International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-12-29
13:17 [Pub][ePrint]

Profiling power attacks like Template attack and Stochastic attack optimizes their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling DPA attacks, since integration of the leakage of a higher Signal-to-Noise Ratio (SNR) sample point with the leakages of lower SNR sample points might result in a decrease in the overall performance. We study the issue of optimally combining the leakages of multiple sample points using a linear function in great details. In this work, our contributions are three-fold: 1) we first derive a relation between the success rate of a CPA attack and the SNR of the power traces, 2) we introduce a multivariate leakage model for Virtex-5 FPGA device, and 3) using the proposed multivariate leakage model, we derive the linear Finite Impulse Response (FIR) filter coefficients which maximizes the SNR of the output leakage, thus optimizes the success rate of the CPA attacks in a non-profiling setup.

13:17 [Pub][ePrint]

In this paper we propose an efficient and compact hardware implementation of a polynomial multiplier based on the Fast Fourier Transform (FFT) for use in ring-LWE cryptosystems. We optimize the forward wrapped convolution by merging the pre-processing and the FFT and propose an advanced memory access scheme which reduces the number

of memory accesses and the number of RAM slices used in the design.

These techniques result in a hardware implementation of a polynomial multiplier for the ring-LWE cryptosystem of dimension 256 that uses only 281 slices and one block RAM on a Virtex V.

Finally, we also propose a modification of a ring-LWE encryption system

that reduces the number of FTT operations from five to four resulting

in a near 20% speed-up.

13:17 [Pub][ePrint]

In this paper, we propose a new lightweight hash function

supporting three different digest sizes: 80, 96 and 128 bits,

providing preimage security from 64 to 120 bits, second preimage

and collision security from 40 to 60 bits. LHash requires about

817 GE and 1028 GE with a serialized implementation. In faster

implementations based on function $T$, LHash requires 989 GE and

1200 GE with 54 and 72 cycles per block, respectively.

Furthermore, its energy consumption evaluated by energy per bit is

also remarkable. LHash allows to make trade-offs among security,

speed, energy consumption and implementation costs by adjusting

parameters. The design of LHash employs a kind of Feistel-PG structure in

the internal permutation, and this structure can

utilize permutation layers on

nibbles to improve the diffusion speed. The adaptability of LHash

in different environments is good, since different versions of

LHash share the same basic computing module. The low-area

implementation comes from the hardware-friendly S-box and linear

diffusion layer. We evaluate the resistance of LHash against known

attacks and confirm that LHash provides a good security margin.

13:17 [Pub][ePrint]

A widespread security claim of the Bitcoin system, presented in the original Bitcoin whitepaper, states that the security of the system is guaranteed as long as there is no attacker in possession of half or more of the total computational power used to maintain the system. This claim, however, is proved based on theoretically flawed assumptions.

In the paper we analyze two kinds of attacks based on two theoretical flaws: the Block Discarding Attack and the Difficulty Raising Attack. We argue that the current theoretical limit of attacker\'s fraction of total computational power essential for the security of the system is in a sense not $\\frac{1}{2}$ but a bit less than $\\frac{1}{4}$, and outline proposals for protocol change that can raise this limit to be as close to $\\frac{1}{2}$ as we want.

The basic idea of the Block Discarding Attack has been noted as early as 2010, and lately was independently though-of and analyzed by both author of this paper and authors of a most recently pre-print published paper. We thus focus on the major differences of our analysis, and try to explain the unfortunate surprising coincidence. To the best of our knowledge, the second attack is presented here for the first time.

13:17 [Pub][ePrint]

Consider a joint distribution $(X,A)$ on a set ${\\cal X}\\times\\{0,1\\}^\\ell$. We show that for any family ${\\cal F}$ of distinguishers $f \\colon {\\cal X} \\times \\{0,1\\}^\\ell \\rightarrow \\{0,1\\}$, there exists a simulator $h \\colon {\\cal X} \\rightarrow \\{0,1\\}^\\ell$ such that

\\begin{enumerate}

\\item no function in ${\\cal F}$ can distinguish $(X,A)$ from $(X,h(X))$ with advantage $\\epsilon$,

\\item $h$ is only $O(2^{3\\ell}\\epsilon^{-2})$ times less efficient than the functions in ${\\cal F}$.

\\end{enumerate}

For the most interesting settings of the parameters (in particular, the cryptographic case where $X$ has superlogarithmic min-entropy, $\\epsilon > 0$ is negligible and ${\\cal F}$ consists of circuits of polynomial size), we can make the simulator $h$ \\emph{deterministic}.

As an illustrative application of this theorem, we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt\'09. Our proof is simpler and quantitatively much better than the original proof using the dense model theorem, giving meaningful security guarantees if instantiated with a standard blockcipher like AES.

Subsequent to this work, Chung, Lui and Pass gave an interactive variant of our main theorem, and used it to investigate weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version of our theorem using their new uniform min-max theorem.

13:17 [Pub][ePrint]

This paper is devoted to the characterization of hyper-bent functions.

Several classes of hyper-bent functions have been studied, such as

Charpin and Gong\'s $\\sum\\limits_{r\\in R}\\mathrm{Tr}_{1}^{n} (a_{r}x^{r(2^m-1)})$ and Mesnager\'s $\\sum\\limits_{r\\in R}\\mathrm{Tr}_{1}^{n}(a_{r}x^{r(2^m-1)}) +\\mathrm{Tr}_{1}^{2}(bx^{\\frac{2^n-1}{3}})$, where $R$ is a set of representations of the cyclotomic

cosets modulo $2^m+1$ of full size $n$ and $a_{r}\\in \\mathbb{F}_{2^m}$.

In this paper, we generalize their results and consider a class of Boolean functions of the form $\\sum_{r\\in R}\\sum_{i=0}^{2}Tr^n_1(a_{r,i}x^{r(2^m-1)+\\frac{2^n-1}{3}i}) +Tr^2_1(bx^{\\frac{2^n-1}{3}})$, where $n=2m$, $m$ is odd, $b\\in\\mathbb{F}_4$, and $a_{r,i}\\in \\mathbb{F}_{2^n}$.

With the restriction of $a_{r,i}\\in \\mathbb{F}_{2^m}$, we present the characterization of hyper-bentness of these functions with character sums. Further, we reformulate this characterization in terms of the number of points on

hyper-elliptic curves. For some special cases, with the help of Kloosterman sums and cubic sums, we determine the characterization for some hyper-bent functions including functions with four, six and ten traces terms. Evaluations of Kloosterman sums at three general points are used in the characterization. Actually, our results can generalized to the general

case: $a_{r,i}\\in \\mathbb{F}_{2^n}$. And we explain this for characterizing binomial, trinomial and quadrinomial hyper-bent functions.

13:17 [Pub][ePrint]

The most widely accepted models in the security proofs of Authenticated Key Exchange protocols are the Canetti-Krawczyk model and the extended Canetti-Krawczyk model. They are shown to be incomparable due to the subtleties that they admit different adversarial queries and the definitions of the queries are not specific and strict enough to allow a rigorous comparison be made. Concerning the security of one-round implicitly authenticated Diffie-Hellman key exchange protocols, we present a stronger security model that characterizes specific adversarial capabilities and encompass the Ephemeral Key Reveal and the Session-State Reveal simultaneously. To demonstrate the usability of our model, a new protocol based on the OAKE protocol is proposed, which satisfies the presented stronger security notion and at the same time attains high efficiency as the OAKE protocol. The protocol is proven secure in random oracle model under the gap Diffie-Hellman assumption.

13:17 [Pub][ePrint]

In Eurocrypt\'98, Blaze et al. introduced the concept of proxy re-encryption (PRE). It allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one which

can be decrypted by Bob, without the proxy knowing the corresponding plaintext. PRE has found many applications, such as in encrypted e-mail forwarding[8], distributed secure file systems[1,2], multicast[10] cloud computation etc. However, all the PRE schemes until now require the delegator (or the delegator and the delegatee cooperatively) to generate the re-encryption keys. We observe

that this is not the only way to generate the re-encryption keys, the encrypter also has the ability to generate re-encryption keys. Based on this observation, we introduce a new primitive: PRE^{+},

which is almost the same as the traditional PRE except the re-encryption keys generated by the encrypter. Interestingly, this PRE^{+} can be viewed as the dual of the traditional PRE. Compared

with PRE, PRE can easily achieve the non-transferable property and message-level based fine-grained delegation, while these two properties are very desirable in practical applications. We first

categorize PRE^{+} as the single-hop and multi-hop variant and discuss its potential applications, then we give the definition and security model for the single-hop PRE^{+}, construct a concrete scheme and

prove its security. Finally we conclude our paper with many interesting open problems.

13:17 [Pub][ePrint]

We show how to extract an arbitrary polynomial number of simultaneously hardcore bits from any one-way function. Our construction is based on differing-input obfuscation.

13:17 [Pub][ePrint]

We provide a general construction of a rational secret-sharing

protocol in which the secret can be reconstructed in expected three rounds.

Our construction converts any rational secret-sharing protocol

to a protocol with an expected three-round reconstruction in a black-box manner.

Our construction works in synchronous but non-simultaneous channels,

and preserves a strict Nash equilibrium of the original protocol.

Combining with an existing protocol,

we obtain a rational secret-sharing protocol

that achieves a strict Nash equilibrium with the optimal coalition resilience

of $\\ceil{\\frac{n}{2}}-1$ for expected constant-round protocols,

where $n$ is the number of players.

Although the coalition resilience of $\\ceil{\\frac{n}{2}}-1$ is shown to be optimal

as long as we consider constant-round protocols,

we circumvent this limitation by considering players

who do not prefer to reconstruct \\emph{fake} secrets.

By assuming such players,

we construct an expected constant-round protocol that achieves a strict Nash equilibrium

with coalition resilience of $n-1$.

We also extend our construction to a protocol that preserves \\emph{immunity}

to unexpectedly behaving (or malicious) players.

Then we obtain a protocol that achieves a Nash equilibrium

with coalition resilience of $\\ceil{\\frac{n}{2}}-t-1$

in the presence of $t$ unexpectedly behaving players for any constant $t \\geq 1$.

The same protocol also achieves a strict Nash equilibrium in the absence of malicious players.

2013-12-27
13:37 [Job][New]

Coding and Cryptography Group at the University of Tartu, Estonia, is looking for a research fellow for a project on design and decoding of LDPC codes. The ideal candidate will have strength in one or more of the following areas:

• LDPC codes and iterative decoding algorithms

• Optimization methods applied to error correction

• Mathematical foundations of coding theory

• Any area related to coding theory

The project is a collaboration with the University of Bergen, Norway, and the University of Valladolid, Spain. Salary is at least 2000 euro per month before taxes plus social benefits, depending on qualification and experience. Some travel money will also be provided. Cost of living in Estonia is quite low, see e.g. http://www.expatistan.com/cost-of-living. Employment contract is for two years.

A successful candidate should:

• Hold a Ph.D. degree

• Have a strong background in coding theory or a related field

• Have an international publication record at outstanding venues

To apply, please submit the following documents (by email):

• Application letter

• Research statement

• Curriculum vitae

• Publication list