International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2012-09-27
15:17 [Pub][ePrint]

In the setting of cryptographic protocols, the corruption of a party has traditionally been viewed as a simple, uniform and atomic operation, where the adversary decides to get control over a party and this party immediately gets corrupted. In this paper, motivated by the fact that different players may require different resources to get corrupted, we put forth the notion of {\\em resource-based corruptions}, where the adversary must invest some resources in order to do so.

If the adversary has full information about the system configuration then resource-based corruptions would provide no fundamental difference from the standard corruption model. However, in a resource anonymous\'\' setting, in the sense that such configuration is hidden from the adversary, much is to be gained in terms of efficiency and security.

We showcase the power of such {\\em hidden diversity} in the context of secure multiparty computation (MPC) with resource-based corruptions and prove that it can effectively be used to circumvent known impossibility results. Specifically, if $OPT$ is the corruption budget that violates the completeness of MPC (the case when half or more of the players are corrupted), we show that if hidden diversity is available, the completeness of MPC can be made to hold against an adversary with as much as a $B\\cdot OPT$ budget, for any constant $B>1$. This result requires a suitable choice of parameters (in terms of number of players and their hardness to corrupt), which we provide and further prove other tight variants of the result when the said choice is not available. Regarding efficiency gains, we show that hidden diversity can be used to force the corruption threshold to drop from 1/2 to 1/3, in turn allowing the use of much more efficient (information-theoretic) MPC protocols.

We achieve the above through a series of technical contributions:

o The modeling of the corruption process in the setting of cryptographic protocols through {\\em corruption oracles} as well as the introduction of a notion of reduction to relate such oracles;

o the abstraction of the corruption game as a combinatorial problem and its analysis; and, importantly,

o the formulation of the notion of {\\em inversion effort preserving} (IEP) functions which is a type of direct-sum property, and the property of {\\em hardness indistinguishability}. While hardness indistinguishability enables the dissociation of parties\' identities and the resources needed to corrupt them, IEP enables the discretization of adversarial work into corruption tokens,

all of which may be of independent interest.

2012-09-26
05:31 [Event][New]

Submission: 1 February 2013
From October 10 to October 11
Location: Laurel, Maryland, USA

05:12 [Job][New]

Responsibilities:

• Serve as a highly visible industry expert on tamper-resistance and DPA countermeasures

• Design and implement DPA-resistant hardware blocks suitable for a variety of applications and device form factors

• Guide customers implementing DPA countermeasures and tamper resistance into their products and systems

• Consult with customers regarding their DPA-resistance certification needs

• Develop tools and training material around methodologies for DPA resistant hardware design

• Author whitepapers and technical papers related to tamper resistance, side-channel analysis and countermeasures

• Provide customer training on DPA

Qualifications:

• 8+ years of experience in tamper resistant hardware design and at least 5 years of experience in developing DPA resistant hardware and products that use algorithms such as DES, 3DES, AES, RSA and ECC.

• Deep knowledge of the statistics of DPA, sources of information leakage in hardware and engineering tradeoffs between different countermeasure choices

• Experience with getting multiple products evaluated for DPA resistance at EAL 5+

• External recognition as an expert in the area of tamper resistance, side-channel analysis and countermeasures, via publications, industry panels, contributions to standards working groups, etc.

• Very high degree of skill with Verilog (or VHDL) and digital design

• In depth understanding of front-end ASIC design flows, including design, simulation, synthesis and timing analysis

• Hardware development experience in UNIX/Linux environments, and with shell/perl scripting

• Excellent interpersonal, presentation and documentation skills

• MS/Ph.D in Electrical Engineering

Pluses: Experience in the following areas

• Mixed mode and analog simulations for assessing DPA resistance at the design stage

• Develo

05:12 [Job][New]

Responsibilities for this position include:

• Using, enhancing and developing cutting edge analysis techniques to perform side-channel leakage assessments of customer products and prototypes across a wide range of form factors and algorithms

• Documenting and/or publishing innovations in side-channel analysis and staying current with analysis techniques developed by other researchers

• Incorporating new analysis techniques and tools into CRI’s DPA Workstation product

• DPA Training: Instruct existing and prospective DPA countermeasure licensees and DPA workstation customers on topics related to DPA

• Authoring whitepapers, training material and tutorials on side-channel analysis and countermeasures

Qualifications: Education, Experience, Skills, Etc.

Requirements:

• MS/Ph.D in Electrical Engineering or Computer Science

• 3+ years experience in performing DPA on a range of real-world systems, form factors and algorithms, including experience with developing DPA test fixtures for embedded devices, setting up scopes and measurement apparatus, and applying signal processing and DPA techniques on the collected traces

• Exceptional C/C++ skills, working knowledge of Matlab or other signal processing tools, knowledge of multiple scripting languages

• Good written, oral and presentation skills – this position will require technical interactions with customers

Pluses:

• A strong record of scientific publications in the area of side-channel analysis and countermeasures and tamper resistance

• Experience with DPA-resistance certification

• Background in cryptography, tamper resistance (including fault analysis), signal processing or statistics

• Experience with embedded systems

2012-09-24
06:17 [Pub][ePrint]

In this paper, we propose an elaborate geometric approach to explain the group law on Jacobi quartic curves which are seen as the intersection of two quadratic surfaces in space. Using the geometry

interpretation we construct the Miller function. Then we present explicit formulae for the addition and doubling steps in Miller\'s algorithm to compute Tate pairing on Jacobi quartic curves. Both the addition step and doubling step of our formulae for Tate pairing computation on Jacobi curves are faster than previously proposed ones.

Finally, we present efficient formulas for Jacobi quartic curves with twists of degree 4 or 6. For twists of degree 4, both the addition steps and doubling steps in our formulas are faster than the fastest result on Weierstrass curves. For twists of degree 6, the addition steps of our formulae are faster than the fastest result on Weierstrass curves.

2012-09-22
15:17 [Pub][ePrint]

In this paper we attack round-reduced Keccak hash function with a technique called rotational cryptanalysis. We focus on Keccak variants proposed as SHA-3 candidates in the NIST\'s contest for a new standard of cryptographic hash function. Our main result is a preimage attack on 4-round Keccak and a 5-round distinguisher on Keccak-f[1600] permutation --- the main building block of Keccak hash function.

15:17 [Pub][ePrint]

In FSE 2005, \\emph{transparency order} was proposed as a parameter

for the robustness of S-boxes to \\emph{Differential Power Analysis} (DPA):lower \\emph{transparency order} implying more resistance. However most cryptographically strong Boolean functions have been found to have high \\emph{transparency order}. Also it is a difficult problem to search for Boolean functions which are strong cryptographically, and yet have low \\emph{transparency order}, the total search space for $(n,n)$-bit Boolean functions being as large as $n2^{2^n}$. In this paper we characterize \\emph{transparency order} for various classes of Boolean functions by computing the upper and lower bounds of \\emph{transparency order} for both

even and odd numbers of variables. The transparency order is defined in terms of \\emph{diffusion} properties of the structures of Boolean functions namely the number of bit flips in the output of the functions corresponding to the number of bit flips at the input of the function. The calculated bounds depend on the number of vectors flipping the input of S-box for which bias of probability of S-box output bit deviates from the value of 0.5. The \\emph{transparency order} is found to be high in the class of those Boolean functions which have larger cardinality of input differences for which the probability of output bit flip is 0.5. Also we find that instead of \\emph{propagation characteristics}, \\emph{autocorrelation

spectra} of the S-box function $F$ is a more qualifying candidate in deciding the characteristics of \\emph{transparency order}. The relations developed to characterize \\emph{transparency order} aid in our constrained random generation and search of a class of

balanced $8\\times8$ S-boxes with \\emph{transparency order} upper bounded by 7.8, \\emph{nonlinearity} in range $(104,110)$ and \\emph{absolute indicator values} of \\emph{GAC}

in range $(48,88)$.

15:17 [Pub][ePrint]

We propose two basic NIZK arguments, one for Hadamard product of two vectors, and another one for a shift of a vector. The first argument is based on the corresponding argument of Lipmaa (TCC 2012), but makes use of Fast Fourier Transform and Pippenger\'s multi-exponentiation algorithm to achieve quasilinear (as opposed quadratic) computational complexity. The shift argument seems to be novel.

Based on the new basic arguments, we propose a NIZK argument for subset sum. This seems to be the only known (direct) sublinear NIZK argument for some other NP-complete language than Circuit-SAT\\@. Moreover, it is significantly more efficient than the known sublinear Circuit-SAT arguments by Groth (Asiacrypt 2010) and Lipmaa. In addition, we show that the new arguments can be used to speed up the recent range argument by Chaabouni, Lipmaa and Zhang (FC 2012). Finally, we combine the subset sum argument and the range argument to propose a direct sublinear NIZK argument for another NP-complete language, decision knapsack.

15:17 [Pub][ePrint]

Batch signature verification detects whether a batch of signatures contains any forgeries. Batch forgery identification pinpoints the location of each forgery. Existing forgery-identification schemes vary in their strategies for selecting subbatches to verify (individual checks, binary search, combinatorial designs, etc.) and in their strategies for verifying subbatches. This paper exploits synergies between these two levels of strategies, reducing the cost of batch forgery identification for elliptic-curve signatures.

15:17 [Pub][ePrint]

Proofs of retrievability allow a client to store her data on a remote server (in the cloud\'\') and periodically execute an efficient audit protocol to check that all of the data is being maintained correctly and can be recovered from the server. For efficiency, the computation and communication of the server and client during an audit protocol should be significantly smaller than reading/transmitting the data in its entirety. Although the server is only asked to access a few locations of its storage during an audit, it must maintain full knowledge of all client data to be able to pass.

Starting with the work of Juels and Kaliski (CCS \'07), all prior solutions to this problem crucially assume that the client data is static and do not allow it to be efficiently updated. Indeed, they all store a redundant encoding of the data on the server, so that the server must delete a large fraction of its storage to `lose\' any actual content. Unfortunately, this means that even a single bit modification to the original data will need to modify a large fraction of the server storage, which makes updates highly inefficient.

Overcoming this limitation was left as the main open problem by all prior works.

In this work, we give the first solution providing proofs of retrievability for dynamic storage, where the client can perform arbitrary reads/writes on any location within her data by running an efficient protocol with the server. At any point in time, the client can execute an efficient audit protocol to ensure that the server maintains the latest version of the client data. The computation and communication complexity of the server and client in our protocols is only polylogarithmic in the size of the client\'s data. The starting point of our solution is to split up the data into small blocks and redundantly encode each block of data individually, so that an update inside any data block only affects a few codeword symbols. The main difficulty is to prevent the server from identifying and deleting too many codeword symbols belonging to any single data block. We do so by hiding where the various codeword symbols for any individual data lock are stored on the server and when they are being accessed by the client, using the algorithmic techniques of oblivious RAM.

2012-09-20
12:17 [Pub][ePrint]

In this paper, we revisit the private top-κ data aggregation problem. First we formally define the problem\'s security requirements as both data and user privacy goals. To achieve both goals, and to strike a balance between efficiency and functionality, we devise a novel cryptographic construction that comes in two schemes; a fully decentralized simple construction and its practical and semi-decentralized variant. Both schemes are provably secure in the semi-honest model. We analyze the computational and communi- cation complexities of our construction, and show that it is much more efficient than the existing protocols in the literature.