International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-06-12
06:17 [Pub][ePrint]

Bergman\'s Ring $E_p$, parameterized by a prime number $p$,

is a ring with $p^5$ elements that cannot be embedded in a ring of matrices over any commutative ring.

This ring was discovered in 1974.

In 2011, Climent, Navarro and Tortosa described an efficient implementation of $E_p$

using simple modular arithmetic, and suggested that this ring may be a useful source

for intractable cryptographic problems.

We present a deterministic polynomial time reduction of the Discrete Logarithm Problem in $E_p$

to the classical Discrete Logarithm Problem in $\\Zp$, the $p$-element field.

In particular, the Discrete Logarithm Problem in $E_p$ can be solved, by conventional computers,

in sub-exponential time.

Along the way, we collect a number of useful basic reductions for the toolbox of discrete logarithm solvers.

06:17 [Pub][ePrint]

DECT is a standard for cordless phones. The intent of this thesis is to evaluate DECT security in a comprehensive way. To secure conversations over the air, DECT uses two proprietary algorithms, namely the DECT Standard Authentication Algorithm (DSAA) for authentication and key derivation, and the DECT Standard Cipher (DSC) for encryption. Both algorithms have been kept secret and were only available to DECT device manufacturers under a None Disclosure Agreement (NDA). The reader is first introduced into the DECT standard. The two algorithms DSAA and DSC have been reverse engineered and are then described in full detail. At first, attacks against DECT devices are presented, that are based on faults made by the manufacturers while implementing the DECT standard. In the next Chapters, attacks against the DSAA and the DSC algorithm are described, that recover the secret keys used by these algorithms faster than by brute force. Thereafter, a attack against the DECT radio protocol is described, that decrypts encrypted DECT voice calls. Finally, an outlook over the next release of the DECT standard is presented, that is expected to counter all attacks against DECT, that are described in this thesis.

06:17 [Pub][ePrint]

A hash function maps a variable length input into a fixed length output. The hash functions that are used in the information security related applications are referred as cryptographic hash functions. Hash functions are being used as building blocks of many complex cryptographic mechanisms and protocols. Construction of a hash function consists of two components. First component is a compression function and the second component is a domain extender. The various hash function design philosophies try to design the compression function from different angles. Two major categories of hash functions are: dedicated hash functions, and block cipher-based hash functions. These two kinds of design philosophies have been revisited in this paper. Two dedicated has functions from MD4 family - MD4, and SHA-256 constructions have been detailed in this paper. To limit the scope of this paper in this framework, discussions on attacks on hash functions, and SHA-3 finalists have been excluded here.

Keywords:

06:17 [Pub][ePrint]

We demonstrate that by using a recently proposed somewhat homomorphic encryption (SHE) scheme it is possible to delegate the execution of a machine learning (ML) algorithm to a compute service while retaining confidentiality of the training and test data. Since the computational complexity of the SHE scheme depends primarily on the number of multiplications to be carried out on the encrypted data, we devise a new class of machine learning algorithms in which the algorithm\'s predictions viewed as functions of the input data can be expressed as polynomials of bounded degree. We propose confidential ML algorithms for binary classification based on polynomial approximations to least-squares solutions obtained by a small number of gradient descent steps. We present experimental validation of the confidential ML pipeline and discuss the trade-offs regarding computational complexity, prediction accuracy and cryptographic security.

06:17 [Pub][ePrint]

3D integration is a promising advanced manufacturing process offering a variety of new hardware security protection opportunities. This paper presents a way of securing 3D ICs using Hamiltonian paths as hardware integrity verification sensors. As 3D integration consists in the stacking of many metal layers, one can consider surrounding a security-sensitive circuit part by a wire cage.

After exploring and comparing different cage construction strategies (and reporting preliminary implementation results on silicon), we introduce a \"hardware canary\". The canary is a spatially distributed chain of functions $F_i$ positioned at the vertices of a 3D cage surrounding a protected circuit. A correct answer $(F_n \\circ \\ldots \\circ F_1)(m)$ to a challenge $m$ attests the canary\'s integrity.

06:17 [Pub][ePrint]

In this paper, we consider the spectra of Boolean functions

with respect to the action of unitary transforms obtained by

taking tensor products of the Hadamard, denoted by $H$, and the

nega--Hadamard, denoted by $N$,

kernels. The set of all such transforms is denoted by $\\{H, N\\}^n$.

A Boolean function is said to be bent$_4$ if its spectrum

with respect to at least one unitary transform in $\\{H, N\\}^n$ is flat.

We prove that the maximum possible algebraic degree of a bent$_4$

function on $n$ variables is $\\lceil \\frac{n}{2} \\rceil$, and hence

solve an open problem posed by Riera and Parker [cf. IEEE-IT: 52(2)(2006) 4142--4159].

We obtain a relationship between bent and bent$_4$ functions which is

a generalization of the relationship between bent and negabent Boolean

functions proved by Parker and Pott [cf. LNCS: 4893(2007) 9--23].

06:17 [Pub][ePrint]

We develop a new methodology for utilizing the prior techniques to prove selective security for functional encryption systems as a direct ingredient in devising proofs of full security. This deepens the relationship between the selective and full security models and provides a path for transferring the best qualities of selectively secure systems to fully secure systems. In particular, we present a Ciphertext-Policy Attribute-Based Encryption scheme that is proven fully secure while matching the efficiency of the state of the art selectively secure systems.

06:17 [Pub][ePrint]

One of the key problems in Radio Frequency Identification(RFID) is security and privacy. Many RFID authentication protocols have been proposed to preserve security and privacy of the system. Nevertheless, most of these protocols are analyzed and it is shown that they can not provide security against some RFID attacks. RAPP is a new ultralightweight authentication protocol with permutation. In RAPP, only three operations are involved: bitwise XOR, left rotation and permutation. In this paper, we give an active attack on RAPP. We first collect some authentication messages through impersonating valid tag and readers; Then we forge valid reader to communicate with the tag about times. Using the property of the left rotation and permutation operation, we can deduce the relationship of bits of random number or secret keys at different positions, thus obtain all the secret shared by the reader and the tag.

06:17 [Pub][ePrint]

We propose a new multivariate probabilistic encryption scheme with decryption errors MQQ-ENC that belongs to the family of MQQ-based public key schemes. Similarly to MQQ-SIG, the trapdoor is constructed using quasigroup string transformations with multivariate quadratic quasigroups, and a minus modifier with relatively small and fixed number of removed equations. To make the decryption possible and also efficient, we use a universal hash function to eliminate possibly wrong plaintext candidates. We show that, in this way, the probability of erroneous decryption becomes negligible.

MQQ-ENC is defined over the fields $\\mathbb{F}_{2^k}$ for any $k \\geq 1$, and can easily be extended to any $\\mathbb{F}_{p^k}$, for prime $p$. One important difference from MQQ-SIG is that in MQQ-ENC we use left MQQs (LMQQs) instead of bilinear MQQs. Our choice can be justified by our extensive experimental analysis that showed the superiority of the LMQQs over the bilinear MQQs for the design of MQQ-ENC.

We apply the standard cryptanalytic techniques on MQQ-ENC, and from the results, we pose a plausible conjecture that the instances of the MQQ-ENC trapdoor are hard instances with respect to the MQ problem. Under this assumption, we adapt the Kobara-Imai conversion of the McEliece scheme for MQQ-ENC and prove that it provides $\\mathsf{IND-CCA}$ security despite the negligible probability of decryption errors.

We also recommend concrete parameters for MQQ-ENC for encryption of blocks of 128 bits for a security level of $\\mathcal{O}(2^{128})$.

06:17 [Pub][ePrint]

Elliptic curve cryptography (ECC) is an efficient public cryptosystem with

a short key size. For this reason it is suitable for implementing on memory-constraint

devices such as smart cards, mobile devices, etc. However, these devices leak information

about their private key through side channels (power consumption, electromagnetic

radiation, timing etc) during cryptographic processing. In this paper we have examined

countermeasures against a specific class of side channel attacks (power analysis) called

Zero-Value Point Attack (ZVP), using elliptic curve isomorphism and isogeny. We found

that these methods are an efficient way of securing cryptographic devices using ECC

against ZVP attack. Our main contribution is to extend the work of Akishita and Takagi

[3,2] to binary fields. We also provide a more detail analysis of the ZVP attack over

prime fields.

06:17 [Pub][ePrint]

We study signed bitwise differences and modular differences. We find a way to reduce signed bitwise differences that can be transformed into same modular differences. In this way, it needs arithmetic difference. We establish one-one relationship between modular differences and arithmetic difference. And establish one-one relationship between signed bitwise differences and arithmetic difference. Then it will reduce signed bitwise differences that can be transformed into same arithmetic difference. In this paper, we design a construction with ways we find. Given modular differences, some signed bitwise difference is uniquely determined.