International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-05-28
05:22 [Pub][ePrint]

The stream cipher RC4 was designed by R.Rivest in $1987$, and it is a widely deployed cipher. Many predictive states of RC4 for some special indices $i$ were presented in the last $20$ years. In this paper, we present several long term predictive states. These states increase the probability to guess part of the internal state in a known plaintext attack and present a cryptanalytic weakness of RC4. This paper also analyzes possible long term bias in the keystream and further propose a search method for the long term predictive states.

05:22 [Pub][ePrint]

Halevi, Lindell, and Pinkas (CRYPTO 2011) recently proposed a model for secure computation that captures communication patterns that arise

in many practical settings, such as secure computation on the web. In their model, each party interacts only once, with a single centralized server. Parties do not interact with each other; in fact, the parties need not even be online simultaneously.

In this work we present a suite of new, simple and efficient protocols for secure computation in this \"one-pass\" model. We give protocols that obtain optimal privacy for the following general tasks:

-- Evaluating any multivariate polynomial $F(x_1, \\ldots ,x_n)$ (modulo a large RSA modulus N), where the parties each hold an input $x_i$.

-- Evaluating any read once branching program over the parties\' inputs.

As a special case, these function classes include all previous functions for which an optimally private, one-pass computation was known, as well as many new functions, including variance and other statistical functions, string matching, second-price auctions, classification algorithms and some classes of finite automata

and decision trees.

05:22 [Pub][ePrint]

This article aims to present dynamic cube attack on Grain-v1. Dynamic cube attack finds the secret key by using distinguishers gained from structural weakness. The main idea of dynamic cube attack lies in simplifying the output function. After making it simpler, dynamic cube attack will be able to exploit distinguishing attack for recovering the secret key. In this paper, we investigate Grain-v1 to which key recovery attack has never been applied because its feedback function is so sophisticated. we apply dynamic cube attack on it by utilizing both intelligent choices of Initial Value variables and appropriate simplifications. Our attack is done in feasible time complexity, and it recovers all bits of the key while the number of initialization rounds in Grain-v1 is decreased to 100. This attack is faster than exhaustive search by a factor $2^{32}$.

05:22 [Pub][ePrint]

In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We

present a new stateful symmetric encryption scheme: CCS or Chosen

Ciphertext Secure scheme. CCS has the property that modifications to

the ciphertext randomizes the resulting plaintext. Using this property,

we prove the scheme is CCA2 secure. Thus we obtain CCA2 encryption

schemes with minimal ciphertext expansion which are applicable to resource constrained wireless environments. For protocols that send short messages, our scheme is similar to Counter with CBC-MAC (CCM) for

computation but has much shorter messages (since we can use much

smaller or no MAC tags) for a similar level of security. A key idea is

that various protocol fields in the underlying plaintext act as an authentication tag given changes to the message ciphertext. To the best of our knowledge, CCS is the first scheme that achieves CCA2 security with only 2-3 bytes of ciphertext expansion.

05:22 [Pub][ePrint]

We revisit the problem of basing pseudorandom generators on regular one-way functions, and present the following constructions:

(1) For any known-regular one-way function (on $n$-bit inputs) that is known to be $\\eps$-hard to invert, we give a neat (and tighter) proof for the folklore construction of pseudorandom generator of seed length $\\Theta(n)$ by making a single call to the underlying one-way function.

(2) For any unknown-regular one-way function with known $\\eps$-hardness, we give a new construction with seed length $\\Theta(n)$ and $O(n/\\log{(1/\\eps)})$ calls. Here the number of calls is also optimal by matching the lower bounds of Holenstein and Sinha [FOCS 2012].

Both constructions require the knowledge about $\\eps$, but the dependency can be removed while keeping nearly the same parameters. In the latter case, we get a construction of pseudo-random generator from any unknown-regular one-way function using seed length $\\tilde{O}(n)$ and $\\tilde{O}(n/\\log{n})$ calls, where $\\tilde{O}$ omits a factor that can be made arbitrarily close to constant (e.g. $\\log\\log\\log{n}$ or even less). This improves the \\emph{randomized iterate} approach by Haitner, Harnik and Reingold [CRYPTO 2006] which requires seed length $O(n{\\log}{n})$ and $O(n/\\log{n})$ calls.

05:22 [Pub][ePrint]

Identity-based cryptography has attracted attention in the cryptographic research community in recent years. Despite the importance of cryptographic schemes for applications in business and law, the legal implications of identity-based cryptography have not yet been discussed. We investigate how identity-based signatures fit into the legal framework. We focus on the European Signature Directive, but also take the UNCITRAL Model Law on Electronic Signatures into account. In contrast to previous assumptions, identity-based signature schemes can, in principle, be used even for qualified electronic signatures, which can replace handwritten signatures in the member states of the European Union. We derive requirements to be taken into account in the development of future identity-based signature schemes.

05:22 [Pub][ePrint]

Computational privacy is a property of cryptographic

system that ensures the privacy of data (and/or operations)

while being processed at an untrusted server. Cryptography

has been an indispensable tool for computer security but its

readiness for this new generational shift of computing platform

i.e. Cloud Computing is still questionable.

Theoretical constructions like Fully Homomorphic Encryption,

Functional encryption, Server aided Multiparty Computation,

Verifiable Computation, Instance Hiding etc. are few

directions being pursued. These cryptographic techniques solve

Cloud privacy problems at different levels but most of them dont

fit well in overall scheme of things.

We state the privacy requirements for Cloud offerings in

various delivery methods. We discuss the challenges with current

cryptographic techniques being pursued by researchers and show

that they dont cater to blanket cover these privacy requirements.

We urge the need to find generalizations and connections

among these isolated techniques. As this might give more insights

into the underpinnings of Computational Privacy and lead to

better solutions.

05:22 [Pub][ePrint]

The incidence matrix between a set of monomials and a set of vectors in $\\F_2$ has a great importance in the study of coding theory, cryptography, linear algebra, combinatorics. The rank of these matrices are very useful while computing algebraic immunity($\\ai$) of Boolean functions in cryptography literature~\\cite{MPC04,DGM04}.

Moreover, these matrices are very sparse and well structured. Thus, for aesthetic reason finding rank of these matrices is also very interesting in mathematics.

In this paper, we have reviewed the existing algorithms with added techniques to speed up the algorithms and have proposed some new efficient algorithms for the computation of the rank of incidence matrix and solving the system of equations where the co-efficient matrix is an incidence matrix.Permuting the rows and columns of the incidence matrix with respect to an ordering, the incidence matrix can be converted to a lower block triangular matrix, which makes the computation in quadratic time complexity and linear space complexity. Same technique is used to check and computing low degree annihilators of an $n$-variable Boolean functions in faster time complexity than the usual algorithms. Moreover, same technique is also exploited on the Dalai-Maitra algorithm in~\\cite{DM06} for faster computation. On the basis of experiments, we conjecture that the $\\ai$ of $n$-variable inverse S-box is $\\lfloor\\sqrt{n}\\rfloor + \\lceil\\frac{n}{\\lfloor\\sqrt{n}\\rfloor}\\rceil-2$.

We have also shown the skepticism on the existing fastest algorithm

in~\\cite{ACGKMR06} to find $\\ai$ and lowest degree annihilators of a Boolean function.

05:22 [Pub][ePrint]

The goal of a profiling attack is to challenge the security of a cryptographic device in the worst case scenario. Though template attack are reputed as the strongest power analysis attack, they effectiveness is strongly dependent on the validity of the Gaussian assumption. This led recently to the appearance of nonparametric approaches, often based on machine learning strategies. Though these approaches outperform template attack, they tend to neglect the time series nature of the power traces. In this paper, we propose an original multi-class profiling attack that takes into account the temporal dependence of power traces. The experimental study shows that the time series analysis approach is competitive and often better than static classification alternatives.

05:22 [Pub][ePrint]

The security of most Internet applications relies on underlying public key infrastructures (PKIs) and thus on an ecosystem of certification authorities (CAs). The pool of PKIs responsible for the issuance and the maintenance of SSL certificates, called the Web PKI, has grown extremely large and complex. Herein, each CA is a single point of failure for the security, leading to an attack surface, the size of which is hardly assessable.

This paper approaches the issue if and how the attack surface can be reduced in order to reduce the risk of relying on a malicious certificate. In particular we consider the individualization of the set of trusted CAs. We present a tool called Rootopia, which allows to assess the respective part of the Web PKI relevant for a user.

Our analysis of browser histories of 22 Internet users reveals, that the major part of the PKI is completely irrelevant to a single user. The attack surface can be reduced by more than 90%, which shows the potential of the individualization of the set of trusted CAs. Furthermore, all the relevant CAs reside within a small set of countries. Our findings confirm, that we unnecessarily trust in a

huge number of CAs, exposing ourselves to unnecessary risks.

05:22 [Pub][ePrint]

Mixnets are one of the main approaches to deploy secret and verifiable electronic elections.

General-purpose verifiable mixnets however suffer from the drawback that the amount of data to be verified by observers increases linearly with the number of involved mix nodes, the number of decryptors, and the number of voters. Chase et al. proposed a verifiable mixnet at Eurocrypt 2012 based on so-called \\emph{malleable proofs} - proofs that do not increase with the number of mix nodes. In work published at PKC 2013, the same authors adapted malleable proofs to verifiable distributed decryption, resulting in a cryptographic voting scheme. As a result, the amount of data to be verified only increases linearly with the number of voters.

However, their scheme leaves several questions open which we address in this paper:

As a first contribution, we adapt a multi-party computation protocol to build a distributed key generation protocol for the encryption scheme underlying their voting scheme. As a second contribution, we decompress their abstract scheme description, identify elementary operations, and count the number of such operations required for mixing and verification. Based on timings for elementary operations, we extrapolate the running times of the mixing and verification processes, allowing us to assess the feasibility of their scheme. For the German case, we conclude that the replacement of postal voting by cryptographic voting based on malleable proofs is feasible on an electoral district level.