International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-05-28
11:54 [Conf][AC]

## Asiacrypt 2012 General Chair Report

Xuejia Lai, March, 2013

Asiacrypt 2012 was held in Beijing, China from Dec.2 to Dec.6 2012. The conference organization was supported by China Association for Cryptologic Research, Shanghai Jiao Tong University, Tsinghua University and Labs of Information Security, China Academi of Science.

## Attendance

There are 325 registed participants from 31 countries in total, including 104 students.

Asiacrypt 2012 received funding with a total amount about $36,000, from 6 sponsors: Natural Science Foundation of China, Huawei Technologies, INTEL, NationZ Technologies and Aisino. With their generous support we were able to provide registrations for 36 students from China, besides the free registration for 10 student speakers. ## Conference facilities This year year, the conferece hall and the main hotel are at the same site, avoided walking through the cold wind in Beijing. ## Visa-inviation We made a conference stamp to produce formal invitation letters for 30 participants to obtain the visa, the process went quite smoothly, without "hard case", except for a few cases where we need to provide phone call, fax back confirmations. ## Proceedings Asiacrypt 2012 Proceedings was produced following the new IACR policy. The registration fee includeed a USB drive containing an electronic copy of the proceedings, and attendees need to pay extra for a paper proceedings. 70 copies of paper proceeding were all sold out at the conference. ## Other events Together with Asiacrypt 2012, The 8th China International Conference on Information Security and Cryptology (INSCRYPT 2012) was held before the main confernce, and the 2nd Workshop on International View of Cryptography and Security and Their Use in Practice: Focus on Mobile and Embedded Computing was held after the main confernce. 08:52 [Event][New] Submission: 20 June 2013 From August 11 to August 13 Location: Chicago, USA More Information: http://2013.diac.cr.yp.to 05:22 [Pub][ePrint] In this article it\'s discussed the analytic property of$\\zeta(s)$. The popular opinion is denied. 05:22 [Pub][ePrint] We study the problem on how to either prevent identity impersonation (IDI) attacks or limit its consequences by on-line detecting previously unidentified IDI attacks, where IDI attacks are normally caused by the leakage of identity related long-term key. Such problem has, up until now, lacked a provably good solution. We deal with this problem through the scenario on authenticated key exchange with synchronized state (AKESS). This work provides a security model for AKESS protocols, in which we particularly formalize the security of the synchronized state. We propose a two party execution state synchronization framework for symmetric case, based on which we propose a generic compiler for AKESS protocols. Our goal is to compile any existing passively secure key exchange (KE) protocol to AKESS protocol using synchronized state, without any modification on those KE protocols. The proposal is probably secure in the standard model under standard assumptions. 05:22 [Pub][ePrint] Ristenpart et al. showed that the limitation of the indifferentiability theorem of Maurer et al. which does not cover all multi stage security notions but covers only single stage security notions, defined a new concept (reset indifferentiability), and proved the reset indifferentiability theorem, which is an analogy of the indifferentiability theorem covers all security notions S: if H^U is reset indifferentiable from RO, for any security notion, a cryptosystem C is at least as secure in the U model as in the RO model. Unfortunately, they also proved the impossibility of H^U being reset indifferentiable from a RO where H is a one-pass hash function such as ChopMD and Sponge constructions. In this paper, we will propose a new proof of molular approach instead of the RO methodology, Reset Indifferentiability from Weakened Random Oracle, called as the WRO methodology, in order to ensure the security of C with H^U, salvaging ChopMD and Sponge. The concrete proof procedure of the WRO methodology is as follows: 1. Define a new concept of WRO instead of RO, 2. Prove that H^U is reset indifferentiable from a WRO, (here an example of H is ChopMD and Sponge), and 3. Prove that C is secure in the WRO model. As a result we can prove that C with H^U is secure by combining the results of Steps 2, 3, and the theorem of Ristenpart et al. Moreover, for public-key encryption (as cryptosystem C) and chosen-distribution attack we will prove that C(WRO) is secure, which implies the appropriateness of the new concept of the WRO model. 05:22 [Pub][ePrint] EAX$\'$(EAX-prime) is an authenticated encryption (AE) specified by ANSI C12.22 as a standard security function for Smart Grid. EAX$\'$is based on EAX proposed by Bellare, Rogaway, and Wagner. While EAX has a proof of security based on the pseudorandomness of the internal blockcipher, no published security result is known for EAX$\'$. This paper studies the security of EAX$\'$and shows that there is a sharp distinction in security of EAX$\'$depending on the input length. EAX$\'$encryption takes two inputs, called cleartext and plaintext, and we present various efficient attacks against EAX$\'$using single-block cleartext and plaintext. At the same time we prove that if cleartexts are always longer than one block, it is provably secure based on the pseudorandomness of the blockcipher. 05:22 [Pub][ePrint] Physically Uncloneable Functions (PUFs) [Pap01] are noisy physical sources of randomness. As such, they are naturally appealing for cryptographic applications, and have caught the interest of both theoreticians and practitioners. A major step towards understanding and securely using PUFs was recently taken in [Crypto 2011] where Brzuska, Fischlin, Schröder and Katzenbeisser model PUFs in the Universal Composition (UC) framework of Canetti [FOCS 2001]. Their model considers trusted PUFs only, and thus real-world adversaries can not create malicious PUFs, and can access the physical object only via the prescribed procedure. However,this does not accurately reect real-life scenarios, where an adversary could be able to create and use malicious PUFs, or access the PUF through other procedures. The goal of this work is to extend the model proposed in [Crypto 2011] in order to capture such real-world attacks. The main contribution of this work is the study of the Malicious PUFs model. Namely, we extend the PUF functionality of Brzuska et al. so that it allows the adversary to create arbitrarily malicious PUFs. Then, we provide positive results in this, more realistic, model. We show that, under computational assumptions, it is possible to UC-securely realize any functionality. Furthermore, we achieve unconditional (not UC) security with malicious PUFs, by showing a statistically hiding statistically binding commitment scheme that uses one PUF only, and such PUF can be malicious. As an additional contribution, we investigate another attack model, where adversaries access to a trusted PUF in a dierent way (i.e., not following the prescribed procedure). Technically this attack translates into the fact that the simulator cannot observe the queries made to an honest PUF. In this model, queries are oblivious to the simulator, and we call it the Oblivious Query model. We are able to achieve unconditionally UC-secure computation, even in this more severe model. This protocol is secure against stronger adversaries compared to the ones of Brzuska et al. Finally, we show the impossibility of UC secure computation in the combination of the above two new models, where the real-world adversary can create malicious PUFs and maliciously access to honest PUFs. Our work sheds light on the signicant power and applicability of PUFs in the design of cryptographic protocols modeling adversaries that misbehave with PUFs. 05:22 [Pub][ePrint] Since the introducing of extended Canetti-Krawczyk~(eCK) security model for two party key exchange, many protocols have been proposed to provide eCK security. However, most of those protocols are provably secure in the random oracle model or rely on special design technique well-known as the NAXOS trick. In contrast to previous schemes, we present an eCK secure protocol in the standard model, without NAXOS trick and without knowledge of secret key (KOSK) assumption for public key registration. The security proof of our scheme is based on standard pairing assumption, collision resistant hash functions, bilinear decision Diffie-Hellman (BDDH) and decision linear Diffie-Hellman (DLIN) assumptions, and pseudo-random functions with pairwise independent random source. Although our proposed protocol is based on bilinear groups, it doesn\'t need any pairing operations during protocol execution. 05:22 [Pub][ePrint] In this paper, we analyze the resistance of the lightweight ciphers PRESENT, LED, and KLEIN to biclique attacks. Primarily, we describe attacks on the full-round versions PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-80, and KLEIN-96. Our attacks have time complexities of$2^{79.49}$,$2^{127.32}$,$2^{63.58}$,$2^{127.42}$,$2^{79.00}$, and$2^{95.18}\$ encryptions, respectively. In addition, we consider attacks

on round-reduced versions of PRESENT and LED, to show the security margin for which an adversary can obtain an advantage of at least a factor of two compared to exhaustive search.

05:22 [Pub][ePrint]

Garbled circuits, introduced by Yao in the mid 80s, allow computing a

function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct single-key functional encryption scheme.

Functional encryption is an ambitious primitive: given an encryption

Enc(x) of a value x, and a secret key sk_f for a function f, anyone can compute f(x) without learning any other information about x. We

construct, for the first time, a succinct functional encryption

scheme for any polynomial-time function f where succinctness means

that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key sk_f (or even an a priori bounded number of keys for different functions).

Building on our succinct single-key functional encryption scheme, we

show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call token-based obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in input-specific time rather than worst-case time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.

05:22 [Pub][ePrint]

With over 1.5~billion debit and credit cards in use worldwide, the EMV system (a.k.a. Chip-and-PIN\'\') has become one of the most important deployed cryptographic protocol suites. Recently, the EMV consortium has decided to upgrade the existing RSA based system with a new system relying on Elliptic Curve Cryptography (ECC). One of the central components of the new system is a protocol that enables a card to establish a secure channel with a card reader. In this paper we provide a security analysis of the proposed protocol, we propose minor changes/clarifications to the Request for Comments\'\' issued in Nov 2012, and demonstrate that the resulting protocol meets the intended security goals.

The structure of the protocol is one commonly encountered in practice: first run a key-exchange to establish a shared key (which performs authentication and key confirmation), only then use the channel to exchange application messages. Although common in practice, this structure takes the protocol out of the reach of most standard security models for key-exchange. Unfortunately, the only models that can cope with the above structure suffer from some drawbacks that make them unsuitable for our analysis. Our second contribution is to provide new security models for channel establishment protocols. Our models have a more inclusive syntax, are quite general, deal with a realistic notion of authentication (one-sided authentication as required by EMV), and do not suffer from the drawbacks that we identify in prior models.