International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calendar (iCal).

2012-06-03
21:17 [Pub][ePrint]

This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the Actel/Microsemi ProASIC3 chip in a time of 0.01 seconds using a new side-channel analysis technique called Pipeline Emission Analysis (PEA). This new technique does not introduce a new form of side-channel attacks (SCA), it introduces a substantially improved method of waveform analysis over conventional attack technology. It could be used to improve upon the speed at which all SCA can be performed, on any device and especially against devices previously thought to be unfeasible to break because of the time and equipment cost. Possessing the AES key for the ProASIC3 would allow an attacker to decrypt the bitstream or authenticate himself as a legitimate user and extract the bitstream from the device where no read back facility exists. This means the device is wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan. We show that with a very low cost hardware setup made with parts obtained from a local electronics distributor you can improve upon existing SCA up to a factor of x1,000,000 in time and at a fraction of the cost of existing SCA equipment.

21:17 [Pub][ePrint]

It is notoriously difficult to create hardware that is immune from side channel and tampering attacks. A lot of recent literature, therefore, has instead considered *algorithmic* defenses from such attacks.

In this paper, we show how to algorithmically secure any cryptographic functionality from continual split-state leakage and tampering attacks. A split-state attack on cryptographic hardware is one that targets separate parts of the hardware separately. Our construction does not require the hardware to have access to randomness. In contrast, prior work on protecting from continual combined leakage and tampering required true randomness for each update. Our construction is in the common reference string (CRS) model; the CRS must be hard-wired into the device. We note that prior negative results show that it is impossible to algorithmically secure a cryptographic functionality against a combination of arbitrary continual leakage and tampering attacks without true randomness; therefore restricting our attention to the split-state model is justified.

Our construction is simple and modular, and relies on a new construction, in the CRS model, of non-malleable codes with respect to split-state tampering functions, which may be of independent interest.

21:17 [Pub][ePrint]

We define and propose an efficient and provably secure construction of blind signatures with attributes. Prior notions of blind signatures did not lend themselves to the construction of anonymous credential systems, not even if we drop the unlinkability requirement of anonymous credentials. Our new notion, in contrast, is a convenient building block for anonymous credential systems. The construction we propose is efficient: it requires just a few exponentiations in a prime-order group in which the decisional Diffie-Hellman problem is hard. Thus, for the first time, we give a provably secure construction of anonymous credentials that can work in the elliptic curve group setting without bilinear pairings. In contrast, prior provably secure constructions were based on the RSA group or on groups with pairings, which made them prohibitively inefficient for mobile devices, RFIDs and smartcards. The only prior efficient construction that could work in such elliptic curve groups, due to Brands, does not have a proof of security.

21:17 [Pub][ePrint]

Stream cipher ZUC plays a crucial role in the next generation of mobile communication as it has already been included by the 3GPP LTE-Advanced, which is a candidate standard for the 4G network. Through a long-time evaluation program, the ZUC algorithm is thought to be robust enough to resist many existing cryptanalyses, but not DPA, one of the most powerful threats among SCAs (Side Channel Analysis). Up to the present, almost all the work on DPA is for block ciphers, such as DES and AES; very little work has been done on stream ciphers, such as the ZUC algorithm, for particular reasons that will be illustrated in a later section. In this paper, we generally study the security of unprotected ZUC hardware implementations against DPA. Our theoretical analysis and experimental results show that the ZUC algorithm is potentially vulnerable to this kind of attack. Furthermore, several common countermeasures are discussed when we try to apply them to ZUC hardware implementations; both the security and the tradeoffs are considered. The experiments are given in the last section to verify our conclusions, which would undoubtedly provide some guidance to the corresponding designers.

21:17 [Pub][ePrint]

Side-channel attacks have proven many hardware implementations of cryptographic algorithms to be vulnerable.

A recently proposed masking method, based on secret sharing and multi-party computation methods, introduces a set of sufficient requirements for implementations to be provably resistant against first-order DPA with minimal assumptions on the hardware.

The original paper doesn't describe how to construct the Boolean functions that are to be used in the implementation. In this paper, we derive the functions for all invertible $3 \times 3$, $4 \times 4$ S-boxes and the $6 \times 4$ DES S-boxes. Our methods and observations can also be used to accelerate the search for sharings of larger (e.g. $8 \times 8$) S-boxes. Finally, we investigate the cost of such protection.
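The masking method the abstract refers to shares every variable into several pieces and requires each shared component function to be correct, non-complete (no component touches every share of a variable) and uniform (output sharings equally distributed). As an added illustration that is not part of the paper or the IACR page, the following Python block builds the textbook three-share sharing of a single AND gate and checks the three properties by exhaustive enumeration; the share formulas and the constructed test vectors are assumptions made here. It also shows the well-known failure mode: the three-share AND is correct and non-complete but not uniform, which is exactly why deriving suitable sharings for whole S-boxes is non-trivial.

```python
"""Three-share threshold-style sharing of z = x & y, with property checks.

Added example: the component functions below are the standard quadratic
sharing used in the threshold-implementation literature, restated here;
nothing in this file is taken from the paper itself.
"""
import itertools

BITS = (0, 1)
ALL_SHARES = list(itertools.product(BITS, repeat=3))  # all (s1, s2, s3)


def unshare(shares):
    """Recombine a Boolean sharing: the secret is the XOR of the shares."""
    return shares[0] ^ shares[1] ^ shares[2]


def sharings_of(v):
    """All 4 three-share sharings of the bit v."""
    return [s for s in ALL_SHARES if unshare(s) == v]


def ti_and(xs, ys):
    """Shared AND: output share z_i never reads x_i or y_i (non-completeness)."""
    x1, x2, x3 = xs
    y1, y2, y3 = ys
    z1 = (x2 & y2) ^ (x2 & y3) ^ (x3 & y2)   # uses shares 2 and 3 only
    z2 = (x3 & y3) ^ (x3 & y1) ^ (x1 & y3)   # uses shares 3 and 1 only
    z3 = (x1 & y1) ^ (x1 & y2) ^ (x2 & y1)   # uses shares 1 and 2 only
    return (z1, z2, z3)


def is_correct():
    """Recombined output equals the AND of the recombined inputs, for all sharings."""
    return all(unshare(ti_and(xs, ys)) == (unshare(xs) & unshare(ys))
               for xs in ALL_SHARES for ys in ALL_SHARES)


def is_non_complete():
    """Flipping share i of x and/or y must never change output share i."""
    for xs in ALL_SHARES:
        for ys in ALL_SHARES:
            base = ti_and(xs, ys)
            for i in range(3):
                for flip_x, flip_y in ((1, 0), (0, 1), (1, 1)):
                    xs2, ys2 = list(xs), list(ys)
                    xs2[i] ^= flip_x
                    ys2[i] ^= flip_y
                    if ti_and(tuple(xs2), tuple(ys2))[i] != base[i]:
                        return False
    return True


def output_histogram(x, y):
    """Count how often each output sharing occurs over all 16 input sharings."""
    counts = {}
    for xs in sharings_of(x):
        for ys in sharings_of(y):
            out = ti_and(xs, ys)
            counts[out] = counts.get(out, 0) + 1
    return counts


def is_uniform():
    """Uniform means every valid output sharing appears 16 / 4 = 4 times."""
    for x in BITS:
        for y in BITS:
            counts = output_histogram(x, y)
            if len(counts) != 4 or any(c != 4 for c in counts.values()):
                return False
    return True


if __name__ == "__main__":
    print("correct:", is_correct())
    print("non-complete:", is_non_complete())
    print("uniform:", is_uniform())
    print("outputs for x=0, y=0:", output_histogram(0, 0))
```

The histogram for `x = 0, y = 0` shows the all-zero output sharing far more often than the others, so the output of this gate would have to be re-randomised (or a different sharing found) before it can feed another shared nonlinear layer, which is the search problem the abstract describes for the $3 \times 3$, $4 \times 4$ and DES S-boxes.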

21:17 [Pub][ePrint]

In TCC 2007, Adida and Wikström proposed a novel approach to shuffle, called a public shuffle, in which a shuffler can perform a shuffle publicly without needing information kept secret. Their scheme uses an encrypted permutation matrix to shuffle ciphertexts publicly. This approach significantly reduces the cost of constructing a mix-net to that of verifiable joint decryption. Though their method is successful in making shuffle a public operation, their scheme still requires that some trusted parties choose a permutation to be encrypted and construct zero-knowledge proofs of the well-formedness of this permutation.

In this paper, we propose a method to construct a public shuffle without relying on permutations and randomizers generated privately: given an $n$-tuple of ciphertexts $(c_1,\dots,c_n)$, our shuffle algorithm computes $f_i(c_1,\dots,c_n)$ for $i=1,\dots,\ell$, where each $f_i(x_1,\dots,x_n)$ is a symmetric polynomial in $x_1,\dots,x_n$. Depending on the symmetric polynomials we use, we propose two concrete constructions. One uses ring homomorphic encryption with constant ciphertext complexity and the other uses simple ElGamal encryption with linear ciphertext complexity in the number of senders. Both constructions are free of zero-knowledge proofs and publicly verifiable.
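The reason symmetric polynomials give a shuffle is that their value does not depend on the order of the inputs, while the multiset of inputs can still be recovered from them. As an added example that is not part of the paper or this page, the Python block below runs that idea on plaintext residues modulo a small constructed prime: it computes the elementary symmetric polynomials $e_1,\dots,e_n$ of the $n$ messages (the paper applies such polynomials to ciphertexts under a ring-homomorphic scheme; doing it on plaintexts is an assumption made here), checks that two orderings of the same messages give identical output, and recovers the messages as the roots of $X^n - e_1 X^{n-1} + e_2 X^{n-2} - \dots$ by brute-force root search, which only works because the modulus is tiny.

```python
"""Order-independent "shuffle" via elementary symmetric polynomials over F_p.

Added example; the prime, the messages and the brute-force root finder are
constructed here for illustration and are not the paper's construction.
"""

P = 101  # constructed small prime so root finding can be exhaustive


def elementary_symmetric(values, p=P):
    """Return [e_1, ..., e_n] of the values mod p.

    Builds the coefficients of prod (X + v_i) = X^n + e_1 X^{n-1} + ... + e_n,
    highest degree first, then drops the leading 1.
    """
    coeffs = [1]
    for v in values:
        new = coeffs + [0]
        for i in range(len(coeffs)):
            new[i + 1] = (new[i + 1] + coeffs[i] * v) % p
        coeffs = new
    return coeffs[1:]


def public_shuffle(values, p=P):
    """The shuffle output: one symmetric polynomial per output slot."""
    return elementary_symmetric(values, p)


def poly_with_roots(es, p=P):
    """Vieta: prod (X - v_i) = X^n - e_1 X^{n-1} + e_2 X^{n-2} - ... ."""
    coeffs = [1]
    for k, e in enumerate(es, start=1):
        coeffs.append((-e if k % 2 else e) % p)
    return coeffs


def poly_eval(coeffs, x, p=P):
    """Horner evaluation, coefficients highest degree first."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc


def divide_by_root(coeffs, r, p=P):
    """Synthetic division by (X - r); the zero remainder is discarded."""
    q = [coeffs[0]]
    for c in coeffs[1:]:
        q.append((c + r * q[-1]) % p)
    return q[:-1]


def recover_multiset(es, p=P):
    """Decryptor side: recover the messages (with multiplicity) from e_1..e_n."""
    coeffs = poly_with_roots(es, p)
    roots = []
    while len(coeffs) > 1:
        for x in range(p):
            if poly_eval(coeffs, x, p) == 0:
                roots.append(x)
                coeffs = divide_by_root(coeffs, x, p)
                break
        else:  # cannot happen when every message lies in F_p
            raise ValueError("polynomial has a root outside F_p")
    return sorted(roots)


if __name__ == "__main__":
    msgs = [17, 42, 42, 5]          # constructed sample messages (one repeated)
    out_a = public_shuffle(msgs)
    out_b = public_shuffle([42, 5, 17, 42])
    print("same output for both orders:", out_a == out_b)
    print("recovered multiset:", recover_multiset(out_a))
```

Because every ordering of the same inputs yields the same $(e_1,\dots,e_n)$, nothing about the permutation is ever chosen, which is what removes the need for the trusted permutation and its zero-knowledge proof; the decryptor learns only the multiset of messages.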

21:17 [Pub][ePrint]

The UC approach of Canetti offers the advantage of stand-alone analysis while keeping security guarantees for arbitrarily complex environments. When we implement by this approach, first we have to ensure secure instance separation and, based on this condition, we are allowed to carry out a stand-alone analysis. In this report we propose three issues related to instance separation in the UC context:

We consider the problem of universal composability in cases when we cannot assume independence of instances. Next we formalize the interleaving attack and a related security notion. In time-aware protocols, time-based separation of instances is one of the standard implementation techniques. We propose an event-driven clock model towards purely symbolic analysis of time-aware protocols.

21:17 [Pub][ePrint]

Despite the fact that we evidently have very good block ciphers at hand today, some fundamental questions on their security are still unsolved. One such fundamental problem is to precisely assess the security of a given block cipher with respect to linear cryptanalysis. In by far most of the cases we have to make (clearly wrong) assumptions, e.g., assume independent round-keys. Besides being unsatisfactory from a scientific perspective, the lack of fundamental understanding might have an impact on the performance of the ciphers we use. As we do not understand the security sufficiently well, we often tend to embed a security margin -- from an efficiency perspective nothing else than wasted performance. The aim of this paper is to stimulate research on these foundations of block ciphers. We do this by presenting three examples of ciphers that behave differently from what is normally assumed. Thus, on the one hand these examples serve as counterexamples to common beliefs and on the other hand serve as a guideline for future work.

21:17 [Pub][ePrint]

We provide the first two-party protocol allowing Alice and Bob to evaluate privately even against active adversaries any completely positive, trace-preserving map given as a quantum circuit upon their joint quantum input state. Our protocol leaks no more to any active adversary than an ideal functionality for the map, provided Alice and Bob have the cryptographic resources for active secure two-party classical computation.

15:06 [Conf][Crypto]

The list of accepted papers has been posted on the CRYPTO 2012 website.
http://www.iacr.org/conferences/crypto2012/acceptedpapers-2012.html

2012-06-01
13:45 [Event][New]

Submission: 1 July 2012