International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

18:17 [Pub][ePrint] Fault Analysis of Grain Family of Stream Ciphers, by Sandip Karmakar and Dipanwita Roy Chowdhury

  In this paper, we present fault attack on Grain family of stream ciphers, an eStream finalist. The earlier fault attacks on Grain work on LFSR whereas our target for fault induction is the NFSR. Our attack requires a small number of faults to be injected; 150 only for Grain v1 and only 312 and 384 for Grain-128 and Grain-128a, respectively. The number of faults are much lesser than the earlier reported fault attacks; 1587 for Grain-128 and 1831 for Grain-128a.

18:17 [Pub][ePrint] Differential Fault Analysis of MICKEY Family of Stream Ciphers, by Sandip Karmakar and Dipanwita Roy Chowdhury

  This paper presents differential fault analysis of the

MICKEY family of stream ciphers, one of the winners of eStream

project. The current attacks are of the best performance among

all the attacks against MICKEY ciphers reported till date. The

number of faults required with respect to state size is about

1.5 times the state size. We obtain linear equations to determine

state bits. The fault model required is reasonable. The fault model

is further relaxed without reproducing the faults and allowing

multiple bit faults. In this scenario, more faults are required

when reproduction is not allowed whereas, it has been shown

that the number of faults remains same for multiple bit faults.

18:17 [Pub][ePrint] A Generic Scan Attack on Hardware based eStream Winners, by Sandip Karmakar and Dipanwita Roy Chowdhury

  Scan chains, a design for testability (DFT)

feature, are included in most modern-day ICs. But, it

opens a side channel for attacking cryptographic chips.

We propose a methodology by which we can recover

internal states of any stream cipher using scan chains

without knowledge of its design. We consider conven-

tional scan-chain design which is normally not scram-

bled or protected in any other way. In this scenario

the challenge of the adversary is to obtain the corre-

spondence of output of the scan chain and the internal

state registers of the stream cipher. We present a math-

ematical model of the attack and the correspondence

between the scan chain-outputs and the internal state

bits have been proved under this model. We propose an

algorithm that through o-line and on-line simulation

forms bijection between the above mentioned sets and

thus nds the required correspondence. We also give an

estimate of the number of o-line simulations necessary

for nding the correspondence.

The proposed strategy is successfully applied to eS-

tream hardware based nalists MICKEY-128 2.0, Triv-

ium and Grain-128. To the best of our knowledge, this is

the rst scan based attack against full round Grain-128

and only the fourth reported cryptanalysis. This attack

on Trivium is better than that of the published scan-

attack on Trivium. This scan-based attack is also the

rst reported scan based cryptanalysis against MICKEY-

128 2.0.

18:17 [Pub][ePrint] Continuous After-the-fact Leakage-Resilient Key Exchange (full version), by Janaka Alawatugoda and Colin Boyd and Douglas Stebila

  Security models for two-party authenticated key exchange (AKE) protocols have developed over time to provide security even when the adversary learns certain secret keys. In this work, we advance the modelling of AKE protocols by considering more granular, continuous leakage of long-term secrets of protocol participants: the adversary can adaptively request arbitrary leakage of long-term secrets even after the test session is activated, with limits on the amount of leakage per query but no bounds on the total leakage. We present a security model supporting continuous leakage even when the adversary learns certain ephemeral secrets or session keys, and give a generic construction of a two-pass leakage-resilient key exchange protocol that is secure in the model; our protocol achieves continuous, after-the-fact leakage resilience with not much more cost than a previous protocol with only bounded, non-after-the-fact leakage.

18:17 [Pub][ePrint] Dual System Groups and its Applications --- Compact HIBE and More, by Jie Chen and Hoeteck Wee

  We introduce the notion of *dual system groups*.

- We show how to derive compact HIBE by instantiating the dual system framework in Waters (Crypto \'09) and Lewko and Waters (TCC \'10) with dual system groups. Our construction provides a unified treatment of the prior compact HIBE schemes from static assumptions.

- We show how to instantiate dual system groups under the decisional subgroup assumption in composite-order groups and the decisional linear assumption ($d$-LIN) in prime-order groups. Along the way, we provide new tools for simulating properties of composite-order bilinear groups in prime-order groups. In particular, we present new randomization and parameter-hiding techniques in prime-order groups.

Combining the two, we obtain a number of new encryption schemes, notably

- a new construction of IBE in prime-order groups with shorter parameters;

- a new construction of compact HIBE in prime-order

groups whose structure closely mirrors the selectively secure HIBE

scheme of Boneh, Boyen and Goh (Eurocrypt \'05);

- a new construction of compact spatial encryption in prime-order groups.

18:17 [Pub][ePrint] ICEPOLE: High-speed, Hardware-oriented Authenticated Encryption, by Pawel Morawiecki and Kris Gaj and Ekawat Homsirikamol and Krystian Matusiewicz and Josef Pieprzyk and Marcin Rogawski and Marian Sre

  This paper introduces our dedicated authenticated encryption scheme ICEPOLE. ICEPOLE is a high-speed hardware-oriented scheme, suitable for high-throughput network nodes or generally any environment where specialized hardware (such as FPGAs or ASICs) can be used to provide high data processing rates. ICEPOLE-128 (the primary ICEPOLE variant) is very fast. On the modern FPGA device Virtex 6, a basic iterative architecture of ICEPOLE reaches 41 Gbits/s, which is over 10 times faster than the equivalent implementation of AES-128-GCM. The throughput-to-area ratio is also substantially better when compared to AES-128-GCM. We have carefully examined the security of the algorithm through a range of cryptanalytic techniques and our findings indicate that ICEPOLE offers high security level.

15:17 [Pub][ePrint] Introducing Fault Tolerance into Threshold Password-Authenticated Key Exchange, by Ivan Pryvalov and Aniket Kate

  A threshold password-authenticated key exchange (T-PAKE) protocol allows a set of n servers to collectively authenticate a client with a human-memorizable password such that any subset of size greater than a threshold t can authenticate the client, while smaller subsets of servers learn no information about the password. With its protection against offline dictionary attacks, T-PAKE provides a practical solution for an important real-life problem with password authentication. However, the proposed T-PAKE constructions cannot tolerate any misbehavior---not even a crash---by a participating server during a protocol execution; the protocol has to be re-executed until all participating servers behave correctly. This not only presents a fault management challenge for the servers, but more importantly also can leave the clients frustrated.

In this work, we present a novel T-PAKE protocol which solves the above fault management problem by employing a batched and offline phase of distributed key generation (DKG). Our protocol is secure against any malicious behavior from up to any t < n servers under the decisional Diffie-Hellman assumption in the random oracle model, and it ensures protocol completion for t < n/2. Moreover, it is efficient (16n + 7 exponentiations per client, 20n + 14 per server), performs explicit authentication in three communication rounds, and requires a significantly lesser number of broadcast rounds compared to previous secure T-PAKE constructions. We have implemented our protocol, and have verified its efficiency using micro-benchmark experiments. Our experimental results show that the protocol only introduces a computation overhead of few milliseconds at both the client and the server ends, and it is practical for use in real-life authentication scenarios.

15:17 [Pub][ePrint] Fine grain Cross-VM Attacks on Xen and VMware are possible!, by Gorka Irazoqui Apecechea and Mehmet Sinan Inci and Thomas Eisenbarth and Berk Sunar

  This work exposes further vulnerabilities in virtualized cloud servers by mounting Cross-VM cache attacks in Xen and VMware VMs targeting AES running in the victim VM. Even though there exists a rich literature on cache attacks on AES, so far only a single work, demonstrating a working attack on an ARM platform running a L4Re virtualization layer has been published. Here we show that AES in a number popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein\'s correlation attack when run in Xen and VMware (bare metal version) VMs, the most popular VMs used by cloud service providers (CSP) such as Amazon and Rackspace. We also show that the vulnerability persists even if the VMs are placed on different cores in the same machine. The results of this study shows that there is a great security risk to AES and (data encrypted under AES) on popular cloud services.

03:07 [Event][New] ISC '14: Information Security Conference

  Submission: 25 June 2014
Notification: 31 July 2014
From October 12 to October 14
Location: Hong Kong, Hong Kong
More Information:

09:17 [Pub][ePrint] A practical state recovery attack on the stream cipher Sablier v1, by Xiutao FENG and Fan ZHANG

  Sablier is an authenticated encryption cipher submitted to the CAESAR competition, which is composed of the encryption Sablier v1 and the authentication \\textup{Au}. In this work we present a state recovery attack against the encryption Sablier v1 with time complexity about $2^{44}$ operations and data complexity about 24 of 16-bit keywords. Our attack is practical in the workstation. It is noticed that the update of the internal state of Sablier v1 is invertible, thus our attack can further deduce a key recovery attack and a forgery attack against the authenticated encryption Sablier. The result shows that Sablier v1 is far from the goal of its security design (80-bit level).

09:17 [Pub][ePrint] Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme, by Kwangsu Lee and Dong Hoon Lee

  Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any identity string $ID$ can be used for the public key of a user. Although an IBS scheme can be constructed from any PKS scheme by using the certificate paradigm, it is still important to construct an efficient IBS scheme with short signature under the standard assumption without relying on random oracles. Recently, Kwon proposed an IBS scheme and claimed its strong unforgeability under the computational Diffie-Hellman (CDH) assumption. In this paper, we show that the security proof of Kwon is seriously flawed. To show the flaws, we first show that there exists a distinguisher that can distinguish the distribution of simulated signature from that of real signatures. Next, we also show that the simulator of Kwon\'s security argument cannot extract the solution of the CDH assumption even if there exists an adversary that forges the signature. Therefore, the security of the Kwon\'s IBS scheme is not related to the hardness of the CDH assumption.