International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

00:17 [Pub][JoC] FlipIt: The Game of “Stealthy Takeover”


Abstract  Recent targeted attacks have increased significantly in sophistication, undermining the fundamental assumptions on which most cryptographic primitives rely for security. For instance, attackers launching an Advanced Persistent Threat (APT) can steal full cryptographic keys, violating the very secrecy of “secret” keys that cryptographers assume in designing secure protocols. In this article, we introduce a game-theoretic framework for modeling various computer security scenarios prevalent today, including targeted attacks. We are particularly interested in situations in which an attacker periodically compromises a system or critical resource completely, learns all its secret information and is not immediately detected by the system owner or defender. We propose a two-player game between an attacker and defender called FlipIt or The Game of “Stealthy Takeover.” In FlipIt, players compete to control a shared resource. Unlike most existing games, FlipIt allows players to move at any given time, taking control of the resource. The identity of the player controlling the resource, however, is not revealed until a player actually moves. To move, a player pays a certain move cost. The objective of each player is to control the resource a large fraction of time, while minimizing his total move cost. FlipIt provides a simple and elegant framework in which we can formally reason about the interaction between attackers and defenders in practical scenarios. In this article, we restrict ourselves to games in which one of the players (the defender) plays with a renewal strategy, one in which the intervals between consecutive moves are chosen independently and uniformly at random from a fixed probability distribution. We consider attacker strategies ranging in increasing sophistication from simple periodic strategies (with moves spaced at equal time intervals) to more complex adaptive strategies, in which moves are determined based on feedback received during the game. For different classes of strategies employed by the attacker, we determine strongly dominant strategies for both players (when they exist), strategies that achieve higher benefit than all other strategies in a particular class. When strongly dominant strategies do not exist, our goal is to characterize the residual game consisting of strategies that are not strongly dominated by other strategies. We also prove equivalence or strict inclusion of certain classes of strategies under different conditions. Our analysis of different FlipIt variants teaches cryptographers, system designers, and the community at large some valuable lessons: 1.  Systems should be designed under the assumption of repeated total compromise, including theft of cryptographic keys. FlipIt provides guidance on how to implement a cost-effective defensive strategy. 2.  Aggressive play by one player can motivate the opponent to drop out of the game (essentially not to play at all). Therefore, moving fast is a good defensive strategy, but it can only be implemented if move costs are low. We believe that virtualization has a huge potential in this respect. 3.  Close monitoring of one’s resources is beneficial in detecting potential attacks faster, gaining insight into attacker’s strategies, and scheduling defensive moves more effectively. Interestingly, FlipIt finds applications in other security realms besides modeling of targeted attacks. Examples include cryptographic key rotation, password changing policies, refreshing virtual machines, and cloud auditing.

  • Content Type Journal Article
  • Pages 1-59
  • DOI 10.1007/s00145-012-9134-5
  • Authors

    • Marten van Dijk, RSA Laboratories, Cambridge, MA, USA
    • Ari Juels, RSA Laboratories, Cambridge, MA, USA
    • Alina Oprea, RSA Laboratories, Cambridge, MA, USA
    • Ronald L. Rivest, Computer Science and Artificial Intelligence Laboratory, Massachusetts Institute of Technology, Cambridge, MA, USA

    • Journal Journal of Cryptology
    • Online ISSN 1432-1378
    • Print ISSN 0933-2790

From: Fri, 26 Oct 2012 12:00:56 GMT

15:17 [Pub][ePrint] Quantum-Secure Message Authentication Codes, by Dan Boneh and Mark Zhandry

  We construct the first Message Authentication Codes (MACs) that are existentially unforgeable against a quantum chosen message attack. These chosen message attacks model a quantum adversary\'s ability to obtain the MAC on a superposition of messages of its choice. We begin by showing that a quantum secure PRF is sufficient for constructing a quantum secure MAC, a fact that is considerably harder to prove than its classical analogue. Next, we show that a variant of Carter-Wegman MACs can be proven to be quantum secure. Unlike the classical settings, we present an attack showing that a pair-wise independent hash family is insufficient to construct a quantum secure one-time MAC, but we prove that a four-wise independent family is sufficient for one-time security.

15:17 [Pub][ePrint] Graph-Theoretic Algorithms for the ``Isomorphism of Polynomials\'\' Problem, by Charles Bouillaguet and Pierre-Alain Fouque and Amandine Véber

  We give three new algorithms to solve the ``isomorphism of

polynomial\'\' problem, which was underlying the hardness of

recovering the secret-key in some multivariate trapdoor one-way

functions. In this problem, the adversary is given two quadratic

functions, with the promise that they are equal up to linear changes

of coordinates. Her objective is to compute these changes of

coordinates, a task which is known to be harder than

Graph-Isomorphism. Our new algorithm build on previous work in a

novel way. Exploiting the birthday paradox, we break instances of

the problem in time $q^{2n/3}$ (rigorously) and $q^{n/2}$

(heuristically), where $q^n$ is the time needed to invert the

quadratic trapdoor function by exhaustive search. These results are

obtained by turning the algebraic problem into a combinatorial one,

namely that of recovering partial information on an isomorphism

between two exponentially large graphs. These graphs, derived from

the quadratic functions, are new tools in multivariate cryptanalysis.

15:17 [Pub][ePrint] On the (Non-)Reusability of Fuzzy Sketches and Extractors and Security Improvements in the Computational Setting, by Marina Blanton and Mehrdad Aliasgari

  Secure sketches and fuzzy extractors enable the use of biometric data in cryptographic applications by correcting errors in noisy biometric readings and producing cryptographic materials suitable for authentication, encryption, and other purposes. Such constructions work by producing a public sketch, which is later used to reproduce the original biometric and all derived information exactly from a noisy biometric reading. It has been previously shown that release of multiple sketches associated with a single biometric presents security problems for certain constructions. We continue the analysis to demonstrate that all other constructions in the literature are also prone to similar problems and cannot be safely reused. To mitigate the problem, we propose for each user to store one short secret string for all possible uses of her biometric, and show that simple constructions in the computational setting have numerous advantageous security and usability properties under standard hardness assumptions. Our constructions are generic in that they can be used with any existing secure sketch as a black box.

15:17 [Pub][ePrint] A New Approach to Discrete Logarithm Problem with Auxiliary Inputs, by Taechan Kim and Jung Hee Cheon

  Embedding an element of a finite field into auxiliary groups such as elliptic curve groups or extension fields of finite fields has been useful tool for analysis of cryptographic problems such as establishing the equivalence between the discrete logarithm problem and Diffie-Hellman problem or solving the discrete logarithm problem with auxiliary inputs (DLPwAI). Actually, Cheon\'s algorithm solving the DLPwAI can be regarded as a quantitative version of den Boer and Maurer. Recently, Kim showed in his dissertation that the generalization of Cheon\'s algorithm using embedding technique including Satoh\'s \\cite{Sat09} is no faster than Pollard\'s rho algorithm when $d\\nmid (p\\pm 1)$.

In this paper, we propose a new approach to solve DLPwAI concentrating on the behavior of function mapping between the finite fields rather than using an embedding to auxiliary groups. This result shows the relation between the complexity of the algorithm and the number of absolutely irreducible factors of the substitution polynomials, hence enlightens the research on the substitution polynomials.

More precisely, with a polynomial $f(x)$ of degree $d$ over $\\mathbf{F}_p$, the proposed algorithm shows the complexity $O\\left(\\sqrt{p^2/R}\\log^2d\\log p\\right)$ group operations to recover $\\alpha$ with $g, g^{\\alpha}, \\dots, g^{\\alpha^{d}}$, where $R$ denotes the number of pairs $(x, y)\\in\\mathbf{F}_p\\times \\mathbf{F}_p$ such that $f(x)-f(y)=0$. As an example using the Dickson polynomial, we reveal $\\alpha$ in $O(p^{1/3}\\log^2{d}\\log{p})$ group operations when $d|(p+1)$. Note that Cheon\'s algorithm requires $g, g^{\\alpha}, \\dots, g^{\\alpha^{d}}, \\dots, g^{\\alpha^{2d}}$ as an instance for the same problem.

15:17 [Pub][ePrint] Candidate Multilinear Maps from Ideal Lattices and Applications, by Sanjam Garg and Craig Gentry and Shai Halevi

  We describe plausible lattice-based constructions with properties that

approximate the sought-after multilinear maps in hard-discrete-logarithm

groups, and show that some applications of such multi-linear maps can

be realized using our approximations.

The security of our constructions relies on seemingly hard problems in

ideal lattices, which can be viewed as extensions of the assumed

hardness of the NTRU function.

08:26 [Event][New] ISCTURKEY: International Conference on Information Security and Cryptology

  Submission: 1 April 2013
Notification: 23 April 2013
From May 23 to May 24
Location: Ankara, Turkey
More Information:

08:25 [Event][New] ICIA2013: The Second International Conference on Informatics & Applications

  Submission: 5 August 2013
Notification: 15 September 2013
From September 23 to September 25
Location: Lodz, Poland
More Information:

00:17 [Pub][JoC] A One-Time Stegosystem and Applications to Efficient Covert Communication


Abstract  We present the first information-theoretic steganographic protocol with an asymptotically optimal ratio of key length to message length that operates on arbitrary covertext distributions with constant min-entropy. Our results are also applicable to the computational setting: our stegosystem can be composed over a pseudorandom generator to send longer messages in a computationally secure fashion. In this respect our scheme offers a significant improvement in terms of the number of pseudorandom bits generated by the two parties in comparison to previous results known in the computational setting. Central to our approach for improving the overhead for general distributions is the use of combinatorial constructions that have been found to be useful in other contexts for derandomization: almost t-wise independent function families.

  • Content Type Journal Article
  • Pages 1-22
  • DOI 10.1007/s00145-012-9135-4
  • Authors

    • Aggelos Kiayias, Department of Computer Science and Engineering, University of Connecticut, Storrs, CT, USA
    • Yona Raekow, Fraunhofer Institute for Algorithms and Scientific Computing, St. Augustin, Germany
    • Alexander Russell, Department of Computer Science and Engineering, University of Connecticut, Storrs, CT, USA
    • Narasimha Shashidhar, Department of Computer Science, Sam Houston State University, Huntsville, TX, USA

    • Journal Journal of Cryptology
    • Online ISSN 1432-1378
    • Print ISSN 0933-2790

From: Wed, 24 Oct 2012 17:55:35 GMT

15:17 [Pub][ePrint] Secure Outsourced Attribute-Based Signatures, by Jin Li, Xiaofeng Chen, Jingwei Li, Chunfu Jia, Duncan S. Wong, Willy Susilo

  Attribute-based signature (ABS) is a useful variant of digital signature, which enables users to sign messages over attributes without revealing any information other than the fact that they have attested to the messages. However, heavy computational cost is required during signing in existing work of ABS, which grows linearly with the size of the predicate formula. As a result, this presents a significant challenge for resource-limited users (such as mobile devices) to perform such heavy computation independently. Aiming at tackling the challenge above, we propose and formalize a

new paradigm called OABS, in which the computational overhead at user side is greatly reduced through outsourcing such intensive computation to an untrusted signing-cloud service provider (S-CSP). Furthermore, we apply this novel paradigm to existing ABS to reduce complexity and present two schemes, i) in the first OABS scheme, the number of exponentiations involving in signing is reduced from $O(d)$ to $O(1)$ (nearly three), where $d$ is the upper bound of threshold value defined in the predicate; ii) our second scheme is built on Herranz et al\'s construction with constant-size signatures. The number of exponentiations in signing is reduced from $O(d^2)$ to $O(d)$ and the communication overhead is $O(1)$. Security analysis demonstrates that both OABS schemes are secure in terms of the unforgeability and attribute-signer privacy definitions specified in the proposed security model. Finally, to allow for high efficiency and flexibility, we discuss extensions of OABS and show how to achieve accountability and outsourced verification as well.

15:17 [Pub][ePrint] Breaking Public Keys - How to Determine an Unknown RSA Public Modulus, by Hans-Joachim Knobloch

  Not surprisingly, the common use of any public key crypto system involves publishing the public key and keeping the private key secret. There are however a few applications where both the private and public key are kept secret, thereby effectively converting a public key crypto algorithm to a symmetric algorithm.

We show that if the RSA cryptosystem is used in such a symmetric application, it is possible to determine the public RSA modulus if the public exponent is known and short, such as 3 or F4=65537, and two or more plaintext/ciphertext (or, if RSA is used for signing, signed value/signature) pairs are known.