International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-02-16
16:17 [Pub][ePrint]

Encryption and compression are frequently used together in both network and storage systems, for example in TLS. Despite often being used together, there has not been a formal framework for analyzing these combined systems; moreover, the systems are usually just a simple chaining of compression followed by encryption. In this work, we present the first formal framework for proving security in combined compression-encryption schemes and relate it to the traditional notion of semantic security. We call this entropy-restricted semantic security. Additionally, we present a new, efficient cipher, called the squeeze cipher, that combines compression and encryption into a single primitive and provably achieves our entropy-restricted security.

16:17 [Pub][ePrint]

In distance-bounding authentication protocols, a verifier confirms that a prover is (1) legitimate and (2) in the verifier\'s proximity. Proximity checking is done by running time-critical exchanges between both parties. This enables the verifier to detect relay attacks (a.k.a. mafia fraud). While most distance-bounding protocols

offer resistance to mafia and distance fraud as well as to impersonation attacks, only few protect the privacy of the authenticating prover.

One exception is the protocol due to Hermans, Peeters, and Onete developed in 2013, which offers strong privacy guarantees with respect to a Man-in-the-Middle adversary. However, this protocol provides no privacy guarantees for the prover with respect to a malicious verifier, who can fully identify the prover. Having in

mind possible verifier corruption or data leakage from verifiers to a centralized server, we suggest that stronger privacy properties are needed.

In this paper, we propose an efficient distance-bounding protocol that gives strong prover privacy guarantees even with respect to the verifier or to a centralized back-end server, storing prover information and managing revocation and registration. Specifically, we formally model and define prover anonymity, a property guaranteeing that verifiers infer only the legitimacy of the prover but not his identity, and deniability, which ensures that the back-end server cannot distinguish prover behavior from malicious verifier behavior (i.e., provers can deny that they authenticated). Finally, we present an efficient protocol that achieves these strong guarantees, give exact bounds for each of its security properties, and prove these statements formally.

16:17 [Pub][ePrint]

In 2013, Sun et al. showed that the related works\' authentication schemes proposed by [2-7] are vulnerable to an insider attack and fail to provide mutual authentication. These two attacks can be successfully plotted by an adversary, since the private key of the server can compute all the legal users\' private keys. They then proposed a new remote user authentication and key agreement scheme for the mobile client-server environment. However, we find that their scheme is still vulnerable to insider attack (Sun et al.) and how to avoid such an insider attack on the client-server environment is still an open problem.

16:17 [Pub][ePrint]

Algebraic manipulation detection (AMD) codes, introduced at EUROCRYPT 2008, may, in some sense, be viewed as {\\em keyless} combinatorial authentication codes that provide security in the presence of an {\\em oblivious}, {\\em algebraic} attacker.

Its original applications included robust fuzzy extractors, secure message transmission and robust secret sharing.

In recent years, however, a rather diverse array of additional applications in cryptography has emerged. In this paper we consider, for the first time, the regime of arbitrary positive constant error probability $\\epsilon$ in combination with unbounded cardinality $M$ of the message space. Adapting a known bound to this regime, it follows that the binary length $\\rho$ of the tag satisfies $\\rho\\geq \\log \\log M + \\Omega_{\\epsilon}(1)$. We shall call AMD codes meeting this lower bound {\\em optimal}. Known constructions, notably a construction based on dedicated polynomial evaluation codes, are a multiplicative factor~2 {\\em off} from being optimal. Bridging the gap to optimality efficiently turns out to be surprisingly nontrivial. Owing to our refinement of the mathematical perspective on AMD codes, which focuses on symmetries of codes, we propose novel constructive principles. This leads to an explicit construction of almost-optimal AMD codes and to an efficient randomized construction of optimal AMD codes, as we show in our main results. In all our results, the error probability $\\epsilon$ can be chosen as an arbitrarily small positive real number.

16:17 [Pub][ePrint]

A new Public-Key-Cryptosystem is presented from which we think that it will survive against possible attacks by Quantum-Computers in the future. We analyse its performance and its expected security.

2014-02-15
22:17 [Pub][ePrint]

While standard message authentication codes (MACs) guarantee authenticity of messages, they do not, in general, guarantee the anonymity of the sender and recipient. For example it may be easy for an observer to determine whether or not two authenticated messages were sent by the same party even without any information about the secret key used. However preserving any uncertainty an attacker may have about the identities of honest parties engaged in authenticated communication is an important goal of many cryptographic applications. For example this is stated as an explicit goal of modern cellphone authentication protocols~\\cite{3GPP} and RFID based authentication systems\\cite{Vaudenay10}.

In this work we introduce and construct a new fundamental cryptographic primitive called \\emph{key indistinguishable} (KI) MACs. These can be used to realize many of the most important higher-level applications requiring some form of anonymity and authenticity~\\cite{AHMPR14}. We show that much (though not all) of the modular MAC construction framework of~\\cite{DodisKPW12} gives rise to several variants of KI MACs. On the one hand, we show that KI MACs can be built from hash proof systems and certain weak PRFs allowing us to base security on such assumption as DDH, CDH and LWE. Next we show that the two direct constructions from the LPN assumption of~\\cite{DodisKPW12} are KI, resulting in particularly efficient constructions based on structured assumptions. On the other hand, we also give a very simple and efficient construction based on a PRF which allows us to base KI MACs on some ideal primitives such as an ideal compression function (using HMAC) or block-cipher (using say CBC-MAC). In particular, by using our PRF construction, many real-world implementations of MACs can be easily and cheaply modified to obtain a KI MAC. Finally we show that the transformations of~\\cite{DodisKPW12} for increasing the domain size of a MAC as well as for strengthening the type of unforgeability it provides also preserve (or even strengthen) the type of KI enjoyed by the MAC. All together these results provide a wide range of assumptions and construction paths for building various flavors of this new primitive.

22:17 [Pub][ePrint]

In this paper, we introduce a new class of double-block-length hash functions. Using the ideal cipher model, we prove that these hash functions, dubbed \\MJH, are asymptotically collision resistant up to $O(2^{n(1-\\epsilon)})$ query complexity for any $\\epsilon>0$ in the iteration, where $n$ is the block size of the underlying blockcipher.

When based on $n$-bit key blockciphers, our construction, being of rate 1/2, provides better provable security than MDC-2, the only known construction of a rate-1/2 double-length hash function based on an $n$-bit key blockcipher with non-trivial provable security.

Moreover, since key scheduling is performed only once per message block for MJH, our proposal significantly outperforms MDC-2 in efficiency.

When based on a $2n$-bit key blockcipher, we can use the extra $n$ bits of key to increase the amount of payload accordingly. Thus we get a rate-1 hash function that is much faster than existing proposals, such as Tandem-DM with comparable provable security. The proceedings version of this paper appeared in CT-RSA 2011.

22:17 [Pub][ePrint]

The secret information, which is embedded in integrated circuit (IC) devices such as a smart card, has the risk of theft by reverse engineering (RE). The circuit design of IC can be stolen by the RE, and the counterfeit can be illegally fabricated. Therefore, the secure IC device requires the circuit architecture protected from the RE attacks. This paper proposes the diffusion programmable device (DPD) architecture as a countermeasure against the RE. A look-up table circuit based on the DPD can generate desired logic function without changing the layout except diffusion layer. And, the logic function can be programmed by assigning the N-type or P-type dopant to a part of active region. A test chip using the DPD-LUT was prototyped with a 180nm CMOS technology. And, operations of vaious logic functions such as AND, OR, XOR and XNOR were confirmed through experiments.

20:12 [Job][New]

The group for Cryptography and Computer Algebra at the Technische Universität Darmstadt chaired by Prof. Dr. Johannes Buchmann is looking for a Ph.D. student. Candidates should have a superior Master\\\'s degree in mathematics, computer science, or related disciplines.

The opportunity to work in the area of cryptography --- more precisely, in lattice-based cryptography --- is given to the prospective Ph.D. student. Any prior experience in lattice-based cryprography is certainly an asset.

2014-02-14
19:17 [Pub][ePrint]

In 2013, Borghoff \\emph{et al}. introduced a slender-set linear

cryptanalysis on PRESENT-like ciphers with key-dependent secret

S-boxes. In this paper, we propose an improved slender-set linear

attack to PRESENT-like ciphers with secret S-boxes. We investigate

three new cryptanalytic techniques, and use them to recover the

secret S-boxes efficiently. Our first new idea is that we propose a

new technique to support consistency of partitions of the input to

the secret S-boxes. Our second new technique is that we present a

more efficient method to recover the coordinate functions of secret

The third new technique is that we propose a method of constructing

all correct coordinate function of secret S-boxes by pruning search

algorithm. In particular, we implemented a successful linear attack

on the full round Maya in practice. In our experiments, the correct

S-box can be recovered with $2^{36}$ known plaintexts, $2^{18.9}$

time complexity and negligible memory complexity at a success rate

of 87.5\\%. Our attack is the improvement and sequel of Borghoff\'s

work on PRESENT-like cipher with secret S-boxes.

19:17 [Pub][ePrint]

We extend the Tiny-OT two party protocol of Nielsen et al (CRYPTO 2012) to the case of $n$ parties in the dishonest majority setting. This is done by presenting a novel way of transferring pairwise authentications into global authentications. As a by product we obtain a more efficient manner of producing globally authenticated shares, which in turn leads to a more efficient two party protocol than that of Nielsen et al.