International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-03-13
21:17 [Pub][ePrint]

We use multilinear maps to provide a solution to the long-standing problem of public-key broadcast encryption where all parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are all poly-logarithmic in the total number of users. The systems are fully secure against any number of colluders. All our systems are based on an O(logN)-way multilinear map to support a broadcast system for N users. We present three constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally give identity-based broadcast systems with short parameters.

18:14 [Event][New]

Submission: 2 April 2014
From September 7 to September 11
Location: Wroclaw, Poland

15:17 [Pub][ePrint]

In this paper we present JHAE, an authenticated encryption (AE) mode based on the JH hash mode. JHAE is a dedicated AE mode based on permutation. We prove that this mode, based on ideal permutation, is provably secure.

10:43 [Job][New]

TELECOM-ParisTech crypto group seeks 4 PhD students

TELECOM-ParisTech crypto group develops prototype solutions to fight against cyber and physical penetration of embedded devices.

Our contributions in this field of research are:

• Security building blocks:

• with security / cost tradeoffs (quantifiable), e.g. \\\"Low Entropy Masking Schemes\\\" (LEMS), where security and cost are tunable by the amount of injected randomness,

• resistance against invasive attacks (e.g., circuit editing, backside probing),

• processor aware of malware usual attack strategies

• Security policies:

How to implement a responsive \\\"security driver\\\" that collects all the alarms and take adequate actions?

Such piece of software is critical: it must be functionally validated and tamper resistant

• Formal proofs:

• Both security-oriented hardware and software codes must be proven, as compliant with their specification and implementing indeed the properties they are assumed to have

• Mathematical analysis of proposed countermeasures (e.g. LEMS)

We seek four PhD candidates on those subjects:

1. \\\"Calculer dans les codes comme contremesure aux attaques physiques\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213751

2. \\\"Native Protection of Processors against Cyber-Attacks\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10253861

3. \\\"Insertion automatique de contre-mesures dans des circuits de sécurité\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10213779

4. \\\"Attaques FIRE : Rétroconception de cryptographie secrète\\\", https://edite-de-paris.fr/spip/spip.php?page=phdproposal&id=10166999

Working language is French or English.

Positions are open until Aug 2014.

To ap

10:33 [Event][New]

Submission: 1 August 2014
From October 16 to October 17
Location: Istanbul, Turkey

2014-03-12
21:17 [Pub][ePrint]

Fischlin\'s transformation is an alternative to the standard Fiat-Shamir transform to turn a certain class of public key identification schemes into digital signatures (in the random oracle model).

We show that signatures obtained via Fischlin\'s transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform, however, Fischlin\'s transformation allows for a significantly higher leakage parameter than Fiat-Shamir.

Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlin\'s transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlin\'s transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.

21:17 [Pub][ePrint]

Sealed-Bid auction is an efficient and rational method to

establish the price in open market. However sealed-bid auctions are sub-

ject to bid-rigging attack. Receipt-free mechanisms were proposed to

prevent bid-rigging. The prior receipt-free mechanisms are based on two

assumptions; firstly, existence of untappable channel between bidders

and auction authorities. Secondly, mechanisms assume the authorities

to be honest (not colluding). Moreover the bandwidth required to com-

municate the receipt-free bids is huge. This paper presents a sealed-bid

auction mechanism to resist bid-rigging. The proposed method does not

assume untappable channel nor consider the authorities to be necessarily

honest. The proposed mechanism also manages the bandwidth efficiently,

and improves the performance of the system.

21:17 [Pub][ePrint]

In this paper, we present practical results of data leakages of CMOS devices via the temperature side channel---a side channel that has been widely cited in literature but not well characterized yet. We investigate the leakage of processed data by passively measuring the dissipated heat of the devices. The temperature leakage is thereby linearly correlated with the power leakage model but is limited by the physical properties of thermal conductivity and capacitance. We further present heating faults by operating the devices beyond their specified temperature ratings. The efficiency of this kind of attack is shown by a practical attack on an RSA implementation. Finally, we introduce data remanence attacks on AVR microcontrollers that exploit the Negative Bias Temperature Instability (NBTI) property of internal SRAM cells. We show how to recover parts of the internal memory and present first results on an ATmega162. The work encourages the awareness of temperature-based attacks that are known for years now but not well described in literature. It also serves as a starting point for further research investigations.

21:17 [Pub][ePrint]

We present a new side-channel attack path threatening state-of-the-art protected implementations of elliptic curves embedded scalar multiplications. Regular algorithms such as the double-and-add-always and the Montgomery ladder are commonly used to protect the scalar multiplication from simple side-channel analysis. Combining such algorithms with scalar and/or point blinding countermeasures lead to scalar multiplications protected from all known attacks. Scalar randomization, which consists in adding a random multiple of the group order to the scalar value, is a popular countermeasure due to its efficiency. Amongst the several curves defined for usage in elliptic curves products, the most used are those standardized by the NIST. The modulus, hence the orders, of these curves are sparse, primarily for efficiency reasons. In this paper, we take advantage of this specificity to present new attack paths and recover the secret scalar of state-of-the-art protected elliptic curve implementations.

21:17 [Pub][ePrint]

This paper studies the task of two-sources randomness extractors for elliptic curves defined over finite fields $K$, where $K$ can be a prime or a binary field. In fact, we introduce new constructions of functions over elliptic curves which take in input two random points from two differents subgroups. In other words, for a ginven elliptic curve $E$ defined over a finite field $\\mathbb{F}_q$ and two random points $P \\in \\mathcal{P}$ and $Q\\in \\mathcal{Q}$, where $\\mathcal{P}$ and $\\mathcal{Q}$ are two subgroups of $E(\\mathbb{F}_q)$, our function extracts the least significant bits of the abscissa of the point $P\\oplus Q$ when $q$ is a large prime, and the $k$-first $\\mathbb{F}_p$ coefficients of the asbcissa of the point $P\\oplus Q$ when $q = p^n$, where $p$ is a prime greater than $5$. We show that the extracted bits are close to uniform.

Our construction extends some interesting randomness extractors for elliptic curves, namely those defined in \\cite{op} and \\cite{ciss1,ciss2}, when $\\mathcal{P} = \\mathcal{Q}$. The proposed constructions can be used in any cryptographic schemes which require extraction of random bits from two sources over elliptic curves, namely in key exchange protole, design of strong pseudo-random number generators, etc.

2014-03-11
15:17 [Pub][ePrint]

The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose two new techniques for the integral attack, the FFT technique and the key concealment technique. The FFT technique is useful for the integral attack with enormous chosen plaintexts. As the previous result using FFT, Collard et al. showed a new technique which reduces the complexity for the linear attack. In this paper, we review the result of Collard et al. to estimate the complexity in detail, and we show the complexity can be estimated from the number of times using the addition of integers. Moreover, we show that attacks using FFT can be applied to the integral attack. As applications, we show integral attacks against AES and CLEFIA. For AES, we show that 6-round AES can be attacked with about $2^{51.7} additions. For CLEFIA, we show that 12-round CLEFIA can be attacked with about$2^{86.9}\$ additions.