Updates on changes to the IACR web page. For questions, contact newsletter (at) iacr.org.

Name: Daniel Wichs

Topic: Cryptographic Resilience to Continual Information Leakage

Category: foundations

Description: In this thesis, we study the question of achieving cryptographic security on devices that leak information about their internal secret state to an external attacker. This study is motivated by the prevalence of side-channel attacks, where the physical characteristics of a computation (e.g. timing, power consumption, temperature, radiation, acoustics, etc.) can be measured, and may reveal useful information about the internal state of a device. Since some such leakage is inevitably present in almost any physical implementation, we believe that this problem cannot be addressed by physical countermeasures alone. Instead, it should already be taken into account when designing the mathematical specification of cryptographic primitives and included in the formal study of their security. In this thesis, we propose a new formal framework for modeling the leakage available to an attacker. This framework, called the continual leakage model, assumes that an attacker can continually learn arbitrary information about the internal secret state of a cryptographic scheme at any point in time, subject only to the constraint that the rate of leakage is bounded. More precisely, our model assumes some abstract notion of time periods. In each such period, the attacker can choose to learn arbitrary functions of the current secret state of the scheme, as long as the number of output bits leaked is not too large. In our solutions, cryptographic schemes will continually update their internal secret state at the end of each time period. This will ensure that leakage observed in different time periods cannot be meaningfully combined to break the security of the cryptosystem. Although these updates modify the secret state of the cryptosystem, the desired functionality of the scheme is preserved, and the users can remain oblivious to these updates. We construct signatures, encryption, and secret sharing/storage schemes in this model.[...]

Name: Aleksandar Kircanski

Topic: Cryptanalysis of Symmetric Cryptographic Primitives

Category: secret-key cryptography

Description: Symmetric key cryptographic primitives are the essential building blocks in modern information security systems. The security argument for the majority of such primitives in use is only a heuristic one, and therefore their respective security evaluation continually remains an open question. In this thesis, we provide cryptanalytic results for several relevant cryptographic hash functions and stream ciphers.

First, we provide results concerning two standardized cryptographic hash functions: HAS-160 and SM3. We develop a new heuristic for finding compatible differential paths and apply it to the Korean hash function standard HAS-160. Our heuristic leads to a practical second order collision over all of the HAS-160 function steps, which is the first practical complexity distinguisher for this function. In the case of SM3, which is a design that builds upon the SHA-2 hash, we study second order collision attacks on reduced-round versions and point out a structural slide-rotational property that exists in the function.

Next, we examine the security of the following three stream ciphers: Loiss, SNOW 3G and SNOW 2.0. By exploiting the differential properties of a particular component utilized in the Loiss cipher, we provide a key-recovery attack of practical complexity on Loiss in the related-key model. The SNOW 3G stream cipher is used in the 3rd Generation Partnership Project (3GPP) and the SNOW 2.0 cipher is an ISO/IEC standard (IS 18033-4). For both of these ciphers, we show that the initialization procedure admits a sliding property, resulting in several sets of related-key pairs. Our investigation leads to related-key key recovery attacks against SNOW 2.0 with 256-bit keys.

Finally, we provide differential fault analysis attacks against two stream ciphers: HC-128 and Rabbit. In this type of attack, the attacker is assumed to have physical influence over the device that performs the encryption and is able to introduce random faults into the computational p[...]

Proofs of computational effort were devised to control denial of service attacks. Dwork and Naor (CRYPTO '92), for example, proposed to use such proofs to discourage spam. The idea is to couple each email message with a proof of work that demonstrates the sender performed some computational task. A proof of work can be either CPU-bound or memory-bound. In a CPU-bound proof, the prover must compute a CPU-intensive function that is easy to check by the verifier. A memory-bound proof, instead, forces the prover to access the main memory several times, effectively replacing CPU cycles with memory accesses.

In this paper we put forward a new concept dubbed proof of space. To compute such a proof, the prover must use a specified amount of space, i.e., we are not interested in the number of accesses to the main memory (as in memory-bound proofs of work) but rather in the amount of actual memory the prover must employ to compute the proof.

We give a complete and detailed algorithmic description of our model. We develop a full theoretical analysis which uses combinatorial tools from Complexity Theory (like pebbling games) which are essential in studying space lower bounds.

We remark that a similar concept has recently been described by Dziembowski et al. (Workshop held in Warsaw, 2013); however, their proof-of-space paradigm is more in line with memory-bound proofs of work, since the prover can trade off space with computation, while our definition disallows this prospect.

We present two hierarchical identity-based encryption (HIBE) schemes, denoted as $\ahibe$ and $\hibe$, from Type-3 pairings with constant sized ciphertexts. Scheme $\ahibe$ is anonymous and $\hibe$ is non-anonymous. The constructions are obtained by extending the IBE scheme recently proposed by Jutla and Roy (Asiacrypt 2013). Security is based on the standard decision Symmetric eXternal Diffie-Hellman (SXDH) assumption. In terms of provable security properties, all previous constructions of constant-size ciphertext HIBE schemes had one or more of the following drawbacks: secure in the weaker model of selective-identity attacks; exponential security degradation in the depth of the HIBE; and use of non-standard assumptions. The security arguments for $\ahibe$ and $\hibe$ avoid all of these drawbacks. Along with theoretically satisfying security, the parameter sizes and efficiencies of the different algorithms of the two schemes compare very well with all previously known constructions. Based on currently known techniques, $\ahibe$ and $\hibe$ fill an important gap in the state-of-the-art on efficient (anonymous) HIBE constructions.

2013-12-02

Submission: 13 February 2014

Notification: 13 April 2014

From July 16 to July 18

Location: Amsterdam, Netherlands

More Information: http://petsymposium.org

The Computer Science Department at University College London has an open postdoctoral research position under the supervision of Jens Groth. The Research Associate is funded by an ERC Starting Grant on Efficient Cryptographic Arguments and Proofs with a flexible starting date and a duration of up to 2 years.

Candidates must have a PhD with a strong publication record in cryptography or theoretical computer science. Research experience in zero-knowledge proofs, probabilistically checkable proofs or lattice-based cryptography will be considered a plus.

University College London is one of Europe's highest ranked universities and has recently been recognized by the EPSRC and GCHQ as one of the UK's Academic Centres of Excellence in Cyber Security Research. The Computer Science Department is one of the largest in the UK and is located at UCL's main campus in the centre of London.

2013-12-01

Since the introduction of side channel attacks in the nineties, a large amount of work has been devoted to improving their effectiveness and efficiency. On the one side, general results and conclusions are drawn in theoretical frameworks, but the latter are often set in too ideal a context to capture the full complexity of an attack performed in real conditions. On the other side, practical improvements are proposed for specific contexts, but the big picture is often put aside, which makes them difficult to adapt to different contexts. This paper tries to bridge the gap between both worlds. We specifically investigate which kinds of issues are faced by a security evaluator when performing a state of the art attack. This analysis leads us to focus on the very common situation where the exact time of the sensitive processing is drowned in a large number of leakage points. In this context we propose new ideas to improve the effectiveness and/or efficiency of the three considered attacks. In the particular case of stochastic attacks, we show that the existing literature, essentially developed under the assumption that the exact sensitive time is known, cannot be directly applied when the latter assumption is relaxed. To deal with this issue, we propose an improvement which makes the stochastic attack a real alternative to classical correlation power analysis. Our study is illustrated by various attack experiments performed on several copies of three micro-controllers with different CMOS technologies (respectively 350, 130 and 90 nanometers).

The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user.

Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto '92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system.

In this work, we put forward an alternative concept for PoWs, so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model, using graphs with high "pebbling complexity" and Merkle hash-trees.

We initiate the investigation of gate-tampering attacks against cryptographic circuits. Our model is motivated by the plausibility of tampering directly with circuit gates and by the increasing use of tamper resilient gates among the known constructions that are shown to be resilient against wire-tampering adversaries. We prove that gate-tampering is strictly stronger than wire-tampering. On the one hand, we show that there is a gate-tampering strategy that perfectly simulates any given wire-tampering strategy. On the other hand, we construct families of circuits over which it is impossible for any wire-tampering attacker to simulate a certain gate-tampering attack (that we explicitly construct). We also provide a tamper resilience impossibility result that applies to both gate and wire tampering adversaries and relates the amount of tampering to the depth of the circuit. Finally, we show that defending against gate-tampering attacks is feasible by appropriately abstracting and analyzing the circuit compiler of Ishai et al. \cite{Ishai:2006a} in a manner which may be of independent interest. Specifically, we first introduce a class of compilers that, assuming certain well defined tamper resilience characteristics against a specific class of attackers, can be shown to produce tamper resilient circuits against that same class of attackers. Then, we describe a compiler in this class for which we prove that it possesses the necessary tamper-resilience characteristics against gate-tampering attackers.