International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calendar (iCal).

2015-02-12
03:30 [Job][New]

You are expected to support and strengthen our research activities in the area of security and privacy in Intelligent Transport Systems (ITS) and vehicular networking. In addition, you may contribute to topics like high-speed networking and physical-layer security. You will work in ongoing projects, as well as contribute to new project proposals. You will be involved in project management and support the supervision of PhD candidates.

The ideal candidate has experience in ITS security or vehicular networking, which is documented by high-quality publications, a Ph.D. degree in computer science or a closely related discipline from an internationally renowned university, and a strong motivation to become part of our team. Proficient knowledge of written and spoken English is required. Conversational German skills are an advantage.

2015-02-11
14:30 [Event][New]

Submission: 29 July 2015
From December 16 to December 20
Location: Kolkata, India

07:17 [Pub][ePrint]

CryptDB has been proposed as a practical and secure middleware to protect databases deployed on semi-honest cloud servers. While CryptDB provides sufficient protection under Threat-1, here we demonstrate that when CryptDB is deployed to secure the cloud-hosted database of a realistic web application, an attacker with access to the database or a Malicious Database Administrator (mDBA) can easily steal information, and even escalate his privilege to become the administrator of the web application. Our attacks fall under a restricted form of Threat-2, where we only assume that the attacker or the mDBA tampers with the CryptDB-protected database and opens an ordinary user account through the web application. Our attacks are carried out assuming perfectly secure proxy and application servers. Therefore, the attacks work without recovering the master key residing on the proxy server. At the root of the attack lies the lack of any integrity checks for the data in the CryptDB database. We propose a number of practical countermeasures to mitigate attacks targeting the integrity of the CryptDB database. We also demonstrate that data integrity alone is not sufficient to protect the databases when query integrity and frequency attacks are considered.

02:59 [Event][New]

Submission: 31 March 2015
From August 24 to August 28
Location: Toulouse, France

01:17 [Pub][ePrint]

We consider secure two-party computation in a multiple-execution setting, where two parties wish to securely evaluate the same circuit multiple times. We design efficient garbled-circuit-based two-party protocols secure against malicious adversaries. Recent works by Lindell (Crypto 2013) and Huang-Katz-Evans (Crypto 2013) have obtained optimal complexity for cut-and-choose performed over garbled circuits in the single execution setting. We show that it is possible to obtain much lower amortized overhead for cut-and-choose in the multiple-execution setting.

Our efficiency improvements result from a novel way to combine a recent technique of Lindell (Crypto 2013) with LEGO-based cut-and-choose techniques (TCC 2009, Eurocrypt 2013). In concrete terms, for 40-bit statistical security we obtain a 2x improvement (per execution) in communication and computation for as few as 7 executions, and require only 8 garbled circuits (i.e., a 5x improvement) per execution for as low as 3500 executions. Our results suggest the exciting possibility that secure two-party computation in the malicious setting can be less than an order of magnitude more expensive than in the semi-honest setting.

2015-02-10
22:17 [Pub][ePrint]

Using EasyCrypt, we formalize a new modular security proof for one-round authenticated key exchange protocols in the random oracle model. Our proof improves earlier work by Kudla and Paterson (ASIACRYPT 2005) in three significant ways: we consider a stronger adversary model, we provide support tailored to protocols that utilize the Naxos trick, and we support proofs under the Computational DH assumption not relying on Gap oracles. Furthermore, our modular proof can be used to obtain concrete security proofs for protocols with or without adversarial key registration. We use this support to investigate, still using EasyCrypt, the connection between proofs without Gap assumptions and adversarial key registration. For the case of honestly generated keys, we obtain the first proofs of the Naxos and Nets protocols under the Computational DH assumption. For the case of adversarial key registration, we obtain machine-checked and modular variants of the well-known proofs for Naxos, Nets, and Naxos+.

22:17 [Pub][ePrint]

A main contribution of this paper is an improved analysis of HMAC instantiated with reduced-round Whirlpool. It recovers equivalent keys, often denoted Kin and Kout, of HMAC with 7-round Whirlpool, while the previous best attack works only for 6 rounds. Our approach applies the meet-in-the-middle (MITM) attack on AES to recover the MAC keys of Whirlpool. Several techniques are proposed to bridge the different attack scenarios of a block cipher and a MAC; e.g., the chosen-plaintext model of the MITM attacks on AES cannot be used for HMAC-Whirlpool. Besides, the larger state size and different key schedule design of Whirlpool leave us a lot of room to study. As a result, equivalent keys of HMAC with 7-round Whirlpool are recovered with a complexity of (Data, Time, Memory) = (2^481.7, 2^482.3, 2^481).

22:17 [Pub][ePrint]

Structure-preserving signatures are schemes in which public keys, messages, and signatures are all collections of source group elements of some bilinear groups. In this paper, we introduce fully structure-preserving signature schemes, with the additional requirement that even secret keys should be group elements. This new type of structure-preserving signatures allows for efficient non-interactive proofs of knowledge of the secret key and is useful in designing cryptographic protocols with strong security guarantees based on the simulation paradigm where the simulator has to extract the secret keys on-line.

To gain efficiency, we construct shrinking structure-preserving trapdoor commitments. This is by itself an important primitive and of independent interest as it appears to contradict a known impossibility result. We argue that a relaxed binding property lets us circumvent the impossibility result while still retaining the usefulness of the primitive in important applications as mentioned above.

22:17 [Pub][ePrint]

Recently, obtaining vectorial Boolean bent functions of the form $Tr^{n}_{m}(P(x))$, where $P(x)\in \mathbb{F}_{2^{n}}[x]$, from Boolean bent functions of the form $Tr^{n}_{1}(P(x))$ has attracted considerable attention, and some open problems about this issue have been proposed. This paper first provides three constructions of vectorial Boolean bent functions of the form $Tr^{n}_{m}(P(x))$, two of which answer open problems proposed by E. Pasalic et al. and A. Muratović-Ribić et al., respectively. Then, by analyzing known types of Boolean bent functions of the form $Tr^{n}_{1}(P(x))$, the existence and constructions of several types of vectorial Boolean bent functions of the form $Tr^{n}_{m}(P(x))$ are obtained.

22:17 [Pub][ePrint]

Fully homomorphic encryption is an encryption scheme that allows data to be stored and processed in encrypted form, which gives the cloud provider a way to host and process data without ever learning the message. In previous identity-based homomorphic encryption schemes, computation is complicated and expensive. In this work, based on Regev's work, we propose a sampling trapdoor one-way function in arbitrary cyclotomic rings. We then construct a leveled identity-based homomorphic encryption scheme from ring learning with errors, which has advantages in computational efficiency and key management, by using the user's identity as the unique public key. This scheme is proved IND-CPA secure in the random oracle model, relying on the hardness of the decision ring learning with errors problem.

22:17 [Pub][ePrint]

COPA is a block-cipher-based authenticated encryption mode with provable birthday-bound security under the assumption that the underlying block cipher is a strong pseudorandom permutation, and its instantiation with the AES block cipher is called AES-COPA. Marble is an AES-based COPA-like authenticated encryption algorithm with a claim of full security. In this paper, we analyse the security of COPA and Marble against universal forgery attacks. We present beyond-birthday-bound (almost) universal forgery attacks on COPA when used with constant or variable associated data, and present (almost) universal forgery attacks on Marble when used without associated data or with (variable) associated data. Our attacks on COPA with variable associated data have a complexity very near the birthday bound, and their application to AES-COPA shows that the security claim of AES-COPA against tag guessing may not be correct; our attacks on the (newest as well as initial version of) Marble with associated data show that Marble does not provide the full security that the designer claimed. Like many recently published cryptanalytic results on message authentication algorithms with provable birthday-bound security, our attacks on COPA do not violate its security proofs, but they provide a comprehensive understanding of its security against universal forgery attacks, show that the success probability of a universal forgery on COPA is larger than the ideal bound $2^{-n}$ of standard forgery-resistance, and boil down to an existing open question: should a message authentication algorithm with a weaker security claim than standard forgery-resistance be regarded as a sound design?