International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-03-13
11:24 [Job][New]

The Information Security Group (ISG) at Royal Holloway, University of London is looking for outstanding young graduates to fill 10 well-funded doctoral studentships in Cyber Security starting in October 2013.

The ISG is one of the largest and longest-established academic research groups working in cyber security, with a community of 15 academic staff, 10 postdocs and 40 PhD students. The ISG has a wide range of research interests related to cyber security, including the basic components of security services, such as cryptographic algorithms and trusted hardware; management of cryptographic keys; the correctness of the design and implementation of security protocols; the design of security services for embedded systems, business information systems, telecommunications networks and critical infrastructure; the detection and analysis of malware; and the study of economics, psychology, organizational theory, design theory and sociology in the context of information and cyber security.

We will consider applications from candidates with undergraduate and master\\\'s qualifications in a wide range of disciplines, including, but not limited to, mathematics, computer science, and electrical and electronic engineering. Funding is provided by the EPSRC (the UK Engineering and Physical Sciences Research Council), so full studentships are available to UK residents only (see http://www.epsrc.ac.uk/skills/students/help/Pages/eligibility.aspx for further details).

Further details of the research interests of the ISG can be found at http://www.isg.rhul.ac.uk/bin/staff-dir.php. Informal enquiries about the studentships can be made to Dr Carlos Cid, Prof. Jason Crampton, Prof. Keith Martin or Prof. Kenny Paterson ({carlos.cid,jason.crampton,keith.martin,kenny.paterson}@rhul.ac.uk). Further information about applying for the PhD programme at Royal Holloway is available at http://www.rhul.ac.uk/studyhere/research

06:17 [Pub][ePrint]

In this paper we present a new method of choosing primitive elements for Brezing-Weng families of pairing friendly elliptic curves with small rho-value, and we improve on previously-known best rho-values of families for the cases k=16, 22, 28 and 46. Our construction uses fixed discriminants.

06:17 [Pub][ePrint]

We present a runtime environment for executing secure programs via a multi-party computation protocol in the preprocessing model. The runtime environment is general and allows arbitrary reactive computations to be performed. A particularly novel aspect is that it automatically determines the minimum number of rounds needed for a computation, and uses this to minimize the overall cost of the computation. Various experiments are reported on, on various non-trivial functionalities. We show how, by utilizing the ability of modern processors to execute multiple threads at a time, one can obtain various tradeoffs between latency and throughput.

06:17 [Pub][ePrint]

Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega\'s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen\'s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the eld in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.

06:17 [Pub][ePrint]

We present an efficient key wrapping scheme that uses a single wide permutation and does not rely on block ciphers. The scheme is capable of wrapping keys up to 1400 bits long and processing arbitrarily long headers. Our scheme easily delivers the security level of 128 bits or higher with the master key of the same length. The permutation can be taken from the sponge hash functions such as SHA-3 (Keccak), Quark, Photon, Spongent.

We also present a simple proof of security within the concept of Deterministic Authenticated Encryption (DAE) introduced by Rogaway and

Shrimpton. We extend the setting by allowing the adversary to query the permutation and following the indifferentiability setting in the security proof of the sponge construction.

00:17 [Pub][ePrint]

We consider session key agreement (SKA) protocols operating in a public key infrastructure, with pre-specified peers, that take no session ID as input, and output only a session key. Despite much work on SKA, we argue that there is no good definition of security for this (very natural) protocol syntax. The difficulty is that in this setting the adversary may not be able to tell which processes share a key, and thus which session keys may be revealed without trivializing the security condition.

We consider security against adversaries that control all network traffic, can register arbitrary public keys, and can retrieve session keys. We do not attempt to mitigate damage from hardware failures, such as session-state compromise, as we aim to improve our understanding of this simpler setting. We give two natural but substantially different game based definitions of security and prove that they are equivalent. Such proofs are rare for SKA. The bulk of this proof consists of showing that, for secure protocols, only compatible processes can be made to share a key. This property is very natural but surprisingly subtle. For comparison, we give a version of our definition in which processes output session IDs and we give strong theorems relating these two types of definitions.

00:17 [Pub][ePrint]

We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Pailler and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, we call *single-instance* reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions.

Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a meta-meta-reduction\'\' against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.

00:17 [Pub][ePrint]

Biclique attack, is a new cryptanalytic technique which brings new tools from the area of hash functions to the area of block cipher cryptanalysis. Till now, this technique is the only one able to analyze the full-round AES cipher in a single key scenario. In this paper, we introduce non-isomorphic biclique attack, a modified version of the original biclique attack. In this attack we obtain isomorphic groups of bicliques, each group contains several non-isomorphic bicliques of different dimensions. Actually, these bicliques are the results of an asymmetric key partitioning which is done according to two sets of key differences. Using this technique it is possible to get a chance to expand the length of bicliques or mount an attack with less data complexity. We found out the lightweight block cipher mCrypton is an appropriate candidate to be analyzed with this technique and bicliques up to five rounds can be constructed for this block cipher. Furthermore, we use two additional minor techniques, including pre-computation/re-computation in the bicliques construction and early abort technique in the matching stage, as well as a property observed in the diffusion layer of mCrypton to obtain more improvements for the complexity of our attacks on full-round mCrypton-96 and mCrypton-128.

2013-03-11
09:54 [Job][New]

The cryptology section at the department of applied mathematics and computer science at the Technical University of Denmark (DTU Compute) is looking for up to two Post-Docs and two Ph.D. students in the area of symmetric cryptology.

2013-03-09
22:17 [Pub][ePrint]

2048XKS-F (eXtended Key Schedule - Feistel) is a Feistel cipher with a block length of 2048 bit and a key size of 4096 bit or 8192 bit, respectively. It uses the round function of the Subtitution-Permutation-Networks (SPN)1024 [11] and 1024XKS [12]as the f-function. 4096XKS-F is a Feistel cipher with a block length of 4096 bit and a key size of 8192 bit or 16384 bit, respectively. It uses the round function of the Substitution-Permutation-Network (SPN) 2048XKS as the f-function. Both 2048XKS-F and 4096XKS-F have 32 rounds. Additionally, there are #define statements in the reference implementation tocontrol which of the functions are compiled first, e.g. the diffusion layer or the s-box layer. In total, there are 6 #define statements in each reference implementation, making up 64 different ciphers. 2048XKS-F and 4096XKS-F are designed for 32 bit microprocessors with an integer hardware multiplier.

22:17 [Pub][ePrint]

We revisit the problem of general-purpose \\emph{private function evaluation} (PFE) wherein a single party $P_1$ holds a circuit $\\C$, while each $P_i$ for $1 \\le i \\leq n$ holds a private input $x_i$, and the goal is for a subset (or all) of the parties to learn $\\C(x_1, \\ldots, x_n)$ but nothing else. We put forth a general framework for designing PFE where the task of hiding the circuit and securely evaluating its gates are addressed independently: First, we reduce the task of hiding the circuit topology to oblivious evaluation of a mapping that encodes the topology of the circuit, which we refer to as \\emph{oblivious extended permutation} (OEP) since the mapping is a generalization of the permutation mapping. Second, we design a subprotocol for private evaluation of a single gate (PFE for one gate), which we refer to as \\emph{private gate evaluation} (PGE). Finally, we show how to naturally combine the two components to obtain efficient and secure PFE.

We apply our framework to several well-known general-purpose MPC constructions, in each case, obtaining the most efficient PFE construction to date, for the considered setting. Similar to the previous work we only consider semi-honest adversaries in this paper.

\\begin{itemize} \\item In the \\emph{multiparty} case with dishonest majority, we apply our techniques to the seminal GMW protocol~\\cite{GMW87} and obtain the first general-purpose PFE with \\emph{linear complexity} in the circuit size.

\\item In the \\emph{two-party} case, we transform Yao\'s garbled circuit protocol~\\cite{yao86} into a constant-round two-party PFE. Depending on the instantiation of the underlying subprotocol, we either obtain a two-party PFE with linear complexity that improves on the only other work with similar asymptotic efficiency (Katz and Malka, ASIACRYPT 2011), or a two-party PFE that provides the best concrete efficiency to date despite not being linear.

\\item The above two constructions are for boolean circuits. In case of \\emph{arithmetic circuits}, we obtain the first PFE with linear complexity based on any additively homomorphic encryption scheme. \\end{itemize}

Though each construction uses different techniques, a common feature in all three is that the overhead of hiding the circuit $\\C$ is essentially equal to the cost of running the OEP protocol on a vector of size $|\\C|$. As a result, to improve efficiency, one can focus on lowering the cost of the underlying OEP protocol. OEP can be instantiated using a singly homomorphic encryption or any general-purpose MPC but we introduce a new construction that we show is significantly more efficient than these alternatives, in practice. The main building block in our OEP construction is an efficient protocol for \\emph{oblivious switching network evaluation} (OSN), a generalization of the previously studied oblivious shuffling problem which is of independent interest. Our results noticeably improve efficiency of the previous solutions to oblivious shuffling, yielding a factor of 25 or more gain in computation and communication.