International Association for Cryptologic Research

IACR News Central

2014-05-22
09:17 [Pub][ePrint]

Key predistribution schemes for resource-constrained networks are methods for allocating symmetric keys to devices in such a way as to provide an efficient trade-off between key storage, connectivity and resilience. While there have been many suggested constructions for key predistribution schemes, a general understanding of the design principles on which to base such constructions is somewhat lacking. Indeed even the tools from which to develop such an understanding are currently limited, which results in many relatively ad hoc proposals in the research literature.

It has been suggested that a large edge-expansion coefficient in the key graph is desirable for efficient key predistribution schemes. However, attempts to create key predistribution schemes from known expander graph constructions have only provided an extreme in the trade-off between connectivity and resilience: namely, they provide perfect resilience at the expense of substantially lower connectivity than can be achieved with the same key storage.

Our contribution is two-fold. First, we prove that many existing key predistribution schemes produce key graphs with good expansion. This provides further support and justification for their use, and confirms the validity of expansion as a sound design principle. Second, we propose the use of incidence graphs and concurrence graphs as tools to represent, design and analyse key predistribution schemes. We show that these tools can lead to helpful insights and new constructions.

09:17 [Pub][ePrint]

We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates, thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive $\mathsf{poly}(\lambda,d)$ bits, where $\lambda$ is the security parameter and $d$ is the circuit depth. Save the additive $\mathsf{poly}(\lambda,d)$ factor, this is the best one could hope for. All previous constructions incurred a multiplicative $\mathsf{poly}(\lambda)$ blowup. As another application, we obtain (single key secure) functional encryption with short secret keys.

We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption, which is a public-key system that lets anyone translate a ciphertext encrypted under a public key $\mathbf{x}$ into a ciphertext encrypted under the public key $(f(\mathbf{x}),f)$ of the same plaintext, for any efficiently computable $f$. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem.

We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector $\mathbf{x}$ is the size of $\mathbf{x}$ plus $\mathsf{poly}(\lambda,d)$ additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a $\mathsf{poly}(\lambda,d)$ factor.

09:17 [Pub][ePrint]

Recently, Standaert et al. (Crypto'13) advocated the notion of simulatable leakage as a means to connect theoretical leakage resilience to practice. They argued that using simulators based on actual physical devices, the assumptions underlying their proofs of side channel resistance become 'empirically verifiable' as evaluation labs can scrutinise the indistinguishability of the simulator by actually 'playing' the games that involve real versus simulated leakage. Standaert et al. proposed a concrete, block cipher based instantiation of a leakage resilient pseudorandom generator. They provided a high level definition of a simulator based on splicing two partial traces, and included detailed reasoning why their simulator (for AES-128) would resist state-of-the-art side channel attacks.

We exhibit a distinguisher against their simulator, thereby falsifying their hypothesis. We demonstrate the efficacy of our distinguishing technique by experimental validation using concrete implementations of the Standaert et al. simulator on several different platforms. Our successful analysis is based on 'tracking' consistency (and likewise spotting simulator inconsistencies) in leakage traces by means of cross correlation. By taking the cross correlation between trace points, we can estimate real-or-simulated based either on a single key that is used multiple times, or based on multiple runs of Standaert et al.'s security game with varying keys each used only once. Since the game hybridizes (in the number of keys used), the latter implies that theoretically our distinguisher already wins when a single key is used with a single trace of side channel leakage!

Finally, we propose several alternative simulators, based on splitting traces at points of low intrinsic cross-correlation, which are more promising w.r.t. the cross-correlation distinguisher. Unfortunately, these new simulators come with significant caveats, and we conclude that the most natural way of producing simulated leakage is by using the underlying construction 'as is' (but with a random key).

Provided the actual implementation has a low signal-to-noise ratio, we believe it practically infeasible to distinguish between real and simulated traces: when only a few very noisy leakages are made available to an attacker, signal processing techniques that rely on having sufficient observations are not applicable.

2014-05-21
10:16 [Job][New]

Four positions in Computer Science

• Two in any area of CS

• One in theory and algorithms

• One in HCI

You will have demonstrated that you are on track to become an outstanding researcher, carrying out innovative research to complement that currently being pursued in the Department. You will have already achieved international recognition and have a significant number of high quality publications in top venues. Our strategy is to grow our research portfolio and you will be expected to take a major role in achieving that goal.

In addition, you will be expected to take an active role in providing high quality and innovative teaching in areas of Computer Science according to your experience. We are looking to enhance our teaching in core computer science; both theoretical aspects (such as formal methods, complexity, information theory, theory of programming languages, automated theorem proving/protocol analysis), as well as engineering aspects (such as programming languages, operating systems, distributed computing and software engineering). Interest in developing innovative ways of integrating teaching and research, and linking our teaching with the general computing industry, is particularly welcomed. The Department operates a reduced teaching load policy for new staff to enable their research activities to be established.

Please include in your CV and covering letter two one-page statements: one on your research plans and how they will impact on the research profile of the Department, and one on the contributions that you can make to teaching in the Department, especially in respect of innovation in delivery and content.

2014-05-20
09:17 [Pub][ePrint]

This paper combines cryptographic voting and web page ranking and proves that it is possible to hold elections so as not to limit a voter by a list of candidates, to benefit from voter's personal experience in dealing with people, to make wide and proportional representation, and to achieve secrecy, including incoercibility, and verifiability of cryptographic voting systems.

09:17 [Pub][ePrint]

One of the most well-known micropayment schemes is the PayWord scheme. It is designed to be one-vendor, so if we apply it for multiple vendors, it does not protect against double spending. We extended the PayWord scheme so that it supports shopping at multiple vendors without an on-line broker or an on-line secure database. The proposed credit-based system uses one hash chain, hence besides the secret signature key only the seed and a random value should be securely stored. Our scheme is analyzed in applied pi calculus; we prove that it fulfills payment approval, secure payment authorization, secrecy of payment information and unreusability.

2014-05-19
18:17 [Pub][ePrint]

Side channel and fault attacks take advantage of the fact that the behavior of crypto implementations can be observed and provide hints that simplify revealing keys. These attacks are normally prepared by analyzing devices that are identical to the real target. Here we propose to individualize the design of cryptographic devices in order to prevent attacks that use identical devices. We implemented three different designs that provide exactly the same cryptographic function, i.e. an ECC kP multiplication. The synthesis and power simulation results show clear differences in the area consumed as well as in the power traces. We envision that this type of protection mechanism is relevant e.g. for wireless sensor networks from which devices can easily be stolen for further analysis in the lab.

18:17 [Pub][ePrint]

We revisit the problem of finding small solutions to a collection of linear equations modulo an unknown divisor $p$ for a known composite integer $N$. In Asiacrypt'08, Herrmann and May introduced a heuristic algorithm for this problem, and their algorithm has many interesting applications, such as the factoring with known bits problem, fault attacks on RSA signatures, etc. In this paper, we consider two variants of Herrmann-May's equations, and propose some new techniques to solve them. Applying our algorithms, we obtain a few analytical/experimental results that are by far the best for RSA and its variants. Specifically,

• We improve May's results (PKC'04) on small secret exponent attack on RSA variant with moduli $N = p^r q$ ($r \geq 2$).

• We extend Nitaj's result (Africacrypt'12) on weak encryption exponents of RSA and CRT-RSA.

18:17 [Pub][ePrint]

With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In particular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing "hidden volume" solutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden volumes and present HIVE, which is resistant to more powerful adversaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we design a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O(1) communication complexity and only poly-logarithmic user memory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write-only ORAM is specially equipped to provide hidden volume functionality with low overhead and significantly increased security. Finally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.

18:17 [Pub][ePrint]

Enabling private database queries is an important and challenging research problem with many real-world applications. The goal is for the client to obtain the results of its queries without learning anything else about the database, while the outsourced server learns nothing about the queries or data, including access patterns. The secure-computation-over-ORAM architecture offers a promising approach to this problem, permitting sub-linear time processing of the queries (after pre-processing) without compromising security.

In this work we examine the feasibility of this approach, focusing specifically on secure-computation protocols based on somewhat-homomorphic encryption (SWHE). We devised and implemented secure two-party protocols in the semi-honest model for the path-ORAM protocol of Stefanov et al. This provides access by index or keyword, which we extend (via pre-processing) to limited conjunction queries and range queries. Some of our sub-protocols may be interesting in their own right, such as our new protocols for encrypted comparisons and blinded permutations.

We implemented our protocols on top of the HElib homomorphic encryption library. Our basic single-threaded implementation takes about 30 minutes to process a query on a database with $2^{22}$ records and 120-bit long keywords, providing a cause for optimism about the viability of this direction, and we expect a better optimized implementation to be much faster.

18:17 [Pub][ePrint]

In this paper, we present a variant of Diem's $\widetilde{O}(q)$ index calculus algorithm to attack the discrete logarithm problem (DLP) in Jacobians of genus 3 non-hyperelliptic curves over a finite field $\mathbb{F}_q$. We implement this new variant in C++ and study the complexity in both theory and practice, making the logarithmic factors and constants hidden in the $\widetilde{O}$-notation precise.

Our variant improves the computational complexity at the cost of a moderate increase in memory consumption, but we also improve the computational complexity even when we limit the memory usage to that of Diem's original algorithm. Finally, we examine how parallelization can help to reduce both the memory cost per computer and the running time for our algorithms.