International Association for Cryptologic Research

# IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2014-12-18
04:17 [Pub][ePrint]

Side channel and fault attacks take advantage from the fact that the behavior of crypto implementations can be observed and provide hints that simplify revealing keys. These attacks use identical devices either for preparation of attacks or for measurements. By the preparation of attacks the structure and the electrical circuit of devices, that are identical to the target, is analyzed. By side channel attacks usually the same device is used many times for measurements, i.e. measurements on the identical device are made serially in time. Another way is to exploit the difference of side channel leakages; here two identical devices are used parallel, i.e. at the same time. In this paper we investigate the influence of the electrical circuit of a cryptographic implementation on the shape of the resulting power trace, because individualizing of circuits of cryptographic devices can be a new means to prevent attacks that use identical devices. We implemented three different designs that provide exactly the same cryptographic function, i.e. an ECC kP multiplication. For our evaluation we use two different FPGAs. The visualization of the routed design and measurement results show clear differences in the resources consumed as well as in the power traces.

04:17 [Pub][ePrint]

Bilinear groups are often used to create Attribute-Based Encryption (ABE) algorithms.

In particular, they have been used to create an ABE system with multi authorities, but limited to the ciphertext-policy instance.

Here, for the first time, we propose two multi-authority key-policy ABE systems.

In our first proposal, the authorities may be set up in any moment and without any coordination.

A party can simply act as an ABE authority by creating its own public parameters and issuing private keys to the users.

A user can thus encrypt data choosing both a set of attributes and a set of trusted authorities, maintaining full control unless all his chosen authorities collude against him.

In our second system, the authorities are allowed to collaborate to achieve shorter keys and parameters, enhancing the efficiency of encryption and decryption.

We prove our systems secure under algebraic assumptions on the bilinear groups: the bilinear Diffie-Hellmann assumption and an original variation of the former.

04:17 [Pub][ePrint]

Garbling schemes (aka randomized encodings of functions) represent a function F by a \"simpler\" randomized function F^ such that F^(x) reveals F(x) and no additional information about x. Garbling schemes have found applications in many areas of cryptography. Motivated by the goal of improving the efficiency of garbling schemes, we make the following contributions:

- We suggest a general new notion of partial garbling which unifies several previous notions from the literature, including standard garbling schemes, secret sharing schemes, and \"conditional disclosure of secrets\". This notion considers garbling schemes in which part of the input is public, in the sense that it can be leaked by F^.

- We present constructions of partial garbling schemes for (boolean and arithmetic) formulas and branching programs which take advantage of the public input to gain better efficiency.

- We demonstrate the usefulness of the new notion by presenting applications to efficient attribute-based encryption, delegation, and secure computation. In each of these applications, we obtain either new schemes for larger classes of functions or efficiency improvements from quadratic to linear. In particular, we obtain the first ABE scheme in bilinear groups for arithmetic formulas, as well as more efficient delegation schemes for boolean and arithmetic branching programs.

04:17 [Pub][ePrint]

The function field sieve, a subexponential algorithm of complexity L(1/3) that computes discrete logarithms in finite fields, has recently been improved to an algorithm of complexity L(1/4) and subsequently to a quasi-polynomial time algorithm. We investigate whether the new ideas also apply to index calculus algorithms for computing discrete logarithms in Jacobians of algebraic curves. While we do not give a final answer to the question, we discuss a number of ideas, experiments, and possible conclusions.

04:17 [Pub][ePrint]

We present Ring ORAM, a simple and low-latency ORAM construction that can be parameterized for either small or large client storage.

Simply by tuning parameters, Ring ORAM matches or exceeds the performance of the best-known small and large client storage schemes and can achieve a constant factor online bandwidth overhead over insecure systems.

We evaluate Ring ORAM in theory and in practice.

On the theory side, we prove that Ring ORAM matches the asymptotic bandwidth and client storage of Path ORAM, the prior-art scheme for small client storage.

Tuning parameters for small client storage, Ring ORAM reduces overall bandwidth relative to Path ORAM by a factor of $2.7\\times$ and reduces online bandwidth to constant (a $57\\times$ improvement over Path ORAM given realistic parameters).

Tuning parameters for large client storage, Ring ORAM outperforms Path ORAM (which is given equal storage) by $4.5\\times$ and SSS ORAM, the prior-art scheme for large client storage, by 16-33\\%.

Using secure processors as a case study for small client storage, Ring ORAM on average reduces ORAM response time by nearly $5\\times$ and improves workload completion time by $2.75\\times$, relative to Path ORAM.

In the large storage setting, running an enterprise file system trace with bursty requests, Ring ORAM adds negligible overhead to response time given a $>100$~Mbps network bandwidth.

By comparison, Burst ORAM incurs large overheads in response time unless network bandwidth $>350$~Mbps.

These results suggest that Ring ORAM is a compelling construction in both large client storage (e.g., file server) and small client storage (e.g., remote secure processor) settings.

04:17 [Pub][ePrint]

A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32.

Unfortunately, in all existing HD wallets---including BIP32 wallets---an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided.

We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called one more\'\' discrete logarithm problem.

04:17 [Pub][ePrint]

The lightweight encryption algorithm (LEA) is a 128-bit block cipher introduced in 2013. It is based on Addition, rotation, XOR operations for 32-bit words. Because of its structure,it is useful for several devices to achieve a high speed of encryption and low-power consumption.However, side-channel attacks on LEA implementations have not been examined.In this study, we perform a power analysis attack on LEA. We implemented LEA with 128-bit key size on FPGA in a straightforward manner. Our experimental results show that we can successfully retrieve a 128-bit master key by attacking a first round encryption.

04:17 [Pub][ePrint]

Fairness is a desirable property in secure computation; informally it means that if one party gets the output of the function, then all parties get the output.

Alas, an implication of Cleve\'s result (STOC 86) is that when there is no honest majority, in particular in the important case of the two-party setting, there exist

functions that cannot be computed with fairness. In a surprising result, Gordon et al.\\ (JACM 2011) showed that some interesting functions can be computed with fairness in the two-party setting, and re-opened the question of understanding which Boolean functions can be computed with fairness, and which cannot.

Our main result in this work is a complete characterization of the (symmetric)

Boolean functions that can be computed with fairness in the two-party setting; this settles an open problem of Gordon et al. The characterization is quite simple: A function can be computed with fairness \\emph{if and only if} the all one-vector or the all-zero vector are in the affine span of either the rows or the columns of the matrix describing the function. This is true for both deterministic and randomized functions. To prove the possibility result, we modify the protocol of Gordon et al.\\ (JACM 2011); the resulting protocol computes with full security (and in particular with fairness) all functions that are computable with fairness.

We extend the above result in two directions. First, we completely characterize the Boolean functions that can be computed with fairness in the multiparty case, when the number of parties is constant and at most half of the parties can be malicious.

Second, we consider the two-party setting with asymmetric Boolean functionalities, that is, when the output of each party is one bit, but the outputs are not necessarily the same. We generalize our aforementioned protocol for symmetric functions to handle asymmetric functions, and obtain a sufficient condition for computing such functions with fairness. In addition, we provide a necessary condition for fairness; however, a gap is left between these two conditions.

We then consider a specific asymmetric function in this gap area, and by designing a new protocol, we show that it is computable with fairness. However, we do not give a complete characterization for all functions that lie in this gap, and their classification remains open.

04:17 [Pub][ePrint]

Using the hard assumption of Ring-Decision Learning With Errors (DLWE) in the lattice, we propose a new authenticated key exchange (AKE) scheme which is based on Peikert\'s reconciliation technique. Under the CK model, the proposed scheme is provably secure. Compared with the traditional Diffie-Hellman (DH) authenticated key exchange (AKE) schemes, the proposed scheme not only has better efficiency and

stronger security but also resists quantum attacks because of the hard assumption on lattice problem. The comparisons between Ring-LWE based ones shows that the proposed scheme protects the shared session key with balanced key derivation function (KDF) compared with those current AKE schemes from LWE.

04:17 [Pub][ePrint]

We consider the scenario where a consumer can securely outsource their network telemetry data to a Cloud Service Provider and enable a third party to audit such telemetry for any security forensics. Especially we consider the use case of privacy preserving search in network log audits. In this paper we experiment with advances in Identity Based Encryption and Attribute-Based encryption schemes for auditing network logs.

04:17 [Pub][ePrint]

In this paper we introduce the first authenticated encryption scheme

based on a hash function, called COFFE. This research has been

motivated by the challenge to fit secure cryptography into constrained

devices -- some of these devices have to use a hash function, anyway,

and the challenge is to avoid the usage of an additional block cipher

to provide authenticated encryption. COFFE satisfies the common

security requirements regarding authenticated encryption, i.e., IND-CPA-

and INT-CTXT-security. Beyond that, it provides the following

additional security features: resistance against side-channel attacks

and INT-CTXT security in the nonce-misuse scenario. It also support

failure-friendly authentication under reasonable assumptions.