MICKEY family of stream ciphers, one of the winners of the eStream project. The current attacks are the best-performing among all the attacks against MICKEY ciphers reported to date. The number of faults required is about 1.5 times the state size. We obtain linear equations to determine the state bits. The fault model required is reasonable. The fault model is further relaxed by not reproducing faults and by allowing multiple-bit faults. In this scenario, more faults are required when reproduction is not allowed, whereas it has been shown that the number of faults remains the same for multiple-bit faults.
feature, are included in most modern-day ICs. But it opens a side channel for attacking cryptographic chips. We propose a methodology by which we can recover the internal state of any stream cipher using scan chains without knowledge of its design. We consider conventional scan-chain design, which is normally not scrambled or protected in any other way. In this scenario the challenge for the adversary is to obtain the correspondence between the output of the scan chain and the internal state registers of the stream cipher. We present a mathematical model of the attack, and the correspondence between the scan-chain outputs and the internal state bits has been proved under this model. We propose an algorithm that, through off-line and on-line simulation, forms a bijection between the above-mentioned sets and thus finds the required correspondence. We also give an estimate of the number of off-line simulations necessary for finding the correspondence.

The proposed strategy is successfully applied to the eStream hardware-based finalists MICKEY-128 2.0, Trivium and Grain-128. To the best of our knowledge, this is the first scan-based attack against full-round Grain-128 and only the fourth reported cryptanalysis. This attack on Trivium is better than the published scan attack on Trivium. This scan-based attack is also the first reported scan-based cryptanalysis against MICKEY-
- We show how to derive compact HIBE by instantiating the dual system framework in Waters (Crypto '09) and Lewko and Waters (TCC '10) with dual system groups. Our construction provides a unified treatment of the prior compact HIBE schemes from static assumptions.
- We show how to instantiate dual system groups under the decisional subgroup assumption in composite-order groups and the decisional linear assumption ($d$-LIN) in prime-order groups. Along the way, we provide new tools for simulating properties of composite-order bilinear groups in prime-order groups. In particular, we present new randomization and parameter-hiding techniques in prime-order groups.

Combining the two, we obtain a number of new encryption schemes, notably
- a new construction of IBE in prime-order groups with shorter parameters;
- a new construction of compact HIBE in prime-order groups whose structure closely mirrors the selectively secure HIBE scheme of Boneh, Boyen and Goh (Eurocrypt '05);
- a new construction of compact spatial encryption in prime-order groups.
In this work, we present a novel T-PAKE protocol which solves the above fault management problem by employing a batched and offline phase of distributed key generation (DKG). Our protocol is secure against any malicious behavior from up to any t < n servers under the decisional Diffie-Hellman assumption in the random oracle model, and it ensures protocol completion for t < n/2. Moreover, it is efficient (16n + 7 exponentiations per client, 20n + 14 per server), performs explicit authentication in three communication rounds, and requires significantly fewer broadcast rounds than previous secure T-PAKE constructions. We have implemented our protocol and have verified its efficiency using micro-benchmark experiments. Our experimental results show that the protocol introduces a computation overhead of only a few milliseconds at both the client and the server ends, and that it is practical for use in real-life authentication scenarios.