International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-08-05
15:17 [Pub][ePrint] On the Security of Dynamic Group Signatures: Preventing Signature Hijacking, by Yusuke Sakai and Jacob C.N. Schuldt and Keita Emura and Goichiro Hanaoka and Kazuo Ohta

  We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the dynamic group signature scheme by Groth (ASIACRYPT 2007) does not provide protection against this type of malicious behavior.

To address this, we introduce the notion of \\emph{opening soundness} for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions.

We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.



15:17 [Pub][ePrint] TorScan: Tracing Long-lived Connections and Differential Scanning Attacks, by Alex Biryukov, Ivan Pustogarov, Ralf-Philipp Weinmann

  Tor is a widely used anonymity network providing low-latency communication capabilities. Around 400,000 users per day use Tor to route TCP traffic through a sequence of relays; three hops are selected from a pool of currently almost 3000 volunteer-operated Tor relays to comprise a route through the network for a limited time. In comparison to single-hop proxies, forwarding TCP streams through multiple relays increases the anonymity of the users significantly: each hop along the route only knows its successor and predecessor.

The anonymity provided by Tor heavily relies on the hardness of linking a user\'s entry and exit nodes. If an attacker gains access to the topological information about the Tor network instead of having to consider the network as a fully connected graph, this anonymity may be reduced. In fact, we have found ways to probe the connectivity of a Tor relay. We demonstrate how the resulting leakage of the Tor network topology can be used and present attacks to trace back a user from an exit relay to a small set of potential entry nodes.



15:17 [Pub][ePrint] Impossibility Results for Static Input Secure Computation, by Sanjam Garg and Abishek Kumarasubramanian and Rafail Ostrovsky and Ivan Visconti

  Consider a setting of two mutually distrustful parties Alice and Bob who want to securely

evaluate some function on pre­-specified inputs. The well studied notion of two­-party secure computation

allows them to do so in the stand­alone setting. Consider a deterministic function (e.g., 1­-out­-of­-2 bit

OT) that Alice and Bob can not evaluate trivially and which allows only Bob to receive the output. We

show that Alice and Bob can not securely compute any such function in the concurrent setting even

when their inputs are pre­-specified. Our impossibility result also extends to all deterministic functions in

which both Alice and Bob get the same output. Our results have implications in the bounded­-concurrent

setting as well.



15:17 [Pub][ePrint] Improved Publicly Verifiable Delegation of Large Polynomials and Matrix Computations, by Dario Fiore and Rosario Gennaro

  We present new protocols for {\\em publicly verifiable} secure outsourcing of polynomials and matrix multiplication, which can

be instantiated over RSA moduli, and proven secure under the DDH/RSA/Factoring Assumptions over such groups. Since all previous solutions are based on the use of bilinear maps, we demonstrate that publicly verifiable computation can be achieved even under different and standard assumptions.

Perhaps more interestingly, our solution can handle polynomials over finite fields of {\\em any} characteristic (starting from 2), and thus it can also support public verification of boolean formulas. This allows for a lot of flexibility, and it avoids the efficiency penalty of working bit by bit in fields larger than 2.

The core of our result is a new concept of Algebraic One-Way Functions which may be of independent interest.





2012-08-03
08:32 [Event][New] COSADE: Constructive Side-Channel Analysis and Secure Design

  Submission: 24 September 2012
Notification: 3 December 2012
From March 7 to March 8
Location: Paris, France
More Information: http://www.cosade.org




2012-08-02
15:17 [Pub][ePrint] A Publicly-Veriable Mix-net with Everlasting Privacy Towards Observers, by Denise Demirel and Jeroen van de Graaf

  In this paper we present a novel, publicly verifiable mixing

scheme which has everlasting privacy towards observers: all the information published on the bulletin board by the mixes (audit information etc) reveals no information about the identity of any of the messages published. The correctness of the mixing process is statistical: even if all authorities conspire, they cannot change the contents of any message without being detected with overwhelming probability. We accomplish this by encoding the messages submitted using so-called Pedersen commitments. Decoding (opening) these is possible because we create a parallel mix-net run by the same mixes to which the public has no access. This private mix-net uses the same permutations as the public one, but uses homomorphic encryption, which is used to send auxiliary information (messages, decommitment values) through the mix-net to allow decoding.



15:17 [Pub][ePrint] Security margin evaluation of SHA-3 contest finalists through SAT-based attacks, by Ekawat Homsirikamol and Pawel Morawiecki and Marcin Rogawski and Marian Srebrny

  In 2007, the U.S. National Institute of Standards and Technology (NIST) announced a public contest aiming at the selection of a new standard for a cryptographic hash function. In this paper, the security margin of five SHA-3 finalists is evaluated with an assumption that attacks launched on finalists should be practically verified. A method of attacks applied is called logical cryptanalysis where the original task is expressed as a SATisfiability problem instance. A new toolkit is used to simplify the most arduous stages of this type of cryptanalysis and helps to mount the attacks in a uniform way. In the context of SAT-based attacks, it has been shown that all the finalists have substantially bigger security margin than the current standards SHA-256 and SHA-1. Two other metrics, software performance and hardware efficiency are combined with security results to provide a more comprehensive picture of the SHA-3 finalists.





2012-08-01
06:17 [Pub][ePrint] Low complexity bit-parallel $GF(2^m)$ multiplier for all-one polynomials, by Yin Li and Gong-liang Chen and Xiao-ning Xie

  This paper presents a new bit-parallel multiplier for the finite

field $GF(2^m)$ generated with an irreducible all-one polynomial.

Redundant representation is used to reduce the time delay of the

proposed multiplier, while a three-term Karatsuba-like formula is

combined with this representation to decrease the space complexity.

As a result, the proposed multiplier requires about 10 percent fewer

AND/XOR gates than the most efficient bit-parallel multipliers using

an all-one polynomial, while it has almost the same time delay as

the previously proposed ones.



06:17 [Pub][ePrint] Revisiting Key Schedule\'s Diffusion In Relation With Round Function\'s Diffusion, by Jialin Huang and Xuejia Lai

  We study the weakness of key schedules from an observation: many existing attacks use the fact that the key schedules poorly distribute

key bits in the diffusion path of round function.

This reminds us of the importance of the diffusion\'s relation between key schedule and round function.

We present new cryptanalysis results by exploring such diffusion relation and propose a new criterion for necessary key schedule diffusion.

We discuss potential attacks and summarize the causes for key schedules without satisfying this criterion.

One major cause is that overlapping between the diffusion of key schedule and round function leads to information leakage of key bits.

Finally, a measure to estimate our criterion for recursive key schedules is presented.

Today designing key schedule still lacks practical and necessary principles.

For a practical key schedule with limited diffusion, our work adds more insight to its requirements and helps to maximize the security level.



06:17 [Pub][ePrint] Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal, by Cas Cremers and Michèle Feltz

  We show that it is possible to achieve perfect forward secrecy in two-message or one-round key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk (eCK) security model. In particular, we consider perfect forward secrecy in the presence of adversaries that can reveal ephemeral secret keys and the long-term secret keys of the actor of a session (similar to Key Compromise Impersonation).

We propose two new game-based security models for KE protocols. First, we formalize a slightly stronger variant of the eCK security model that we call eCKw. Second, we integrate perfect forward secrecy into eCKw, which gives rise to the even stronger eCK-PFS model. We propose a security-strengthening transformation (i.e., a compiler) between our new models. Given a two-message Diffie-Hellman type protocol secure in eCKw, our transformation yields a two-message protocol that is secure in eCK-PFS. As an example, we show how our transformation can be applied to the NAXOS protocol.



06:17 [Pub][ePrint] Efficient Padding Oracle Attacks on Cryptographic Hardware, by Romain Bardou and Riccardo Focardi and Yusuke Kawamoto and Lorenzo Simionato and Graham Steel and Joe-Kai Tsay

  We show how to exploit the encrypted key import functions of a

variety of different cryptographic devices to reveal the imported

key. The attacks are padding oracle attacks, where error messages

resulting from incorrectly padded plaintexts are used as a side

channel. In the asymmetric encryption case, we modify and improve

Bleichenbacher\'s attack on RSA PKCS#1v1.5 padding, giving new

cryptanalysis that allows us to carry out the `million message

attack\' in a mean of 49 000 and median of 14 500 oracle calls in the

case of cracking an unknown valid ciphertext under a 1024 bit key

(the original algorithm takes a mean of 215 000 and a median of 163

000 in the same case). We show how implementation details of certain

devices admit an attack that requires only 9 400 operations on

average (3 800 median). For the symmetric case, we adapt Vaudenay\'s

CBC attack, which is already highly efficient. We demonstrate the

vulnerabilities on a number of commercially available cryptographic

devices, including security tokens, smartcards

and the Estonian electronic ID card. The attacks are

efficient enough to be practical: we give timing details for all

the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack.

We give mathematical analysis of the effectiveness of the attacks,

extensive empirical results, and a discussion of countermeasures and manufacturer reaction.