International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-05-28
05:21 [Pub][ePrint]

For security applications in wireless sensor networks (WSNs), choosing best algorithms in terms of energy-efficiency and of small memory requirements is a real challenge because the sensor networks must be autonomous. In \\cite{EisenbarthGGHIKKNPRSO12,LawDH06}, the authors have benchmarked on a dedicated platform some block-ciphers and have deduced the best candidates to use in the context of small embedded platforms.

This article proposes to study on a dedicated platform of sensors most of the recent lightweight block ciphers as well as some conventional block ciphers. First, we describe the design of the chosen block ciphers with a security summary and we then present some implementation tests performed on our platform.

05:21 [Pub][ePrint]

We consider a class of two-party function evaluation protocols in which the parties are allowed to use ideal functionalities as well as a set of powerful primitives, namely commitments, homomorphic encryption, and certain zero-knowledge proofs. We illustrate that with these it is possible to capture protocols for oblivious transfer, coin-flipping, and generation of multiplication-triple.

We show how any protocol in our class can be compiled to a symbolic representation expressed as a process in an abstract process calculus, and prove a general computational soundness theorem implying that if the protocol realises a given ideal functionality in the symbolic setting, then the original version also realises the ideal functionality in the standard computational UC setting. In other words, the theorem allows us to transfer a proof in the abstract symbolic setting to a proof in the standard UC model.

Finally, we show that the symbolic interpretation is simple enough in a number of cases for the symbolic proof to be partly automated using the ProVerif tool.

05:21 [Pub][ePrint]

Lattice-based signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12] as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief and shows how to improve the GPV scheme in terms of space and running time and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive to the signature schemes that are currently used in practice.

05:21 [Pub][ePrint]

The development of a standardised testing methodology for side-channel resistance of cryptographic devices is an issue that has received recent focus from standardisation bodies such as NIST. Statistical techniques such as hypothesis and significance testing appear to be ideally suited for this purpose. In this work we evaluate the candidacy of three such tests: a \\emph{t}-test proposed by Cryptography Research Inc., and two mutual information-based tests. We compare the detection tests in a theoretical setting by conducting an \\emph{a priori} statistical power analysis, covering previously unforeseen problems arising from multiple hypothesis testing, and analyse the practical application of the tests through a case study using an implementation of the AES on an ARM7 microcontroller, demonstrating a trade-off between test genericity and data and computational complexity.

05:21 [Pub][ePrint]

We describe a quasi-linear algorithm for computing Igusa class polynomials of Jacobians of genus 2 curves via complex floating-point approximations of their roots. After providing an explicit treatment of the computations in quartic CM fields and their Galois closures, we pursue an approach due to Dupont for evaluating ϑ-constants in quasi-linear time using Newton iterations on the Borchardt mean. We report on experiments with our implementation and present an example with class number 17608.

05:21 [Pub][ePrint]

Composite-order bilinear groups provide many structural features that have proved useful for both constructing cryptographic primitives and as a technique in security reductions. Despite these convenient features, however, composite-order bilinear groups are less desirable than prime-order bilinear groups for reasons of efficiency. A recent line of work has therefore focused on translating these structural features from the composite-order to the prime-order setting; much of this work focused on two such features, projecting and canceling, in isolation, but a recent result due to Seo and Cheon showed that both features can be obtained simultaneously in the prime-order setting.

In this paper, we reinterpret the construction of Seo and Cheon in the context of dual pairing vector spaces, a tool previously used to simulate other desirable features of composite-order groups in the prime-order setting. In this way, we are able to obtain a unified framework that simulates all of the known composite-order features in the prime-order setting. We demonstrate the strength of this framework by showing that the addition of even a weak form of projecting on top of the pre-existing uses of dual pairing vector spaces can be leveraged to \"boost\" a fully IND-CPA secure identity-based encryption scheme to one that is fully IND-CCA1 secure.

05:21 [Pub][ePrint]

CLEFIA is a 128-bit block cipher proposed by Sony Corporation in 2007. Our paper introduces a new chosen text attack, impossible differential-linear attack, on iterated cryptosystems. The attack is efficient for full-round CLEFIA without whitening keys. In the paper, we construct a 14-round impossible differential distinguisher. Based on the distinguisher, we present an effective attack on full-round CLEFIA-128 with data complexity of $2^{126.52}$, recovering 91-bit subkeys in total. Besides, the results of 15/16/17-round CLEFIA-128 are given in the Appendix B/C/D. Our attack can also applied to CLEFIA-192 and CLEFIA-256.

05:21 [Pub][ePrint]

Few days ago Grigoriev and Shpilrain have proposed to build a system for transmission of information without a shared secret, or essentially a sort of public key cryptosystem, based on properties of physical systems.

In this paper we show that their second scheme based on capacitors is insecure and extremely easy to break in practice.

05:21 [Pub][ePrint]

In hardware, substitution boxes for block ciphers can be saved already masked in the implementation.

The masks must be chosen under two constraints:

their number is determined by the implementation area and their properties should allow to deny high-order zero-offset attacks of highest degree.

First, we show that this problem translates into a known trade-off in Boolean functions, namely

finding correlation-immune functions of lowest weight.

For instance, this allows to prove that a byte-oriented block cipher such as AES can be protected with only $16$ mask values against zero-offset correlation power attacks of orders $1$, $2$ and $3$.

Second, we study $d$th-order correlation-immune Boolean functions $\\F_2^n \\to \\F_2$ of low-weight

and exhibit such functions of minimal weight found by a satisfiability modulo theory tool.

In particular, we give the minimal weight for $n \\leq 10$.

Some of these results were not known previously, such as the minimal weight for

$(n=9, d=4)$ and

$(n=10, d \\in \\{4,5,6\\})$.

These results set new bounds for the minimal number of lines of binary orthogonal arrays.

In particular, we point out that the minimal weight $w_{n,d}$ of a $d$th-order correlation-immune function might not be increasing with the number of variables $n$.

05:21 [Pub][ePrint]

The generation of high quality random numbers is crucial to many cryptographic applications, including cryptographic protocols, secret of keys, nonces or salts. Their values must contain enough randomness to be unpredictable to attackers. Pseudo-random number generators require initial data with high entropy as a seed to produce a large stream of high quality random data. Yet, despite the importance of randomness, proper high quality random number generation is often ignored. Primarily embedded devices often suffer from weak random number generators. In this work, we focus on identifying and evaluating SRAM in commercial off-the-shelf microcontrollers as an entropy source for PRNG seeding. We measure and evaluate the SRAM start-up patterns of two popular types of microcontrollers, a STMicroelectronics STM32F100R8 and a Microchip PIC16F1825. We also present an efficient software-only architecture for secure PRNG seeding. After analyzing over 1 000 000 measurements in total, we conclude that of these two devices, the PIC16F1825 cannot be used to securely seed a PRNG. The STM32F100R8, however, has the ability to generate very strong seeds from the noise in its SRAM start-up pattern. These seeds can then be used to ensure a PRNG generates high quality data.

05:21 [Pub][ePrint]

Leakage-resilient cryptography aims at developing new algorithms for which physical security against side-channel attacks can be formally analyzed. Following the work of Dziembowski and Pietrzak at FOCS 2008, several symmetric cryptographic primitives have been investigated in this setting. Most of them can be instantiated with a block cipher as underlying component. Such an approach naturally raises the question whether certain block ciphers are better suited for this purpose. In order to answer this question, we consider a leakage-resilient re-keying function, and evaluate its security at different abstraction levels. That is, we study possible attacks exploiting specific features of the algorithmic description, hardware architecture and physical implementation of this construction. These evaluations lead to two main outcomes. First, we complement previous works on leakage-resilient cryptography and further specify the conditions under which they actually provide physical security. Second, we take advantage of our analysis to extract new design principles for block ciphers to be used in leakage-resilient primitives. While our investigations focus on side-channel attacks in the first place, we hope these new design principles will trigger the interest of symmetric cryptographers to design new block ciphers combining good properties for secure implementations and security against black box (mathematical) cryptanalysis.