References of "Vitto, Giuseppe 50032822"
     in
Bookmark and Share    
Full Text
See detailDynamic Universal Accumulator with Batch Update over Bilinear Groups
Vitto, Giuseppe UL; Biryukov, Alexei UL

E-print/Working paper (2021)

Detailed reference viewed: 44 (3 UL)
Full Text
See detailBreaking the $IKEp182 Challenge
Udovenko, Aleksei UL; Vitto, Giuseppe UL

E-print/Working paper (2021)

We report a break of the \$IKEp182 challenge using a meet-in-the-middle attack strategy improved with multiple SIKE-specific optimizations. The attack was executed on the HPC cluster of the University of ... [more ▼]

We report a break of the \$IKEp182 challenge using a meet-in-the-middle attack strategy improved with multiple SIKE-specific optimizations. The attack was executed on the HPC cluster of the University of Luxembourg and required less than 10 core-years and 256TiB of high-performance network storage (GPFS). Different trade-offs allow execution of the attack with similar time complexity and reduced storage requirements of only about 70TiB. [less ▲]

Detailed reference viewed: 44 (4 UL)
Full Text
See detailFactoring Primes to Factor Moduli: Backdooring and Distributed Generation of Semiprimes
Vitto, Giuseppe UL

E-print/Working paper (2021)

Detailed reference viewed: 78 (5 UL)
Full Text
Peer Reviewed
See detailCryptanalysis of a Dynamic Universal Accumulator over Bilinear Groups
Biryukov, Alexei UL; Udovenko, Aleksei UL; Vitto, Giuseppe UL

in Topics in Cryptology – CT-RSA 2021 (2021)

In this paper we cryptanalyse the two accumulator variants proposed by Au et al., which we call the alpha-based construction and the common reference string-based (CRS-based) construction. We show that if ... [more ▼]

In this paper we cryptanalyse the two accumulator variants proposed by Au et al., which we call the alpha-based construction and the common reference string-based (CRS-based) construction. We show that if non-membership witnesses are issued according to the alpha-based construction, an attacker that has access to multiple witnesses is able to efficiently recover the secret accumulator parameter alpha and completely break its security. More precisely, if p is the order of the underlying bilinear group, the knowledge of O(log p log log p) non-membership witnesses permits to successfully recover alpha. Further optimizations and different attack scenarios allow to reduce the number of required witnesses to O(log p), together with practical attack complexity. Moreover, we show that accumulator's collision resistance can be broken if just one of these non-membership witnesses is known to the attacker. We then show how all these attacks for the alpha-based construction can be easily prevented by using instead a corrected expression for witnesses. Although outside the original security model assumed by Au \etal but motivated by some possible concrete application of the scheme where the Manager must have exclusive rights for issuing witnesses (e.g. white/black list based authentication mechanisms), we show that if non-membership witnesses are issued using the CRS-based construction and the CRS is kept secret by the Manager, an attacker accessing multiple witnesses can reconstruct the CRS and compute witnesses for arbitrary new elements. In particular, if the accumulator is initialized by adding m secret elements, the knowledge of m non-membership witnesses allows to succeed in such attack. [less ▲]

Detailed reference viewed: 45 (11 UL)
Full Text
See detailAutomated Truncation of Differential Trails and Trail Clustering in ARX
Biryukov, Alexei UL; Cardoso Dos Santos, Luan UL; Feher, Daniel UL et al

E-print/Working paper (2021)

We propose a tool for automated truncation of differential trails in ciphers using modular addition, bitwise rotation, and XOR (ARX). The tool takes as input a differential trail and produces as output a ... [more ▼]

We propose a tool for automated truncation of differential trails in ciphers using modular addition, bitwise rotation, and XOR (ARX). The tool takes as input a differential trail and produces as output a set of truncated differential trails. The set represents all possible truncations of the input trail according to certain predefined rules. A linear-time algorithm for the exact computation of the differential probability of a truncated trail that follows the truncation rules is proposed. We further describe a method to merge the set of truncated trails into a compact set of non-overlapping truncated trails with associated probability and we demonstrate the application of the tool on block cipher Speck64. We have also investigated the effect of clustering of differential trails around a fixed input trail. The best cluster that we have found for 15 rounds has probability 2^−55.03 (consisting of 389 unique output differences) which allows us to build a distinguisher using 128 times less data than the one based on just the single best trail, which has probability 2^−62. Moreover, we show examples for Speck64 where a cluster of trails around a suboptimal (in terms of probability) input trail results in higher overall probability compared to a cluster obtained around the best differential trail. [less ▲]

Detailed reference viewed: 58 (7 UL)
Full Text
Peer Reviewed
See detailCryptanalysis of the Legendre PRF and generalizations
Beullens, Ward; Beyne, Tim; Udovenko, Aleksei UL et al

in IACR Transactions on Symmetric Cryptology (2020), 2020(1),

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an ... [more ▼]

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an efficient PRF for multiparty computation purposes by Grassi et al. at CCS 2016. Moreover, the Legendre PRF is being considered for usage in the Ethereum 2.0 blockchain. This paper improves previous attacks on the Legendre PRF and its higher-degree variant due to Khovratovich by reducing the time complexity from O(plogp/M) to O(plog^2p/M2) Legendre symbol evaluations when M≤p√4 queries are available. The practical relevance of our improved attack is demonstrated by breaking two concrete instances of the PRF proposed by the Ethereum foundation. Furthermore, we generalize our attack in a nontrivial way to the higher-degree variant of the Legendre PRF and we point out a large class of weak keys for this construction. Lastly, we provide the first security analysis of two additional generalizations of the Legendre PRF originally proposed by Damgård in the PRG setting, namely the Jacobi PRF and the power residue PRF. [less ▲]

Detailed reference viewed: 95 (10 UL)
Full Text
Peer Reviewed
See detailPrivacy Aspects and Subliminal Channels in Zcash
Biryukov, Alex UL; Feher, Daniel UL; Vitto, Giuseppe UL

in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Securit (2019, November)

In this paper we analyze two privacy and security issues for the privacy-oriented cryptocurrency Zcash. First we study shielded transactions and show ways to fingerprint user transactions, including ... [more ▼]

In this paper we analyze two privacy and security issues for the privacy-oriented cryptocurrency Zcash. First we study shielded transactions and show ways to fingerprint user transactions, including active attacks.We introduce two new attacks which we call Danaan-gift attack and Dust attack. Following the recent Sapling update of Zcash protocol we study the interaction between the new and the old zk-SNARK protocols and the effects of their interaction on transaction privacy. In the second part of the paper we check for the presence of subliminal channels in the zk-SNARK protocol and in Pedersen Commitments. We show presence of efficient 70-bit channels which could be used for tagging of shielded transactions which would allow the attacker (malicious transaction verifier) to link transactions issued by a maliciously modified zk-SNARK prover, while would be indistinguishable from regular transactions for the honest verifier/user. We discuss countermeasures against both of these privacy issues. [less ▲]

Detailed reference viewed: 315 (20 UL)