International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-03-28
15:17 [Pub][ePrint]

RFID is a leading technology that has been

rapidly deployed in several daily life applications such as

payment, access control, ticketing, and e-passport, which

requires strong security and privacy mechanisms. However,

RFID systems commonly have limited computational capacity,

poor resources and inefficient data management. Hence there

is a demanding urge to address these issues in the light

of some mechanism which can make the technology excel.

Cloud computing is one of the fastest growing segments of

IT industry which can provide a cost effective technology

and information solution to handling and using data collected

companies is placed in the cloud, concerns are beginning to

grow about just how safe an environment it is. Therefore, while

integrating RFID into the cloud, the security and privacy of

the tag owner must be considered.

Motivated by this need, we first provide a security and

privacy model for RFID technology in the cloud computing. In

this model, we first define the capabilities of the adversary and

then give the definitions of the security and privacy. After that

we propose an example of an RFID authentication protocol

in the cloud computing. We prove that the proposal is narrow

strong private+ in our privacy model.

15:17 [Pub][ePrint]

In this paper, we obtain a characterization of generalized Boolean functions based on spectral analysis. We investigate a relationship between the Walsh-Hadamard spectrum and $\\sigma_f$, the sum-of-squares-modulus indicator (SSMI) of the generalized Boolean function. It is demonstrated that $\\sigma_f = 2^{2n + s}$ for every $s$-plateaued generalized Boolean function in $n$ variables. Two classes of generalized semi-bent Boolean functions are constructed.% and it is demonstrated that their SSMI is over generalized $s$-plateaued Boolean functions is $2^{2n + s}$. We have constructed a class of generalized semi-bent functions in $(n+1)$ variables from generalized semi-bent functions in $n$ variables and identify a subclass of it for which $\\sigma_f$ and $\\triangle_{f}$ both have optimal value. Finally, some construction on generalized partially bent Boolean functions are given.

15:17 [Pub][ePrint]

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user\'s account information. In this paper, we propose several protocols that can allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and cross-site impersonation or honeypot attacks by the online service providers.

Our solutions assume the user has access to either an untrusted online cloud storage service (as per Boyen [14]), or a mobile storage device that is trusted until stolen. In the cloud storage scenario, we consider schemes that optimize for either storage server or online service performance, as well as anonymity and unlinkability of the user\'s actions. In the mobile storage scenario, we minimize the assumptions we make about the capabilities of the mobile device: we do not assume synchronization, tamper resistance, special or expensive hardware, or extensive cryptographic capabilities. Most importantly, the user\'s password remains secure even after the mobile device is stolen. Our protocols provide another layer of security against malware and phishing. To the best of our knowledge, we are the first to propose such various and provably secure password-based authentication schemes. Lastly, we argue that our constructions are relatively easy to deploy, especially if a few single sign-on services (e.g., Microsoft, Google, Facebook) adopt our proposal.

2013-03-27
15:19 [Job][New]

We invite applications for outstanding researchers to strengthen and broaden our research activities in security and privacy research.

Both recent Ph.D. graduates and well-established scientists are encouraged to apply. A premier center for commercial innovation, PARC, a Xerox company, is in the business of breakthroughs. We work closely with global enterprises, entrepreneurs, government agencies and partners, and other clients to invent, co-develop, and bring to market game-changing innovations by combining imagination, investigation, and return on investment for our clients. For 40 years, we have lived at the leading edge of innovation, merging inquiry and strategy to pioneer technological change. PARC was incorporated in 2002 as a wholly owned independent subsidiary of Xerox Corporation – enabling us to continue pioneering technological change but across a broader set of industries and clients today. See http://www.parc.com/about for more details on PARC.

Candidates in all areas of cyber security will be considered, with particular interest in:

• systems and network security
• security and privacy in big data analytics
• security in ubiquitous environments
• machine learning and security
• usable security
• privacy and applied cryptography

09:09 [Job][New]

The Information Security Centre of Excellence is looking for several stand-out PhD students who want to pursue research in the area of network security and collaborate closely with industry partners. The positions are fully-funded. To apply please send your detailed CV.

2013-03-26
15:17 [Pub][ePrint]

A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM\'s authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a \"polynomial evaluation\" MAC, the bug can be exploited for actual message forgery.

15:17 [Pub][ePrint]

We demonstrate the high-speed computation of core elliptic curve operations with full protection against timing-type side-channel attacks. We use a state-of-the-art GLV-GLS curve in twisted Edwards form defined over a quadratic extension field of large prime characteristic, which supports a four dimensional decomposition of the scalar. We present highly optimized algorithms and formulas for speeding up the different arithmetic layers, including techniques especially suitable for high-speed, side-channel protected computation on GLV-based implementations. Analysis and performance results are reported for modern x64 and ARM processors. For instance, on an Intel Ivy Bridge processor we compute a variable-base scalar multiplication in 94,000 cycles, a fixed-base scalar multiplication in 53,000 cycles using a table of 6KB, and a double scalar multiplication in 118,000 cycles using a table of 3KB. Similarly, on an ARM Cortex-A15 processor we compute a variable-base scalar multiplication in 244,000 cycles, a fixed-base scalar multiplication in 116,000 cycles (table of 6KB), and a double scalar multiplication in 285,000 cycles (table of 3KB). All these numbers and the proposed techniques represent a significant improvement of the state-of-the-art performance of elliptic curve computations. Most remarkably, our optimizations allow us to reduce the cost of adding protection against timing attacks in the computation of variable-base scalar multiplication to around or below 10%.

15:17 [Pub][ePrint]

In Eurocrypt 2012, Lewko presented a fully secure IBE scheme in the

prime order setting based on the decisional linear assumption. We note that

some random factor involved in the ciphertext can further be used to hide yet another message

, and get a new fully secure IBE scheme with better message-ciphertext rate.

Similar to Lewko\'s

scheme, we use dual pairing vector space in prime order bilinear

groups to simulate the canceling and parameter hiding properties of

composite order settings. The security of our scheme is based on the

subspace assumption, which can be reduced to the decisional linear

assumption. We employ the dual system encryption technique in our

security proof.

15:17 [Pub][ePrint]

How can we encode a communication protocol between two parties to become resilient to adversarial errors on the communication channel? This question dates back to the seminal works of Shannon and Hamming from the 1940\'s, initiating the study of error-correcting codes (ECC). But, even if we encode each message in the communication protocol with a good\'\' ECC, the error rate of the encoded protocol becomes poor (namely $O(1/m)$ where $m$ is the number of communication rounds). Towards addressing this issue, Schulman (FOCS\'92, STOC\'93) introduced the notion of \\emph{interactive coding}.

We argue that whereas the method of separately encoding each message with an ECC ensures that the encoded protocol carries the same amount of information as the original protocol, this may no longer be the case if using interactive coding. In particular, the encoded protocol may completely leak a player\'s private input, even if it would remain secret in the original protocol. Towards addressing this problem, we introduce the notion of \\emph{knowledge-preserving interactive coding}, where the interactive coding protocol is required to preserve the knowledge\'\' transmitted in the original protocol. Our main results are as follows.

\\begin{itemize}

\\item The method of separately applying ECCs to each message is essentially optimal: No knowledge-preserving interactive coding scheme can have an error rate of $1/m$, where $m$ is the number of rounds in the original protocol.

\\item If restricting to computationally-bounded (polynomial-time) adversaries, then assuming the existence of one-way functions (resp. subexponentially-hard one-way functions), for every $\\epsilon>0$, there exists a knowledge-preserving interactive coding schemes with constant error rate and information rate $n^{-\\epsilon}$ (resp. $1/\\polylog(n)$) where $n$ is the security parameter; additionally to achieve an error of even $1/m$ requires the existence of one-way functions.

\\item Finally, even if we restrict to computationally-bounded adversaries, knowledge-preserving interactive coding schemes with constant error rate can have an information rate of at most $o(1/\\log n)$. This results applies even to \\emph{non-constructive} interactive coding schemes.

\\end{itemize}

15:17 [Pub][ePrint]

Since Kilian showed in 1988 that oblivious transfer (OT) is complete in the sense that every secure multi-party computation can be realized from this primitive, cryptographers are working on reduction of OT to various other primitives. A long standing open question in this context is the classification of finite stateless 2-party primitives (so-called \"cryptogates\"), i.e. trusted black boxes that can be jointly queried by two parties, have finite input and output alphabets, and do not change behavior depending on time or input history. Over the decades, completeness criteria have been found for deterministic cryptogates (i.e. primitives without internal randomness), noisy channels, and symmetric (i.e., both parties receive the same output) or asymmetric (i.e., only one party receives any output at all) randomized cryptogates. However, the known criteria for randomized primitives other than noisy channels only hold in presence of passive adversaries (i.e., even corrupted parties still follow the protocol).

We complete this line of research by providing simple but comprehensive combinatorial completeness criteria for ALL finite stateless 2-party primitives. I.e., for the first time there are completeness criteria for randomized primitives that are neither symmetric nor asymmetric (but give different outputs to the querying parties), and we overcome the limitation that previous results for randomized primitives with input from BOTH parties only regarded passive adversaries. A fundamental tool of our approach is a powerful lemma from real algebraic geometry, which allows us to base a cryptographic security proof on a rather \"game-theoretic\" approach.

As a corollary of our work, every non-complete example of a finite stateless 2-party primitive is essentially symmetric. This relationship between non-completeness and symmetric output behavior was previously only known for deterministic cryptogates.

15:17 [Pub][ePrint]

We propose here a non asymptotic complexity analysis of

some variants of information set decoding. In particular, we give this

analysis for the two recent variants { published by May, Meurer and

Thomae in 2011 and by Becker, Joux, May and Meurer in 2012 { for

which only an asymptotic analysis was available. The purpose is to

provide a simple and accurate estimate of the complexity to facilitate

the paramater selection for code-based cryptosystems. We implemented

those estimates and give a comparison at the end of the paper.