International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-07-22
09:17 [Pub][ePrint]

MDS matrices allow to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations.

Recursive MDS matrices allow to solve this problem by focusing on MDS

matrices that can be computed as a power of a simple companion matrix,

thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required to perform an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing to efficiently construct such matrices for whatever parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.

09:17 [Pub][ePrint]

We propose the first practical attribute-based signature (ABS) scheme with attribute privacy without pairings in the random oracle model. Our strategy is in the Fiat-Shamir paradigm; we first provide a concrete construction of a $\\Sigma$-protocol of \\textit{boolean proof}, which is a generalization of the well-known $\\Sigma$-protocol of OR-proof, so that it can treat any monotone boolean formula instead of a single OR-gate. Then, we apply the Fiat-Shamir transformation to our $\\Sigma$-protocol of boolean proof and obtain a non-interactive witness-indistinguishable proof of knowledge system (NIWIPoK) which has a knowledge extractor in the random oracle model. Finally, by combining our NIWIPoK with a credential bundle scheme of the Fiat-Shamir signature, we obtain an attribute-based signature scheme (ABS) which possesses the property of attribute privacy. The series of constructions are obtained from a given $\\Sigma$-protocol and can be attained without pairings.

09:17 [Pub][ePrint]

In this paper, we present new classes of public key cryptosystem over $F_2^8$ based on Reed-Solomon codes, referred to as K(XVII)SE(1)PKC

and K(XVII)$\\Sigma \\Pi$PKC, a subclass of K(XVII)SE(1)PKC.

We show that K(XVII)SE(1)PKC over $F_2^8$ can be secure against the various attacks.

We also present K(XVII)$\\Sigma \\Pi$PKC over $F_2^8$, a subclass of K(XVII)SE(1)PKC.

We show that any assertion of successfull attack on K(XVII)SE(1)PKC including K(XVII)$\\Sigma \\Pi$PKC whose parameters are properly chosen

We thus conclude that K(XVII)SE(1)PKC and K(XVII)$\\Sigma \\Pi$PKC would be secure against the various attacks including LLL attack.

The schemes presented in this paper would yield brand-new techniques in the field of code-based PKC.

01:45 [Event][New]

Submission: 15 September 2014
From January 26 to January 30
Location: San Juan, Puerto Rico

2014-07-21
18:17 [Pub][ePrint]

Side-channel attacks are a powerful tool to discover the

cryptographic secrets of a chip or other device but only too often do they require too many traces or leave too many possible keys to

explore. In this paper we show that for side channel attacks on

discrete-logarithm-based systems significantly more unknown bits can

be handled by using Pollard\'s kangaroo method: if $b$ bits are

unknown then the attack runs in $2^{b/2}$ instead of $2^b$. If an

attacker has many targets in the same group and thus has reasons to

invest in precomputation, the costs can even be brought down to

$2^{b/3}$.

Usually the separation between known and unknown keybits is not this clear cut -- they are known with probabilities ranging between 100\\%

and 0\\%. Enumeration and rank estimation of cryptographic keys

based on partial information derived from cryptanalysis have become

important tools for security evaluations. They make the line between

a broken and secure device more clear and thus help security

evaluators determine how high the security of a device is. For

symmetric-key cryptography there has been some recent work on key

enumeration and rank estimation, but for discrete-logarithm-based

systems these algorithms fail because the subkeys are not

independent and the algorithms

cannot take advantage of the above-mentioned faster

attacks. We present $\\epsilon$-enumeration as a new method to

compute the rank of a key by using the probabilities together with

(variations of) Pollard\'s kangaroo algorithm and give experimental evidence.

06:29 [Event][New]

Submission: 30 July 2014
From September 25 to September 27
Location: Jabalpur, India

2014-07-19
18:17 [Pub][ePrint]

Since the advent of secret sharing scheme many researches have been allocated to study on this topic because it has a lot of application. For the first time Shamir and Blakley introduced the concepts of secret sharing. In their scheme, just one secret is shared. After a while, Harn present a scheme in which many secrets can be shared, but the secrets have to recover in predetermined order. In addition, in his scheme just one share is assigned to each participant. After a while, many scheme introduced such that they have not any constraint on the order of recovering secrets. These kind of scheme is called Multi Secret Sharing Scheme and it abbreviated by MSS. To the best of our knowledge, up until now, no exact definition for the security of MSS scheme has been presented. In this paper, a definition for secrecy of MSS scheme is introduced and a MSS scheme is presented based on Learning With Error (LWE). LWE is a one of lattice concepts which nowadays constitutes the core of many cryptographic constructions because the hardness of lattice problems is well studied and the hardness of these constructions can be reduced to NP-Hard problems. The advantage of using LWE is twofold, first is that the hardness of LWE is well understood, second working with it is very simple because just simple operations are used. At the end of the paper a verifiable version of presented MSS scheme is given. Verifiability is an important feature which has defined. In this kind of schemes, dishonest dealer or participants can be identified.

06:16 [Job][New]

We are seeking six (6) highly motivated faculty members to join the Institute starting September 2015. Applications are being accepted for two assistant professors in Computer Engineering, two assistant professors in Information Technology, one assistant professor in Cyber Security, and one associate professor in Computer Science. These are all full-time tenure-track/tenure-eligible positions with a nine-month service period. Each position requires a Ph.D. (or foreign equivalent) in one of the following domains: Computer Science, Computer Engineering, Electrical Engineering, Systems Engineering, Software Engineering, Information Systems, Information Technology, or a related field. For the Computer Engineering program, we seek candidates whose research focuses on hardware aspects of big data or cyber security (architecture, embedded systems). For Information Technology, we seek candidates with research foci in HCI, cyber security or systems integration, preferably mobile systems. We seek one assistant professor whose research focuses on cyber security and is applicable to all our programs. In Computer Science, we seek applicants with research strength in software engineering, distributed computing or operating systems, as well as experience in professional accreditation activities and assessment. Please see http://www.tacoma.uw.edu/institute-technology/ for more details. Questions related to these positions are to be directed to the search committee co-chairs, Dr. Bryan Goda, at 253 692 4581 or godab (at) uw.edu; or Dr. Ankur Teredesai, at 253 692 4806 or ankurt (at) uw.edu. Although these positions are contingent on available funding and will remain open until filled, applications received before October 1, 2014 will receive priority review.

2014-07-18
21:17 [Pub][ePrint]

We present a round-efficient black-box construction of a general MPC protocol that satisfies composability in the plain model. The security of our protocol is proven in angel-based UC framework under the minimal assumption of the existence of semi-honest oblivious transfer protocols. When the round complexity of the underlying oblivious transfer protocol is Round(OT), the round complexity of our protocol is max(\\tilde{O}(log^2 n), O(Round(OT))). Since constant-round semi-honest oblivious transfer protocols can be constructed under standard assumptions (such as the existence of enhanced trapdoor permutations), our result gives \\tilde{O}(log^2 n)-round protocol under these assumptions. Previously, only an O(max(n^{\\epsilon}, Round(OT))-round protocol was shown, where \\epsilon>0 is an arbitrary constant.

We obtain our MPC protocol by constructing a \\tilde{O}(log^2 n)-round CCA-secure commitment scheme in a black-box way under the assumption of the existence of one-way functions.

21:17 [Pub][ePrint]

By introducing extra shields on Shpilrain and Ushakov\'s Ko-Lee-like protocol based on the decomposition problem of group elements we propose two new key exchange schemes and then a number of public key cryptographic protocols. We show that these protocols are free of known attacks. Particularly,if the entities taking part in our protocols create their private keys composed by the generators of the Mihailova subgroups of Bn, we show that the safety of our protocols are very highly guarantied by the insolvability of subgroup membership problem of the Mihailova subgroups.

21:17 [Pub][ePrint]

In this paper we study the existing CRT-RSA countermeasures against fault-injection attacks.

In an attempt to classify them we get to achieve deep understanding of how they work.

We show that the many countermeasures that we study (and their variations) actually share a number of common features, but optimize them in different ways.

We also show that there is no conceptual distinction between test-based and infective countermeasures and how either one can be transformed into the other.

Furthermore, we show that faults on the code (skipping instructions) can be captured by considering only faults on the data.

These intermediate results allow us to improve the state of the art in several ways:

(a) we fix an existing and that was known to be broken countermeasure (namely the one from Shamir);

(b) we drastically optimize an existing countermeasure (namely the one from Vigilant) which we reduce to 3 tests instead of 9 in its original version, and prove that it resists not only one fault but also an arbitrary number of randomizing faults;

(c) we also show how to upgrade countermeasures to resist any given number of faults: given a correct first-order countermeasure, we present a way to design a provable high-order countermeasure (for a well-defined and reasonable fault model).

Finally, we pave the way for a generic approach against fault attacks for any modular arithmetic computations, and thus for the automatic insertion of countermeasures.