International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-09-04
06:17 [Pub][ePrint]

In this paper we introduce a new transformation method and a multiplication

algorithm for multiplying the elements of the field GF$(2^k)$

expressed in a normal basis. The number of XOR gates for the proposed

multiplication algorithm is

fewer than that of the optimal normal basis multiplication, not taking into

account the cost of forward and backward transformations. The algorithm is

more suitable for applications in which tens or hundreds of field multiplications

are performed before needing to transform the results back.

06:17 [Pub][ePrint]

White-box cryptography is an obfuscation technique to protect the secret key in the software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms.

This concept was presented in 2002 by Chow et al., and since then there have been many proposals to give solutions for the white-box cryptography.

However, the progress does not seem to be substantial in spite of its practical importance.

In fact, it is repeated that as a proposal on white-box implementation is announced, an attack of this implementation with lower complexity followed soon.

It is mainly because most cryptanalytic methods were just targeted to some specific implementations and there is no general attack tool for the white-box cryptography.

In this paper, we present a general analytic toolbox for white-box implementations which extracts the secret information obfuscated in the implementation.

For a general SLT cipher on $n$ bits with S-boxes on $m$ bits, one can remove the nonlinear encodings with complexity $O(\\frac{n}{m_Q}2^{3m_Q})$ using our attack tool, if $m_Q$-bit nonlinear encodings are used to obfuscate input/output values in the implementation.

Also, one can recover the affine encoding $A$ in time $O(\\frac{n}{m}\\cdot{m_A}^32^{3m})$ using our extended affine equivalence algorithm~(EAEA), if the inverse of the encoded round function $F$ on $n$ bits is given, where $m_A$ is the smallest integer $p$ such that $A$ or its similar matrix obtained by permuting rows and columns is a block diagonal matrix with a $p\\times p$ matrix as a block.

To avoid our attack, we need to consider a special encoding of large $m_A$, up to $n$. This results in storage blowing up in general. We suggest one approach with special affine encodings of $m_A=n$ that saves storage.

In that case, the EAEA has the complexity~$O\\left(\\min\\left\\{\\tfrac{n}{m}\\cdot {n}^{m+3}\\cdot2^{2m}, {n}\\cdot\\log{n}\\cdot {\\sqrt{2}}^{n}\\right\\}\\right)$, {which can be large up to $2^{74}$ and $2^{109}$ for $n=128$ and $256$, respectively, when $m=8$.

This gives an approach to design secure white-box implementation with practical storage.

We expect that our analytic toolbox initiates the research on white-box implementation design.}

06:17 [Pub][ePrint]

We present new ideas for decreasing the size of secure memory needed for hardware implementations of

hash-sequence based signatures proposed recently by Buldas, Laanoja and Truu (in the following referred to as BLT).

In their scheme, a message $m$ is signed by time-stamping a concatenation $m\\| z_t$ of the message and the one-time

pseudo-random password $z_t$ intended to sign messages at a particular time $t$.

The signature is valid only if the time-stamp points to the same time $t$. Hence, the one time passwords cannot be abused after their use.

To efficiently and securely implement such a scheme at the client side, dedicated hardware is needed and thereby, the solutions that save the (secure) memory and computational time are important. For such schemes, the memory consumption directly depends on the efficiency of the \\emph{hash sequence reversal algorithms}.

The best known reversal algorithm for the BLT scheme uses $O(\\log^2 \\ell)$ memory.

This means that for a signing key that is valid for one year (i.e. $\\ell\\approx 2^{25}$ with one-second time resolution), the device needs to store about $25^2=625$ hash

values which for SHA-256 hashing algorithm means about $20$ K bytes of secure memory.

Another problem with hash sequence reversal algorithms is that they mostly assume that the signature device is always

connected to the computer or has an independent power supply. This is a serious limitation for smart-card implementations of the scheme.

We show first that a mini Public Key Infrastructure in the signature device can be used to lower the memory consumption about twice.

There is a master key (i.e. a hash sequence) that is used to certify short term (about five minutes) signing keys

so that a signature consists of a short term certificate which is a hash chain in the master hash tree (used to authenticate the master hash sequence), and a hash chain that is used to authenticate a particular hash value $z_t$ in the sequence.

We also discuss how to implement hash sequence signatures in devices that have no power supply and are not regularly connected to

computers, such as smart-cards which are often used as personal digital signature devices. General-purpose cryptographic smart-cards also have many

restrictions that limit the use of hash sequence signatures. For example, their hashing speed is relatively low: up to 500 hashing steps per second;

their secure memory is of limited size, etc. This all combined with irregular usage patterns makes the use of hash sequence signatures questionable.

We show why the hash sequence signature (in its original form) cannot be used as the CA signature in the mini PKI solution.

Finally, we propose a new type of hash sequence signature that is more suitable for smart-card implementations.

06:17 [Pub][ePrint]

We consider the following problem: Assuming that Alice and Bob have an integer interval $[a, e]$ and an integer $b$ respectively, for a commitment $c$ to $b$, Alice and Bob jointly check whether $b$ is within $[a, e]$ without revealing their inputs, where either party may behave maliciously. A special case of the problem is the secure integer comparison in the malicious model. This problem mainly arises from location-based access control systems where one party needs to assure to the other party that its location is within some definite area.

Our main result is a constant-round protocol that exhibit the square of $\\log e$ communication and the square of $\\log e$ exponentiations with simulation-based security. At the heart of the construction is perfect $k$-ary index and corresponding zero-knowledge proof techniques.

We consider a more general case of the problem where the interval is substituted by a union of intervals.

2014-09-02
17:02 [Event][New]

Submission: 16 January 2015
From June 2 to June 5
Location: New York, USA

16:56 [Event][New]

From August 14 to August 18
Location: Santa Barbara, USA

16:56 [Event][New]

From August 16 to August 20
Location: Santa Barbara, USA

09:17 [Pub][ePrint]

It is a long-standing open problem to prove the existence of (deterministic) hard-core predicates for the Diffie-Hellman problem over finite fields, without resorting to the generic approaches for any one-way functions (e.g., the Goldreich-Levin hard-core predicates). Fazio et al. (FGPS, Crypto \'13) make important progress on this problem by defining a weaker Computational Diffie-Hellman (CDH) problem over $\\mathbb{F}_{p^2}$, i.e., Partial-CDH problem, and proving the unpredictability of every single bit of one of the coordinates of the secret Diffie-Hellman value. However, the existence of specific hard-core predicates for the regular CDH problems defined over finite fields remains unproven. This paper closes this gap and resolves all the open problems left in FGPS:

1. We prove that the Partial-CDH problem over finite fields $\\mathbb{F}_{p^2}$ is as hard as the regular CDH problem over the same fields.

2. We show a much stronger and more generalized result over finite fields $\\mathbb{F}_{p^2}$---not only the regular CDH problem over $\\mathbb{F}_{p^2}$ admits hard-core predicates but every individual bit of the CDH value is unpredictable.

3. We extend the Partial-CDH problem to define the $d$-th CDH problem over finite fields $\\mathbb{F}_{p^t}$ for any polynomial $t>1$ and for any $0\\leq d \\leq t-1$. We show that computing any single coordinate of the CDH value over $\\mathbb{F}_{p^t}$ is equivalent to computing the entire CDH value.

4. We prove that over finite fields $\\mathbb{F}_{p^t}$ for any polynomial~$t>1$, each $d$-th CDH problem except $d \\neq 0$ admits a large class of hard-core predicates, including every individual bit of the $d$-th coordinate. Hence almost all individual bits of the CDH value of the regular CDH problem over finite fields $\\mathbb{F}_{p^t}$ for $t>1$ are hard-core.

09:17 [Pub][ePrint]

In this paper, we discuss the adjacency graph of feedback shift registers (FSRs) whose characteristic polynomial can be written as $g=(x_0+x_1)*f$ for some linear function $f$. For $f$ contains an odd number of terms, we present a method to calculate the adjacency graph of FSR$_{(x_0+x_1)*f}$ from the adjacency graph of FSR$_f$. The parity of the weight of cycles in FSR$_{(x_0+x_1)*f}$ can also be determined easily. For $f$ contains an even number of terms, the theory is not so much complete. We need more information than the adjacency graph of FSR$_f$ to determine the adjacency graph of FSR$_{(x_0+x_1)*f}$.

Besides, some properties about the cycle structure of linear feedback shift registers (LFSR) are presented.

07:12 [Event][New]

Submission: 30 November 2014
From December 19 to December 22
Location: Chennai, India