International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-11-03
19:17 [Pub][ePrint]

RFID tags are getting their presence noticeable on smartphones,

credit cards, toll payment devices, and other objects. They are

expected to become an important tool for e-commerce, logistics,

point-of-sale transactions, and so on, representing things\'\' and

human holding things\'\' in transactions. Since a huge amount of tags are expected to be needed to be attached to various objects,\'\' a low-cost tag manufacturing is necessary. Thus, it is hard to imagine they will implement hardware protection mechanisms (like co-processor, TPMs). Therefore, side-channel (leakage) attacks are a critical threat. Another threat that is well known in the RFID topic is tag tracing and violation of privacy.

In this paper, we consider physically unclonable functions (PUFs) as tamper resilient building block and propose security model with memory leaking adversary, trying to violate security and privacy of tags (we note that PUFs are structure-less and there is a hope they can be put on top of RFID chips more so than TPMs). We then design the first provably secure and provably private RFID authentication protocol withstanding information leakage from the non-volatile memory of the tag, and provides the two properties of: (1) security against impersonation, and (2) privacy protection against tag tracing.

19:17 [Pub][ePrint]

At CHES 2013 was presented a new block cipher called Zorro. Although it uses only 4 S-boxes per round, the designers showed the resistance of the cipher against various attacks, and concluded the cipher has a large security margin. In this paper, we give a key recovery attack on the full cipher in the single-key model that works for $2^{64}$ out of $2^{128}$ keys. Our analysis is based precisely on the fact that the non-linear layer has only 4 S-boxes. We exploit this twice in a two-stage attack: first, we show that Zorro has an equivalent description that does not have constants in the rounds, and then, we launch an internal differential attack on the newly described cipher. With computer verifications we confirm the correctness of the analysis.

Our attack is the first to use internal differentials for block ciphers, thus we adapt Daemen\'s attack on Even-Mansour construction

to the case of internal differentials (instead of differentials), which allows us to recovery to full key.

This work provides as well insights on alternative descriptions of general Zorro-type ciphers (incomplete non-linear layers),

the importance of well chosen constants, and the advantages of Daemen\'s attack.

19:17 [Pub][ePrint]

In this paper we propose a method which will preserve sum-

mary statistics of data organized in a two way table. We have shown that

fully homomorphic encryption is a powerful solution. However it has a

number of disadvantages which makes it impractical. We have proposed

a Restricted homomorphic encryption method which uses Pailier encryp-

tion and order preserving encryption. This new method can be used for

practical purposes owing to it\'s efficiency in terms of both speed and

storage.

19:17 [Pub][ePrint]

We present RASP, a new protocol for privacy-preserving range

search and sort queries on encrypted data in the face of an

untrusted data store. The contribution of RASP over related work

is twofold: first, RASP improves privacy guarantees by ensuring

that after a query for range [a,b] any new record added to the

data store is indistinguishable from random, even if the new

record falls within range [a,b]. Second, RASP is highly

practical, abstaining from expensive asymmetric cryptography and

bilinear pairings. Instead, RASP only relies on hash and block

cipher operations. The main idea of RASP is to build upon a new

update-oblivious bucket-based data structure. We allow for data

to be added to buckets without leaking into which bucket it has

been added. As long as a bucket is not explicitly queried, the

data store does not learn anything about bucket

contents. Furthermore, no information is leaked about data

additions following a query. Besides formally proving RASP\'s

privacy, we also present a practical evaluation of RASP using

Amazon Dynamo.

2013-10-30
09:30 [Job][New]

As an internationally active and highly growth-oriented company in the field of embedded security, ESCRYPT supports all industry segments in need of security solutions for embedded systems, including automotive, industrial control systems, energy, and consumer electronics. In this area, ESCRYPT, a 100-percent subsidiary of ETAS GmbH, a member of the Bosch Group, is a leading system house.

You will be the CEO/General Manager of ESCRYPT Inc., a branch of ESCRYPT with today around 10 people.

The position profile includes:

- Team leader to motivate the ESCRYPT employees

- Familiarity with small technology companies and ability to handle large stake-holders.

- Commercial and sales orientation: ability to drive the business and to manage business development

- Technical background to understand fundamentals of ESCRYPT’s business

PROFESSIONAL REQUIREMENTS

You must have BS Degree in Computer Science, Engineering, or a related technical field, as well as experience in team leadership, sales and business strategy. MS in Computer Science or Engineering, or an MBA is strongly preferred.

PERSONAL REQUIREMENTS

- Willing to work in a flexible team

- Reliability

- Independent and thoughtful

- Pleasant communication skills

WE OFFER

We offer opportunities for working independently and with self-reliance in a dynamic team whose members are highly qualified and internationally experienced. Your work environment will feature challenging and diversified tasks, flat hierarchies, and performance based-compensation in an appealing and open-minded corporate climate. We offer generous benefits.

Send us your full application with key number USA-1310GM by email to jobs (at) escrypt.com. We look forward to hearing from you!

CONTACT

Dr. Thomas Wollinger

tho

2013-10-28
21:17 [Pub][ePrint]

Verifiability is central to building protocols and systems with integrity. Initially, efficient methods employed the Fiat-Shamir

heuristics. Since 2008, the Groth-Sahai techniques have been the most efficient in constructing non-interactive witness indistinguishable and zero-knowledge proofs for algebraic relations. For the important task of proving membership in linear subspaces, Jutla and Roy (Asiacrypt 2013) gave significantly more efficient proofs in the quasi-adaptive setting (QA-NIZK). For membership of the row space of a $t \\times n$ matrix, their QA-NIZK proofs save $O(2t)$ group elements compared to Groth-Sahai. Here, we give QA-NIZK proofs made of a {\\it constant} number group elements -- regardless of the number of equations or the number of variables -- and additionally prove them {\\it unbounded} simulation-sound. Unlike previous unbounded simulation-sound Groth-Sahai-based proofs, our construction does not involve quadratic pairing product equations and does not rely on a chosen-ciphertext-secure encryption scheme. Instead, we build on structure-preserving signatures with homomorphic properties. We apply our methods to design new and improved CCA2-secure encryption schemes. In particular, we build the first efficient threshold CCA-secure keyed-homomorphic encryption scheme ({\\it i.e.}, where homomorphic operations can only be carried out using a dedicated evaluation key) with publicly verifiable ciphertexts.

21:17 [Pub][ePrint]

We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie-Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side- channel resistance. The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^{127}-1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.

21:17 [Pub][ePrint]

Secure communication is a fundamental cryptographic primitive. Typically, security is achieved by relying on an existing credential infrastructure, such as a PKI or passwords, for identifying the end points to each other. But what can be obtained when no such credential infrastructure is available?

Clearly, when there is no pre-existing credential infrastructure, an adversary can mount successful man in the middle\'\' attacks by modifying the communication between the legitimate endpoints. Still, we show that not all is lost, as long as the adversary\'s control over the communication is not complete: We present relatively efficient key exchange and secure session protocols that provide the full guarantee of secure communication as long as the adversary fails to intercept even a single message between the legitimate endpoints.

To obtain this guarantee we strengthen the notion of key exchange to require that the keys exchanged in any two sessions are independent of each other as long as each session has at least one honest endpoint, even if both sessions has an adversarial endpoint. We call this notion credential-free key exchange. We then strengthen the existing notion of secure session protocols to provide the above guarantee given a CFKE (existing definitions and constructions are insufficient for this purpose). We provide two alternative definitions and constructions of CFKE, a game-based one with a construction in the RO model, and a UC one with a construction in the CRS model.

21:17 [Pub][ePrint]

Oblivious RAM (ORAM) has recently attracted a lot of interest since

it can be used to protect the privacy of data user\'s data access pattern from (honest but curious) outsourced storage. This is

best known multi-server ORAM scheme, our write-only ORAM schemes have lower (typically one order lower) communication cost, or achieve the same communication cost with the same client-side storage usage in single-server setting. (ii) the data owner\'s personal use: Our write-only ORAM schemes combined with PIR can be used as building blocks for some existing full functional ORAM schemes. This leads to the reduction of the communication costs for two full-functional ORAM schemes by the factors of $O(\\log N)$ and $O(\\sqrt{\\log N}\\times \\log\\log N)$, where $N$ is the maximum data item count. One of these resulting schemes has a communication cost of $O(l)$, where $l$ is data item length. This is typically one order lower than the previous best known ORAM scheme\'s cost, which is $O(\\log N \\times l)$. The other resulting scheme also achieves $O(\\log N \\times l)$ communication cost, but its client-side storage usage is several orders lower than the best known single-server ORAM\'s.

21:17 [Pub][ePrint]

This paper introduces a dedicated authenticated encryption algorithm AEGIS; AEGIS allows for the protection of associated data which makes it very suitable for protecting network packets. AEGIS-128L uses eight AES round functions to process a 32-byte message block (one step). AEGIS-128 uses five AES round functions to process a 16-byte message block (one step); AES-256 uses six AES round functions. The security analysis shows that these algorithms offer a high level of security. On the Intel Sandy Bridge Core i5 processor, the speed of AEGIS-128L, AEGIS-128 and AEGIS-256 is around 0.48, 0.66 and 0.7 clock cycles/byte (cpb) for 4096-byte messages, respectively. This is substantially faster than the AES CCM, GCM and OCB modes.

21:17 [Pub][ePrint]

It has become much easier to crack a password

hash with the advancements in the graphicalprocessing

unit (GPU) technology. An adversary can

recover a user\'s password using brute-force attack on

no server can detect any illegitimate user authentication

(if there is no extra mechanism used).

In this context, recently, Juels and Rivest published a

paper for improving the security of hashed passwords.

Roughly speaking, they propose an approach for user

authentication, in which some false passwords, i.e., \"honeywords\"

detect impersonation. Their solution includes an auxiliary

secure server called \"honeychecker\" which can distinguish

a user\'s real password among her honeywords and immediately

sets off an alarm whenever a honeyword is used.

In this paper, we analyze the security of the proposal and

provide some possible improvements which are easy to

implement