International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-09-26
05:31 [Event][New]

Submission: 1 February 2013
From October 10 to October 11
Location: Laurel, Maryland, USA

05:12 [Job][New]

Responsibilities:

• Serve as a highly visible industry expert on tamper-resistance and DPA countermeasures

• Design and implement DPA-resistant hardware blocks suitable for a variety of applications and device form factors

• Guide customers implementing DPA countermeasures and tamper resistance into their products and systems

• Consult with customers regarding their DPA-resistance certification needs

• Develop tools and training material around methodologies for DPA resistant hardware design

• Author whitepapers and technical papers related to tamper resistance, side-channel analysis and countermeasures

• Provide customer training on DPA

Qualifications:

• 8+ years of experience in tamper resistant hardware design and at least 5 years of experience in developing DPA resistant hardware and products that use algorithms such as DES, 3DES, AES, RSA and ECC.

• Deep knowledge of the statistics of DPA, sources of information leakage in hardware and engineering tradeoffs between different countermeasure choices

• Experience with getting multiple products evaluated for DPA resistance at EAL 5+

• External recognition as an expert in the area of tamper resistance, side-channel analysis and countermeasures, via publications, industry panels, contributions to standards working groups, etc.

• Very high degree of skill with Verilog (or VHDL) and digital design

• In depth understanding of front-end ASIC design flows, including design, simulation, synthesis and timing analysis

• Hardware development experience in UNIX/Linux environments, and with shell/perl scripting

• Excellent interpersonal, presentation and documentation skills

• MS/Ph.D in Electrical Engineering

Pluses: Experience in the following areas

• Mixed mode and analog simulations for assessing DPA resistance at the design stage

• Develo

05:12 [Job][New]

Responsibilities for this position include:

• Using, enhancing and developing cutting edge analysis techniques to perform side-channel leakage assessments of customer products and prototypes across a wide range of form factors and algorithms

• Documenting and/or publishing innovations in side-channel analysis and staying current with analysis techniques developed by other researchers

• Incorporating new analysis techniques and tools into CRI’s DPA Workstation product

• DPA Training: Instruct existing and prospective DPA countermeasure licensees and DPA workstation customers on topics related to DPA

• Authoring whitepapers, training material and tutorials on side-channel analysis and countermeasures

Qualifications: Education, Experience, Skills, Etc.

Requirements:

• MS/Ph.D in Electrical Engineering or Computer Science

• 3+ years experience in performing DPA on a range of real-world systems, form factors and algorithms, including experience with developing DPA test fixtures for embedded devices, setting up scopes and measurement apparatus, and applying signal processing and DPA techniques on the collected traces

• Exceptional C/C++ skills, working knowledge of Matlab or other signal processing tools, knowledge of multiple scripting languages

• Good written, oral and presentation skills – this position will require technical interactions with customers

Pluses:

• A strong record of scientific publications in the area of side-channel analysis and countermeasures and tamper resistance

• Experience with DPA-resistance certification

• Background in cryptography, tamper resistance (including fault analysis), signal processing or statistics

• Experience with embedded systems

2012-09-24
06:17 [Pub][ePrint]

In this paper, we propose an elaborate geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry

interpretation we construct the Miller function. Then we present explicit formulae for the addition and doubling steps in Miller\'s algorithm to compute Tate pairing on Jacobi quartic curves. Both the addition step and doubling step of our formulae for Tate pairing computation on Jacobi curves are faster than previously proposed ones.

Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. For twists of degree 4, both the addition steps and doubling steps in our formulas are faster than the fastest result on Weierstrass curves. For twists of degree 6, the addition steps of our formulae are faster than the fastest result on Weierstrass curves.

2012-09-22
15:17 [Pub][ePrint]

In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST\'s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation --- the main building block of Keccak hash function.

15:17 [Pub][ePrint]

In FSE 2005, \\emph{transparency order} was proposed as a parameter

for the robustness of S-boxes to \\emph{Differential Power Analysis} (DPA):lower \\emph{transparency order} implying more resistance. However most cryptographically strong Boolean functions have been found to have high \\emph{transparency order}. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low \\emph{transparency order}, the total search space for $(n,n)$-bit Boolean functions being as large as $n2^{2^n}$. In this paper we characterize \\emph{transparency order} for various classes of Boolean functions by computing the upper and lower bounds of \\emph{transparency order} for both

even and odd numbers of variables. The transparency order is defined in terms of \\emph{diffusion} properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The \\emph{transparency order} is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of \\emph{propagation characteristics}, \\emph{autocorrelation

spectra} of the S-box function $F$ is a more qualifying candidate in deciding the characteristics of \\emph{transparency order}. The relations developed to characterize \\emph{transparency order} aid in our constrained random generation and search of a class of

balanced $8\\times8$ S-boxes with \\emph{transparency order} upper bounded by 7.8, \\emph{nonlinearity} in range $(104,110)$ and \\emph{absolute indicator values} of \\emph{GAC}

in range $(48,88)$.

15:17 [Pub][ePrint]

We propose two basic NIZK arguments, one for Hadamard product of two vectors, and another one for a shift of a vector. The first argument is based on the corresponding argument of Lipmaa (TCC 2012), but makes use of Fast Fourier Transform and Pippenger\'s multi-exponentiation algorithm to achieve quasilinear (as opposed quadratic) computational complexity. The shift argument seems to be novel.

Based on the new basic arguments, we propose a NIZK argument for subset sum. This seems to be the only known (direct) sublinear NIZK argument for some other NP-complete language than Circuit-SAT\\@. Moreover, it is significantly more efficient than the known sublinear Circuit-SAT arguments by Groth (Asiacrypt 2010) and Lipmaa. In addition, we show that the new arguments can be used to speed up the recent range argument by Chaabouni, Lipmaa and Zhang (FC 2012). Finally, we combine the subset sum argument and the range argument to propose a direct sublinear NIZK argument for another NP-complete language, decision knapsack.

15:17 [Pub][ePrint]

Batch signature verification detects whether a batch of signatures contains any forgeries. Batch forgery identification pinpoints the location of each forgery. Existing forgery-identification schemes vary in their strategies for selecting subbatches to verify (individual checks, binary search, combinatorial designs, etc.) and in their strategies for verifying subbatches. This paper exploits synergies between these two levels of strategies, reducing the cost of batch forgery identification for elliptic-curve signatures.

15:17 [Pub][ePrint]

Proofs of retrievability allow a client to store her data on a remote server (in the cloud\'\') and periodically execute an efficient audit protocol to check that all of the data is being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass.

Starting with the work of Juels and Kaliski (CCS \'07), all prior solutions to this problem crucially assume that the client data is static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to `lose\' any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient.

Overcoming this limitation was left as the main open problem by all prior works.

In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols is only polylogarithmic in the size of the client\'s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data lock are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.

2012-09-20
12:17 [Pub][ePrint]

In this paper, we revisit the private top-κ data aggregation problem. First we formally define the problem\'s security requirements as both data and user privacy goals. To achieve both goals, and to strike a balance between efficiency and functionality, we devise a novel cryptographic construction that comes in two schemes; a fully decentralized simple construction and its practical and semi-decentralized variant. Both schemes are provably secure in the semi-honest model. We analyze the computational and communi- cation complexities of our construction, and show that it is much more efficient than the existing protocols in the literature.

12:17 [Pub][ePrint]

The aim of this paper is to improve the implementation of RSA algorithm in some certain situations. This improvement is based on the ideas of H. Ren-Junn, S. Feng-Fu, Y. Yi-Shiung and C. Chia-Yao and allows us to speed up the transmission of data between various nodes in networks. We realized our idea in the C{\\#} language and in the database that was created by SQL Server 2008 R2. Identical database must be used in all networks gateways. The special protocol (RSA Handshake Database Protocol) was designed for controlling the creation of this database. Each gateway, that runs a RSA-Key Generations Offline procedure, is controlled according to specific issues and necessaries. This stage is called RSA-Key Generations Offline. We propose the new method for exchanging values of the keys among gateways. Roughly speaking gateways exchange indexes (Indexes Exchange) that refer to fields that contain the values of public and private keys.