*08:06*[Event][New] FSE 2015: 22nd International Workshop on Fast Software Encryption

Submission: 7 November 2014

Notification: 16 January 2015

From March 8 to March 11

Location: İstanbul, Turkey

More Information: http://light-sec.org/fse2015/

Get an update on changes of the IACR web-page here. For questions, contact *newsletter (at) iacr.org*.
You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

Submission: 7 November 2014

Notification: 16 January 2015

From March 8 to March 11

Location: İstanbul, Turkey

More Information: http://light-sec.org/fse2015/

2014-07-09

In his seminal paper at STOC 2009, Gentry left it as a future work to investigate (somewhat) homomorphic encryption schemes with IND-CCA1 security. At SAC 2011, Loftus et al. showed an IND-CCA1 attack against the somewhat homomorphic encryption scheme presented by Gentry and Halevi at Eurocrypt 2011. At ISPEC 2012, Zhang, Plantard and Susilo showed an IND-CCA1 attack against the somewhat homomorphic encryption scheme developed by van Dijk et al. at Eurocrypt 2010. Both attacks recover the secret key of the encryption schemes.

In this paper, we continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to recover the private keys through a number of decryption oracle queries. The schemes, that we study in detail, include those by Brakerski and Vaikuntanathan at Crypto 2011 and FOCS 2011, and that by Gentry, Sahai and Waters at Crypto 2013. We also develop a key recovery attack that applies to the somewhat homomorphic encryption scheme by van Dijk et al., and our attack is more efficient and conceptually simpler than the one developed by Zhang et al.. Our key recovery attacks also apply to the scheme by Brakerski, Gentry and Vaikuntanathan at ITCS 2012, and we also describe a key recovery attack for the scheme developed by Brakerski at Crypto 2012.

Nonlinear feedback shift registers (NFSRs) are an important type of sequence generators used for building stream ciphers. The shift register used in Grain, one of eSTREAM finalists, is a cascade connection of two NFSRs, which is also known as nonlinear product-feedback shift registers proposed in 1970. This paper provides a series of algorithms to decompose a given NFSR into a cascade connection of two smaller NFSRs. By decomposing an NFSR into a cascade connection of two smaller NFSRs, some properties regarding cycle structure of the original NFSR could be known.

We extend the notion of verifiable random functions (VRF) to constrained VRFs, which generalize the concept of constrained pseudorandom functions, put forward by Boneh and Waters (Asiacrypt\'13), and independently by Kiayias et al. (CCS\'13) and Boyle et al. (PKC\'14), who call them delegatable PRFs and functional PRFs, respectively. In a standard VRF the secret key $\\sk$ allows one to evaluate a pseudorandom function at any point of its domain; in addition, it enables computation of a non-interactive proof that the function value was computed correctly. In a constrained VRF from the key $\\sk$ one can derive constrained keys $\\sk_S$ for subsets $S$ of the domain, which allow computation of function values and proofs only at points in $S$.

After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al.

2014-07-08

The notion of indifferentiability, which is a stronger version of the classic notion of indistinguishability, was introduced by Maurer, Renner, and Holenstein in 2003. Indifferentiability, among other things, gives us a way of ``securely replacing\" a random oracle of one type by a random oracle of a different type. Most indifferentiability proofs in the literature are very complicated, which makes them difficult to verify and in some cases, has even resulted in them being erroneous. In this paper, we use a simple yet rigorous proof technique for proving indifferentiability theorems. This technique is a generalization of the indistinguishability proof technique used by Bernstein in to prove the security of the Cipher Block Chaining (CBC) construction. We use this technique to prove the indifferentiability result for a very simple construction which processes just two blocks of input. This construction can be viewed as bearing close resemblance to the so called Sponge construction, on which the winner of SHA-3 competition is based. Also as a warm up, we prove the indistinguishability result for this construction using the coupling argument from probability theory. We also prove the non-indifferentiability result for the CBC construction and some of its standard variants, and survey the indifferentiability and non-indifferentiability results for the Merkle-Damg{\\aa}rd (MD) construction, some of its standard variants, and the Feistel construction, from the literature.

This work presents the first differential power analysis of an implementation of the McEliece cryptosystem. Target of this side-channel attack is a state-of-the-art FPGA implementation of the efficient QC-MDPC McEliece decryption operation as presented at DATE 2014. The presented cryptanalysis succeeds to recover the complete secret key after a few observed decryptions. It consists of a combination of a differential leakage analysis during the syndrome computation followed by an algebraic step that exploits the relation between the public and private key.

A presentation of a group with two generators having unsolvable word problem and an explicit countable presentation of Mihailova subgroup of F_2×F_2 with finite number of generators are given. Where Mihailova subgroup of F_2×F_2 enjoys the unsolvable subgroup membership problem.One then can use the presentation to create entities\' private key in a public key cryptsystem.

We investigate new models and constructions which allow

leakage-resilient signatures secure against existential forgeries,

where the signature is much shorter than the leakage bound.

Current models of leakage-resilient signatures against existential

forgeries demand that the adversary cannot produce a new valid

message/signature pair $(m, \\sigma)$ even after receiving some

$\\lambda$ bits of leakage on the signing key. If $\\vert \\sigma \\vert

\\le \\lambda$, then the adversary can just choose to leak a valid

signature $\\sigma$, and hence signatures must be larger than the

allowed leakage, which is impractical as the goal often is to have

large signing keys to allow a lot of leakage.

We propose a new notion of leakage-resilient signatures against

existential forgeries where we demand that the adversary cannot

produce $n = \\lfloor \\lambda / \\vert \\sigma \\vert \\rfloor + 1$

distinct valid message/signature pairs

$(m_1, \\sigma_1), \\ldots, (m_n, \\sigma_n)$ after receiving

$\\lambda$ bits of leakage. If $\\lambda =

0$, this is the usual notion of existential unforgeability. If $1

In this article, we propose a new comparison metric, the figure of adversarial merit (FOAM), which combines the inherent security provided by cryptographic structures and components with their implementation properties. To the best of our knowledge, this is the first such metric proposed to ensure a fairer comparison of cryptographic designs. We then apply this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware implementations, and we provide new results on hardware-friendly cryptographic building blocks. For practical reasons, we considered linear and differential attacks and we restricted ourselves to fully serial and round-based implementations. We explore several design strategies, from the geometry of the internal state to the size of the S-box, the field size of the diffusion layer or even the irreducible polynomial defining the finite field. We finally test all possible strategies to provide designers an exhaustive approach in building hardware-friendly cryptographic primitives (according to area or FOAM metrics), also introducing a model for predicting the hardware performance of round-based or serial-based implementations. In particular, we exhibit new diffusion matrices (circulant or serial) that are surprisingly more efficient than the current best known, such as the ones used in AES, LED and PHOTON.

The wide availability of inexpensive positioning systems made it possible to embed them into smartphones and other personal devices. This marked the beginning of location-aware applications, where users request personalized services based on their geographic position. The location of a user is, however, highly sensitive information: the user\'s privacy can be preserved if only the minimum amount of information needed to provide the service is disclosed at any time. While some applications, such as navigation systems, are based on the users\' movements and therefore require constant tracking, others only require knowledge of the user\'s position in relation to a set of points or areas of interest. In this paper we focus on the latter kind of services, where the location information is essentially used to determine membership in one or more geographic sets. We address this problem using Bloom Filters (BF), a compact data structure for representing sets. In particular, we present an extension of the original bloom filter idea: the Spatial Bloom Filter (SBF). SBF\'s are designed to manage spatial and geographical information in a space efficient way, and are well-suited for enabling privacy in location-aware applications. We show this by providing two multi-party protocols for privacy-preserving computation of location information, based on the known homomorphic properties of public key encryption schemes. The protocols keep the user\'s exact position private, but allow the provider of the service to learn when the user is close to specific points of interest, or inside predefined areas. At the same time, the points and areas of interest remain oblivious to the user.

Physical Unclonable Functions (PUFs) have emerged as a promising solution for securing resource-constrained embedded devices such as RFID-tokens. PUFs use the inherent physical differences of every chip to either securely authenticate the chip or generate cryptographic keys without the need of non-volatile memory. Securing non-volatile memory and cryptographic algorithms against hardware attacks is very costly and hence PUFs are believed to be a good alternative to traditional cryptographic algorithms and key generation on constrained embedded devices.

However, PUFs have shown to be vulnerable to model building attacks if the attacker has access to challenge and response pairs. In these model building attacks, machine learning is used to determine the internal parameters of the PUF to build an accurate software model. Nevertheless, PUFs are still a promising building block and several protocols and designs have been proposed that are believed to be resistant against machine learning attacks. In this paper we take a closer look at a two such protocols, one based on reverse fuzzy extractors[15] and one based on pattern matching [15,17]. We show that it is possible to attack these protocols using machine learning despite the fact that an attacker does not have access to direct challenge and response pairs. The introduced attacks demonstrate that even highly obfuscated responses or helper data can be used to attack PUF protocols.

Hence, our work shows that even protocols in which it would be computationally infeasible to compute enough challenge and response pairs for a direct machine learning attack can be attacked using machine learning.