International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-04-20
18:17 [Pub][ePrint]

Handycipher is a low-tech, randomized, symmetric-key, stream cipher, simple enough to permit pen-and-paper encrypting and decrypting of messages, while providing a significantly high level of security by using a nondeterministic encryption procedure, multiple encryption, and randomly generated session keys.

18:17 [Pub][ePrint]

FASER is a family of authenticated ciphers submitted to the CAESAR competition, which contains two parent ciphers: FASER128 and FASER256. In this work we only focus on FASER128 and present a key recovery attack to FASER128, which needs at most 64 key words and is realtime in a PC. The result shows that FASER128 is very insecure. What\'s more, our attack can be easily applied to FASER256 and break it entirely.

18:17 [Pub][ePrint]

In this paper we mount the cube attack on the Keccak sponge function. The cube attack, formally introduced in 2008, is an algebraic technique applicable to cryptographic primitives whose output can be described as a low-degree polynomial in the input. Our results show that 5- and 6-round Keccak sponge function is vulnerable to this technique. All the presented attacks have practical complexities and were verified on a desktop PC.

18:17 [Pub][ePrint]

Locally decodable codes (LDC)~\\cite{BFLS91,KT00} are error correcting codes that allow decoding (any) individual symbol of the message, by reading only few symbols of the codeword. Consider an application such as storage

solutions for large data, where errors may occur in the disks (or some disks may just crush). In such an application, it is often desirable to recover only small portions of the data (have random access). Thus, in such applications, using LDC provides enormous efficiency gains over standard error correcting codes (ECCs), that need to read the entire encoded message to learn even a single bit of information.

Typically, LDC\'s, as well as standard ECC\'s decode

the encoded messaged if upto some bounded fraction of the symbols had been modified. This corresponds to decoding strings of bounded Hamming distance from a valid codeword. An often more realistic metric is the edit distance, measuring the shortest sequence of insertions and deletions (indel.) of symbols leading from one word to another.

For example, (few) indel. modifications is a more realistic model for mutations occurring in a genome. Even more commonly, communication over the web may sustain deletions (lost packets) and insertions (noise).\\footnote{Edit distance is indeed \"more expressive\" then Hamming distance in the sense that $dist_E(x,y)\\leq 2dist_H(x,y)$ always holds, while edit distance 2 may translate to Hamming distance $n$. For instance, consider $x=1010\\ldots 10,y=0101\\ldots 1$.

}

Standard ECC\'s for edit distance have been previously considered~\\cite{SZ97}. Furthermore,~\\cite{SZ97} devised codes with

rate and distance (error tolerance) optimal upto constants.

LDC\'s, originally considered in the setting of PCP\'s~\\cite{BFLS91}, have found many additional applications, and generated a lot of fascinating work (see~\\cite{Yek11} and references within).

However, combining these two useful settings of LDC, and robustness

against indel. errors has never been considered.

In this work, we study the question of constructing LDC\'s for edit distance. We demonstrate a strong positive result - LDC\'s for edit distance can be achieved, with similar parameters to LDC\'s for Hamming distance. More precisely, we devise a generic transformation from LDC

for Hamming distance to LDC for edit distance with related parameters.

18:17 [Pub][ePrint]

In this paper, we present fault attack on Grain family of stream ciphers, an eStream finalist. The earlier fault attacks on Grain work on LFSR whereas our target for fault induction is the NFSR. Our attack requires a small number of faults to be injected; 150 only for Grain v1 and only 312 and 384 for Grain-128 and Grain-128a, respectively. The number of faults are much lesser than the earlier reported fault attacks; 1587 for Grain-128 and 1831 for Grain-128a.

18:17 [Pub][ePrint]

This paper presents differential fault analysis of the

MICKEY family of stream ciphers, one of the winners of eStream

project. The current attacks are of the best performance among

all the attacks against MICKEY ciphers reported till date. The

number of faults required with respect to state size is about

1.5 times the state size. We obtain linear equations to determine

state bits. The fault model required is reasonable. The fault model

is further relaxed without reproducing the faults and allowing

multiple bit faults. In this scenario, more faults are required

when reproduction is not allowed whereas, it has been shown

that the number of faults remains same for multiple bit faults.

18:17 [Pub][ePrint]

Scan chains, a design for testability (DFT)

feature, are included in most modern-day ICs. But, it

opens a side channel for attacking cryptographic chips.

We propose a methodology by which we can recover

internal states of any stream cipher using scan chains

without knowledge of its design. We consider conven-

tional scan-chain design which is normally not scram-

bled or protected in any other way. In this scenario

the challenge of the adversary is to obtain the corre-

spondence of output of the scan chain and the internal

state registers of the stream cipher. We present a math-

ematical model of the attack and the correspondence

between the scan chain-outputs and the internal state

bits have been proved under this model. We propose an

algorithm that through o-line and on-line simulation

forms bijection between the above mentioned sets and

thus nds the required correspondence. We also give an

estimate of the number of o-line simulations necessary

for nding the correspondence.

The proposed strategy is successfully applied to eS-

tream hardware based nalists MICKEY-128 2.0, Triv-

ium and Grain-128. To the best of our knowledge, this is

the rst scan based attack against full round Grain-128

and only the fourth reported cryptanalysis. This attack

on Trivium is better than that of the published scan-

attack on Trivium. This scan-based attack is also the

rst reported scan based cryptanalysis against MICKEY-

128 2.0.

18:17 [Pub][ePrint]

Security models for two-party authenticated key exchange (AKE) protocols have developed over time to provide security even when the adversary learns certain secret keys. In this work, we advance the modelling of AKE protocols by considering more granular, continuous leakage of long-term secrets of protocol participants: the adversary can adaptively request arbitrary leakage of long-term secrets even after the test session is activated, with limits on the amount of leakage per query but no bounds on the total leakage. We present a security model supporting continuous leakage even when the adversary learns certain ephemeral secrets or session keys, and give a generic construction of a two-pass leakage-resilient key exchange protocol that is secure in the model; our protocol achieves continuous, after-the-fact leakage resilience with not much more cost than a previous protocol with only bounded, non-after-the-fact leakage.

18:17 [Pub][ePrint]

We introduce the notion of *dual system groups*.

- We show how to derive compact HIBE by instantiating the dual system framework in Waters (Crypto \'09) and Lewko and Waters (TCC \'10) with dual system groups. Our construction provides a unified treatment of the prior compact HIBE schemes from static assumptions.

- We show how to instantiate dual system groups under the decisional subgroup assumption in composite-order groups and the decisional linear assumption ($d$-LIN) in prime-order groups. Along the way, we provide new tools for simulating properties of composite-order bilinear groups in prime-order groups. In particular, we present new randomization and parameter-hiding techniques in prime-order groups.

Combining the two, we obtain a number of new encryption schemes, notably

- a new construction of IBE in prime-order groups with shorter parameters;

- a new construction of compact HIBE in prime-order

groups whose structure closely mirrors the selectively secure HIBE

scheme of Boneh, Boyen and Goh (Eurocrypt \'05);

- a new construction of compact spatial encryption in prime-order groups.

18:17 [Pub][ePrint]

This paper introduces our dedicated authenticated encryption scheme ICEPOLE. ICEPOLE is a high-speed hardware-oriented scheme, suitable for high-throughput network nodes or generally any environment where specialized hardware (such as FPGAs or ASICs) can be used to provide high data processing rates. ICEPOLE-128 (the primary ICEPOLE variant) is very fast. On the modern FPGA device Virtex 6, a basic iterative architecture of ICEPOLE reaches 41 Gbits/s, which is over 10 times faster than the equivalent implementation of AES-128-GCM. The throughput-to-area ratio is also substantially better when compared to AES-128-GCM. We have carefully examined the security of the algorithm through a range of cryptanalytic techniques and our findings indicate that ICEPOLE offers high security level.

15:17 [Pub][ePrint]

A threshold password-authenticated key exchange (T-PAKE) protocol allows a set of n servers to collectively authenticate a client with a human-memorizable password such that any subset of size greater than a threshold t can authenticate the client, while smaller subsets of servers learn no information about the password. With its protection against offline dictionary attacks, T-PAKE provides a practical solution for an important real-life problem with password authentication. However, the proposed T-PAKE constructions cannot tolerate any misbehavior---not even a crash---by a participating server during a protocol execution; the protocol has to be re-executed until all participating servers behave correctly. This not only presents a fault management challenge for the servers, but more importantly also can leave the clients frustrated.

In this work, we present a novel T-PAKE protocol which solves the above fault management problem by employing a batched and offline phase of distributed key generation (DKG). Our protocol is secure against any malicious behavior from up to any t < n servers under the decisional Diffie-Hellman assumption in the random oracle model, and it ensures protocol completion for t < n/2. Moreover, it is efficient (16n + 7 exponentiations per client, 20n + 14 per server), performs explicit authentication in three communication rounds, and requires a significantly lesser number of broadcast rounds compared to previous secure T-PAKE constructions. We have implemented our protocol, and have verified its efficiency using micro-benchmark experiments. Our experimental results show that the protocol only introduces a computation overhead of few milliseconds at both the client and the server ends, and it is practical for use in real-life authentication scenarios.