International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-08-30
12:17 [Pub][ePrint]

The most widely used secure Internet communication standard TLS (Transport Layer Security) has an optional client certificate authentication feature that in theory has significant security advantages over HTML form-based password authentication. In this paper we discuss practical security and usability issues related to TLS client certificate authentication stemming from the server side and browser implementations. In particular we analyze Apache mod_ssl implementation on server side and the most popular browsers - Mozilla Firefox, Google Chrome and Microsoft Internet Explorer on client side. We complement our paper with a case study performed in Estonia where TLS client certificate authentication is widely used. We present our recommendations for TLS implementations on the client and server side to improve the security and usability of TLS client certificate authentication.

12:17 [Pub][ePrint]

In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11-2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities $2^8$ and $2^{40}$, respectively. Finally, the compression function is analyzed and a 7.75 round semi free-start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 49 out of 64 bytes near colliding message pair.

09:17 [Pub][ePrint]

In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool.

09:17 [Pub][ePrint]

We examine the security of the 64-bit lightweight block cipher PRESENT-80 against related-key differential attacks. With a computer search we are able to prove that no related-key differential characteristic exists with probability higher than $2^{-64}$ for the full-round PRESENT-80.

To overcome the exponential (in the state and key sizes) computational complexity we use truncated differences, however as the key schedule is not nibble oriented, we switch to actual differences and apply early abort techniques to prune the tree-based search.

With a new method called extended split approach we are able to make the whole search feasible and we implement and run it in real time.

Our approach targets the PRESENT-80 cipher however, with small modifications can be reused for other lightweight ciphers as well.

09:17 [Pub][ePrint]

White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block-ciphers (DES, AES) have been proposed but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what

{white-box} cryptography really aims to achieve and which security properties are expected from white-box programs in applications. This paper builds a first step towards a practical answer to this question by translating folklore intuitions behind white-box cryptography into concrete security notions. Specifically, we introduce the notion of white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and we capture several desired security properties such as one-wayness, incompressibility and traceability for white-box programs. We also give concrete examples of white-box compilers that already achieve some of these notions. Overall, our results open new perspectives on the design of white-box programs that securely implement symmetric encryption.

09:17 [Pub][ePrint]

A (k; n) threshold secret image sharing scheme, abbreviated as (k; n)-TSISS, splits a secret image into n shadow images in such a way

that any k shadow images can be used to reconstruct the secret image

exactly. In 2002, for (k; n)-TSISS, Thien and Lin reduced the size of each

shadow image to 1/k of the original secret image. Their main technique

is by adopting all coefficients of a (k-1)-degree polynomial to embed the secret pixels. This benet of small shadow size has drawn many researcher\'s attention and their technique has been extensively used in

the following studies. In this paper, we rst show that this technique

is neither information theoretic secure nor computational secure. Furthermore, we point out the security defect of previous (k; n)-TSISSs for

sharing textual images, and then fix up this security defect by adding an

AES encryption process. At last, we prove that this new (k; n)-TSISS is

computational secure.

09:17 [Pub][ePrint]

It is a common wisdom that servers should better store the one-way hash of their clients\' passwords, rather than storing the password in the clear. This paper introduces Catena, a new one-way function for that purpose. Catena is sequentially memory-hard, which hinders massively parallel attacks on cheap memory-constrained hardware, such as recent \"graphical processing units\", GPUs. Furthermore, Catena has been designed to resist cache-timing attacks. This distinguishes Catena from scrypt, which is also sequentially memory-hard, but which we show to be vulnerable to cache-timing attacks. Additionally, Catena supports (1) client-independent updates (the server can increase the security parameters and update the password hash without user interaction or knowing the password), (2) a server relief protocol (saving the server\'s resources at the cost of the client), and (3) a variant Catena-KG for secure key derivation (to securely generate many cryptographic keys of arbitrary lengths such that compromising

some keys does not help to break others).

09:17 [Pub][ePrint]

In June 2013 the U.S. National Security Agency proposed two families of ultra-lightweight block ciphers, called Simon and Speck. In this paper we present the first cryptanalysis of round-reduced versions of Simon. We mount differential distinguishers and key-recovery attacks on up to 14/32, 17/36, 21/44, 26/54, and 32/72 rounds, for the 32-, 48-, 64-, 96-, and 128-bit versions, respectively. Furthermore, we briefly consider impossible-differential and rotational attacks. While our attacks are mostly academic, they demonstrate the drawback of the aggressive optimizations in Simon which allow powerful differential cryptanalysis.

09:17 [Pub][ePrint]

Helper data schemes are a security primitive used for privacy-preserving biometric databases and Physical Unclonable Functions.

One of the oldest known helper data schemes is the Code Offset Method (COM).

We propose an extension of the COM: the helper data is accompanied by many instances of fake helper data that is drawn from the same distribution as the real one.

While the adversary has no way to distinguish between them, the legitimate party has more information and *can* see the difference.

We use an LDPC code in order to improve the efficiency of the legitimate party\'s selection procedure.

Our construction provides a new kind of trade-off: more effective use of the source entropy, at the price of increased helper data storage.

We give a security analysis in terms of Shannon entropy and order-2 Renyi entropy.

09:17 [Pub][ePrint]

We present the first anonymous hierarchical identity based encryption (HIBE) scheme using

Type-3 pairings with adaptive security based on standard assumptions. Previous constructions

of anonymous HIBE schemes did not simultaneously achieve all these features.

The new construction uses dual pairing vector spaces using an identity hash earlier used by Boneh, Boyen and Goh.

The proof of security follows dual system approach based on decisional subspace assumptions

which are implied by Symmetric eXternal Diffie-Hellman (SXDH) assumption in Type-3 pairing groups.

09:17 [Pub][ePrint]

Secure Multiparty Computation (MPC) protocols allow a set of distrusting participants to securely compute a joint function

of their private inputs without revealing anything but the output of the function to each other. In 1991 Ostrovsky

and Yung introduced the \\emph{proactive security model}, where faults spread throughout the network, analogous

to the spread of a virus or a worm. More specifically, in the proactive security model, the adversary is not limited in the number of

parties it can corrupt but rather in the {\\em rate} of corruption with respect to a rebooting\'\' rate. In the same

paper, Ostrovsky and Yung showed that constructing a general purpose MPC protocol in the proactive security model is indeed feasible

when the rate of corruption is a constant fraction of the parties. Their result, however, was shown

only for stand-alone security and incurred a large polynomial communication overhead for each gate of the

computation. In contrast, protocols for classical\'\' MPC models (where the adversary is limited to corrupt in total up to a fixed

fraction of the parties) have seen dramatic progress in reducing communication complexity in recent years.

The question that we consider in this paper is whether continuous improvements of communication overhead in

protocols for the classical\'\' stationary corruptions model in the MPC literature can lead to communication complexity reductions in the

proactive security model as well. It turns out that improving communication complexity of proactive MPC protocols using modern

techniques encounters two fundamental roadblocks due to the nature of the mobile faults model: First, in the

proactive security model there is the inherent impossibility of bulk pre-computation\'\' to generate cryptographic material

that can be slowly consumed during protocol computation in order to amortize communication cost (the adversary can easily

discover pre-computed values if they are not refreshed, and refreshing is expensive); second, there is an apparent need for

double-sharing (which requires high communication overhead) of data in order to achieve proactive security guarantees.

Thus, techniques that were used to speed up classical MPC do not work, and new ideas are needed. That is exactly what we do in this paper: we show

a novel MPC protocol in the proactive security model that can tolerate a $\\frac13-\\epsilon$ (resp. $\\frac12-\\epsilon$) fraction of moving faults, is perfectly (resp. statistically) UC-secure, and

achieves near-linear communication complexity for each step of the computation. Our results match the asymptotic communication complexity of the best known results in the classical\'\' model

of stationary faults \\cite{DIK10}. One of the important building blocks that we introduce is a new near-linear

packed\'\' proactive secret sharing (PPSS) scheme, where the amortized communication and computational cost of maintaining

each individual secret share is just a constant. We believe that our PPSS scheme might be of independent interest.