International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-10-07
14:16 [Job][New]

The Cryptography group at the University of Tartu, Estonia, is looking for a researcher (postdoc) in cryptography, preferably with strengths on one of the following topics:

• Theory of cryptography
• Quantum cryptography
• Mathematics (applied to cryptography)
• Verification
• Any other area that complements the existing team

The Cryptography group in Tartu (senior members: Dominique Unruh, Helger Lipmaa, Sven Laur) does research on a variety of cryptography related topic, such as quantum cryptography, verification, foundations of cryptography, cryptographic protocols, e-voting, etc. On the coding theory side, we also have Vitaly Skachek.

Researchers at U Tartu are full faculty members. Salary is 2000 euro (cost of living in Estonia is quite low, see e.g. http://www.expatistan.com/cost-of-living), with an employment contract for three years.

A successful candidate should:

• Hold a phd degree
• Have a strong background in cryptography or a relevant related field
• Have an international publication record at outstanding venues

To apply, please submit the following documents (by email):

• Letter of motivation
• Research plan
• Two letters of reference (make sure they reach us by the application deadline)
• Curriculum vitae
• Publication list
• Phd degree

Deadline for applications: 1 November 2013

2013-10-06
21:24 [Event][New]

Submission: 15 March 2014
From May 21 to May 23
Location: Budapest, Hungary

2013-10-05
15:17 [Pub][ePrint]

Cryptographic applications, such as hashing, block ciphers and stream ciphers, make use of functions which are simple by some criteria (such as circuit implementations), yet hard to invert almost everywhere. A necessary condition for the latter property is to be sufficiently distant\'\' from linear, and cryptographers have proposed several measures for this distance. In this paper, we show that four common measures, nonlinearity, algebraic degree, annihilator immunity, and multiplicative complexity, are incomparable in the sense that for each pair of measures, $\\mu_1,\\mu_2$, there exist functions $f_1,f_2$ with $\\mu_1(f_1)> \\mu_1(f_2)$ but $\\mu_2(f_1)< \\mu_2(f_2)$. We also present new connections between two of these measures. Additionally, we give a lower bound on the multiplicative complexity of collision-free functions.

15:17 [Pub][ePrint]

In this paper, we describe new techniques in meet-in-the-middle attacks. Our basic technique is called a \\emph{linear key sieve} since it exploits as filtering conditions linear dependencies between key bits that are guessed from both sides of the attack. This should be contrasted with related previous attacks, which only exploited

a \\emph{linear state sieve} (i.e., linear dependencies between state bits that are computed from

both sides of the attack). We apply these techniques to the lightweight block cipher LED-64, and improve some of the best known attacks on step-reduced variants of this cipher in all attack models. As a first application of the linear key sieve, we describe a chosen plaintext attack on 2-step LED-64, which reduces the time complexity of the

best previously published attack on this variant from $2^{56}$ to $2^{48}$. Then, we present the first attack on 2-step LED-64 in the \\emph{known plaintext model}. In this attack, we show for the first time that the splice-and-cut technique (which inherently requires chosen messages) can also be applied in the known plaintext model, and we use the linear key sieve in order to obtain an attack with the same time complexity as our chosen plaintext attack. Finally, we describe a related-key attack on 3-step LED-64 which improves the best previously published attack (presented at Asiacrypt 2012) in all the complexity parameters of time/data/memory from $2^{60}$ to $2^{49}$. As our first two single-key attacks, the related-key attack is also based on the linear key sieve, but it uses additional techniques in differential meet-in-the-middle which are interesting in their own right.

15:17 [Pub][ePrint]

The relation between cryptographic key lengths and security depends on the cryptosystem used. This leads to confusion and to insecure parameter choices. In this note a universal security measure is proposed that puts all cryptographic primitives on the same footing, thereby making it easier to get comparable security across the board.

15:17 [Pub][ePrint]

Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most of previously published SCARE attacks enable the recovery of some secret parts of a cipher design --{\\it e.g.} the substitution box(es)-- assuming that the rest of the cipher is known. Moreover, these attacks are often based on idealized leakage assumption where the adversary recovers noise-free side-channel information. In this paper, we address these limitations and describe a generic SCARE attack that can recover the full secret design of any iterated block cipher with common structure. Specifically we consider the family of Substitution-Permutation Networks with either a classical structure (as the AES) or with a Feistel structure. Based on a simple and usual assumption on the side-channel leakage we show how to recover all parts of the design of such ciphers. We then relax our assumption and describe a practical SCARE attack that deals with noisy side-channel leakages.

15:17 [Pub][ePrint]

We investigate the problem of algebraic manipulation detection (AMD) over a communication channel that partially leaks information to an adversary. We assume the adversary is computationally unbounded and there is no shared key or correlated randomness between the sender and the receiver. We introduce leakage-resilient (LR)-AMD codes to detect algebraic manipulation in this model.

We consider two leakage models. The first model, called \\emph{linear leakage}, requires the adversary\'s uncertainty (entropy) about the message (or encoding randomness) to be a constant fraction of its length. This model can be seen as an extension of the original AMD study by Cramer et al. \\cite{CDFPW08} to when some leakage to the adversary is allowed. We study \\emph{randomized strong} and \\emph{deterministic weak} constructions of linear (L)LR-AMD codes. We derive lower and upper bounds on the redundancy of these codes and show that known optimal (in rate) AMD code constructions can serve as optimal LLR-AMD codes. In the second model, called \\emph{block leakage}, the message consists of a sequence of blocks and at least one block remains with uncertainty that is a constant fraction of the block length. We focus on deterministic block (B)LR-AMD codes. We observe that designing optimal such codes is more challenging: LLR-AMD constructions cannot function optimally under block leakage. We thus introduce a new optimal BLR-AMD code construction and prove its security in the model.

We show an application of LR-AMD codes to tampering detection over wiretap channels. We next show how to compose our BLR-AMD construction, with a few other keyless primitives, to provide both integrity and confidentiality in transmission of messages/keys over such channels. This is the best known solution in terms of randomness and code redundancy. We discuss our results and suggest directions for future research.

15:17 [Pub][ePrint]

We present an adaptively secure functional encryption (FE) scheme based on

deterministic finite automata (DFA). The construction uses composite-order bilinear

pairings and is built upon the selectively secure DFA-based FE scheme of Waters (Crypto 2012).

The scheme is proven secure using the dual system methodology under static subgroup decision assumptions.

A dual system proof requires generating of semi-functional components from the instance.

In addition, these components must be shown to be properly distributed in an attacker\'s view.

This can be ensured by imposing a restriction on the automata and strings over which the

scheme is built i.e., every symbol can appear at most once in a string and in the set of

transition tuples of an automata.

First a basic construction with the restrictions is obtained and proved to be adaptively secure.

We then show how to extend this basic scheme to a full scheme where the restrictions can be relaxed

by placing a bound on the number of occurrences of any symbol in a string and in

the set of transitions. With the relaxed restrictions, our system

supports functionality defined by a larger class of regular languages.

15:17 [Pub][ePrint]

Block ciphers use Substitution boxes (S-boxes) to create confusion into the cryptosystems. Functions used as S-boxes should have low differential uniformity, high nonlinearity and algebraic degree larger than 3 (preferably strictly larger). They should be fastly computable; from this viewpoint, it is better when they are in even number of variables. In addition, the functions should be bijections in a Substitution-Permutation Network. Almost perfect nonlinear (APN) functions have the lowest differential uniformity 2 and the existence of APN bijections over $\\F_{2^n}$ for even $n\\ge 8$ is a big open problem. In the present paper, we focus on constructing differentially 4-uniform bijections suitable for designing S-boxes for block ciphers. Based on the idea of permuting the inverse function, we design a construction providing a large number of differentially 4-uniform bijections with maximum algebraic degree and high nonlinearity. For every even $n\\ge 12$, we mathematically prove that the functions in a subclass of the constructed class are CCZ-inequivalent to known differentially 4-uniform power functions and to quadratic functions. This is the first mathematical proof that an infinite class of differentially 4-uniform bijections is CCZ-inequivalent to known differentially 4-uniform power functions and to quadratic functions. We also get a general lower bound on the nonlinearity of our functions, which can be very high in some cases, and obtain three improved lower bounds on the nonlinearity for three special subcases of functions which are extremely large.

2013-10-04
23:47 [Event][New]

Submission: 10 March 2014