Optimized Interpolation Attacks on LowMC

Dinur, Itai; Liu, Yunwen; Meier, Willi; Wang, Qingju

doi:10.1007/978-3-662-48800-3_22

Cited by 52 publications

(37 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Alternatively, we could use the LowMC cipher of [1] with only 2,268 AND gates. Due to recent attacks on LowMC [16,17], we choose to instantiate the PRF with AES. Recently, [29] proposed "MPC-friendly" PRFs that might provide more efficient primitives for OPRF-based PSI.…”

Section: Aes Gc-based Psi (Gc-psi)mentioning

confidence: 99%

Private Set Intersection for Unequal Set Sizes with Mobile Applications

Kiss

Liu

Schneider

et al. 2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Private set intersection (PSI) is a cryptographic technique that is applicable to many privacysensitive scenarios. For decades, researchers have been focusing on improving its efficiency in both communication and computation. However, most of the existing solutions are inefficient for an unequal number of inputs, which is common in conventional client-server settings.In this paper, we analyze and optimize the efficiency of existing PSI protocols to support precomputation so that they can efficiently deal with such input sets. We transform four existing PSI protocols into the precomputation form such that in the setup phase the communication is linear only in the size of the larger input set, while in the online phase the communication is linear in the size of the smaller input set. We implement all four protocols and run experiments between two PCs and between a PC and a smartphone and give a systematic comparison of their performance. Our experiments show that a protocol based on securely evaluating a garbled AES circuit achieves the fastest setup time by several orders of magnitudes, and the fastest online time in the PC setting where AES-NI acceleration is available. In the mobile setting, the fastest online time is achieved by a protocol based on the Diffie-Hellman assumption.

show abstract

Section: Aes Gc-based Psi (Gc-psi)mentioning

confidence: 99%

Private Set Intersection for Unequal Set Sizes with Mobile Applications

Kiss

Liu

Schneider

et al. 2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…Indeed, the best attacks on round-reduced versions of KATAN so far [29] are meet-in-the-middle attacks, that exploit the knowledge of the values of the first and the last internal states (due to the block-cipher setting). As this is not the case here, such attacks, as well as the recent interpolation attacks against LowMC [21], do not apply. The best attacks against KATAN, when excluding MitM techniques, are conditional differential attacks [40,41].…”

Section: Kreyviummentioning

confidence: 89%

“…However, the proposed instances of LowMC, namely LowMC-80 and LowMC-128, have recently had some security issues [21]. They actually present some weaknesses inherent in their low multiplicative complexity.…”

Section: Introductionmentioning

confidence: 99%

“…[20,22,5]. While these attacks are rather general, the improved variant used for breaking LowMC [21], named interpolation attack [38], specifically applies to block ciphers. Indeed it exploits the sparse algebraic normal form of some intermediate bit within the cipher using that this bit can be evaluated both from the plaintext in the forward direction and from the ciphertext in the backward direction.…”

Section: Introductionmentioning

confidence: 99%

“…Interpretation. First, we would like to recall that LowMC-128 must be considered in a different category because of the existence of a key-recovery attack with time complexity 2 118 and data complexity 2 73 [21]. However, it has been included in the table in order to show that the performances achieved by Trivium and Kreyvium are of the same order of magnitude.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

et al. 2018

View full text Add to dashboard Cite

In typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob's public key pk and to send the ciphertext c = HE pk (m) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As previously noted, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme E, Alice picks a random key k and sends a much smaller ciphertext c = (HE pk (k), E k (m)) that Charlie decompresses homomorphically into the original c using a decryption circuit C E −1 . In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular E is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have an excellent performance.

show abstract

Higher Order Differentials, Integral Attacks and Variants

CANTEAUT

2023

Symmetric Cryptography 2

View full text Add to dashboard Cite

Optimized Interpolation Attacks on LowMC

Cited by 52 publications

References 9 publications

Private Set Intersection for Unequal Set Sizes with Mobile Applications

Private Set Intersection for Unequal Set Sizes with Mobile Applications

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

Higher Order Differentials, Integral Attacks and Variants

Contact Info

Product

Resources

About