International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-12-17
16:17 [Pub][ePrint]

At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee\'s work in two directions:

(a) We propose threshold extractable hash proof instantiations from the \"Extended Decisional Diffie-Hellman\" (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme.

(b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee\'s factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

16:17 [Pub][ePrint]

How is it possible to prevent the sharing of cryptographic

functions? This question appears to be fundamentally hard to address

since in this setting the owner of the key {\\em is} the adversary:

she wishes to share a program or device that (potentially only

partly) implements her main cryptographic functionality. Given that

she possesses the cryptographic key, it is impossible for her to be

{\\em prevented} from writing code or building a device that uses

that key. She may though be {\\em deterred} from doing so.

We introduce {\\em leakage-deterring} public-key cryptographic

primitives to address this problem. Such primitives have the feature

of enabling the embedding of owner-specific private data into the

partially functional) implementation of the primitive, the recovery

of the data can be facilitated. We formalize the notion of

leakage-deterring in the context of encryption, signature, and

identification and we provide efficient generic constructions that

facilitate the recoverability of the hidden data while retaining

privacy as long as no sharing takes place.

16:17 [Pub][ePrint]

In this paper, we consider an RSA modulus $N=pq$, where the prime factors $p$, $q$ are of the same size. We present an attack on RSA when the decryption exponent $d$ is in the form $d=Md_1+d_0$ where $M$ is a given positive integer and $d_1$ and $d_0$ are two suitably small unknown integers. In 1999, Boneh and Durfee~\\cite{BODU} presented an attack on RSA when $d 16:17 [Pub][ePrint] RFID (Radio Frequency Identification) is one of the most growing technologies among the pervasive systems. Non line of sight capability makes RFID systems much faster than its other contending systems such as barcodes and magnetic taps etc. But there are some allied security apprehensions with RFID systems. RFID security has been acquired a lot of attention in last few years as evinced by the large number of publications (over 2000). In this paper, a brief survey of eminent ultralightweight authentication protocols has been presented & then a four-layer security model, which comprises of various passive and active attacks, has been proposed. Cryptanalysis of these protocols has also been performed under the implications of the proposed security model 16:17 [Pub][ePrint] Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In recent years, several identity-based authenticated key agreement protocols have been proposed. In this study, we analyze three identity-based tripartite authenticated key agreement protocols. After the analysis, we found that these protocols do not possess the desirable security attributes. 16:17 [Pub][ePrint] Profiling power attacks like Template attack and Stochastic attack optimize their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling Differential Power Analysis (DPA) attacks, since integration of the leakage of a higher SNR sample point with the leakage of lower SNR sample point might result in a decrease in the overall performance. One of the few successful multivariate approaches is the application of Principal Component Analysis (PCA) for non-profiling DPA. However, PCA also performs sub-optimally in the presence of high noise. In this paper, a multivariate model for an FPGA platform is introduced for improving the performances of non-profiling DPA attacks. The introduction of the proposed model greatly increases the success rate of DPA attacks in the presence of high noise. The experimental results on both simulated power traces and real power traces are also provided as an evidence. 16:17 [Pub][ePrint] In this paper we show that it is possible and, indeed, feasible to use secure multiparty computation for calculating the probability of a collision between two satellites. For this purpose, we first describe basic floating-point arithmetic operators (addition and multiplication) for multiparty computations. The operators are implemented on the SHAREMIND secure multiparty computation engine. We discuss the implementation details, provide methods for evaluating example elementary functions (inverse, square root, exponentiation of e, error function). Using these primitives, we implement a satellite conjunction analysis algorithm and give benchmark results for the primitives as well as the conjunction analysis itself. 16:17 [Pub][ePrint] This paper discusses combined modeling and side channel attacks on Strong Physical Unclonable Functions (Strong PUFs). We illustrate our method by the example of the two currently most secure (CCS 2010, IEEE T-IFS 2013) electrical Strong PUFs, so-called XOR Arbiter PUFs and Lightweight PUFs, and successfully attack them at sizes and complexities far beyond the reach of pure modeling techniques (CCS 2010, IEEE T-IFS 2013). Our approach makes use of the first power and timing side channels on PUFs reported in the literature. Both provide information on the single outputs of the many parallel Arbiter PUFs inside an XOR Arbiter PUF or Lightweight PUF, and indicate how many of these single outputs (in sum) were equal to one (and how many were equal to zero) before they entered the final XOR gate. Taken for itself, this side channel information is of little value. But if combined with suitably adapted machine learning techniques, it substantially changes attack performance: It reduces the empirically estimated complexities for modeling the above two PUFs from exponential (CCS 2010, IEEE T-IFS) to low degree polynomial. The practical viability of our attacks is firstly demonstrated by SPICE simulations, and by subsequent ML experiments on numerically simulated CRPs. We thereby confirm attacks on the two above PUFs for up to 16 XORs and challenge bitlengths of up to 512. Secondly, we execute a full experimental proof-ofconcept for our timing side channel, successfully attacking FPGA implementations of the two above PUF types for 8, 12, and 16 XORs, and bitlengths 64, 128, 256 and 512. We implement these sizes for the first time in the literature in silicon, and subsequently attack them successfully by our new methods. We remark that in recent works (CCS 2010, IEEE T-IFS 2013), 8 XOR architectures with bitlength 512 had been explicitly suggested as secure and beyond the reach of current attacks. Finally, we discuss efficient countermeasures against our power and timing side channels. They could and should be used to secure future Arbiter PUF generations against the latter. 16:17 [Pub][ePrint] In this paper we study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by J.-P. Aumasson et al. For SM3, we present boomerang distinguishers for the compression function reduced to 34/35/36/37/38 steps out of 64 steps, with time complexities$2^{31.4}$,$2^{33.6}$,$2^{73.4}$,$2^{93}$and$2^{192}$respectively. Then we show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, we launch boomerang attacks on up to 7 and 8 rounds keyed permutation of BLAKE-256 which are the first valid$7$-round and$8\$-round boomerangs for BLAKE-256. Especially, since our distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, we are able to obtain boomerang quartets of these attacks. As far as we know, these are the best results against round-reduced SM3 and BLAKE-256.

2013-12-16
22:17 [Pub][ePrint]

We construct an Identity-Based Key Encapsulation Mechanism (IB-KEM) in a generic \"leveled\" multilinear map setting and make it translated to the GGH framework, which defined an \"approximate\" version of a multilinear group family from ideal lattices. Then, we prove their security in the selective-ID model.