*12:29*[Event][New] CSF'13: 2013 IEEE 26th Computer Security Foundations Symposium

Submission: 6 February 2013

Notification: 5 April 2013

From June 26 to June 28

Location: New Orleans, USA

More Information: http://csf2013.seas.harvard.edu/index.html

Get an update on changes of the IACR web-page here. For questions, contact *newsletter (at) iacr.org*.
You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

Submission: 6 February 2013

Notification: 5 April 2013

From June 26 to June 28

Location: New Orleans, USA

More Information: http://csf2013.seas.harvard.edu/index.html

2012-11-06

From June 10 to June 12

Location: Rocquencourt, France

More Information: http://cbc2013.inria.fr

Abstract A signature scheme is *fully leakage resilient* (Katz and Vaikuntanathan, ASIACRYPT’09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on *all intermediate values that are used throughout the lifetime of the system*. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks. One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct the first *fully* leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1−*o*(1))*L* bits, where *L* is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS’10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS’10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.

- Content Type Journal Article
- Pages 1-46
- DOI 10.1007/s00145-012-9136-3
- Authors
- Elette Boyle, Department of Mathematics, Massachusetts Institute of Technology, Cambridge, MA 02139, USA
- Gil Segev, Microsoft Research, Mountain View, CA 94043, USA
- Daniel Wichs, Department of Computer Science, New York University, New York, NY 10012, USA

- Journal Journal of Cryptology
- Online ISSN 1432-1378
- Print ISSN 0933-2790

2012-11-05

Verifiable secret sharing (VSS) is a vital primitive in secure distributed computing. It allows an untrusted dealer to verifiably share a secret among n parties in the presence of an adversary controlling at most t of them. VSS in the synchronous communication model has received tremendous attention in the cryptographic research community. Nevertheless, recent interest in deploying secure distributed computing over the Internet requires going beyond the synchronous communication model and thoroughly investigating VSS in the asynchronous communication model.

In this work, we consider the communication complexity of asynchronous VSS in the com- putational setting for the optimal resilience of n = 3t + 1. The best known asynchronous VSS protocol by Cachin et al. has O(n^2) message complexity and O(kn^3) communication complexity, where k is a security parameter corresponding to the size of the secret. We close the linear complexity gap between these two measures for asynchronous VSS by presenting two protocols with O(n^2) message complexity and O(kn^2) communication complexity. Our first protocol satisfies the standard VSS definition, and can be used in stand-alone VSS scenarios as well as in applications such as Byzantine agreement. Our second and more intricate protocol satisfies a stronger VSS definition, and is useful in all VSS applications including multiparty computation and threshold cryptography.

Subset sum or Knapsack problems of dimension $n$ are known to be hardest for knapsacks of density close to 1.These problems are NP-hard for arbitrary $n$. One can solve such problems either by lattice basis reduction or by optimized birthday algorithms. Recently Becker, Coron, Jou } [BCJ10] present a birthday algorithm that

follows Schroeppel, Shamir [SS81], and Howgrave-Graham, Joux [HJ10]. This algorithm solves 50 random knapsacks of dimension 80 and density close to 1 in roughly 15 hours on a 2.67 GHz PC.

We present an optimized lattice basis reduction algorithm that follows Schnorr, Euchne} [SE03] using pruning of Schnorr, H\\\"orner [SH95] that solves such random knapsacks of dimension 80 on average in less than a minute, and 50 such problems all together about 9.4 times faster and using much less space than [BCJ10] on another 2.67 GHz PC.

In this paper, we evaluate the security of lightweight block ciphers PRESENT, Piccolo and LED against biclique cryptanalysis. To recover the secret key of PRESENT-80/128, our attacks require $2^{79.76}$ full PRESENT-80 encryptions and $2^{127.91}$ full PRESENT-128 encryptions, respectively. Our attacks on Piccolo-80/128 require computational complexities of $2^{79.13}$ and $2^{127.35}$, respectively. The attack on a $29$-round reduced LED-64 needs $2^{63.58}$ 29-round reduced LED-64 encryptions. In the cases of LED-80/96/128, we propose the attacks on two versions. First, to recover the secret key of $45$-round reduced LED-80/96/128, our attacks require computational complexities of $2^{79.45}, 2^{95.45}$ and $2^{127.45}$, respectively. To attack the full version, we require computational complexities of $2^{79.37}, 2^{95.37}$ and $2^{127.37}$, respectively. However, in these cases, we need the full codebook. These results are superior to known biclique cryptanalytic results on them.

The area of proof-based verified computation (outsourced computation

built atop probabilistically checkable proofs and cryptographic

machinery) has lately seen renewed interest. Although recent work has

made great strides in reducing the overhead of naive applications of the

theory, these schemes still cannot be considered practical. The core

issue is that the work for the prover is immense, in general; it

is near-practical only for hand-compiled computations that can

be expressed in special forms.

This paper addresses that problem. Provided one is willing to batch

verification, we develop a protocol that

achieves the efficiency of the

best manually constructed protocols in the literature yet applies to all

computations.

Our protocol

is built on the observation that the

recently-proposed QAPs of Gennaro et al. (ePrint 2012/215) yield a

linear PCP that works with the efficient argument protocol of Setty et

al. (ePrint 2012/598, Security 2012, NDSS 2012), itself based on the

proposal of Ishai et al. (CCC 2007).

The consequence is a prover whose total work is not much more than

_linear_ in the running time of the computation.

We implement the protocol in the

context of a built system that includes a compiler and a parallel GPU

implementation. The result, as indicated by an experimental evaluation,

is a system that is _almost_ usable for real problems -- without

special-purpose tailoring.

The block cipher modes of operation that are widely used (CBC, CTR, CFB) are secure up to

the birthday bound; with a $w$-bit block cipher, they are secure if $w2^{w}$ or fewer bits of data are encrypted, and insecure above that bound. However, the detailed security

properties close to this bound are not widely appreciated, despite the fact that $64$-bit block ciphers are sometimes used in that domain. This work addresses the issue by describing and analyzing plaintext-recovery attacks that are effective close to that bound. We describe possible-plaintext attacks, which can learn unknown plaintext values that are encrypted with CBC, CFB, or OFB. We also introduce impossible plaintext cryptanalysis, which can recover information encrypted with CTR, and can improve attacks against the aforementioned modes as well. These attacks work at the birthday bound, or even slightly below that bound, when

the target plaintext values are encrypted under a succession of keys.

We initiate the cryptographic study of order-preserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al.~(SIGMOD \'04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look ``as-random-as-possible\" subject to the order-preserving constraint.

We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying blockcipher. Our construction is based on a natural relation we uncover between a random order-preserving function and the hypergeometric probability distribution.

In particular, it makes black-box use of an efficient sampling algorithm for the latter.

We further the study of order-preserving symmetric encryption (OPE), a primitive for allowing efficient range queries on encrypted data, recently initiated (from a cryptographic perspective) by Boldyreva et al.~(Eurocrypt \'09).

First, we address the open problem of characterizing what encryption via a random order-preserving function (ROPF) leaks about underlying data (ROPF being the ``ideal object\'\' in the security definition, POPF, satisfied by their scheme.)

In particular, we show that, for a database of randomly distributed plaintexts and appropriate choice of parameters, ROPF encryption leaks neither the precise value of any plaintext nor the precise distance between any two of them.

The analysis here introduces useful new techniques.

On the other hand, we show that ROPF encryption leaks approximate value of any plaintext as well as approximate distance between any two plaintexts, each to an accuracy of about square root of the domain size.

We then study schemes that are not order-preserving, but which nevertheless allow efficient range queries and achieve security notions stronger than POPF. In a setting where the entire database is known in advance of key-generation (considered in several prior works), we show that recent constructions of ``monotone minimal perfect hash functions\'\' allow to efficiently achieve (an adaptation of) the notion of IND-O(rdered) CPA also considered by Boldyreva et al., which asks that \\emph{only} the order relations among the plaintexts is leaked.

Finally, we introduce {\\em modular} order-preserving encryption (MOPE), in which the scheme of Boldyreva et al. is prepended with a random shift cipher. MOPE improves the security of OPE in a sense, as it does not leak any information about plaintext location.

We clarify that our work should not be interpreted as saying the original scheme of Boldyreva et al., or the variants that we introduce, are ``secure\'\' or ``insecure.\'\' Rather, the goal of this line of research is to help practitioners decide whether the options provide a suitable security-functionality tradeoff for a given application.

Tom Roeder at Microsoft Research has written an independent verifier for the Helios system. You can access it via the 2012 election page or via this link.