International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-02-23
22:17 [Pub][ePrint]

Authenticated encryption schemes guarantee both privacy and integrity, and have become the default level of encryption in modern protocols. One of the most popular authenticated encryption schemes today is AES-GCM due to its impressive speed. The current CAESAR competition is considering new modes for authenticated encryption that will improve on existing methods. One property of importance that is being considered more today is due to the fact that the nonce or IV repeats, then this can have disastrous effects on security. A (full) nonce misuse-resistant authenticated encryption scheme has the property that if the \\emph{same} nonce is used to encrypt the \\emph{same} message twice, then the same ciphertext is obtained and so the fact that the same message was encrypted is detected. Otherwise, full security is obtained -- even if the same nonce is used for different messages.

In this paper, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton. We provide a full proof of security of our scheme, and an optimized implementation using the AES-NI and PCLMULQDQ instruction sets. We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our \\emph{nonce misuse-resistant} scheme is only 14\\% slower on Haswell architecture and 19\\% slower on Broadwell architecture. On Broadwell, GCM-SIV encryption takes only {\\em 0.92 cycles per byte}, and GCM-SIV decryption is exactly the same as GCM decryption taking only 0.77 cycles per byte. Beyond being very fast, our new mode of operation uses the same building blocks as GCM and so existing hardware and software can be utilized to easily deploy GCM-SIV. We conclude that GCM-SIV is a viable alternative to GCM, providing full nonce misuse-resistance at little cost.

22:17 [Pub][ePrint]

In recent years, there has been great interest in Functional Encryption (FE), a generalization of traditional encryption where a token enables a user to learn a specific function of the encrypted data and nothing else. In this paper we put forward a new generalization of FE that we call Mergeable FE (mFE). In a mFE system, given a ciphertext $c_1$ encrypting $m_1$ and a ciphertext $c_2$ encrypting $m_2$, it is possible to produce in an oblivious way (i.e., given only the public-key and without knowledge of the messages, master secret-key or any other auxiliary information) a ciphertext encrypting the string $m_1||m_2$ under the security constraint that this new ciphertext does not leak more information about the original messages than what may be leaked from the new ciphertext using the tokens. For instance, suppose that the adversary is given the token for the function $f(\\cdot)$ defined so that for strings $x\\in\\zu^n$, $f(x)=g(x)$ for some function $g:\\zu^n\\rightarrow\\zu$ and for strings $y=(x_1||x_2)\\in\\zu^{2n}$, $f(x_1||x_2)=g(x_1) \\vee g(x_2)$. Furthermore, suppose that the adversary gets a ciphertext $c$ encrypting $(x_1||x_2)$ that is the result of merging some ciphertexts $c_1$ and $c_2$ encrypting respectively $x_1$ and $x_2$, and suppose that the token for $f$ evaluates to $1$ on $c$. Then, the security of mFE guarantees that the adversary only learns the output $f(x_1,x_2) = g(x_1) OR g(x_2)=1$ and nothing else (e.g., the adversary should not learn whether $g(x_1)=1 or g(x_2)=1$). This primitive is in some sense FE with the best possible homomorphic properties and, besides being interesting in itself, it offers wide applications. For instance, it has as special case multi-inputs FE and thus indistinguishability obfuscation (iO) and extends the latter to support more efficiently homomorphic and re-randomizable properties. We construct mFE schemes supporting a single merging operation, one from indistinguishability obfuscation for Turing machines and one for messages of unbounded length from public-coin differing-inputs obfuscation. Finally, we discuss a construction supporting unbounded merging operations from new assumptions.

22:17 [Pub][ePrint]

Recent results have shown the usefulness of tamper-proof hardware tokens as a setup assumption for building UC-secure two-party computation protocols, thus providing broad security guarantees and allowing the use of such protocols as buildings blocks in the modular design of complex cryptography protocols. All these works have in common that they assume the tokens to be completely isolated from their creator, but this is a strong assumption. In this work we investigate the feasibility of cryptographic protocols in the setting where the isolation of the hardware token is weakened.

We consider two cases: (1) the token can relay messages to its creator, or (2) the creator can send messages to the token after it is sent to the receiver. We provide a detailed characterization for both settings, presenting both impossibilities and information-theoretically secure solutions.

03:08 [PhD][New]

Name: Jerzy Jaworski
Category: (no category)

03:08 [PhD][New]

Name: Przemyslaw Sokolowski
Topic: Contributions to cryptanalysis: design and analysis of cryptographic hash functions
Category: secret-key cryptography

Description:

A cryptographic hash function is a mechanism producing a fixed-length output of a message of arbitrary length. It fulfills a collection of security requirements guaranteeing that a hash function does not introduce any weakness into the system to which it is applied. The example applications of cryptographic hash functions include digital signatures and message authentication codes. This thesis analyzes cryptographic hash functions and studies the design principles in the construction of secure cryptographic hash functions.

We investigate the problem of building hash functions from block ciphers and the security properties of different structures used to design compression functions. We show that we can build open-key differential distinguishers for Crypton, Hierocrypt-3, SAFER++ and Square. We know that our attack on SAFER++ is the first rebound attack with standard differentials. To demonstrate the efficiency of proposed distinguishers, we provide formal proof of a lower bound for finding a differential pair that follows a truncated differential in the case of a random permutation. Our analysis shows that block ciphers used as the underlying primitive should also be analyzed in the open-key model to prevent possible collision attacks.

We analyze the IDEA-based hash functions in a variety of cipher modes. We present practical complexity collision search attacks and preimage attacks, where we exploit a null weak-key and a new non-trivial property of IDEA. We prove that even if a cipher is considered secure in the secret-key model, one has to be very careful when using it as a building block in the hashing modes.

Finally, we investigate the recent rotational analysis. We show how to extend the rotational analysis to subtractions, shifts, bit-wise Boolean functions, multi additions and multi subtractions. In particular, we develop formulae for calculation of probabilities of preserving the rotation property for multiple modular additions and subtra[...]

2015-02-22
13:11 [Event][New]

Submission: 20 March 2015
From June 11 to June 7
Location: Bucharest, Romania

05:37 [Event][New]

Submission: 20 March 2015
From June 15 to June 17
Location: Paris, France

05:37 [Event][New]

Submission: 20 March 2015
From June 15 to June 17
Location: Paris, France

2015-02-21
13:07 [Event][New]

Submission: 10 April 2015
From August 24 to August 25
Location: Heraklion, Crete, Greece

2015-02-20
08:08 [Event][New]

From October 12 to October 16
Location: Paris, France
MAC striping has been suggested as a technique to authenticate encrypted payloads using short tags. For an idealized MAC scheme, the probability of a selective forgery has been estimated as $\\binom{\\ell+m}{m}^{-1}\\cdot 2^{-m}$, when utilizing MAC striping with $\\ell$-bit payloads and $m$-bit tags. We show that this estimate is too optimistic. For $m\\le\\ell$ and any payload, we achieve a selective forgery with probability $\\ge \\binom{\\ell+m}{m}^{-1}$, and usually many orders of magnitude more than that.