International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-09-26
09:17 [Pub][ePrint]

In this paper, we investigate the Mixed-integer Linear Programming (MILP) modelling of the differential and linear behavior of a wide rang of block ciphers.

The differential and linear behavior of the transformations involved in a block cipher can be described by a set $P \\subseteq \\{0,1\\}^n \\subseteq \\mathbb{R}^n$.

We show that $P$ is exactly the set of all 0-1 solutions of the H-representation of the convex hull of $P$. In addition, we can find a small number of inequalities in the H-representation of the convex hull of $P$ such that the set of all 0-1 solutions of these inequalities equals $P$.

~~~~~~Based on these discoveries and MILP technique, we propose an automatic method for finding high probability (related-key) differential or linear characteristics of block ciphers. Compared with Sun {\\it et al.}\'s {\\it heuristic} method presented in Asiacrypt 2014, the new method is {\\it exact} for most ciphers in the sense that every feasible 0-1 solution of the MILP model generated by the new method corresponds to a valid characteristic, and therefore there is no need to repeatedly add valid cutting-off inequalities into the MILP model as is done in Sun {\\it et al.}\'s method; the new method is more powerful which allows us to get the {\\it exact lower bounds} of the number of differentially or linearly active S-boxes; and the new method is more efficient which is able to obtain characteristic enjoying higher probability or covering more rounds of a cipher with less computational effort.

~~~~~Moreover, by employing a type of specially constructed linear inequalities which can remove {\\it exactly one} feasible 0-1 solution from the feasible region of an MILP problem, we propose a method for automatic enumeration of {\\it all} (related-key) differential or linear characteristics with some predefined properties, {\\it e.g.}, characteristics with given input or/and output difference/mask, or with limited number of active S-boxes. Such a method is very useful in the

automatic (related-key) differential analysis, truncated (related-key) differential analysis, linear hull analysis, and the automatic construction of (related-key) boomerang/rectangle distinguishers.

~~~~~~The methods presented in this paper are implemented and extensive experiments are performed. To demonstrate the usefulness of these methods, we apply them to SIMON, PRESENT, Serpent, LBlock, DESL, and we obtain improved cryptanalytic results. For example, we find single-key differentials covering 16 and 22 rounds of SIMON48 and SIMON64 (block ciphers designed by the U.S. National Security Agency) respectively. These are the longest differentials for SIMON48 and SIMON64 published so far.

09:17 [Pub][ePrint]

Being required in many applications, modular exponentiations form the most expensive part of modern cryptographic primitives. It is a significant challenge for resource-constrained mobile devices to perform these heavy computations (e.g., mobile devices that require secure cryptographic computations or RFID tags). Cloud services can significantly enhance the computational capability of these devices. In this way, expensive computations at client side can significantly be reduced by means of secure outsourcing modular exponentiations to a potentially untrusted server S. In this paper, we study this problem which is an active research area of mobile and cloud computing, and mostly known as secure outsourced computation. We propose new efficient outsourcing algorithms for modular exponentiations using only one untrusted cloud service provider solving an open problem highlighted in [11]. These algorithms cover each possible case ranging from public-base & private-exponent, private-base & public-exponent, private-base & private-exponent to the most general private-basis & private-exponents simultaneous modular exponentiations. Our algorithms are the most efficient outsourced computation algorithms to date which use single untrusted server and have the best checkability (verifiability) property. Finally, we give two different real-life applications for outsourcing within the realm of Oblivious Transfer protocols and Blind Signatures.

09:17 [Pub][ePrint]

Physical Unclonable Functions (PUFs) are specialized circuits with applications including key generation and challenge-response authentication. PUF properties such as low cost and resistance to invasive attacks make PUFs well-suited to embedded devices. Yet, given how infrequently the specialized capabilities of a PUF may be needed, the silicon area dedicated to it is largely idle. This inefficient resource usage is at odds with the cost minimization objective of embedded devices. Motivated by this inefficiency, we propose the Bitline PUF -- a novel PUF that uses modified wordline drivers together with SRAM circuitry to enable challenge-response authentication. The number of challenges that can be applied to the Bitline PUF grows exponentially with the number of SRAM rows, and these challenges can be applied at any time without power cycling. This paper presents in detail the workings of the Bitline PUF, and shows that it achieves high throughput, low latency, and uniqueness across instances. Circuit simulations indicate that the Bitline PUF responses have a nominal bit-error-rate (BER) of 0.023 at 1.2 V supply and 27C, and that BER does not exceed 0.076 when supply voltage is varied from 1.1 V to 1.3 V, or when temperature is varied from 0C to 80C. Because the Bitline PUF leverages existing SRAM circuitry, its area overhead is only a single flip-flop and two logic gates per row of SRAM. The combination of high performance and low cost makes the Bitline PUF a promising candidate for commercial adoption and future research.

2014-09-24
13:26 [Event][New]

Submission: 22 November 2015
From June 30 to July 2

13:26 [Event][New]

Submission: 20 October 2014
From December 16 to December 17
Location: Beijing, China

2014-09-23
09:17 [Pub][ePrint]

LED and PHOTON are new ultra-lightweight cryptographic algorithms aiming at resource-constrained devices. In this article, we describe three different hardware architectures of the LED and PHOTON family optimized for Field-Programmable Gate Array (FPGA) devices. In the first architecture we propose a round-based implementation while the second is a fully serialized architecture performing operations on a single cell per clock cycle. Then, we propose a novel architecture that is designed with a focus on utilizing commonly available building blocks (SRL16). This new architecture, organized in a complex scheduling of the operations, seems very well suited for recent designs that use serial matrices. We implemented both the lightweight block cipher LED and the lightweight hash function PHOTON on the Xilinx FPGA series Spartan-3 (low-cost) and Artix-7 (high-end) devices and our new proposed architecture provides very competitive area-throughput trade-offs. In comparison with other recent lightweight block ciphers, the implementation results of LED show a significant improvement of hardware efficiency and we obtain the smallest known FPGA implementation (as of today) of any hash function.

09:17 [Pub][ePrint]

In this paper we define a trapdoor function called SBIM(Q) by using multivariate polynomials over the field of rational numbers $\\mathbb Q.$ The public key consists of $2n$ multivariate polynomials with $3n$ variables $y_1,\\dots,y_n,$ $z_1,\\dots,z_{2n}$. The $y_i$ variables take care for the information content, while the $z_i$ variables are for redundant information. Thus, for encryption of a plaintext of $n$ rational

numbers, a ciphertext of $2n$ rational numbers is used. The security is based on the fact that there are infinitely many solutions of a system with $2n$ polynomial equations of $3n$ unknowns.

The public key is designed by quasigroup transformations obtained from quasigroups presented in matrix form. The quasigroups presented in matrix form allow numerical as well as symbolic computations, and here we exploit that possibility. The private key consists of several $1\\times n$ and $n\\times n$ matrices over $\\mathbb Q$, and one $2n\\times 2n$ matrix.

09:17 [Pub][ePrint]

Search of rich Boolean function for designing a good cryptosystem

is most important. In this search from the infinite domain of integers,cases where rejection of integers for the existence of Generalized bent

function is very helpful. With the help of some necessary condition

of GBF here we show the non existence of [n,5] type Generalized Bent

functions.

2014-09-22
15:54 [Event][New]

From May 31 to June 5
Location: Sibenik, Croatia

2014-09-21
14:37 [PhD][New]

14:37 [PhD][Update]

Name: Elisabeth Oswald
Topic: On Side-Channel Attacks and the Application of Algorithmic Countermeasures
Category:implementation

Description: This thesis is devoted to the investigation of implementation attacks on di?erent types of cryptosystems. We focus on the passive types of such attacks, which exploit the running time, the power consumption or the electromagnetic radiation of the attacked device. In particular, most of the attacks which we will discuss in this thesis have been implemented in practice by using power consumption information. In the ?rst part of this thesis, we concentrate on the concepts on which sidechannel attacks are based. We demonstrate how such attacks can be applied to implementations of secret-key cryptosystems and how similar attacks can be used to break implementations of public-key cryptosystems as well. Besides the introductory chapter which addresses the currently exploited side-channels, this part also addresses the di?erent statistical methods which we used for our attacks and which models (or assumptions) we developed to perform attacks on di?erent types of cryptosystems. The second part of this thesis is concerned with the practical aspects of conducting side-channel attacks. We concentrate in this part on power-analysis attacks. Experimental attacks are described and some practical aspects of their realization are discussed. Our main contributions for this thesis are the introduction of a software-based approach to estimate the success for power analysis attacks, which has been published in [AO00], and the investigations on a speci?c type of countermeasures for securing implementations of elliptic curve cryptosystems, see [OA01] (joined work with M. Aigner) and [Osw03]. We developed a highly e?cient representation for the AES S-box [WOL02] (joint work with J. Wolkerstorfer and M. Lamberger). We also conducted experiments on applying power-analysis attcks on implementations of elliptic curve cryptosystems on FPGAs [OOP] (joint work with S. B. ¨ Ors and B. Preneel).Moreover, we have contributed to the NESSIE project by evaluating the vulnerability of some of the NESSI[...]