International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-02-11
09:02 [Job][Update]

We are looking for an excellent PhD candidate to work in the area of information and communication security with a focus on authentication problems in constrained settings. This is particularly important for applications involving mobile phones, wireless communication and RFID systems, which suffer from restrictions in terms of power resources, network connectivity, computational capabilities, as well as potential privacy issues. The overall aim of the project will be to develop nearly optimal algorithms for achieving security and privacy while minimising resource use.

More concretely, part of the research will involve the analysis and development of authentication protocols in specific settings. This will include investigating resistance of both existing and novel protocols against different types of attacks, theoretically and experimentally. In addition to investigating established settings, such as RFID authentication, the research will also explore more general authentication problems, such as those that arise in the context of trust in social networks, smartphone applications and collaborative data processing. This will be done by grounding the work in a generalised decision-making framework. The project should result in the development of theory and authentication mechanisms for noisy, constrained settings that strike an optimal balance between reliable authentication, privacy-preservation and resource consumption. Some previous research related to this research project can be found here: http://lasecwww.epfl.ch/~katerina/Publications.html

Applicants for the position shall have a Master’s Degree or corresponding in Computer Science, Informatics, Telecommunications or in a related discipline. A master\\\'s degree in information security or cryptography is a bonus.

2014-02-10
16:17 [Pub][ePrint]

We consider secret key agreement by multiple parties observing correlated data and communicating interactively over an insecure communication channel. Our main contribution is a single-shot upper bound on the length of the secret keys that can be generated, without making any assumptions on the distribution of the underlying data. Heuristically, we bound the secret key length in terms of how far\" is the joint distribution of the initial observations of the parties and the eavesdropper from a distribution that renders the observations of the parties conditionally independent across some partition, when conditioned on the eavesdropper\'s side information.

The closeness of the two distributions is measured in terms of the exponent of the probability of error of type II for a binary hypothesis testing problem, thus bringing out a structural connection between secret key agreement and binary hypothesis testing. When the underlying data consists of an independent and identically distributed sequence, an application of our bound recovers several known upper bounds for the asymptotic rate of a secret key that can be generated, without requiring the agreement error probability or the security index to vanish to 0 asymptotically.

Also, we consider the following problem of secure function computation with trusted parties: Multiple parties observing correlated data seek to compute a function of their collective data. To this end, they communicate interactively over an insecure communication channel. It is required that the value of the function be concealed from an eavesdropper with access to the communication. When is such a secure computation of a given function feasible? Using the aforementioned upper bound, we derive a necessary condition for the existence of a communication protocol that allows the parties to reliably recover the value of a given function, while keeping this value concealed from an eavesdropper with access to (only) the communication.

16:17 [Pub][ePrint]

PRINCE is a lightweight block cipher proposed by Borghoff et al. at Asiacrypt 2012. Due to its originality, novel design and low number of rounds, it has already attracted the attention of a large number of

cryptanalysts. Several results on reduced versions have been published

to date; the best one is an attack on 8 rounds out of the total number

of 12. In this paper we improve this result by two rounds: we provide

an attack on 10 rounds of the cipher with a data complexity of $2^{57.94}$ and a time complexity of $2^{60.62}$, corresponding to 118.56 security bits, instead of 126 for the generic attacks. Our attack uses multiple differentials and exploits some properties of PRINCE for recovering the whole key. PRINCE is defined as a member of a family of ciphers, differing by the choice of an Sbox among a distinguished set. We also show that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which our attack can be extended up to 11 rounds with a data complexity of $2^{59.81}$ and a time complexity of $2^{62.43}$.

16:17 [Pub][ePrint]

Due to the recent emergence of resource-constrained devices, cryptographers are facing the problem of designing dedicated lightweight ciphers. KLEIN is one of the resulting primitives, proposed at RFIDSec in 2011 by Gong et al. This family of software-oriented block ciphers has an innovative structure, as it combines 4-bit Sboxes with the AES MixColumn transformation, and has woken up the attention of cryptanalysts. Several security analyses have been published, in particular on the 64-bit key version. The best of these results could attack up to 8 rounds out of the total number of 12. In this paper we propose a new family of attacks that can cryptanalyze for the first time all the 12 rounds of the complete version of KLEIN-64. Our attacks use truncated differential paths and are based both on some of the notions developed in previous attacks and on our new ideas that allow to considerably improve the performance. To prove the validity of our attacks, we have implemented reduced-round versions of them. In particular we were able to reproduce a practical attack that recovers the whole key on 10 rounds, which also corresponds to the best practical attack against KLEIN-64.

16:17 [Pub][ePrint]

In this paper, we investigate matrices acting on finite commutative groups and rings; in fact, we study modules on ring of matrices over Z_N and also modules over the ring (F_2^t,\\oplus,\\land); these new algebraic constructions are a generalization of some of the constructions which were previously presented by the authors of this paper. We present new linearized and nonlinear MDS diffusion layers, based on this mathematical investigation. Then, we study some types of nonlinear number generators over Z_(2^n ) and we present a lower bound on the period of these new nonlinear number generators. As a consequence, we present nonlinear recurrent sequences over Z_(2^n ) with periods which are multiples of the period of the corresponding

sigma-LFSR\'s.

16:17 [Pub][ePrint]

In this paper, we present a new type of PKC, system-oriented PKC,referred to as K(I)SOPKC that can be well adapted to a secure and a high speed communication between various systems and organizations of the present day network society.

K(I)SOPKC is constructed on the basis of K(XIV)SE(1)PKC, a modified version of K(XII)SE(1)PKC, K(XIII)SE(1)PKC and ${\\rm K_p(XIII)SE(1)PKC}$.

16:17 [Pub][ePrint]

It is well known that the classical three- and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004).

Additionally we formalize Luck\'s transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.

16:17 [Pub][ePrint]

\\emph{Bootstrapping} is a technique, originally due to Gentry (STOC

2009), for refreshing\'\' ciphertexts of a somewhat homomorphic

encryption scheme so that they can support further homomorphic

operations. To date, bootstrapping remains the only known way of

obtaining fully homomorphic encryption for arbitrary unbounded

computations.

Over the past few years, several works have dramatically improved the

efficiency of bootstrapping and the hardness assumptions needed to

implement it. Recently, Brakerski and Vaikuntanathan~(ITCS~2014)

reached the major milestone of a bootstrapping algorithm based on

Learning With Errors for \\emph{polynomial} approximation factors.

Their method uses the Gentry-Sahai-Waters~(GSW)

cryptosystem~(CRYPTO~2013) in conjunction with Barrington\'s circuit

sequentialization\'\' theorem~(STOC~1986). This approach, however,

results in \\emph{very large} polynomial runtimes and approximation

factors. (The approximation factors can be improved, but at even

greater costs in runtime and space.)

In this work we give a new bootstrapping algorithm whose runtime and

associated approximation factor are both \\emph{small} polynomials.

Unlike most previous methods, ours implements an elementary and

efficient \\emph{arithmetic} procedure, thereby avoiding the

inefficiencies inherent to the use of boolean circuits and

Barrington\'s Theorem. For $2^{\\lambda}$ security under conventional

lattice assumptions, our method requires only a \\emph{quasi-linear}

$\\Otil(\\lambda)$ number of homomorphic operations on GSW ciphertexts,

which is optimal (up to polylogarithmic factors) for schemes that

encrypt just one bit per ciphertext. As a contribution of independent

interest, we also give a technically simpler variant of the GSW system

and a tighter error analysis for its homomorphic operations.

2014-02-07
16:17 [Pub][ePrint]

In this paper, we propose a new lightweight block cipher named RECT-

ANGLE. The main idea of the design of RECTANGLE is to allow lightweight

and fast implementations using bit-slice techniques. RECTANGLE uses an SP-

network. The substitution layer consists of 16 4×4 S-boxes in parallel. The per-

mutation layer is composed of 3 rotations. As shown in this paper, RECTAN-

GLE offers great performance in both hardware and software environment, which

proves enough flexibility for different application scenario. The following are 3

main advantages of RECTANGLE. First, RECTANGLE is extremely hardware-

friendly. For the 80-bit key version, a one-cycle-per-round parallel implementa-

tion only needs 1467 gates for a throughput of 246 Kbits/sec at 100KHz clock

and an energy efficiency of 1.11 pJ/bit. Second, RECTANGLE achieves a very

competitive software speed among the existing lightweight block ciphers due to

its bit-slice style. Using 128-bit SSE instructions, a bit-slice implementation of

RECTANGLE reaches an average encryption speed of about 5.38 cycles/byte for

messages around 1000 bytes. Last but not least. We propose new design criteria

for 4×4 S-boxes. RECTANGLE uses such a new type of S-box. Due to our care-

ful selection of the S-box and the asymmetric design of the permutation layer,

RECTANGLE achieves a very good security-performance tradeoff. Our exten-

sive and deep security analysis finds distinguishers for up to 14 rounds only, and

the highest number of rounds that we can attack, is 18 (out of 25).

16:17 [Pub][ePrint]

Diffusion layers, and specially perfect diffusion layers, are very important subject for cryptographic research. Main quest is a perfect diffusion layer with more optimal hardware and/or software implementations (if possible, the last needs to holds also for its inverse). Different structures can be used for representing these layers, but all are interconnected. We start with multipermutations as a tools for obtaining perfect diffusion, and we summarize the interconnections between them, MDS codes, Latin squares and quasigroups, orthogonal arrays and $m$-arcs. We give a new construction of perfect recursive diffusion layer from $r$-recursive MDS codes, or recursively $r$-differentiable quasigroups.

16:17 [Pub][ePrint]

In a mobile environment, a number of users act as a network nodes and communicate with one another to acquire location based information and services. This emerging paradigm has opened up new business opportunities and enables numerous applications such as road safety enhancement, service recommendations and mobile entertainment. A fundamental issue that impacts the success of these applications is the security and privacy concerns raised regarding the mobile users. In that, a malicious user or service provider can track the locations of a user traveled so that other malicious act can be carried out more effectively against the user. Therefore, the challenge becomes how to authenticate mobile users while preserving their actual identity and location privacy. In this work, we propose a novel randomized or privacy-preserving authentication protocol based on homomorphic encryption. The protocol allows individual users to self generate any number of authenticated identities to achieve full anonymity in mobile environment. The proposed protocol prevents users being tracked by any single party including peer users, service providers, authentication servers, and other infrastructure. Meanwhile, our protocol also provides traceability in case of any dispute. We have conducted experimental study which demonstrates

the efficiency of our protocol. Another advantage of the proposed protocol is lightweight computation and storage requirement, particularly suitable for any mobile devices with limited computation power and storage space.