International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-07-31
12:17 [Pub][ePrint]

Discrete Gaussian sampling is an integral part of many lattice

based cryptosystems such as public-key encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast Knuth-Yao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of $2^{-90}$ to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most area-optimal implementation of the bit-scan operation based Knuth-Yao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to

generate a polynomial of 256 coefficients.

2014-07-30
09:17 [Pub][ePrint]

We provide a generic transformation from any \\emph{affine} message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order. If the MAC satisfies a security notion related to unforgeability against chosen-message attacks and, for example, the $k$-Linear assumption holds, then the resulting IBE scheme is adaptively secure. Our security reduction is tightness preserving, i.e., if the MAC has a tight security reduction so has the IBE scheme. Furthermore, the transformation also extends to hierarchical identity-based encryption (HIBE). We also show how to construct affine MACs with a tight security reduction to standard assumptions. This, among other things, provides the first tightly secure HIBE in the standard model.

09:17 [Pub][ePrint]

This paper uses cryptographic techniques to study the problem of zone enumeration in DNSSEC. DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability -zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We explain why the current DNSSEC standard (with NSEC and NSEC3) suffers from zone enumeration: we use cryptographic lower bounds to prove that DNSSEC\'s three design goals -high performance, security against network attackers, and privacy against zone enumeration- cannot be satisfied simultaneously. We then introduce NSEC5, a new cryptographic construction that solves the problem of DNSSEC zone enumeration while matching our lower bounds and remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3, where the hash function is replaced with an RSA-based keyed-hashing scheme.

09:17 [Pub][ePrint]

Template Attacks consist of two stages, the profiling stage and the extraction stage. In order to improve the key-recovery efficiency of Template Attacks, a feasible way is to characterize signals and noises accurately. Under the assumption that a reference device is available, in the profiling stage, one can operate the reference device as many times as possible and samples a large number of power traces to help accurately characterize signals and noises at different interesting points. However, in some practical scenarios, it is not always the case and one can only record a limited number of power traces. In this paper, we show that one can still make Template Attacks practical and more powerful in the above scenario if he could obtain some kind of priori knowledge about the reference device. For example, the priori knowledge is some kind of priori distribution of the signal component in the instantaneous power consumption for fixed operation on fixed data. Evaluation results show that the priori knowledge poses potential threat to the physical security of cryptographic devices and this kind of threat can not be neglected.

09:17 [Pub][ePrint]

Membership encryption is a newly developed cryptographic primitive that combines membership proof and encryption into an unified setting. This paper presents a new flexible membership encryption scheme which is provably secure and significantly more efficient than the previous scheme. Further we apply our proposed membership encryption to construct a round optimal 1-out-of-$n$ priced oblivious transfer (POT) protocol which, unlike the existing 1-out-of-n POT schemes,is proven secure under the universally composable (UC) security model and thus preserves security when it is executed with multiple protocol instances that run concurrently in an adversarily controlled way. Moreover, using our membership encryption, the POT protocol exhibits constant

communication complexity on the buyer\'s side and $O(n)$ communication cost on the vendor\'s side, which is so far the best known in the literature.

09:17 [Pub][ePrint]

The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and has been deployed in commercial products. We observe that the original SPEKE specification is subtly different from those defined in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We show that those differences have critical security implications. First of all, we present two new attacks on SPEKE: a relay attack and a key-malleability attack. The first attack allows an attacker to impersonate a user without knowing the password by engaging in two parallel sessions with the victim. The second attack allows an attacker to malleate the session key established between two honest users without being detected. Both attacks are applicable to the original SPEKE scheme. However, they are to some extent addressed in the ISO/IEC 11770-4 and IEEE 1363.2 standards, but in a vaguely defined manner. The vagueness makes it extremely difficult for a security-conscious developer to implement the protocol correctly. We propose countermeasures and suggest concrete changes to the standards.

09:17 [Pub][ePrint]

In their seminal work on non-malleable cryptography, Dolev, Dwork and Naor, showed how to construct a non-malleable commitment with logarithmically-many \"rounds\"/\"slots\", the idea being that any adversary may successfully maul in some slots but would fail in at least one. Since then new ideas have been introduced, ultimately resulting in constant-round protocols based on any one-way function. Yet, in spite of this remarkable progress, each of the known constructions of non-malleable commitments leaves something to be desired.

In this paper we propose a new technique that allows us to to construct a non-malleable protocol with only a single slot\", and to improve in at least one aspect over each of the previously proposed protocols. Two direct byproducts of our new ideas are a four round non-malleable commitment and a four round non-malleable zero-knowledge argument, the latter matching the round complexity of the best known zero-knowledge argument (without the non-malleability requirement). The protocols are based on the existence of one-way permutations (or alternatively one-way functions with an extra round) and admit very efficient instantiations via standard homomorphic commitments and sigma protocols.

Our analysis relies on algebraic reasoning, and makes use of error correcting codes in order to ensure that committers\' tags differ in many coordinates. One way of viewing our construction is as a method for combining many atomic sub-protocols in a way that simultaneously amplifies soundness and non-malleability, thus requiring much weaker guarantees to begin with, and resulting in a protocol which is much trimmer in complexity compared to the existing ones.

09:17 [Pub][ePrint]

We present a construction for non-interactive zero-knowledge proofs of

knowledge in the random oracle model from general sigma-protocols. Our

construction is secure against quantum adversaries. Prior

constructions (by Fiat-Shamir and by Fischlin) are only known to be

secure against classical adversaries, and Ambainis, Rosmanis, Unruh

(FOCS 2014) gave evidence that those constructions might not be secure

against quantum adversaries in general.

To prove security of our constructions, we additionally develop new

techniques for adaptively programming the quantum random oracle.

09:17 [Pub][ePrint]

We propose a new construction for achieving adaptively secure functional encryption for poly-sized circuits from indistinguishability obfuscation. Our reduction has polynomial loss to the underlying primitives. We develop a punctured programming approach to constructing and proving systems where outside of obfuscation we rely only on primitives constructable from pseudo random generators.

09:17 [Pub][ePrint]

In this paper, we propose an authenticated key exchange (AKE) protocol

from Ideal lattices. The protocol

is simple since it does not involve any other cryptographic primitives

to achieve authentication (e.g., signatures). This allows us

to establish a security proof solely based on the hardness of

the well-known ring-LWE problems, thus on some hard lattice problems in the worst-case (e.g., SVP and SIVP). We give the security proof of the proposed

AKE protocol in an enhanced variant of the original

Bellare-Rogaway (BR) model,

which additionally captures weak Perfect Forward Secrecy (wPFS),

in the random oracle (RO) model.

2014-07-29
18:09 [Job][New]

The Information Security Centre of Excellence (ISCX) at the Faculty of Computer Science, University of New Brunswick’s Fredericton Campus invites application for a Research Associate in the field of Cyber Security. The successful candidate will work with the members of ISCX to conduct original research, design, and development for the Intelligent Tools for an Automated Security Analysis and Risk Management for Large-Scale Systems project. This project will be carried out in collaboration with IBM Security Division and is mainly funded under the Atlantic Innovation Foundation (AIF) program. For more information on the project and ISCX, please see www.iscx.ca.

To be considered for the position the applicant should have a PhD degree in Computer Science. Some postdoctoral research experience is an asset. Good oral and written communication skills and the ability to work on a team project are essential.

This is a full-time position, available as of October 1, 2014 and will initially be for one year, with the possibility of renewal for three more years. Salary will depend upon the qualifications and experience of the successful applicant.

Interested applicants should submit a covering letter, along with a resume, and the name, address, phone and e-email addresses of three academic references. Review of applications will begin in August 1, 2014 and will continue until the position is filled.