International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-08-05
21:17 [Pub][ePrint]

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing ciphersuites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these ciphersuites with a rigorous proof of security. Our approach ties lattice-based key exchange together with traditional authentication using RSA or elliptic curve digital signatures: the post-quantum key exchange provides forward secrecy against future quantum attackers, while authentication can be provided using RSA keys that are issued by today\'s commercial certificate authorities, smoothing the path to adoption.

Our cryptographically secure implementation, aimed at the 128-bit security level, reveals that the performance price when switching from non-quantum-safe key exchange is not too high. With our R-LWE ciphersuites integrated into the OpenSSL library and using the Apache web server on a 2-core desktop computer, we could serve 506 RLWE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KiB payload. Compared to elliptic curve Diffie--Hellman, this means an 8 KiB increased handshake size and a reduction in throughput of only 21%. This demonstrates that post-quantum key-exchange can already be considered practical.

2014-08-04
21:40 [Job][New]

A 4 year PhD student position is available at the Department of Informatics of the University of Bergen. Some of the possible research directions are coding theory, cryptography, Boolean functions, sequence design.

Information on application requirements and work conditions can be found at http://www.jobbnorge.no/ledige-stillinger/stilling/103925/stipendiat-i-informatikk

00:17 [Pub][ePrint]

A machine is said to be {\\em oblivious} if the sequences of memory accesses made by the machine for two inputs with the same running time are identically (or close to identically) distributed. Oblivious RAM (ORAM) compilers -- compilers that turn any RAM program $\\Pi$ into an oblivious RAM $\\Pi\'$, while incurring only a \"small\", polylogarithmic, slow-down -- have been extensively studied since the work of Goldreich and Ostrovsky (JACM 1996), and have numerous fundamental applications. These compilers, however, do not leverage parallelism: even if $\\Pi$ can be heavily parallelized, $\\Pi\'$ will be inherently sequential.

In this work, we present the first {\\em Oblivious Parallel RAM (OPRAM)} compiler, which compiles any PRAM into an oblivious PRAM while incurring only a polylogarithmic slowdown.

2014-08-03
13:39 [Job][Update]

Make the world smart and secure – join NXP!

NXP is the trusted partner to authenticate identities, secure transactions and provide convenient interactions by delivering Identification Solutions.

The business area Security & Connectivity develops secure solutions that connect people and objects. Its strong portfolio of advanced semiconductor technology, unmatched device performance, world-class security and complete answers approach is used worldwide for protecting personal information in bank cards, passports, and more.

You can be part of an ambitious team of professionals operating in an incredibly exciting industry to help the world be more connected and more secure.

We are looking for passionate, talented experts in the field of Crypto & Security. Examplary roles include:

• Firmware security engineers
• Vulnerability analysts
• Certification managers

• Currently we are hiring in San Jose (US), Eindhoven (NL), Glasgow (UK), Gratkorn (AT), Hamburg (DE) and Leuven (BE). There are more than 30 Crypto & Security positions for all sort of experience levels!

We are looking forward to your application via our Crypto & Security career website on LinkedIn.

2014-07-31
21:42 [Event][New]

Submission: 6 October 2014
From March 23 to March 25
Location: Warsaw, Poland

21:17 [Pub][ePrint]

This paper presents new speed records for multiprecision multiplication on the AVR ATmega family of 8-bit microcontrollers. For example, our software takes only 1976 cycles for the multiplication of two 160-bit integers; this is more than 15% faster than previous work. For 256-bit inputs, our software is not only the first to break through the 6000-cycle barrier; with only 4797 cycles it also breaks through the 5000-cycle barrier and is more than 21% faster than previous work.We achieve these speed records by carefully optimizing the Karatsuba multiplication technique for AVR ATmega. One might expect that subquadratic-complexity Karatsuba multiplication is only faster than algorithms with quadratic complexity for large inputs. This paper shows that it is in fact faster than fully unrolled product-scanning multiplication already for surprisingly small inputs, starting at 48 bits. Our results thus make Karatsuba multiplication the method of choice for high-performance implementations of elliptic-curve cryptography on AVR ATmega microcontrollers.

21:17 [Pub][ePrint]

The paper is about algorithms for the inhomogeneous short integer solution problem: Given A, b to find a short vector s such that As \\equiv b (mod q). We consider algorithms for this problem due to Camion and Patarin; Wagner; Schroeppel and Shamir; Howgrave-Graham and Joux; Becker, Coron and Joux. Our main results include: Applying the Hermite normal form (HNF) to get faster algorithms; A heuristic analysis of the HGJ and BCJ algorithms in the case of density greater than one; An improved cryptanalysis of the SWIFFT hash function.

12:17 [Pub][ePrint]

Structure-preserving signature schemes can be very useful in the construction of new cryptographic operations like blind signatures. Recently several of these schemes have been proposed. The security of signature-preserving signature schemes is still proved by hand, which can be a laborious task. One of the ways to prove security of these schemes algebraic analysis can be used. We present an approach to perform this analysis and the first tool, CheckSPS, that can do an algebraic security analysis of these schemes, using SMT solvers as backend. This can help in constructing new schemes and analyse existing schemes. Our tool can handle all the common security objectives for signature schemes, i.e. existential unforgeability and strong existential unforgeability, and all the common capabilities for adversaries, i.e. random message attacks, non-adaptive chosen message attacks and adaptive chosen message attacks. The tool is sound, so if an attack is found it is actually possible to construct a forged signature.

12:17 [Pub][ePrint]

Discrete Gaussian sampling is an integral part of many lattice

based cryptosystems such as public-key encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast Knuth-Yao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of $2^{-90}$ to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most area-optimal implementation of the bit-scan operation based Knuth-Yao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to

generate a polynomial of 256 coefficients.

2014-07-30
09:17 [Pub][ePrint]

We provide a generic transformation from any \\emph{affine} message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order. If the MAC satisfies a security notion related to unforgeability against chosen-message attacks and, for example, the $k$-Linear assumption holds, then the resulting IBE scheme is adaptively secure. Our security reduction is tightness preserving, i.e., if the MAC has a tight security reduction so has the IBE scheme. Furthermore, the transformation also extends to hierarchical identity-based encryption (HIBE). We also show how to construct affine MACs with a tight security reduction to standard assumptions. This, among other things, provides the first tightly secure HIBE in the standard model.

09:17 [Pub][ePrint]

This paper uses cryptographic techniques to study the problem of zone enumeration in DNSSEC. DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability -zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We explain why the current DNSSEC standard (with NSEC and NSEC3) suffers from zone enumeration: we use cryptographic lower bounds to prove that DNSSEC\'s three design goals -high performance, security against network attackers, and privacy against zone enumeration- cannot be satisfied simultaneously. We then introduce NSEC5, a new cryptographic construction that solves the problem of DNSSEC zone enumeration while matching our lower bounds and remaining faithful to the operational realities of DNSSEC. NSEC5 can be thought of as a variant of NSEC3, where the hash function is replaced with an RSA-based keyed-hashing scheme.