International Association for Cryptologic Research

# IACR News Central


2013-06-10
21:17 [Pub][ePrint]

In this paper, we present a new class of public key cryptosystem based on Reed-Solomon codes, a member of the code-based PKC (CBPKC), referred to as K(XII)SE(1)PKC. We show that K(XII)SE(1)PKC can be secure against the various attacks. In particular, we present a member of K(XII)SE(1)PKC constructed from the Reed-Solomon code over the extension field , which is extensively used in present-day storage systems and in various digital transmission systems. In sharp contrast with the conventional CBPKC that uses Goppa codes, the security of K(XII)SE(1)PKC does not rely on keeping secret the primitive polynomial that generates the Reed-Solomon code. The probabilistic scheme presented in this paper would yield a brand-new technique in the field of CBPKC.

21:17 [Pub][ePrint]

This work attempts to clarify to what extent simulation-based security (SIM-security) is achievable for functional encryption (FE) and its relation to the weaker indistinguishability-based security (IND-security). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by circuit-FE) meeting indistinguishability-based security (IND-security) to a circuit-FE scheme meeting SIM-security, where:

• In the random oracle model, the resulting scheme is secure for an unbounded number of encryption and key queries, which is the strongest security level one can ask for.

• In the standard model, the resulting scheme is secure for a bounded number of encryption and non-adaptive key queries, but an *unbounded* number of adaptive key queries. This matches known impossibility results and improves upon Gorbunov et al. [CRYPTO'12] (which is secure for a *bounded* number of adaptive key queries).

Our compiler is inspired by the celebrated Fiat-Lapidot-Shamir paradigm [FOCS'90] for obtaining zero-knowledge proof systems from witness-indistinguishable proof systems.

As it is currently unknown whether circuit-FE meeting IND-security exists, the purpose of this result is to establish that it remains a good target for future research despite known deficiencies of IND-security [Boneh et al. -- TCC'11, O'Neill -- ePrint '10].

We also give a tailored construction of SIM-secure hidden vector encryption (HVE) in composite-order bilinear groups.

Finally, we revisit the known negative results for SIM-secure FE, extending them to natural weakenings of the security definition and thus providing essentially a full picture of the (in)achievability of SIM-secure FE.

21:17 [Pub][ePrint]

The extended Canetti-Krawczyk (eCK) security models are widely used to provide security arguments for authenticated key exchange (AKE) protocols; they capture leakage of various kinds of secret information, such as the long-term private key and session-specific secret state. In this paper, we study the open problem of constructing an eCK-secure AKE protocol without random oracles and without the NAXOS-like trick. First, a generic construction GC-KKN satisfying these requirements is given, relying on standard cryptographic primitives and following the guideline of efficiency. Second, a concrete protocol is proposed, which is the first eCK-secure protocol in the standard model under both standard assumptions and the post-specified peer setting. Both proposed schemes can be implemented more efficiently with a secure device than previous eCK-secure protocols in the standard model, where the secure device would normally be used to store the long-term private key and to implement the parts of the protocol that must be resilient to state leakage.

21:17 [Pub][ePrint]

While the symmetric-key cryptography community now has good experience in how to build a secure and efficient fixed permutation, it remains an open problem how to design a key schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account, since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related keys. We use a variant of Dijkstra's algorithm to efficiently find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds.

21:17 [Pub][ePrint]

TLS is the most important cryptographic protocol on the Internet. At CRYPTO 2012, Jager et al. presented the first proof of unmodified TLS with ephemeral Diffie-Hellman key exchange (TLS-DHE) for mutual authentication. Since TLS cannot be proven secure under the classical definition of authenticated key exchange (AKE), they introduced a new security model called authenticated and confidential channel establishment (ACCE) that captures the security properties expected from TLS in practice. We extend this result in two ways. First, we show that the cryptographic cores of the remaining ciphersuites, RSA encrypted key transport (TLS-RSA) and static Diffie-Hellman (TLS-DH), can be proven secure for mutual authentication in an extended ACCE model that also allows the adversary to register new public keys. In our security analysis we show that if TLS-RSA is instantiated with a CCA-secure public key cryptosystem and TLS-DH is used in scenarios where a) the knowledge-of-secret-key assumption holds or b) the adversary may not register new public keys at all, both ciphersuites can be proven secure in the standard model under standard security assumptions. Next, we present new and strong definitions of ACCE (and AKE) for server-only authentication which fit well into the general framework of Bellare-Rogaway-style models. We show that all three ciphersuite families remain secure in this server-only setting. Our work identifies which primitives need to be exchanged in the TLS handshake to obtain strong security results under standard security assumptions (in the standard model) and may thus help to guide future revisions of the TLS standard and make improvements to TLS's extensibility pay off.

21:17 [Pub][ePrint]

Xoring two permutations is a very simple way to construct pseudorandom functions from pseudorandom permutations. In [P08a], it is proved that we have security against CPA-2 attacks when $m \ll O(2^n)$, where $m$ is the number of queries and $n$ is the number of bits of the inputs and outputs of the bijections. In this paper, we will obtain similar (but slightly different) results by using the "standard H technique" instead of the "$H_{\sigma}$ technique". It will be interesting to compare the two techniques, their similarities and the differences between the proofs and the results.

20:44 [PhD][New]

Name: Martin M. Lauridsen
Topic: Lightweight Cryptography
Category: secret-key cryptography

20:43 [PhD][New]

Name: Hao Chen

20:42 [PhD][New]

Name: Christian Rechberger

18:55 [Job][New]

PhD and Post-doc Positions in Computer Security

The University of Luxembourg, in collaboration with the Luxembourg Government (CTIE), will start a new research project “Supporting e-Democracy”, for which we have two PhD candidate positions and one Research Associate (post-doc) position available. The positions are within the APSIA (Applied Security and Information Assurance) research group (http://wwwen.uni.lu/snt/research/apsia) led by Prof. Dr. P.Y. Ryan.

The successful candidates will be working in an exciting, international and multicultural environment in the heart of Europe.

Project Description

The successful candidates will be working within the research project “Supporting e-Democracy”, a collaboration between the University of Luxembourg and the Luxembourg Government (CTIE).

The research will focus on (a) design and security analysis of accurate and robust communication systems in specific electoral systems, (b) design of reliable and secure computer-assisted counting of paper ballots, and (c) design and analysis of verifiable, computer-assisted voting systems and a broader e-democracy platform.

Candidate Profile

The candidates are expected to have:

• A previous degree in computer science or related subject;

• A proven (theoretical and practical) interest in security;

• Knowledge of Network and System security;

• Fluent written and oral English skills.

Applications

The candidates must apply online at the following addresses:

PhD positions (open until July 31st, 2013): http://recruitment.uni.lu/en/details.html?id=QMUFK026203F3VBQB7V7VV4S8&nPostingID=2253&nPostingTargetID=2935&mask=karriereseiten&lg=UK

Research Associate position (open until June 20th, 2013): http://recruitment.uni.lu/en/details.html?id=QMUFK026203F3VBQB7V7VV4S8&nPostingID=2254&nPostingTargetID=2893&mask=karriereseiten&lg=UK

Preneel et al. (Crypto 1993) assessed 64 possible ways to construct a compression function out of a blockcipher. They conjectured that 12 out of these 64 so-called PGV constructions achieve optimal security bounds for collision resistance and preimage resistance. This was proven by Black et al. (Journal of Cryptology, 2010), if one assumes that the blockcipher is ideal. This result, however, does not apply to "non-ideal" blockciphers such as AES. To alleviate this problem, we revisit the PGV constructions in light of the recently proposed idea of random-oracle reducibility (Baecher and Fischlin, Crypto 2011). We say that the blockcipher in one of the 12 secure PGV constructions reduces to the one in another construction, if *any* secure instantiation of the cipher, ideal or not, for one construction also makes the other secure. This notion allows us to relate the underlying assumptions on blockciphers in different constructions, and show that the requirements on the blockcipher for one case are not more demanding than those for the other. It turns out that this approach divides the 12 secure constructions into two groups of equal size, where within each group a blockcipher making one construction secure also makes all others secure. Across the groups this is provably not the case, showing that the sets of "good" blockciphers for each group are qualitatively distinct. We also relate the ideal ciphers in the PGV constructions with those in double-block-length hash functions such as Tandem-DM, Abreast-DM, and Hirose-DM. Here, our results show that, besides achieving better bounds, the double-block-length hash functions rely on weaker assumptions on the blockciphers to achieve collision and everywhere preimage resistance.