International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-01-29
13:17 [Pub][ePrint]

A common countermeasure to thwart side-channel analysis attacks is algorithmic masking. For this, algorithms that mix Boolean and arithmetic operations need to either apply two different masking schemes with secure conversions or use dedicated arithmetic units that can process Boolean masked values. Several proposals have been published that can realize these approaches securely and efficiently in software. But to the best of our knowledge, no hardware design exists that fulfills relevant properties such as efficiency and security at the same time.

In this paper, we present two design strategies to realize a secure and efficient arithmetic adder for Boolean-masked values. First, we introduce an architecture based on the ripple-carry adder that targets low-cost applications. The second architecture is based on a pipelined Kogge-Stone adder and targets high-performance applications. In particular, all our implementations adopt the threshold implementation approach to improve their resistance against SCA attacks even in the presence of glitches. We evaluated the security of our designs practically against SCA using a non-specific statistical t-test. Based on our analysis, we show that our constructions not only achieve resistance against first- and (univariate) second-order attacks but also require fewer random bits per operation compared to any existing software-based approach.

13:17 [Pub][ePrint]

We give a new proof of the existence of public-coin concurrent zero-knowledge arguments for NP in the plain model under standard assumptions (the existence of one-to-one one-way functions and collision-resistant hash functions), which was originally proven by Goyal (STOC\'13).

In the proof, we use a new variant of the non-black-box simulation technique of Barak (FOCS\'01). An important property of our simulation technique is that the simulator runs in a straight-line manner in the fully concurrent setting. Compared with the simulation technique of Goyal, which also has such a property, the analysis of our simulation technique is (arguably) simpler.

13:17 [Pub][ePrint]

Invariant subspace attacks were introduced at CRYPTO 2011 to cryptanalyze PRINTcipher. The invariant subspaces for PRINTcipher were discovered in an ad hoc fashion, leaving a generic technique to discover invariant subspaces in other ciphers as an open problem. Here, based on a rather simple observation, we introduce a generic algorithm to detect invariant subspaces. We apply this algorithm to the CAESAR candidate iSCREAM, the closely related LS-design Robin, as well as the lightweight cipher Zorro. For all three candidates invariant subspaces were detected, and result in practical breaks of the ciphers. A closer analysis of independent interest reveals that these invariant subspaces are underpinned by a new type of self-similarity property. For all ciphers, our strongest attack shows the existence of a weak key set of density $2^{-32}$. These weak keys lead to a simple property on the plaintexts going through the whole encryption process with probability one. All our attacks have been practically verified on reference implementations of the ciphers.

13:17 [Pub][ePrint]

The iterated Even-Mansour cipher is a construction of a block cipher from $r$ public permutations $P_1,\\ldots,P_r$ which abstracts in a generic way the structure of key-alternating ciphers. The indistinguishability of this construction from a truly random permutation by an adversary with oracle access to the inner permutations $P_1,\\ldots,P_r$ has been investigated in a series of recent papers. This construction has also been shown to be (fully) indifferentiable from an ideal cipher for a sufficient number of rounds (five or twelve depending on the assumptions on the key-schedule). In this paper, we extend this line of work by considering the resistance of the iterated Even-Mansour cipher to xor-induced related-key attacks (i.e., related-key attacks where the adversary is allowed to xor any constant of its choice to the secret key) and to chosen-key attacks. For xor-induced related-key attacks, we first provide a distinguishing attack for two rounds, assuming the key-schedule is linear. We then prove that for a linear key-schedule, three rounds yield a cipher which is secure against xor-induced related-key attacks up to $O(2^{\\frac{n}{2}})$ queries of the adversary, whereas for a nonlinear key-schedule, one round is sufficient to obtain a similar security bound. We also show that the iterated Even-Mansour cipher with four rounds offers some form of provable resistance to chosen-key attacks, which is the minimal number of rounds to achieve this property. The main technical tool that we use to prove this result is \\emph{sequential indifferentiability}, a weakened variant of (full) indifferentiability introduced by Mandal \\emph{et al.} (TCC~2010).

08:06 [Event][New]

Submission: 31 August 2015
From November 25 to November 27
Location: Seoul, Korea

2015-01-28
23:18 [Job][New]

The Institute of Mathematics for Industry at Kyushu University (Fukuoka, JAPAN) invites applications for ONE ASSISTANT PROFESSOR POSITION (Jyokyo in Japanese) beginning April 2015. Candidates in all areas of mathematical cryptography who are interested in applications of mathematics to, and collaboration with, industry will be considered. We are looking for candidates, who possess a strong record of research achievements and expertise related to mathematical cryptography such as theory of cryptography, number theory, representation theory, computer algebra, quantum computation, graph theory, combinatorics, and so on. The selection will be based on the past achievements and/or the potential of the candidates to work in the area of mathematical cryptography.

Kyushu University is one of the major seven national universities in Japan, located in Fukuoka in the western part of Japan. The Institute of Mathematics for Industry (http://www.imi.kyushu-u.ac.jp/eng) consists of approximately 25 members, who are active in various areas of pure and applied mathematics and also in collaboration with industry.

For full information about the position and the application procedure, visit the URL below.

23:18 [Job][New]

The Cryptography Research group at Microsoft Research in Redmond seeks outstanding applicants for Post-doctoral Researcher and Researcher positions in all areas of cryptography. Post-doctoral Researcher positions start in summer 2015 and are for a term of 2 years. Required qualifications include a PhD in computer science or mathematics and experience in cryptography research. Particular areas of interest include: Secure Multi-party Computation, Searchable Encryption, and Homomorphic Encryption. Areas of interest in mathematics include lattice-based cryptography, cyclotomic number fields, elliptic-curve cryptography, pairing-based cryptography, factoring, discrete log, algorithmic number theory.

2015-01-27
23:16 [Event][New]

Submission: 15 February 2015
From May 26 to May 28
Location: Rabat, Morocco

13:17 [Pub][ePrint]

In this paper, we study the problem of automatically verifying higher-order masking countermeasures. This problem is important in practice (weaknesses have been discovered in schemes that were thought secure), but is inherently exponential: for $t$-order masking, it involves proving that every subset of $t$ intermediate variables is distributed independently of the secrets. Some type systems have been proposed to help cryptographers check their proofs, but many of these approaches are insufficient for higher-order implementations.

We propose a new method, based on program verification techniques, to check the independence of sets of intermediate variables from some secrets. Our new language-based characterization of the problem also allows us to design and implement several algorithms that greatly reduce the number of sets of variables that need to be considered to prove this independence property on \\emph{all} valid adversary observations. The result of these algorithms is either a proof of security or a set of observations on which the independence property cannot be proved. We focus on AES implementations to check the validity of our algorithms. We also confirm the tool\'s ability to give useful information when proofs fail, by rediscovering existing attacks and discovering new ones.

13:17 [Pub][ePrint]

Oblivious transfer (OT) is one of the most fundamental primitives in cryptography and is widely used in protocols for secure two-party and multi-party computation. As secure computation becomes more practical, the need for practical large scale oblivious transfer protocols is becoming more evident. Oblivious transfer extensions are protocols that enable a relatively small number of \"base-OTs\" to be utilized to compute a very large number of OTs at low cost. In the semi-honest setting, Ishai et al. (CRYPTO 2003) presented an OT extension protocol for which the cost of each OT (beyond the base-OTs) is just a few hash function operations. In the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient OT extension protocol for the setting of active adversaries, that is secure in the random oracle model.

In this work, we present an OT extension protocol for the setting of malicious adversaries that is more efficient and uses less communication than previous works. In addition, our protocol can be proven secure in both the random oracle model, and in the standard model with a type of correlation robustness. Given the importance of OT in many secure computation protocols, increasing the efficiency of OT extensions is another important step forward to making secure computation practical.

13:17 [Pub][ePrint]

There is a growing need to develop lightweight cryptographic primitives suitable for resource-constrained devices permeating in increasing numbers into the fabric of life. Such devices are exemplified none more so than by batteryless radio frequency identification (RFID) tags in applications ranging from automatic identification and monitoring to anti-counterfeiting. Pandaka is a lightweight cipher together with a protocol proposed in INFOCOM 2014 for extremely resource limited RFID tags. It is designed to reduce the hardware cost (area of silicon) required for implementing the cipher by shifting the computationally intensive task of cryptographically secure random number generation to the reader. In this paper we evaluate Pandaka and demonstrate that the communication protocol contains flaws which completely break the security of the cipher and make Pandaka susceptible to de-synchronisation. Furthermore, we show that, even without the protocol flaws, we can use a guess and determine method to mount an attack on the cipher for the more challenging scenario of a known-plaintext attack with an expected complexity of only $2^{55}$. We conclude that Pandaka needs to be amended and highlight simple measures to prevent the above attacks.