International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-09-04
09:17 [Pub][ePrint] Malicious Hashing: Eve\'s Variant of SHA-1, by Ange Albertini and Jean-Philippe Aumasson and Maria Eichlseder and Florian Mendel and Martin Schläffer

  We present collisions for a version of SHA-1 with modified constants, where the colliding payloads are valid binary files. Examples are given of colliding executables, archives, and images. Our malicious SHA-1 instances have round constants that differ from the original ones in only 40 bits (on average). Modified versions of cryptographic standards are typically used on closed systems (e.g., in pay-TV, media and gaming platforms) and aim to differentiate cryptographic components across customers or services. Our proof-of-concept thus demonstrates the exploitability of custom SHA-1 versions for malicious purposes, such as the injection of user surveillance features. To encourage further research on such malicious hash functions, we propose definitions of malicious hash functions and of associated security notions.



06:17 [Pub][ePrint] Reducing the Complexity of Normal Basis Multiplication, by Omer Egecioglu and Cetin Kaya Koc

  In this paper we introduce a new transformation method and a multiplication

algorithm for multiplying the elements of the field GF$(2^k)$

expressed in a normal basis. The number of XOR gates for the proposed

multiplication algorithm is

fewer than that of the optimal normal basis multiplication, not taking into

account the cost of forward and backward transformations. The algorithm is

more suitable for applications in which tens or hundreds of field multiplications

are performed before needing to transform the results back.



06:17 [Pub][ePrint] Analytic Toolbox for White-Box Implementations: Limitation and Perspectives, by Chung Hun Baek and Jung Hee Cheon and Hyunsook Hong

  White-box cryptography is an obfuscation technique to protect the secret key in the software implementations even if an adversary has full access to the implementation of the encryption algorithm and full control over its execution platforms.

This concept was presented in 2002 by Chow et al., and since then there have been many proposals to give solutions for the white-box cryptography.

However, the progress does not seem to be substantial in spite of its practical importance.

In fact, it is repeated that as a proposal on white-box implementation is announced, an attack of this implementation with lower complexity followed soon.

It is mainly because most cryptanalytic methods were just targeted to some specific implementations and there is no general attack tool for the white-box cryptography.

In this paper, we present a general analytic toolbox for white-box implementations which extracts the secret information obfuscated in the implementation.

For a general SLT cipher on $n$ bits with S-boxes on $m$ bits, one can remove the nonlinear encodings with complexity $O(\\frac{n}{m_Q}2^{3m_Q})$ using our attack tool, if $m_Q$-bit nonlinear encodings are used to obfuscate input/output values in the implementation.

Also, one can recover the affine encoding $A$ in time $O(\\frac{n}{m}\\cdot{m_A}^32^{3m})$ using our extended affine equivalence algorithm~(EAEA), if the inverse of the encoded round function $F$ on $n$ bits is given, where $m_A$ is the smallest integer $p$ such that $A$ or its similar matrix obtained by permuting rows and columns is a block diagonal matrix with a $p\\times p$ matrix as a block.

To avoid our attack, we need to consider a special encoding of large $m_A$, up to $n$. This results in storage blowing up in general. We suggest one approach with special affine encodings of $m_A=n$ that saves storage.

In that case, the EAEA has the complexity~$O\\left(\\min\\left\\{\\tfrac{n}{m}\\cdot {n}^{m+3}\\cdot2^{2m}, {n}\\cdot\\log{n}\\cdot {\\sqrt{2}}^{n}\\right\\}\\right)$, {which can be large up to $2^{74}$ and $2^{109}$ for $n=128$ and $256$, respectively, when $m=8$.

This gives an approach to design secure white-box implementation with practical storage.

We expect that our analytic toolbox initiates the research on white-box implementation design.}



06:17 [Pub][ePrint] Efficient Implementation of Keyless Signatures with Hash Sequence Authentication, by Ahto Buldas and Risto Laanoja and Ahto Truu

  We present new ideas for decreasing the size of secure memory needed for hardware implementations of

hash-sequence based signatures proposed recently by Buldas, Laanoja and Truu (in the following referred to as BLT).

In their scheme, a message $m$ is signed by time-stamping a concatenation $m\\| z_t$ of the message and the one-time

pseudo-random password $z_t$ intended to sign messages at a particular time $t$.

The signature is valid only if the time-stamp points to the same time $t$. Hence, the one time passwords cannot be abused after their use.

To efficiently and securely implement such a scheme at the client side, dedicated hardware is needed and thereby, the solutions that save the (secure) memory and computational time are important. For such schemes, the memory consumption directly depends on the efficiency of the \\emph{hash sequence reversal algorithms}.

The best known reversal algorithm for the BLT scheme uses $O(\\log^2 \\ell)$ memory.

This means that for a signing key that is valid for one year (i.e. $\\ell\\approx 2^{25}$ with one-second time resolution), the device needs to store about $25^2=625$ hash

values which for SHA-256 hashing algorithm means about $20$ K bytes of secure memory.

Another problem with hash sequence reversal algorithms is that they mostly assume that the signature device is always

connected to the computer or has an independent power supply. This is a serious limitation for smart-card implementations of the scheme.

We show first that a mini Public Key Infrastructure in the signature device can be used to lower the memory consumption about twice.

There is a master key (i.e. a hash sequence) that is used to certify short term (about five minutes) signing keys

so that a signature consists of a short term certificate which is a hash chain in the master hash tree (used to authenticate the master hash sequence), and a hash chain that is used to authenticate a particular hash value $z_t$ in the sequence.

We also discuss how to implement hash sequence signatures in devices that have no power supply and are not regularly connected to

computers, such as smart-cards which are often used as personal digital signature devices. General-purpose cryptographic smart-cards also have many

restrictions that limit the use of hash sequence signatures. For example, their hashing speed is relatively low: up to 500 hashing steps per second;

their secure memory is of limited size, etc. This all combined with irregular usage patterns makes the use of hash sequence signatures questionable.

We show why the hash sequence signature (in its original form) cannot be used as the CA signature in the mini PKI solution.

Finally, we propose a new type of hash sequence signature that is more suitable for smart-card implementations.



06:17 [Pub][ePrint] Efficient Interval Check in the Presence of Malicious Adversaries, by Genqiang Wu and Yeping He and Yi Lu and Liping Ding

  We consider the following problem: Assuming that Alice and Bob have an integer interval $[a, e]$ and an integer $b$ respectively, for a commitment $c$ to $b$, Alice and Bob jointly check whether $b$ is within $[a, e]$ without revealing their inputs, where either party may behave maliciously. A special case of the problem is the secure integer comparison in the malicious model. This problem mainly arises from location-based access control systems where one party needs to assure to the other party that its location is within some definite area.

Our main result is a constant-round protocol that exhibit the square of $\\log e$ communication and the square of $\\log e$ exponentiations with simulation-based security. At the heart of the construction is perfect $k$-ary index and corresponding zero-knowledge proof techniques.

We consider a more general case of the problem where the interval is substituted by a union of intervals.





2014-09-02
17:02 [Event][New] ACNS'15: 13th International Conference on Applied Cryptography and Network Security

  Submission: 16 January 2015
Notification: 17 March 2015
From June 2 to June 5
Location: New York, USA
More Information: http://acns2015.cs.columbia.edu/


16:56 [Event][New] Crypto: Crypto 2016

  From August 14 to August 18
Location: Santa Barbara, USA
More Information: http://www.iacr.org/conferences/


16:56 [Event][New] Crypto: Crypto 2015

  From August 16 to August 20
Location: Santa Barbara, USA
More Information: http://www.iacr.org/conferences/


09:17 [Pub][ePrint] Bits Security of the CDH Problems over Finite Fields, by Mingqiang Wang and Tao Zhan and Haibin Zhang

  It is a long-standing open problem to prove the existence of (deterministic) hard-core predicates for the Diffie-Hellman problem over finite fields, without resorting to the generic approaches for any one-way functions (e.g., the Goldreich-Levin hard-core predicates). Fazio et al. (FGPS, Crypto \'13) make important progress on this problem by defining a weaker Computational Diffie-Hellman (CDH) problem over $\\mathbb{F}_{p^2}$, i.e., Partial-CDH problem, and proving the unpredictability of every single bit of one of the coordinates of the secret Diffie-Hellman value. However, the existence of specific hard-core predicates for the regular CDH problems defined over finite fields remains unproven. This paper closes this gap and resolves all the open problems left in FGPS:

1. We prove that the Partial-CDH problem over finite fields $\\mathbb{F}_{p^2}$ is as hard as the regular CDH problem over the same fields.

2. We show a much stronger and more generalized result over finite fields $\\mathbb{F}_{p^2}$---not only the regular CDH problem over $\\mathbb{F}_{p^2}$ admits hard-core predicates but every individual bit of the CDH value is unpredictable.

3. We extend the Partial-CDH problem to define the $d$-th CDH problem over finite fields $\\mathbb{F}_{p^t}$ for any polynomial $t>1$ and for any $0\\leq d \\leq t-1$. We show that computing any single coordinate of the CDH value over $\\mathbb{F}_{p^t}$ is equivalent to computing the entire CDH value.

4. We prove that over finite fields $\\mathbb{F}_{p^t}$ for any polynomial~$t>1$, each $d$-th CDH problem except $d \\neq 0$ admits a large class of hard-core predicates, including every individual bit of the $d$-th coordinate. Hence almost all individual bits of the CDH value of the regular CDH problem over finite fields $\\mathbb{F}_{p^t}$ for $t>1$ are hard-core.



09:17 [Pub][ePrint] The Adjacency Graph of Some LFSRs, by Ming Li and Dongdai Lin

  In this paper, we discuss the adjacency graph of feedback shift registers (FSRs) whose characteristic polynomial can be written as $g=(x_0+x_1)*f$ for some linear function $f$. For $f$ contains an odd number of terms, we present a method to calculate the adjacency graph of FSR$_{(x_0+x_1)*f}$ from the adjacency graph of FSR$_f$. The parity of the weight of cycles in FSR$_{(x_0+x_1)*f}$ can also be determined easily. For $f$ contains an even number of terms, the theory is not so much complete. We need more information than the adjacency graph of FSR$_f$ to determine the adjacency graph of FSR$_{(x_0+x_1)*f}$.

Besides, some properties about the cycle structure of linear feedback shift registers (LFSR) are presented.



07:12 [Event][New] ASK 2014: The Fourth Asian Workshop on Symmetric Key Cryptography - Cryptology School

  Submission: 30 November 2014
From December 19 to December 22
Location: Chennai, India
More Information: http://ask2014.iiitd.ac.in/