International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-04-12
07:49 [News]

CryptoDB has been updated with best paper awards, coauthor relationships, and DOIs.

2012-04-11
21:17 [Pub][ePrint]

Helios 2.0 is a web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper we identify a vulnerability in Helios which allows an adversary to compromise the privacy of voters whom cast abstention votes. The vulnerability can be attributed to the absence of ballot independence and the use of homomorphic ElGamal encryption, in particular, these properties can be exploited by an adversary to construct a ballot related to an abstention vote cast by an honest voter and this ballot can be submitted by a corrupt voter to influence the election outcome, thereby introducing information that can be used to violate privacy. We demonstrate the attack by breaking privacy in a mock election using the current Helios implementation. It is unlikely that the vulnerability will be exploited in a real-world election and therefore our results are largely theoretical. Nonetheless, we cannot expect any computational proofs of ballot secrecy without fixing this vulnerability and, moreover, the attack methodology may be of interest -- in particular, it could represent a viable threat to existing protocols in the literature -- thus providing motivation to report these results.

21:17 [Pub][ePrint]

In this paper, we estimate the lower bounds on third-order

nonlinearities of some biquadratic monomial Boolean functions of the

form $Tr_1^n(\\lambda x^d)$ for all $x \\in \\mathbb F_{2^n}$, where

$\\lambda \\in \\BBF_{2^n}^{*}$,

\\begin{itemize}

\\item [{(1)}]$d = 2^i + 2^j + 2^k + 1$, $i, j, k$

are integers such that $i > j > k \\geq 1$ and $n > 2 i$.

\\item [{(2)}] $d = 2^{3\\ell} + 2^{2\\ell} + 2^{\\ell} + 1$, $\\ell$

is a positive integer such that $\\gcd (i, n) = 1$ and $n > 6$.

\\end{itemize}

21:17 [Pub][ePrint]

Today\'s smartphones and tablets offer compelling computing and storage capabilities enabling a variety of mobile applications with rich functionality. The integration of new interfaces, in particular near field communication~(NFC) opens new opportunities for new applications and business models, as the most recent trend in industry for payment and ticketing shows. These applications require storing and processing security-critical data on smartphones, making them attractive targets for a variety of attacks. The state of the art to enhance platform security concerns outsourcing security-critical computations to hardware-isolated Trusted Execution Environments~(TrEE). However, since these TrEEs are used by software running in commodity operating systems, malware could impersonate the software and use the TrEE in an unintended way. Further, existing NFC-based access control solutions for smartphones are either not public or based on strong assumptions that are hard to achieve in practice.

We present the design and implementation of a generic access control system for NFC-enabled smartphones based on a multi-level security architecture for smartphones. Our solution allows users to delegate their access rights and addresses the bandwidth constraints of NFC.

Our prototype captures electronic access to facilities, such as entrances and offices, and binds NFC operations to a software-isolated TrEE established on the widely used Android smartphone operating system. We provide a formal security analysis of our protocols and evaluated the performance of our solution.

21:17 [Pub][ePrint]

Dodis and Wichs introduced the notion of a non-malleable extractor to study the problem of privacy amplification with an active adversary. A non-malleable extractor is a much stronger version of a strong extractor. Given a weakly-random string $x$ and a uniformly random seed $y$ as the inputs, the non-malleable extractor $nmExt$ has the property that $nmExt(x,y)$ appears uniform even given $y$ as well as $nmExt(x,A(y))$, for an arbitrary function $A$ with $A(y) \\neq y$. Dodis and Wichs showed that such an object can be used to give optimal privacy amplification protocols with an active adversary.

Previously, there are only two known constructions of non-malleable extractors \\cite{DLWZ11, CRS11}. Both constructions only work for $(n, k)$-sources with $k>n/2$. Interestingly, both constructions are also two-source extractors.

In this paper, we present a strong connection between non-malleable extractors and two-source extractors. The first part of the connection shows that non-malleable extractors can be used to construct two-source extractors. If the non-malleable extractor works for small min-entropy and has a short seed length with respect to the error, then the resulted two-source extractor beats the best known construction of two-source extractors. This partially explains why previous constructions of non-malleable extractors only work for sources with entropy rate $>1/2$, and why explicit non-malleable extractors for small min-entropy may be hard to get.

The second part of the connection shows that certain two-source extractors can be used to construct non-malleable extractors. Using this connection, we obtain the first construction of non-malleable extractors for $k < n/2$. Specifically, we give an unconditional construction for min-entropy $k=(1/2-\\delta)n$ for some constant $\\delta>0$, and a conditional (semi-explicit) construction that can potentially achieve $k=\\alpha n$ for any constant $\\alpha>0$.

We also generalize non-malleable extractors to the case where there are more than one adversarial seeds, and show a similar connection between the generalized non-malleable extractors and two-source extractors.

Finally, despite the lack of explicit non-malleable extractors for arbitrarily linear entropy, we give the first 2-round privacy amplification protocol with asymptotically optimal entropy loss and communication complexity for $(n, k)$ sources with $k=\\alpha n$ for any constant $\\alpha>0$. This dramatically improves previous results and answers an open problem in \\cite{DLWZ11}.

21:17 [Pub][ePrint]

We present the first key-management functionality in the Universal Composability (UC) framework. It allows the enforcement of a wide range of security policies and can be extended by diverse key usage operations with no need to repeat the security proof. We illustrate its use by proving an implementation of a Security API secure with respect to arbitrary key-usage operations and explore a proof technique that allows the storage of cryptographic keys externally, a novel development in the UC framework.

18:17 [Pub][ePrint]

Forty years ago, Wiesner pointed out that quantum mechanics raises the striking possibility of money that cannot be counterfeited according to the laws of physics. We propose the first quantum money scheme that is (1) public-key, meaning that anyone can verify a banknote as genuine, not only the bank that printed it, and (2) cryptographically secure, under a \"classical\" hardness assumption that has nothing to do with quantum money. Our scheme is based on hidden subspaces, encoded as the zero-sets of random multivariate polynomials. A main technical advance is to show that the \"black-box\" version of our scheme, where the polynomials are replaced by classical oracles, is unconditionally secure. Previously, such a result had only been known relative to a quantum oracle (and even there, the proof was never published). Even in Wiesner\'s original setting -- quantum money that can only be verified by the bank -- we are able to use our techniques to patch a major security hole in Wiesner\'s scheme. We give the first private-key quantum money scheme that allows unlimited verifications and that remains unconditionally secure, even if the counterfeiter can interact adaptively with the bank. Our money scheme is simpler than previous public-key quantum money schemes, including a knot-based scheme of Farhi et al. The verifier needs to perform only two tests, one in the standard basis and one in the Hadamard basis -- matching the original intuition for quantum money, based on the existence of complementary observables. Our security proofs use a new variant of Ambainis\'s quantum adversary method, and several other tools that might be of independent interest.

18:17 [Pub][ePrint]

In this paper, we present several efficient fault attacks against implementations of RSA-CRT signatures that use modular exponentiation algorithms based on Montgomery multiplication. They apply to any padding function, including randomized paddings, and as such are the

first fault attacks effective against RSA-PSS.

The new attacks work provided that a small register can be forced to either zero, or a constant value, or a value with zero high-order bits. We show that these models are quite realistic, as such faults can be achieved against many proposed hardware designs for RSA signatures.

18:17 [Pub][ePrint]

We present a mechanized proof of the password-based protocol One-Encryption Key Exchange (OEKE) using the computationally-sound protocol prover CryptoVerif. OEKE is a non-trivial protocol, and thus mechanizing its proof provides additional confidence that it is correct.

This case study was also an opportunity to implement several important extensions of CryptoVerif, useful for proving many other protocols. We have indeed extended CryptoVerif to support the computational Diffie-Hellman assumption. We have also added support for proofs that rely on Shoup\'s lemma and additional game transformations. In particular, it is now possible to insert case distinctions manually and to merge cases that no longer need to be distinguished. Eventually, some improvements have been added on the computation of the probability bounds for attacks, providing better reductions. In particular, we improve over the standard computation of probabilities when Shoup\'s lemma is used, which allows us to improve the bound given in a previous manual proof of OEKE, and to show that the adversary can test at most one password per session of the protocol.

In this paper, we present these extensions, with their application to the proof of OEKE. All steps of the proof, both automatic and manually guided, are verified by CryptoVerif.

18:17 [Pub][ePrint]

Since the invention of the Rubik\'s cube by Ern\\\"o~Rubik in $1974$, similar puzzles have been produced, with various number of faces or stickers. We can use these toys to define several problems in computer science, such as go from one state of the puzzle to another one. In this paper, we will classify some of these problems based on the classic Rubik\'s cube or on generalized Rubik\'s Cube. And we will see how we can use them in Zero Knowledge Authentication with a public key in order to achieve a given complexity against the best known attacks (for example $2^{80}$ computations). The efficiency of these schemes, and their possible connection with

NP-complete problems will also be discussed.

18:17 [Pub][ePrint]

Hardware devices can be protected against side-channel attacks by introducing one random mask per sensitive variable.

The computation throughout is unaltered if the shares (masked variable and mask) are processed concomitantly, in two distinct registers.

Nonetheless, this setup can be attacked by a zero-offset second-order CPA attack.

The countermeasure can be improved by manipulating the mask through a bijection $F$,

aimed at reducing the dependency between the shares.

Thus $d$th-order zero-offset attacks, that consist in applying CPA on the $d$th power of the centered side-channel traces,

can be thwarted for $d \\geq 2$ at no extra cost.

We denote by $n$ the size in bits of the shares and call $F$ the transformation function,

that is a bijection of $\\mathbb{F}_2^n$.

In this paper, we explore the functions $F$ that thwart zero-offset HO-CPA of maximal order $d$.

We mathematically demonstrate that optimal choices for $F$ relate to optimal binary codes (in the sense of communication theory).

First, we exhibit optimal linear $F$ functions.

Second, we note that for values of $n$ for which non-linear codes exist with better parameters than linear ones.

These results are exemplified in the case $n=8$, the optimal $F$ can be identified:

it is derived from the optimal rate~$1/2$ binary code of size $2n$, namely the Nordstrom-Robinson $(16, 256, 6)$ code.

This example provides explicitly with the optimal protection that limits to one mask of byte-oriented algorithms such as AES or AES-based SHA-3 candidates.

It protects against all zero-offset HO-CPA attacks of order $d \\leq 5$.

Eventually, the countermeasure is shown to be resilient to imperfect leakage models.