International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-09-30
03:17 [Pub][ePrint]

The restricted identication protocol for the new German identity card basically provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not malicious ones). The protocol can be augmented to allow also for signatures under the pseudonyms. In this paper, we thus view---and define---this idea more abstractly as

a new cryptographic signature primitive with some form of anonymity, and use the term domain-specific pseudonymous signatures. We then analyze the restricted identication solutions in terms of the formal

security requirements.

03:17 [Pub][ePrint]

The notion of plaintext awareness (PA) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen ciphertext attacks (INDCCA), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving PA in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving PA of schemes in one model cannot be adapted to the other model. Existing research addresses PA in detail only in the public key setting.

This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of PA in proof strategies of INDCCA security, and explores relationships between PA and other security properties.

On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and INDCCA-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of gamma-uniformity that was inherent in the original FO transform. We show that for IB-KEMs (and PK-KEMs) this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is PA and INDCCA-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.

03:17 [Pub][ePrint]

In Eurocrypt 2010, Miccinacio initiated an investigation of cryptographically sound, symbolic security analysis with respect to coinductive adversarial knowledge, and demonstrated that under an adversarially passive model, certain security criteria (e.g. indistinguishability) may be given a computationally sound symbolic characterization, without the assumption of key acyclicity. Left open in his work was the fundamental question of the viability of extending the coinductive approach to prove computational soundness results in the presence of active adversaries.\'\' In this paper we make some initial steps toward answering this question in the affirmative with respect to an extension of a trace-based security model (proposed by Micciancio and Warinschi in TCC 2004) including asymmetric and symmetric encryption; in particular we prove that a random computational trace can be soundly abstracted by a coinductive symbolic trace with overwhelming probability, provided that both the underlying encryption schemes provide IND-CCA2 security (plus {ciphertext integrity} for the symmetric scheme), and that the diameter of the underlying coinductively-hidden subgraph is constant in every symbolic trace. This result holds even if the protocol allows arbitrarily nested applications of symmetric/asymmetric encryption, unrestricted transmission of symmetric keys, and adversaries who adaptively corrupt users, along with other forms of active attack.

As part of our proof, we formulate a game-based definition of encryption security allowing adaptive corruptions of keys and certain forms of adaptive key-dependent plaintext attack, along with other common forms of CCA2 attack. We prove that (with assumptions similar to above,) security under this game is implied by IND-CCA2 security. This also characterizes a provably benign form of cyclic encryption which can be achieved under standard notions of encryption security, which may be of independent interest.

2012-09-28
05:29 [Election]

## Candidates for Election in 2012

• Thomas Peyrin
I am really attached to the IACR and know its important role in promoting cryptography research. I've participated to several IACR PCs and will serve as co-GC of FSE'13. I will work on maintaining the high standards of IACR events and ensure the concerns of all cryptography sub-communities are considered.

• Anna Lysyanskaya
Statement: The IACR is my home research community, and I'd like to give back. My priorities are: (1) High quality research and its effective dissemination, (2) mentoring, (3) dialogue with related research communities, industry, standards and funding agencies.

• Thomas Berson
I have served the IACR since 1983 as Secretary, Treasurer, President, and Director. During that time we created conferences, workshops, literature, and community. Our present challenges include balance and tolerance in our evolving community. I know where we have been; I know where we are going. Please vote for me.

• Michel Abdalla
As an IACR member for more than a decade, I seek the opportunity to serve the community as a director. If elected, I'd like to help improve existing services provided by IACR, offer new services such as the organization of schools in cryptology, and promote worldwide dissemination of cryptologic research.

• Xavier Boyen
In gratitude for my decade in this vibrant community, my stewardship would, inter alia, promulgate open scholarly dissemination, facilitate balanced global outreach and participation, and explore mutually beneficial cross-community partnerships -- progressing carefully, always honoring the continuity of traditions that define us. Best decisions are consensual through meeting of the minds.

## Election Committee

• Josh Benaloh (Chair)
• David Pointcheval (Returning Officer)
• Greg Rose

2012-09-27
15:17 [Pub][ePrint]

Differential fault analysis (DFA) poses a significant threat to Advanced Encryption Standard (AES). It has been demonstrated that DFA can use only a single faulty ciphertext to reveal the secret key of AES in an average of 230 computation. Traditionally, concurrent error

detection (CED) is used to protect AES against DFA. However, we emphasize that conventional CED assumes a uniform distribution of faults, which is not a valid assumption in the context of DFA. In contrast, we show practical examples which highlight that an attacker

can inject specific and exploitable faults, thus threatening existing CED. This paper brings to the surface a new CED approach for cryptography, aimed at providing provable security by detecting all possible DFA-exploitable faults, which is a small subset of the entire fault space. We analyze the fault coverage of conventional CED against DFA-exploitable faults, and we find that the fault coverage of most of these techniques are significantly lower than

the one they claimed. We stress that for security, it is imperative that CED should provide 100% fault coverage for DFA-exploitable faults. We further propose an invariance-based CED which provides 100% provable security against all known DFA of AES.

15:17 [Pub][ePrint]

In this paper we analyze practical aspects of the differential fault attack on RSA published by Boneh, Demillo and Lipton from Bellcore. We focus on the CRT variant, which requires only one faulty signature to be entirely broken provided that no DFA countermeasures are in use. Usually the easiest approach for the attacker is to introduce a fault in one of the two RSA-CRT exponentiations. These are time-consuming and often clearly visible in the power profiles. However, protection of the exponentiations against faults does not always circumvent the Bellcore attack. Our goal is to investigate and classify other possible targets of the attack.

15:17 [Pub][ePrint]

Achieving both security and efficiency is the challenging issue for a data outsourcing service in the cloud computing.

Proof of Storage with Deduplication (POSD) is the first solution that addresses the issue for the cloud storage. However, the validity of the POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of the scheme

under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improvement of the POSD scheme to mitigate our attack.

15:17 [Pub][ePrint]

We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any nontrivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known - such as concurrent zero knowledge protocols - and it has been an open question explicitly asked, for instance, by Lindell [J. Cryptology\'08] - whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting.

In this work:

1. We resolve this open question by showing that unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT, but in fact all nontrivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance, and the adversary receives no auxiliary information.

2. Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete secure against active adversaries. When we say that a functionality F is non-interactively complete, we mean that every other asymmetric functionality can be realized by parallel invocations of several copies of F, with no other communication in any direction. Our result subsumes a completeness result of Kilian [STOC\'00] that uses protocols which require additional interaction in both directions.

15:17 [Pub][ePrint]

In the setting of cryptographic protocols, the corruption of a party has traditionally been viewed as a simple, uniform and atomic operation, where the adversary decides to get control over a party and this party immediately gets corrupted. In this paper, motivated by the fact that different players may require different resources to get corrupted, we put forth the notion of {\\em resource-based corruptions}, where the adversary must invest some resources in order to do so.

If the adversary has full information about the system configuration then resource-based corruptions would provide no fundamental difference from the standard corruption model. However, in a resource anonymous\'\' setting, in the sense that such configuration is hidden from the adversary, much is to be gained in terms of efficiency and security.

We showcase the power of such {\\em hidden diversity} in the context of secure multiparty computation (MPC) with resource-based corruptions and prove that it can effectively be used to circumvent known impossibility results. Specifically, if $OPT$ is the corruption budget that violates the completeness of MPC (the case when half or more of the players are corrupted), we show that if hidden diversity is available, the completeness of MPC can be made to hold against an adversary with as much as a $B\\cdot OPT$ budget, for any constant $B>1$. This result requires a suitable choice of parameters (in terms of number of players and their hardness to corrupt), which we provide and further prove other tight variants of the result when the said choice is not available. Regarding efficiency gains, we show that hidden diversity can be used to force the corruption threshold to drop from 1/2 to 1/3, in turn allowing the use of much more efficient (information-theoretic) MPC protocols.

We achieve the above through a series of technical contributions:

o The modeling of the corruption process in the setting of cryptographic protocols through {\\em corruption oracles} as well as the introduction of a notion of reduction to relate such oracles;

o the abstraction of the corruption game as a combinatorial problem and its analysis; and, importantly,

o the formulation of the notion of {\\em inversion effort preserving} (IEP) functions which is a type of direct-sum property, and the property of {\\em hardness indistinguishability}. While hardness indistinguishability enables the dissociation of parties\' identities and the resources needed to corrupt them, IEP enables the discretization of adversarial work into corruption tokens,

all of which may be of independent interest.

2012-09-26
05:31 [Event][New]

Submission: 1 February 2013
From October 10 to October 11
Location: Laurel, Maryland, USA

05:12 [Job][New]

Responsibilities:

• Serve as a highly visible industry expert on tamper-resistance and DPA countermeasures

• Design and implement DPA-resistant hardware blocks suitable for a variety of applications and device form factors

• Guide customers implementing DPA countermeasures and tamper resistance into their products and systems

• Consult with customers regarding their DPA-resistance certification needs

• Develop tools and training material around methodologies for DPA resistant hardware design

• Author whitepapers and technical papers related to tamper resistance, side-channel analysis and countermeasures

• Provide customer training on DPA

Qualifications:

• 8+ years of experience in tamper resistant hardware design and at least 5 years of experience in developing DPA resistant hardware and products that use algorithms such as DES, 3DES, AES, RSA and ECC.

• Deep knowledge of the statistics of DPA, sources of information leakage in hardware and engineering tradeoffs between different countermeasure choices

• Experience with getting multiple products evaluated for DPA resistance at EAL 5+

• External recognition as an expert in the area of tamper resistance, side-channel analysis and countermeasures, via publications, industry panels, contributions to standards working groups, etc.

• Very high degree of skill with Verilog (or VHDL) and digital design

• In depth understanding of front-end ASIC design flows, including design, simulation, synthesis and timing analysis

• Hardware development experience in UNIX/Linux environments, and with shell/perl scripting

• Excellent interpersonal, presentation and documentation skills

• MS/Ph.D in Electrical Engineering

Pluses: Experience in the following areas

• Mixed mode and analog simulations for assessing DPA resistance at the design stage

• Develo