International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-05-28
18:17 [Pub][ePrint]

Participatory sensing enables new paradigms and markets for information collection based on the ubiquitous availability of smartphones, but also introduces privacy challenges for participating users and their data. In this work, we review existing security models for privacy-preserving participatory sensing and propose several improvements that are both of theoretical and practical significance.

We first address an important drawback of prior work, namely the lack of consideration of collusion attacks that are highly relevant for such multi-user settings. We explain why existing security models are insufficient and why previous protocols become insecure in the presence of colluding parties. We remedy this problem by providing new security and privacy definitions that guarantee meaningful forms of collusion resistance. We propose new collusion-resistant participatory sensing protocols satisfying our definitions: a generic construction that uses anonymous identity-based encryption (IBE) and its practical instantiation based on the Boneh-Franklin IBE scheme.

We then extend the functionality of participatory sensing by adding the ability to perform aggregation on the data submitted by the users, without sacrificing their privacy. We realize this through an additively-homomorphic IBE scheme which in turn is constructed by slightly modifying the Boneh-Franklin IBE scheme. From a practical point of view, the resulting scheme is suitable for calculations with small sensor readings/values such as temperature measurements, noise levels, or prices, which is sufficient for many applications of participatory sensing.

18:17 [Pub][ePrint]

Password-based authentication schemes are convenient, but vulnerable to simple dictionary attacks. Cryptographic secret keys are safe, but difficult to memorize. More recently, biometric information has been used for authentication schemes. Das proposed a biometric-based authentication scheme, but it has various vulnerabilities. Jiping et al. improved Das\'s scheme, but some vulnerabilities remain. In this paper, we analyze the cryptanalysis of Jiping et al.\'s authentication scheme and propose the security enhanced biometric-based user authentication scheme for the C/S System.

18:17 [Pub][ePrint]

We use various laws of classical physics to offer several solutions of Yao\'s millionaires\' problem without using any one-way functions. We also describe several informationally secure public key encryption protocols, i.e., protocols secure against passive computationally unbounded adversary. This introduces a new paradigm of decoy-based cryptography, as opposed to traditional\" complexity-based cryptography. In particular, our protocols do not employ any one-way functions.

2014-05-27
12:17 [Pub][ePrint]

Following the pioneering CRYPTO \'99 paper by Kocher et al., differential power analysis (DPA) was initially geared around low-cost computations performed using standard desktop equipment with minimal reliance on device-specific assumptions. In subsequent years, the scope was broadened by, e.g., making explicit use of (approximate) power models. An important practical incentive of so-doing is to reduce the data complexity of attacks, usually at the cost of increased computational complexity. It is this trade-off which we seek to explore in this paper. We draw together emerging ideas from several strands of the literature---high performance computing, post-side-channel global key enumeration, and effective combination of separate information sources---by way of advancing (non-profiled) standard DPA\' towards a more realistic threat model in which trace acquisitions are scarce but adversaries are well resourced. Using our specially designed computing platform (including our parallel and scalable DPA implementation, which allows us to work efficiently with as many as 2^{32} key hypotheses), we demonstrate some dramatic improvements that are possible for standard DPA\' when combining DPA outcomes for several intermediate targets. Unlike most previous information combining\' attempts, we are able to evidence the fact that the improvements apply even when the exact trace locations of the relevant information (i.e. the interesting points\') are not known a priori but must be searched simultaneously with the correct subkey.

12:17 [Pub][ePrint]

A three-factor authentication combines biometrics information with user password and smart card to provide security-enhanced user authentication. An proposed user authentication scheme improved Das\'s scheme. But An\'s scheme is not secure against denial of service attack in login phase, forgery attack. Li et al. pointed out them and proposed three-factor remote user authentication scheme with key agreement. However, Li et al\'s scheme still has some security problem. In this paper, we present a cryptanalysis and improvement of Li et al.\'s remote user authentication scheme.

12:17 [Pub][ePrint]

In this paper, we consider the multi-bit Differential Power Analysis (DPA) in the Hamming weight model. In this regard, we revisit the definition of Transparency Order (TO) from the work of Prouff (FSE 2005) and find that the definition has certain limitations. Although this work has been quite well referred in the literature, surprisingly, these limitations remained unexplored for almost a decade. The existing definition of TO (by Prouff) for an S-box

$F: \\F_2^n \\rightarrow \\F_2^m$ considers maximization on $\\beta \\in \\F_2^m$. However, we show that the expression suggested by Prouff is always maximum when $\\beta$ is either all-zero or all-one, that makes the maximization over all $\\beta \\in \\F_2^m$ redundant. Digging TO deeper, we note that the existing definition of TO assumes certain cross-correlation terms between the co-ordinate Boolean functions of $F$ as zero. This is not true in general and thus we need to accommodate these terms in the definition. Further the definition is based on the assumption that the co-ordinate functions in

the S-boxes are balanced (which is indeed logical for practical S-boxes), but unfortunately the measure has been calculated for bent functions (which are not balanced) in Prouff\'s paper and subsequent works. We analyse the definition from scratch, modify it and finally provide a substantially improved and logical definition that can theoretically capture DPA in Hamming weight model for hardware implementation with precharge logic. In this regard, our analysis comes with numerical data for AES S-Box and the family of S-Boxes described in the context of Prince.

12:17 [Pub][ePrint]

Using FPGAs to compute the discrete logarithms of elliptic curves is a well known method. However, until now only CPU clusters succeeded in computing new elliptic curve discrete logarithm records. This work presents a high-speed FPGA implementation that was used to compute the discrete logarithm of a 113-bit Koblitz curve. The core of the design is a fully unrolled, highly pipelined, self-sufficient Pollard\'s rho iteration function. An 18-core Virtex-6 FPGA cluster computed the discrete logarithm of a 113-bit Koblitz curve in extrapolated 24 days. Until now, no attack on such a large Koblitz curve succeeded using so minimal resources or in such a short time frame.

12:17 [Pub][ePrint]

State-of-the-art authenticated key exchange (AKE) protocols are proven secure in game-based security models. These models have considerably evolved in strength from the original Bellare-Rogaway model. However, so far only informal impossibility results, which suggest that no protocol can be secure against stronger adversaries, have been sketched. At the same time, there are many different security models being used, all of which aim to model the strongest possible adversary. In this paper we provide the first systematic analysis of the limits of game-based security models. Our analysis reveals that different security goals can be achieved in different relevant classes of AKE protocols. From our formal impossibility results, we derive strong security models for these protocol classes and give protocols that are secure in them. In particular, we analyse the security of AKE protocols in the presence of adversaries who can perform attacks based on chosen randomness, in which the adversary controls the randomness used in protocol sessions. Protocols that do not modify memory shared among sessions, which we call stateless protocols, are insecure against chosen-randomness attacks. We propose novel stateful protocols that provide resilience even against this worst case randomness failure, thereby weakening the security assumptions required on the random number generator.

12:17 [Pub][ePrint]

We present a new compact verifiable secret sharing scheme, based on

this we present the first construction of a homomorphic UC commitment

scheme that requires only cheap symmetric cryptography, except for a

small number of seed OTs. To commit to a $k$-bit string, the amortized

communication cost is $O(k)$ bits. Assuming a sufficiently efficient

pseudorandom generator, the computational complexity is $O(k)$ for the

verifier and $O(k^{1+\\epsilon})$ for the committer (where $\\epsilon 12:17 [Pub][ePrint] The Double-Base Number System (DBNS) uses two bases,$2$and$3$, in order to represent any integer$n$. A Double-Base Chain (DBC) is a special case of a DBNS expansion. DBCs have been introduced to speed up the scalar multiplication$[n]P$on certain families of elliptic curves used in cryptography. In this context, our contributions are twofold. First, given integers$n$,$a$, and$b$, we outline a recursive algorithm to compute the number of different DBCs with a \\lt{} dividing$2^a3^b$and representing$n$. A simple modification of the algorithm allows to determine the number of DBCs with a specified length as well as the actual expansions. In turn, this gives rise to a method to compute an optimal DBC representing$n$, i.e. an expansion with minimal length. Our implementation is able to return an optimal expansion for most integers up to$2^{60}$bits in a few minutes. Second, we introduce an original and potentially more efficient approach to compute a random scalar multiplication$[n]P$, called controlled DBC. Instead of generating a random integer$n$and then trying to find an optimal, or at least a short DBC to represent it, we propose to directly generate$n$as a random DBC with a chosen length$\\ell$and \\lt{}$2^a3^b$. To inform the selection of those parameters, in particular$\\ell$, which drives the trade-off between the efficiency and the security of the underlying cryptosystem, we enumerate the total number of DBCs having a certain length$\\ell$and a given \\lt{}$2^a3^b$. The comparison between this total number of DBCs and the total number of integers that we wish to represent a priori provides some guidance regarding the selection of suitable parameters. Our experiments indicate that the controlled DBC provides a speedup of at least$6.98\\%$and up to$8\\%$for sizes from$192$to$512$bits. Experiments involve elliptic curves defined over$\\F_p\$, using the Inverted Edwards coordinate system and state of the art

scalar multiplication techniques.

12:17 [Pub][ePrint]

A constrained pseudorandom function (CPRF) PRF allows to derive constrained evaluation keys that only allow to evaluate PRF on a subset of inputs. CPRFs have only recently been introduced independently by three groups of researchers. However, somewhat curiously, all of them could only achieve a comparatively weak, selective-challenge form of security (except for small input spaces, very limited forms of constrained keys, or with superpolynomial security reductions).

In this paper, we construct the first fully secure CPRF without any of the above restrictions. Concretely, we support bit-fixing\'\' constrained keys that hardwire an arbitrary subset of the input bits to fixed values, we support exponentially large input spaces, and our security reduction is polynomial. We require very heavyweight tools: we assume multilinear maps, indistinguishability obfuscation, and our proof is in the random oracle model. Still, our analysis is far from tautological, and even with these strong building blocks, we need to develop additional techniques and tools.

As a simple application, we obtain the first adaptively secure non-interactive key exchange protocols for large user groups.