The attacks thus demonstrate that CCA2 security is not achieved by the LibrePGP and CMS AEAD or Key Wrap encryption in the presence of a legacy cipher mode decryption oracle. The proper countermeasure to thwart the attacks is a key derivation that ensures the use of unrelated block cipher keys for the different encryption modes.

    Advances in Reed-Solomon Code-Based Masking and Application to ML-KEM

    Physical attacks such as Side-Channel Analysis (SCA) or Fault Injection Attacks (FIA) can recover sensitive data from cryptographic primitives otherwise thought theoretically secure. To counter such threats, generic countermeasures such as masking are studied. In this work, we provide some advances on one particular form of masking, Reed-Solomon Code-Based Masking (RS-CBM). Although its application to the AES primitive with Boolean logic has been investigated, we propose arithmetic gadgets and constrained conversions from arithmetic to Boolean logic and back. We also investigate Cost-Amortisation (CA), a method to encode several sensitive data into one masked code word, and propose techniques to swap between an un-amortised masking and an amortised one. Security is experimentally verified by performing a Test Vector Leakage Assessment (TVLA) on a SAM4S target thanks to a ChipWhisperer Husky. We also provide formal proofs of security in the SNI model. Finally, we apply our gadgets to a post-quantum Key Encapsulation Mechanism (KEM), ML-KEM. Notably, we propose a full arithmetisation of the masked calculations of the message compression and of the ciphertext comparison of ML-KEM.

    Strongly Secure Updatable Encryption Requires Public-Key Cryptography

    Updatable encryption (UE), introduced by Boneh et al. (Crypto 2013), enables a secure rotation of symmetric encryption keys for outsourced encrypted data, without needing to download, decrypt, and re-encrypt the data. Many existing UE schemes, however, use public-key operations for the update step. This work investigates whether truly symmetric UE schemes can achieve modern UE security notions such as IND-ENC (indistinguishability of encryption) or IND-UPD (indistinguishability of updates) without relying on public-key primitives. Alamati et al. (Crypto 2019) showed that randomized update steps in IND-UPD-secure UE schemes already necessitate public-key cryptography if the update step is independent of the ciphertext. However, the IND-UPD security notion is usually not required for scenarios in which the history of updates is known, such that one may still hope to derive an IND-ENC secure solution based on symmetric encryption. We argue here that this is illusory for IND-ENC solutions with optimal leakage. Optimal leakage refers to the ideal situation where update steps only allow the computation of ciphertexts in the forward direction and do not leak anything about the updated keys. We show that such schemes inherently rely on public-key cryptography.

    A Variation on Knellwolf and Meier's Attack on the Knapsack Generator

    Pseudo-random generators are deterministic algorithms that take as input a random secret seed and output a flow of random-looking numbers. The Knapsack Generator, presented by Rueppel and Massey in 1985, is one of the many attempts at designing a pseudo-random number generator that is cryptographically secure. It is based on the subset-sum problem, a variant of the knapsack optimization problem, which is considered computationally hard. At FSE 2011, Knellwolf and Meier found a way to go around this hard problem and exhibited a weakness of this generator. In addition to being able to distinguish the outputs from the uniform distribution, they designed an algorithm that retrieves a large portion of the secret. We present here an alternative version of the attack with similar costs that retrieves an even larger portion of the secret on a larger range of parameters.

    Simulatability versus Indistinguishability SOA: CCA Relations are Sampler-Dependent

    Contrary to expectation, we show that there is no general reduction from simulation-based selective opening security (SSO) to indistinguishability-based selective opening security (ISO) in the CCA setting. In particular, we show that when restricted to certain message distributions, SSO-CCA is incomparable with ISO-CCA. This contrasts the CPA case, where SSO-CPA is known to be strictly stronger than ISO-CPA relative to any message sampler. Any sampler with high enough min-entropy suffices for this “semi-separation” to appear. On the other hand, we show that restricting to distributions with very low min-entropy gives rise to an implication. Our main result does not rely on the presence of selective openings, but rather follows from subtleties in the game structures. At a glance, this may seem to contradict known equivalences between indistinguishability, semantic security, and selective opening security under trivial openings. We reconcile the apparent contradiction by showing that the CCA landscape splits into a “high-entropy” and a “low-entropy” world, which for notions of SOA must be treated separately.

    Application-Aware Approximate Homomorphic Encryption: Configuring FHE for Practical Use

    Fully Homomorphic Encryption (FHE) is a powerful tool for performing computations on encrypted data. The Cheon-Kim-Kim-Song (CKKS) scheme, an instantiation of approximate FHE, is particularly effective for privacy-preserving machine learning applications over real and complex numbers. Although CKKS offers clear efficiency advantages, confusion persists around accurately describing applications in FHE libraries and securely instantiating the scheme for these applications, particularly after the key recovery attacks by Li and Micciancio (EUROCRYPT '21) for the IND-CPA^D setting. There is presently a gap between the application-agnostic, generic definition of IND-CPA^D, and efficient, application-specific instantiation of CKKS in software libraries, which led to recent attacks by Guo et al. (USENIX Security '24). To close this gap, we introduce the notion of application-aware homomorphic encryption (AAHE) and devise related security definitions. This model corresponds more closely to how FHE schemes are implemented and used in practice, and provides a mechanism to identify and address potential vulnerabilities in popular libraries. We then propose an application specification language (ASL) and formulate guidelines for implementing the AAHE model to achieve IND-IND-CPA^D security for practical applications of CKKS. We present a proof-of-concept implementation of the ASL in the OpenFHE library showing how the attacks by Guo et al. can be countered. Moreover, we show that our new model and ASL can be used for the secure and efficient instantiation of exact FHE schemes and to counter the recent IND-IND-CPA^D attacks by Cheon et al. (CCS '24) and Checri et al. (CRYPTO '24).

    Finding Balance in Unbalanced PSI: A New Construction from Single-Server PIR

    Private set intersection (PSI) enables two parties to jointly compute the intersection of their private sets without revealing any extra information to each other. In this work, we focus on the unbalanced setting where one party (a powerful server) holds a significantly larger set than the other party (a resource-limited client). We present a new protocol for this setting that achieves a better balance between low client-side storage and efficient online processing. We first formalize a general framework to transform Private Information Retrieval (PIR) into PSI with techniques used in prior works. Building upon recent advancements in Private Information Retrieval (PIR), specifically the SimplePIR construction (Henzinger et al., USENIX Security '23), combined with our tailored techniques, our construction shows a great improvement in online efficiency. Concretely, when the client holds a single element, our protocol achieves more than 100× faster computation and over 4× lower communication compared to the state-of-the-art unbalanced PSI based on leveled fully homomorphic encryption (Chen et al., CCS '21). The client-side storage is only in the order of tens of megabytes, even for a gigabyte-sized set on the server. Moreover, since the framework is generic, any future improvement in PIR can further improve our construction.

    Binding Security of Implicitly-Rejecting KEMs and Application to BIKE and HQC

    In this work, we continue the analysis of the binding properties of implicitly-rejecting key-encapsulation mechanisms (KEMs) obtained via the Fujisaki-Okamoto (FO) transform. These binding properties, known in earlier literature under the term robustness, thwart attacks that can arise when using KEMs in complex protocols. Recently, Cremers et al. (CCS '24) introduced a framework for binding notions, encompassing previously existing ones but also new ones. While implicitly-rejecting FO-KEMs have been analyzed with respect to several of these notions, there are still several gaps. We complete the picture by providing positive and negative results for the remaining notions. Further, we show how to apply our results to the code-based KEMs BIKE and HQC, which were round-4 candidates in NIST's PQC standardization process. Through this, we close a second gap as our results complete the analysis of the binding notions for the NIST round-4 KEMs. Finally, we give a modified version of the FO transform that achieves all binding notions.

    Quantum security analysis of Wave

    Wave is a code-based digital signature scheme. Its hardness relies on the unforgeability of the signature and the indistinguishability of its public key, a parity check matrix of a ternary (U, U+V)-code. The best known attacks on these two problems involve solving the Decoding Problem using the Information Set Decoding algorithm (ISD). Our main contribution is the description of a quantum smoothed Wagner's algorithm within the ISD framework, which improves the forgery attack on Wave in the quantum setting. We also recap the best known key and forgery attacks against Wave in both classical and quantum settings. For each one, we express its time complexity as a function of the Wave parameters and deduce its claimed security.

    Binding Security of Explicitly-Rejecting KEMs via Plaintext Confirmation and Robust PKEs

    We analyse the binding properties of explicitly-rejecting key-encapsulation mechanisms (KEMs) obtained by the Fujisaki-Okamoto (FO) transform. The framework for binding notions, introduced by [CDM24], generalises robustness and collision-freeness, and was motivated by the discovery of new types of attacks against KEMs. Implicitly-rejecting FO-KEMs have already been analysed with regards to the binding notions, with [KSW25b] providing the full picture. Binding notions for explicitly-rejecting FO-KEMs have been examined only partially, leaving several gaps. Moreover, the analysis of the explicit-rejection setting must account for additional binding notions that implicitly-rejecting KEMs cannot satisfy. We give mostly positive results for the explicitly-rejecting FO transform, though many notions require further robustness assumptions on the underlying PKE. We then show that the explicit FO transform with plaintext confirmation hash (HFO) achieves all notions and requires weaker robustness assumptions. Finally, we introduce a slightly modified version of the HFO transform that achieves all binding notions without requiring any robustness of the underlying PKE.
