International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-04-23
09:08 [Job][New]

USMobile products secure mobile communications for businesses, government and individuals. More specifically, USMobile products represent a major advance towards the protection of information (voice, video & data) as it travels over the Internet between mobile phones and the Cloud (i.e.- Data Centers).

The Company will release Scrambl3, its first product, in July 2014 that represents the first commercial implementation of the NSA\\\'s \\\'Fishbowl\\\' project. Two independent layers of Suite B encryption algorithms and Internet protocols are employed to create a \\\"Private Mobile Network.\\\" Visit www.USMobile-Inc.com. The site is password protected at this time, so use the following credentials: Name: testuser Password: testpasswd

2014-04-22
00:17 [Pub][ePrint]

Impossible differential cryptanalysis has been proved to be one of the most powerful techniques to attack block ciphers. Based on the impossible differential paths, we can usually add several rounds before or after to launch the key recovery attack. Impossible differential cryptanalysis is powerful not only because the number of rounds it can break is very competitive compared to other attacks, but also unlike differential attacks which are statistical attacks in the essential, impossible differential analysis does not require many statistical assumptions. In this paper, we investigate the key recovery attack part of the impossible differential cryptanalysis. We point out that when taking the (non-linear) key scheduling algorithm into consideration, we can further derive the redundancy among the subkeys, and thus can filter the wrong key at a rather early stage. This can help us control the time complexity and increase the number of rounds we can attack. As an application, we analyze recently proposed lightweight block cipher LBlock, and as a result, we can break 23 rounds with complexity $2^{77.4}$ encryptions without using the whole code block, which is by far the best attack against this cipher.

00:17 [Pub][ePrint]

Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as

a means to encrypt to an instance, x, of an NP language and produce

a ciphertext. In such a system, any decryptor that knows of a witness w that

x is in the language can decrypt the ciphertext and learn the

message. In addition to proposing the concept, their work provided a candidate for a witness encryption scheme built using multilinear encodings. However, one

significant limitation of the work is that the candidate had no proof

of security (other than essentially assuming the scheme secure).

In this work we provide a proof framework for proving witness

encryption schemes secure under instance independent assumptions. At the

highest level we introduce the abstraction of positional witness

encryption which allows a proof reduction of a witness encryption

scheme via a sequence of 2^n hybrid experiments where n is the

witness length of the NP-statement. Each hybrid step proceeds by

looking at a single witness candidate and using the fact that it does not

satisfy the NP-relation to move the proof forward.

We show that this isolation strategy enables one to create a

witness encryption system that is provably secure from assumptions that

are (maximally) independent of any particular encryption instance.

We demonstrate the viability of our approach by implementing this strategy using

level n-linear encodings where n is the witness length. Our

complexity assumption has approximately n group elements,

but does not otherwise depend on the NP-instance x.

00:17 [Pub][ePrint]

In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number N. Boneh et al. proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order N. Displaying such a curve as a public parameter implies revealing a square root of the complex multiplication discriminant -D modulo N. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, by computing a square root \\lambda of -D modulo one of its factors. Our attack is based on a generic discrete logarithm algorithm. We recommend that \\lambda should be chosen as a high entropy input parameter when running the Cocks-Pinch algorithm, in order to ensure protection from our attack.

00:17 [Pub][ePrint]

This paper designed a new extended chaotic map-based Identity-based encryption (ECM-IBE) scheme and Identity-based digital signature (ECM-IDS) scheme using extended chaotic maps. The security of the ECM-IBE scheme is based on the hardness assumption of chaotic maps-based decisional Diffie-Hellman (CDDH) problem, whereas the ECM-IDS scheme is secure based on the difficulties of chaotic maps-based discrete logarithm (CDL) problem.

00:17 [Pub][ePrint]

Inspired from the Identity-based cryptosystem proposed by Adi Shamir, and Boneh and Franklin, this paper designed a new Identity-based digital signature (ECM-IDS) scheme using extended chaotic maps. The ECM-IDS scheme is secure based on the difficulties of integer factorization problem.

00:17 [Pub][ePrint]

By combining the time-memory-data tradeoff (TMDTO) attack independently proposed by Babbage and Goli\\\'{c} (BG) with the BSW sampling technique, this paper explores to mount a new TMDTO attack on stream ciphers. The new attack gives a wider variety of trade-offs, compared with original BG-TMDTO attack. It is efficient when multiple data is allowed for the attacker from the same key with different IVs, even though the internal state size is twice the key size. We apply the new attack to MICKEY and Grain stream ciphers, and improves the existing TMDTO attacks on them. Our attacks on Grain v1 and Grain-128 stream ciphers are rather attractive in the respect that the online time, offline time and memory complexities are all better than an exhaustive key search, and the amount of keystream needed are completely valid. Finally, we generalize the new attack to a Guess and Determine-TMDTO attack on stream ciphers, and mount a Guess and Determine-TMDTO attack on SOSEMANUK stream cipher with the online time and offline time complexities both equal to $2^{128}$, which achieves the best time complexity level compared with all existing attacks on SOSEMANUK so far.

2014-04-21
21:17 [Pub][ePrint]

In 2013, the US National Security Agency proposed two new families of lightweight block ciphers: SIMON and SPECK. However, no security analysis was provided for these ciphers. Currently, linear and differential cryptanalytic results for SIMON ciphers are available in the literature, but no fault attacks on these two cipher families have been reported so far. In this paper, we present the first fault attack on SIMON and SPECK families. The attack assumes a fault model that can flip only one bit of the intermediate result. Using this attack the n-bit secret key used in SIMON cipher can be recovered using (n/2) bit faults on an average while the n-bit secret key of SPECK cipher can be recovered using (n/3) bit faults. Furthermore, we demonstrate a more practical attack on SIMON that employs a random byte fault model. This attack retrieves multiple bits of the key depending upon the Hamming weight of the byte fault. The average number of byte faults required to retrieve all n bits of the last round key is (n/8).

21:17 [Pub][ePrint]

In this paper, we present a new bit-parallel Montgomery multiplier for $GF(2^m)$ generated with irreducible trinomials. A newly proposed divide-and-conquer approach is applied to simplify the polynomial multiplication while the Montgomery squaring is induced to simplify the modular reduction. Meanwhile, this design effectively exploits the overlapped elements in squaring and reduction operation to reduce the space complexity. As a result, the proposed multiplier has about 25\\% reduced space complexity compared with previous multipliers, with a slight increase of time complexity. Among five binary fields recommended by NIST for the ECDSA (Elliptic Curve Digital Signature Algorithm), there exist two fields, i.e., $GF(2^{409})$, $GF(2^{233})$,

defined by trinomials. For these two fields, we show that our proposal outperforms the previous best known results if the space and time complexities are both considered.

21:17 [Pub][ePrint]

In this paper, we show two new constructions of chosen ciphertext secure (CCA secure) public key encryption (PKE) from general assumptions. The key ingredient in our constructions is an obfuscator for point functions with multi-bit output (MBPF obfuscators, for short), that satisfies some (average-case) indistinguishability-based security, which we call AIND security, in the presence of hard-to-invert auxiliary input. Specifically, our first construction is based on a chosen plaintext secure PKE scheme and an MBPF obfuscator satisfying the AIND security in the presence of computationally hard-to-invert auxiliary input. Our second construction is based on a lossy encryption scheme and an MBPF obfuscator satisfying the AIND security in the presence of statistically hard-to-invert auxiliary input. To clarify the relative strength of AIND security, we show the relations among security notions for MBPF obfuscators, and show that AIND security with computationally (resp. statistically) hard-to-invert auxiliary input is implied by the average-case virtual black-box (resp. virtual grey-box) property with the same type of auxiliary input. Finally, we show that a lossy encryption scheme can be constructed from an obfuscator for point functions (point obfuscator) that satisfies re-randomizability and a weak form of composability in the worst-case virtual grey-box sense. This result, combined with our second generic construction and several previous results on point obfuscators and MBPF obfuscators, yields a CCA secure PKE scheme that is constructed \\emph{solely} from a re-randomizable and composable point obfuscator. We believe that our results make an interesting bridge that connects CCA secure PKE and program obfuscators, two seemingly isolated but important cryptographic primitives in the area of cryptography.

21:17 [Pub][ePrint]

We present a new protocol for maliciously secure two-partycomputation based on cut-and-choose of garbled circuits using the recent idea of forge-and-loose\'\' which eliminates around a factor 3 of garbled circuits that needs to be constructed and evaluated. Our protocol introduces a new way to realize the \"forge-and-loose\" approach which avoids an auxiliary secure two-party computation protocol, does not rely on any number theoretic assumptions and parallelizes well in a same instruction, multiple data (SIMD) framework.

With this approach we prove our protocol universally composable-secure against a malicious adversary assuming access to oblivious transfer, commitment and coin-tossing functionalities in the random oracle model.

Finally, we construct, and benchmark, a SIMD implementation of this protocol using a GPU as a massive SIMD device. The findings compare favorably with all previous implementations of maliciously secure, two-party computation.