International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

03:17 [Pub][ePrint] PUFs: Myth, Fact or Busted? A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon (Extended Version), by Stefan Katzenbeisser, Ünal Kocabas, Vladimir Rozic, Ahmad-Reza Sadeg

  Physically Unclonable Functions~(PUFs) are an emerging technology and have been proposed as central building blocks in a variety of cryptographic protocols and security architectures. However, the security features of PUFs are still under investigation: Evaluation results in the literature are difficult to compare due to varying test conditions, different analysis methods and the fact that representative data sets are publicly unavailable.

In this paper, we present the first large-scale security analysis of ASIC implementations of the five most popular intrinsic electronic PUF types, including arbiter, ring oscillator, SRAM, flip-flop and latch PUFs. Our analysis is based on PUF data obtained at different operating conditions from $96$ ASICs housing multiple PUF instances, which have been manufactured in TSMC 65nm CMOS technology. In this context, we present an evaluation methodology and quantify the robustness and unpredictability properties of PUFs. Since all PUFs have been implemented in the same ASIC and analyzed with the same evaluation methodology, our results allow for the first time a fair comparison of their properties.

03:17 [Pub][ePrint] Domain-Specific Pseudonymous Signatures for the German Identity Card, by Jens Bender and Özgür Dagdelen and Marc Fischlin and Dennis Kügler

  The restricted identication protocol for the new German identity card basically provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not malicious ones). The protocol can be augmented to allow also for signatures under the pseudonyms. In this paper, we thus view---and define---this idea more abstractly as

a new cryptographic signature primitive with some form of anonymity, and use the term domain-specific pseudonymous signatures. We then analyze the restricted identication solutions in terms of the formal

security requirements.

03:17 [Pub][ePrint] Plaintext Awareness in Identity-Based Key Encapsulation, by Mark Manulis and Bertram Poettering and Douglas Stebila

  The notion of plaintext awareness (PA) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen ciphertext attacks (INDCCA), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving PA in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving PA of schemes in one model cannot be adapted to the other model. Existing research addresses PA in detail only in the public key setting.

This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of PA in proof strategies of INDCCA security, and explores relationships between PA and other security properties.

On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and INDCCA-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of gamma-uniformity that was inherent in the original FO transform. We show that for IB-KEMs (and PK-KEMs) this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is PA and INDCCA-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.

03:17 [Pub][ePrint] Computational Soundness of Coinductive Symbolic Security under Active Attacks, by Mohammad Hajiabadi, Bruce M. Kapron

  In Eurocrypt 2010, Miccinacio initiated an investigation of cryptographically sound, symbolic security analysis with respect to coinductive adversarial knowledge, and demonstrated that under an adversarially passive model, certain security criteria (e.g. indistinguishability) may be given a computationally sound symbolic characterization, without the assumption of key acyclicity. Left open in his work was the fundamental question of ``the viability of extending the coinductive approach to prove computational soundness results in the presence of active adversaries.\'\' In this paper we make some initial steps toward answering this question in the affirmative with respect to an extension of a trace-based security model (proposed by Micciancio and Warinschi in TCC 2004) including asymmetric and symmetric encryption; in particular we prove that a random computational trace can be soundly abstracted by a coinductive symbolic trace with overwhelming probability, provided that both the underlying encryption schemes provide IND-CCA2 security (plus {ciphertext integrity} for the symmetric scheme), and that the diameter of the underlying coinductively-hidden subgraph is constant in every symbolic trace. This result holds even if the protocol allows arbitrarily nested applications of symmetric/asymmetric encryption, unrestricted transmission of symmetric keys, and adversaries who adaptively corrupt users, along with other forms of active attack.

As part of our proof, we formulate a game-based definition of encryption security allowing adaptive corruptions of keys and certain forms of adaptive key-dependent plaintext attack, along with other common forms of CCA2 attack. We prove that (with assumptions similar to above,) security under this game is implied by IND-CCA2 security. This also characterizes a provably benign form of cyclic encryption which can be achieved under standard notions of encryption security, which may be of independent interest.

05:29 [Election] List of Candidates


Candidates for Election in 2012

  • Thomas Peyrin
    I am really attached to the IACR and know its important role in promoting cryptography research. I've participated to several IACR PCs and will serve as co-GC of FSE'13. I will work on maintaining the high standards of IACR events and ensure the concerns of all cryptography sub-communities are considered.

  • Anna Lysyanskaya
    Statement: The IACR is my home research community, and I'd like to give back. My priorities are: (1) High quality research and its effective dissemination, (2) mentoring, (3) dialogue with related research communities, industry, standards and funding agencies.

  • Thomas Berson
    I have served the IACR since 1983 as Secretary, Treasurer, President, and Director. During that time we created conferences, workshops, literature, and community. Our present challenges include balance and tolerance in our evolving community. I know where we have been; I know where we are going. Please vote for me.

  • Michel Abdalla
    As an IACR member for more than a decade, I seek the opportunity to serve the community as a director. If elected, I'd like to help improve existing services provided by IACR, offer new services such as the organization of schools in cryptology, and promote worldwide dissemination of cryptologic research.

  • Xavier Boyen
    In gratitude for my decade in this vibrant community, my stewardship would, inter alia, promulgate open scholarly dissemination, facilitate balanced global outreach and participation, and explore mutually beneficial cross-community partnerships -- progressing carefully, always honoring the continuity of traditions that define us. Best decisions are consensual through meeting of the minds.

Election Committee

  • Josh Benaloh (Chair)
  • David Pointcheval (Returning Officer)
  • Greg Rose

15:17 [Pub][ePrint] Provably Secure Concurrent Error Detection Against Differential Fault Analysis, by Xiaofei Guo, Debdeep Mukhopadhyay and Ramesh Karri

  Differential fault analysis (DFA) poses a significant threat to Advanced Encryption Standard (AES). It has been demonstrated that DFA can use only a single faulty ciphertext to reveal the secret key of AES in an average of 230 computation. Traditionally, concurrent error

detection (CED) is used to protect AES against DFA. However, we emphasize that conventional CED assumes a uniform distribution of faults, which is not a valid assumption in the context of DFA. In contrast, we show practical examples which highlight that an attacker

can inject specific and exploitable faults, thus threatening existing CED. This paper brings to the surface a new CED approach for cryptography, aimed at providing provable security by detecting all possible DFA-exploitable faults, which is a small subset of the entire fault space. We analyze the fault coverage of conventional CED against DFA-exploitable faults, and we find that the fault coverage of most of these techniques are significantly lower than

the one they claimed. We stress that for security, it is imperative that CED should provide 100% fault coverage for DFA-exploitable faults. We further propose an invariance-based CED which provides 100% provable security against all known DFA of AES.

15:17 [Pub][ePrint] Bellcore attack in practice, by Andrey Sidorenko and Joachim van den Berg and Remko Foekema and Michiel Grashuis and Jaap de Vos

  In this paper we analyze practical aspects of the differential fault attack on RSA published by Boneh, Demillo and Lipton from Bellcore. We focus on the CRT variant, which requires only one faulty signature to be entirely broken provided that no DFA countermeasures are in use. Usually the easiest approach for the attacker is to introduce a fault in one of the two RSA-CRT exponentiations. These are time-consuming and often clearly visible in the power profiles. However, protection of the exponentiations against faults does not always circumvent the Bellcore attack. Our goal is to investigate and classify other possible targets of the attack.

15:17 [Pub][ePrint] Security weakness in the Proof of Storage with Deduplication, by Youngjoo Shin, Junbeom Hur, Kwangjo Kim

  Achieving both security and efficiency is the challenging issue for a data outsourcing service in the cloud computing.

Proof of Storage with Deduplication (POSD) is the first solution that addresses the issue for the cloud storage. However, the validity of the POSD scheme stands on the strong assumption that all clients are honest in terms of generating their keys. We present insecurity of the scheme

under new attack model that malicious clients exploit dishonestly manipulated keys. We also propose an improvement of the POSD scheme to mitigate our attack.

15:17 [Pub][ePrint] New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation, by Shweta Agrawal and Vipul Goyal and Abhishek Jain and Manoj Prabhakaran and Am

  We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any nontrivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known - such as concurrent zero knowledge protocols - and it has been an open question explicitly asked, for instance, by Lindell [J. Cryptology\'08] - whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting.

In this work:

1. We resolve this open question by showing that unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT, but in fact all nontrivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance, and the adversary receives no auxiliary information.

2. Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete secure against active adversaries. When we say that a functionality F is non-interactively complete, we mean that every other asymmetric functionality can be realized by parallel invocations of several copies of F, with no other communication in any direction. Our result subsumes a completeness result of Kilian [STOC\'00] that uses protocols which require additional interaction in both directions.

15:17 [Pub][ePrint] Resource-based Corruptions and the Combinatorics of Hidden Diversity, by Juan Garay and David Johnson and Aggelos Kiayias and Moti Yung

  In the setting of cryptographic protocols, the corruption of a party has traditionally been viewed as a simple, uniform and atomic operation, where the adversary decides to get control over a party and this party immediately gets corrupted. In this paper, motivated by the fact that different players may require different resources to get corrupted, we put forth the notion of {\\em resource-based corruptions}, where the adversary must invest some resources in order to do so.

If the adversary has full information about the system configuration then resource-based corruptions would provide no fundamental difference from the standard corruption model. However, in a resource ``anonymous\'\' setting, in the sense that such configuration is hidden from the adversary, much is to be gained in terms of efficiency and security.

We showcase the power of such {\\em hidden diversity} in the context of secure multiparty computation (MPC) with resource-based corruptions and prove that it can effectively be used to circumvent known impossibility results. Specifically, if $OPT$ is the corruption budget that violates the completeness of MPC (the case when half or more of the players are corrupted), we show that if hidden diversity is available, the completeness of MPC can be made to hold against an adversary with as much as a $B\\cdot OPT$ budget, for any constant $B>1$. This result requires a suitable choice of parameters (in terms of number of players and their hardness to corrupt), which we provide and further prove other tight variants of the result when the said choice is not available. Regarding efficiency gains, we show that hidden diversity can be used to force the corruption threshold to drop from 1/2 to 1/3, in turn allowing the use of much more efficient (information-theoretic) MPC protocols.

We achieve the above through a series of technical contributions:

o The modeling of the corruption process in the setting of cryptographic protocols through {\\em corruption oracles} as well as the introduction of a notion of reduction to relate such oracles;

o the abstraction of the corruption game as a combinatorial problem and its analysis; and, importantly,

o the formulation of the notion of {\\em inversion effort preserving} (IEP) functions which is a type of direct-sum property, and the property of {\\em hardness indistinguishability}. While hardness indistinguishability enables the dissociation of parties\' identities and the resources needed to corrupt them, IEP enables the discretization of adversarial work into corruption tokens,

all of which may be of independent interest.

05:31 [Event][New] CCH: 14th Cryptologic History Symposium

  Submission: 1 February 2013
Notification: 1 June 2013
From October 10 to October 11
Location: Laurel, Maryland, USA
More Information: