International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-01-26
22:17 [Pub][ePrint]

So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential attacks. To achieve the resistance, it is believed that for cipher with $k$-bit key it suffices the upper bound on the probability to be $2^{-k}$. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than $2^{-k}$. Our counter example is a related-key differential analysis of the block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than $2^{-128}$, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as $2^{-128}$. CLEFIA-128 has $2^{14}$ such differentials, which translate to $2^{14}$ pairs of weak keys. The probability of each differential is too low for attacks, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain advantage of $2^7$ over generic attacks. We exploit the advantage and give a membership test for the weak-key class,

provide analysis in the hashing mode, and show the importance for the secret-key mode. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128.

Our results do not threaten the practical use of CLEFIA.

14:59 [PhD][New]

Name: Constantin Catalin Dragan
Topic: Security of CRT-based Secret Sharing Schemes
Category: (no category)

Description:

The Chinese Remainder Theorem (CRT) is a very useful tool in many areas of theoretical and practical cryptography. One of these areas is the theory of threshold secret sharing schemes. A (t+1,n)-threshold secret sharing scheme is a method of partitioning a secret among n users by providing each user with a share of the secret such that any t+1 users can uniquely reconstruct the secret by pulling together their shares. Several threshold schemes based on CRT are known. These schemes use sequences of pairwise co-prime positive integers with special properties. The shares are obtained by dividing the secret or a secret-dependent quantity by the numbers in the sequence and collecting the remainders. The secret can be reconstructed by some sufficient number of shares by using CRT. It is well-known that the CRT-based threshold secret sharing schemes are not perfect (and, therefore, not ideal) but some of them are asymptotically perfect and asymptotically ideal and perfect zero-knowledge if sequences of consecutive primes are used for defining them.

\r\n\r\n

\r\nIn this thesis we introduce (k-)compact sequences of co-primes and their applications to the security of CRT-based threshold secret sharing schemes is thorough investigated. Compact sequences of co-primes may be significantly denser than sequences of consecutive primes of the same length, and their use in the construction of CRT-based threshold secret sharing schemes may lead to better security properties. Concerning the asymptotic idealness property for CRT-based threshold schemes, we have shown there exists a necessary and sufficient condition for the Goldreich-Ron-Sudan (GRS) scheme and Asmuth-Bloom scheme if and only if (1-)compact sequences of co-primes are used. Moreover, the GRS and Asmuth-Bloom schemes based on k-compact sequences of co-primes are asymptotically perfect and perfect zero-knowledge. The Mignotte scheme is far from being asymptotically perfect [...]

14:59 [PhD][New]

Name: Ferucio Laurentiu Tiplea

14:58 [PhD][New]

Name: Ruxandra F. Olimid
Topic: Secret Sharing-based Group Key Establishment
Category: (no category)

Description: Group applications permit multiple users to share resources or perform collaborative tasks while providing differentiate rights or responsibilities within the group. Examples include text communication, audio, video or web conferences, data sharing or collaborative computing.\r\n\r\n
\r\nSecurity represents an important aspect for group applications. It is a challenging task to deal with, especially when the group size is large and the members are spread across different (location or networks) areas, with diverse protection mechanisms. In order to obtain the main cryptographic properties as confidentiality, authenticity and integrity it is usually required that the group members previously share a common secret group key. This is achieved as theoutput of a group key establishment protocol.\r\n\r\n
\r\nThe thesis restricts to group key establishment protocols based on secret sharing, a primitive that divides a secret into multiple shares such that only authorized subset of shares allow reconstruction. Although secret sharing brings several advantages when it is used as a building block of group key establishment protocols, two important shortcomings currently exist: (1) several insecure proposals were published in the last years and (2) very few constructions rely on a security proof. We address both this issues in the present work.\r\n\r\n
\r\nThe first part of the dissertation focuses on the underlying secret sharing schemes. We review a non-classical approach of secret sharing, de ne a new visual secret sharing scheme and analyze the possibility of malicious manufacturing of the sharing device. The second part of the thesis concentrates on group key establishment constructions that use secret sharing. We introduce a multitude of attacks against recent protocols and therefore highlight the necessity of security proofs. We review the properties that impose a sufficient level of security and briefly analyze the formal models of security. Finally, we introduc[...]

14:58 [PhD][New]

2014-01-24
13:26 [Job][New]

Microsoft Research invites applications from graduate students and recent Ph.D.s for Postdoctoral and Internship positions in the Microsoft Research Cryptography Group. Number Theory candidates should have interest/experience in one or more of the following areas: algorithmic/arithmetic/algebraic number theory, elliptic and hyperelliptic curve cryptography, pairing-based cryptosystems, lattice-based cryptography. Cryptography candidates should have research interests in at least one of the following: protocols, security models, cryptanalysis, hash functions, applied or theoretical cryptography.

Post-docs and interns will be in residence at Microsoft Research Redmond, the main campus of Microsoft\\\'s basic research division with over four hundred researchers in dozens of areas of computer science research. Researchers benefit from close proximity to Microsoft product units, collaborative relations and joint seminars with University of Washington, and an active research environment. For more information about MSR Redmond and the Cryptography group see: http://research.microsoft.com/aboutmsr/labs/redmond/ and http://research.microsoft.com/crypto/

The post-doctoral positions offer a competitive salary, benefits, and a relocation allowance. The term is for two years; the start date is July 1, 2014. Post-docs will report to Dr. Kristin Lauter, Research Manager for the MSR Crypto Group. Internships for graduate students will be for 10-12 weeks in Summer 2014, with flexible start date.

13:26 [Job][New]

13:24 [Event][New]

Submission: 28 February 2014
From July 14 to July 16
Location: Vienna, Austria

2014-01-22
19:17 [Pub][ePrint]

In TPM2.0, a single signature primitive is proposed to sup-

port various signature schemes including Direct Anonymous Attestation

(DAA), U-Prove and Schnorr signature. This signature primitive is im-

plemented by several APIs. In this paper, we show these DAA-related

APIs can be used as a static Diffie-Hellman oracle thus the security

strength of these signature schemes can be weakened by 14-bit. We pro-

pose a novel property of DAA called forward anonymity and show how

to utilize these DAA-related APIs to break forward anonymity. Then we

propose new APIs which not only remove the Static Diffie-Hellman oracle

but also support the forward anonymity, thus significantly improve the

security of DAA and the other signature schemes supported by TPM2.0.

We prove the security of our new APIs under the discrete logarithm

assumption in the random oracle model. We prove that DAA satisfy for-

ward anonymity using the new APIs under the Decision Diffie-Hellman

assumption. Our new APIs are almost as efficient as the original APIs

in TPM2.0 specification and can support LRSW-DAA and SDH-DAA

together with U-Prove as the original APIs.

16:17 [Pub][ePrint]

The Fibonacci-to-Galois transformation is useful for reducing the propagation delay of feedback shift register-based stream ciphers and hash functions. In this paper, we extend it to handle Galois-to-Galois case as well as feedforward connections. This makes possible transforming Trivium stream cipher and increasing its keystream data rate by 27\\% without any penalty in area. The presented transformation might open new possibilities for cryptanalysis of Trivium, since it induces a class of stream ciphers which generate the same set of keystreams as Trivium, but have a different structure.

2014-01-21
16:17 [Pub][ePrint]

In this paper we study the problem that when a Boolean function can

be represented as the sum of two bent functions. This problem was

recently presented by N. Tokareva in studying the number of bent

functions. Firstly, many functions, such as

quadratic Boolean functions, Maiorana-MacFarland bent functions,

partial spread functions etc, are proved to be able to be

represented as the sum of two bent functions. Methods to construct

such functions from low dimension ones are also introduced. N.

Tokareva\'s main hypothesis is proved for $n\\leq 6$. Moreover,

two hypotheses which are equivalent to N. Tokareva\'s main hypothesis

are presented. These hypotheses may lead to new ideas or methods to

solve this problem. At last, necessary and sufficient conditions on

the problem when the sum of several bent functions is again a bent

function are given.