International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-12-29
22:17 [Pub][ePrint]

In a public-key encryption scheme,

if a sender is not concerned about the security of a message and

is unwilling to generate costly randomness,

the security of the encrypted message can be compromised.

This is caused by the \\emph{laziness} of the sender.

In this work, we characterize \\emph{lazy parties} in cryptography.

Lazy parties are regarded as honest parties in a protocol,

but they are not concerned about the security of the protocol in

a certain situation.

In such a situation, they behave in an honest-looking way, and are unwilling to do a costly task.

We study, in particular, public-key encryption with lazy parties.

Specifically, as the first step toward understanding the behavior of lazy parties

in public-key encryption, we consider a rather simple setting in which

the costly task is to generate randomness used in algorithms,

and parties can choose either costly good randomness or cheap bad randomness.

We model lazy parties as rational players who behaves rationally to

maximize their utilities, and define a security game between lazy parties

A secure encryption scheme requires that the game is conducted by

lazy parties in a secure way if they follow a prescribed strategy,

and the prescribed strategy is a good equilibrium solution for the game.

Since a standard secure encryption scheme does not work for lazy parties,

we present some public-key encryption schemes that are secure for lazy parties.

13:17 [Pub][ePrint]

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations. In a preliminary presentation (Eurocrypt\'04 rump session), we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.

In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG\'s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

13:17 [Pub][ePrint]

We reformalize and recast dual-receiver encryption (DRE) proposed in CCS \'04, a public-key encryption (PKE) scheme for encrypting to two independent recipients in one shot. We start by defining the crucial soundness property for DRE, which ensures that two recipients will get the same decryption result. While conceptually simple, DRE with soundness turns out to be a powerful primitive for various goals for PKE, such as complete non-malleability (CNM) and plaintext-awareness (PA). We then construct practical DRE schemes without random oracles under the Bilinear Decisional Diffie-Hellman assumption, while prior approaches rely on random oracles or inefficient non-interactive zero-knowledge proofs. Finally, we investigate further applications or extensions of DRE, including DRE with CNM, combined use of DRE and PKE, strengthening two types of PKE schemes with plaintext equality test, off-the-record messaging with a stronger notion of deniability, etc.

13:17 [Pub][ePrint]

The Side Channel Analysis is now a classic way to retrieve a secret key in the smart-card world. Unfortunately, most of the ensuing attacks require the plaintext or the ciphertext used by the embedded algorithm. In this article, we present a new method for exploiting the leakage of a device without this constraint. Our attack is based on a study of the leakage distribution of internal data of a cryptographic function and can be performed not only at the beginning or the end of the algorithm, but also at every instant that involves the secret key. This paper focuses on the distribution study and the resulting attack. We also propose a way to proceed in a noisy context using smart distances. We validate our proposition by practical results on an AES128 software implemented on a ATMega2561 and on the DPA contest v4.

13:17 [Pub][ePrint]

The notion of differing-inputs obfuscation (diO) was introduced by Barak et al. (CRYPTO 2001). It guarantees that for any two circuits $C_0, C_1$, for which it is difficult to use their description and come up with an input $x$ on which they differ $C_0(x) \\neq C_1(x)$, it should also be difficult to distinguish the obfuscation of $C_0$ from that of $C_1$. This is a strengthening of indistinguishability obfuscation, where the above is only guaranteed for circuits that agree on all inputs: $C_0(x) = C_1(x)$ for all $x$. Two recent works of Ananth et al. (ePrint 2013) and Boyle et al. (TCC 2014) study the notion of diO in the setting where the attacker is also given some auxiliary information related to the circuits, showing that this notion leads to many interesting applications. One of these applications is extractable witness encryption, defined by Goldwasswer et al. (CRYPTO \'13), which in turn leads to constructions of functional encryption and reusable garbling schemes that work directly on Turing Machines rather than circuits.

In this work, we show that the existence of general-purpose diO with general auxiliary input leads to a surprising implausible\'\' consequence: in particular, it would show the impossibility of obfuscating a specific circuit $C^*$ with specific auxiliary input $\\aux^*$ in a way that hides some specific information. In particular, we put forth the assumption that such special-purpose obfuscation exists, and under this assumption, we show that general-purpose diO does not exist. This special-purpose obfuscation assumption isn\'t implied by diO itself and hence we do not get an unconditional impossibility result. However, the special-purpose obfuscation assumption is a falsifiable assumption which we do not know how to break for candidate obfuscation schemes. Showing the existence of general-purpose diO with general auxiliary input would necessitate showing how to break this assumption. We also give a similar result showing the impossibility of extractable witness encryption under the same special-purpose obfuscation assumption.

13:17 [Pub][ePrint]

The enforcement of sensitive policies in untrusted environments is still an open challenge for policy-based systems. On the one hand, taking any appropriate security decision requires access to these policies. On the other hand, if such access is allowed in an untrusted environment then confidential information might be leaked by the policies. The key challenge is how to enforce sensitive policies and protect content in untrusted environments. In the context of untrusted environments, we mainly distinguish between outsourced and distributed environments. The most attractive paradigms concerning outsourced and distributed environments are cloud computing and opportunistic networks, respectively.

In this dissertation, we present the design, technical and implementation details of our proposed policy-based access control mechanisms for untrusted environments. First of all, we provide full confidentiality of access policies in outsourced environments, where service providers do not learn private information about policies during the policy deployment and evaluation phases. Our proposed architecture is such that we are able to support expressive policies and take into account contextual information before making any access decision. The system entities do not share any encryption keys and even if a user is deleted, the system is still able to perform its operations without requiring any action. For complex user management, we have implemented a policy-based Role-Based Access Control (RBAC) mechanism, where users are assigned roles, roles are assigned permissions and users execute permissions if their roles are active in the session maintained by service providers. Finally, we offer the full-fledged RBAC policies by incorporating role hierarchies and dynamic security constraints.

In opportunistic networks, we protect content by specifying expressive access control policies. In our proposed approach, brokers match subscriptions against policies associated with content without compromising privacy of subscribers. As a result, an unauthorised broker neither gains access to content nor learns policies and authorised nodes gain access only if they satisfy fine-grained policies specified by publishers. Our proposed system provides scalable key management in which loosely-coupled publishers and subscribers communicate without any prior contact. Finally, we have developed a prototype of the system that runs on real smartphones and analysed its performance.

13:17 [Pub][ePrint]

We construct a 1-round delegation scheme (i.e., argument-system)

for every language computable in time t=t(n), where the running

time of the prover is poly(t) and the running time of the

verifier is n*polylog(t). In particular, for every language in P

we obtain a delegation scheme with almost linear time

verification. Our construction relies on the existence of a

computational sub-exponentially secure private information

retrieval (PIR) scheme.

The proof exploits a curious connection between the problem of

computation delegation and the model of multi-prover interactive

proofs that are sound against no-signaling (cheating) strategies,

a model that was studied in the context of multi-prover

interactive proofs with provers that share quantum entanglement,

and is motivated by the physical principle that information

cannot travel faster than light.

For any language computable in time t=t(n), we construct a

multi-prover interactive proof (MIP) that is sound against

no-signaling strategies, where the running time of the provers is

poly(t), the number of provers is polylog(t), and the running

time of the verifier is n*polylog(t).

In particular, this shows that the class of languages that have

polynomial-time MIPs that are sound against no-signaling

strategies, is exactly EXP. Previously, this class was only known

to contain PSPACE.

To convert our MIP into a 1-round delegation scheme, we use the

method suggested by Aiello et-al (ICALP, 2000), which makes use

of a PIR scheme. This method lacked a proof of security. We prove

that this method is secure assuming the underlying MIP is secure

against no-signaling provers.

13:17 [Pub][ePrint]

Electronic voting systems are among the most security critical distributed systems. Different trust concepts are implemented to mitigate the risk of conspiracies endangering security properties. These concepts render systems often very complex and end users no longer recognize whom they need to trust. Correspondingly, specific trust considerations are necessary to support users. Recently, resilience terms have been proposed in order to express, which entities can violate the addressed security properties in particular by illegal collaborations. However, previous works derived these resilience terms manually. Thus, successful attacks can be missed. Based on this approach, we propose a framework to formally and automatically derive these terms. Our framework comprises a knowledge calculus, which allows us to model knowledge and reason about knowledge of collaborating election entities. The introduced framework is applied to deduce previously manually derived resilience terms of three remote electronic voting systems, namely Polyas, Helios and the Estonian voting system. Thereby, we were able to discover mistakes in previous derivations.

13:17 [Pub][ePrint]

We develop new schemes for deterministically updating a stored

cryptographic key that provide security against an internal

adversary who can control the update computation and leak bounded

amounts of information to the outside world. Our schemes are much

more efficient than the previous schemes for this model, due to Dziembowski,

Kazana and Wichs (CRYPTO 2011). Specifically, our update operation

runs in time quasilinear in the key length, rather than quadratic,

while offering a similar level of leakage resilience.

In order to design our scheme, we strengthen the connections between

the model of Dziembowski et al. and pebbling games\'\', showing that

random-oracle-based key evolution schemes are secure as long as the

graph of the update function\'s calls to the oracle has

appropriate combinatorial properties. This builds on a connection

between pebbling and the random oracle model first established by

Dwork, Naor and Wee (CRYPTO 2005). Our scheme\'s efficiency relies on the

existence (which we show) of families of local\'\'

bipartite expander graphs of constant degree.

13:17 [Pub][ePrint]

Profiling power attacks like Template attack and Stochastic attack optimizes their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling DPA attacks, since integration of the leakage of a higher Signal-to-Noise Ratio (SNR) sample point with the leakages of lower SNR sample points might result in a decrease in the overall performance. We study the issue of optimally combining the leakages of multiple sample points using a linear function in great details. In this work, our contributions are three-fold: 1) we first derive a relation between the success rate of a CPA attack and the SNR of the power traces, 2) we introduce a multivariate leakage model for Virtex-5 FPGA device, and 3) using the proposed multivariate leakage model, we derive the linear Finite Impulse Response (FIR) filter coefficients which maximizes the SNR of the output leakage, thus optimizes the success rate of the CPA attacks in a non-profiling setup.

13:17 [Pub][ePrint]

In this paper we propose an efficient and compact hardware implementation of a polynomial multiplier based on the Fast Fourier Transform (FFT) for use in ring-LWE cryptosystems. We optimize the forward wrapped convolution by merging the pre-processing and the FFT and propose an advanced memory access scheme which reduces the number

of memory accesses and the number of RAM slices used in the design.

These techniques result in a hardware implementation of a polynomial multiplier for the ring-LWE cryptosystem of dimension 256 that uses only 281 slices and one block RAM on a Virtex V.

Finally, we also propose a modification of a ring-LWE encryption system

that reduces the number of FTT operations from five to four resulting

in a near 20% speed-up.