International Association for Cryptologic Research

IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-04-20
03:17 [Pub][ePrint]

This paper presents new speed records for 128-bit secure elliptic-curve Diffie-Hellman key-exchange

software on three different popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein

known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange

protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers,

and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13 900 397 cycles

for the computation of a Diffe-Hellman shared secret, and is the first to perform this computation in less than

a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret

in 5 301 792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7 933 296 cycles

on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH

software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our

implementation on the Cortex-M0 runs in only 3 589 850 cycles and outperforms previous 128-bit secure ECDH

software by a factor of 3.

2015-04-19
21:17 [Pub][ePrint]

PAGES is a block cipher familiy basedon the design of Speck, see [1]. However, some intriguing design details of SPeck were not used in the design of PAGES. PAGES has a block size of 256 bit and comes in three versions:PAGES-512, PAGES-768 and PAGES-1024, where the number denotes the key length. The number of rounds is 64, 96, and 128, respectively. PAGES uses 128 bit variables, that is half of the block size.

21:17 [Pub][ePrint]

OAEP and other similar schemes proven secure in Random-Oracle Model require one or more hash functions with output size larger than those of standard hash functions. In this paper, we show that by utilizing popular Sponge constructions in OAEP framework, we can eliminate the need of such hash functions. We provide a new scheme in OAEP framework based on Sponge construction and call our scheme \\textit{Sponge based asymmetric encryption padding} (SpAEP). SpAEP is based on 2 functions: Sponge and SpongeWrap, and requires only standard output sizes proposed and standardized for Sponge functions. Our scheme is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary length messages. Our scheme utilizes the versatile Sponge function to enhance the capability and efficiency of the OAEP framework. SpAEP with any trapdoor one-way permutation can also be used as a key encapsulation mechanism and a tag-based key encapsulation mechanism for hybrid encryption. Our scheme SpAEP utilizes the permutation model efficiently in the setting of public key encryption in a novel manner.

21:17 [Pub][ePrint]

In authenticated encryption schemes, there are two techniques for handling long ciphertexts while working within the constraints of a low buffer size: Releasing unverified plaintext (RUP) or Producing intermediate tags (PIT). In this paper, in addition to the two techniques, we propose another way to handle a long ciphertext with a low buffer size by storing and releasing only one (generally, or only few) intermediate state without releasing or storing any part of an unverified plaintext and without need of generating any intermediate tag.

In this paper we explain this generalized technique using our new construction sp-AELM. sp-AELM is a sponge based authenticated encryption scheme that provides support for limited memory devices. We also provide its security proof for privacy and authenticity in an ideal permutation model, using a code based game playing framework. Furthermore, we also present two more variants of sp-AELM that serve the same purpose and are more efficient than sp-AELM.

The ongoing CAESAR competition has 9 submissions which are based on the Sponge construction. We apply our generalized technique of storing single intermediate state to all these submissions, to determine their suitability with a Crypto module having limited memory. Our findings show that only ASCON and one of the PRIMATE\'s mode(namely GIBBON) satisifes the limited memory constraint using this technique, while the remaining 8 schemes (namely, Artemia, ICEPOLE, Ketje, Keyak, NORX, $\\pi$-Cipher, STRIBOB and two of the PRIMATEs mode: APE \\& HANUMAN) are not suitable for this scenario directly.

21:17 [Pub][ePrint]

Abstract: Broadcast or multicast is one of the most fundamental

concepts in data communication and distributed cryptography. A

central entity wishes to broadcast a secret data stream to a

dynamically changing privileged subset of recipients in such a

way that non-members of the privileged class cannot learn the

Algorithm (ASBA) based on threats analytics and case based

reasoning. It defines the security intelligence of an adaptively

secure broadcast comprehensively with a novel concept. It

recommends a set of intelligent model checking moves for the

verification of security intelligence of broadcasting mechanism.

The algorithm is analyzed from the perspectives of security

intelligence, communication complexity, computational

intelligence and efficiency of mechanism. The computational

intelligence is associated with the complexity of broadcast

scheduling, verification of security intelligence of broadcasting

system, key management strategies and payment function

computation. The cost of communication depends on number of

agents and subgroups in the broadcasting group and complexity of

data. The algorithm is applicable to the analysis of intelligent

mechanisms in static and dynamic networks, auction or

combinatorial auction for e-market, digital content distribution

21:17 [Pub][ePrint]

The problem of verifiable data streaming (VDS) considers a client with limited computational and storage capacities that streams an a-priori unknown number of elements to an untrusted server.

The client may retrieve and update any outsourced element. Other parties may verify each outsourced element\'s integrity using the client\'s public-key.

All previous VDS constructions incur a bandwidth and computational overhead on both client and server side, which is at least logarithmic in the number of transmitted elements.

We propose two novel, fundamentally different approaches to constructing VDS.

The first scheme is based on a new cryptographic primitive called Chameleon Vector Commitment (CVC).

A CVC is a trapdoor commitment scheme to a vector of messages where both commitments and openings have constant size.

Using CVCs we construct a tree-based VDS protocol that has constant computational and bandwidth overhead on the client side.

The second scheme shifts the workload to the server side by combining signature schemes with cryptographic accumulators.

Here, all computations are constant, except for queries, where the computational cost of the server is linear in the total number of updates.

21:17 [Pub][ePrint]

A family of hash functions is called correlation intractable\'\' if it is hard to find, given a random function in the family, an input-output pair that satisfies any sparse\'\' relation, namely any relation that is hard to satisfy for truly random functions. Correlation intractability captures a strong and natural Random Oracle-like property. However, it is widely considered to be unobtainable. Indeed, it was shown that correlation intractable functions do not exist for some length parameters [Canetti, Goldreich and Halevi, J.ACM 04]. Furthermore, no candidate constructions have been proposed in the literature for any setting of the parameters.

We construct a correlation intractable function ensemble that withstands all relations with a priori bounded polynomial complexity. We assume the existence of sub-exponentially secure indistinguishability obfuscators, puncturable pseudorandom functions, and input-hiding obfuscators for evasive circuits. The existence of the latter is implied by Virtual-Grey-Box obfuscation for evasive circuits [Bitansky et al, CRYPTO 14].

21:17 [Pub][ePrint]

Security models for two-party authenticated key exchange (AKE) protocols have developed over time to capture the security of AKE protocols even when the adversary learns certain secret values. Increased granularity of security can be modelled by considering partial leakage of secrets in the manner of models for leakage-resilient cryptography, designed to capture side-channel attacks. In this work, we use the strongest known partial-leakage-based security model for key exchange protocols, namely continuous after-the-fact leakage eCK (CAFL-eCK) model. We resolve an open problem by constructing the first concrete two-pass leakage-resilient key exchange protocol that is secure in the CAFL-eCK model.

21:17 [Pub][ePrint]

We study the possibility of computing cryptographic primitives in a fully-black-box arithmetic model over a finite field $\\F$. In this model, the input to a cryptographic primitive (e.g., encryption scheme) is given as a sequence of field elements, the honest parties are implemented by arithmetic circuits which make only a black-box use of the underlying field, and the adversary has a full (non-black-box) access to the field. This model captures many standard information-theoretic constructions.

We prove several positive and negative results in this model for various cryptographic tasks. On the positive side, we show that, under reasonable assumptions, computational primitives like commitment schemes, public-key encryption, oblivious transfer, and general secure two-party computation can be implemented in this model. On the negative side, we prove that garbled circuits, multiplicative-homomorphic encryption, and secure computation with low online complexity cannot be achieved in this model. Our results reveal a qualitative difference between the standard Boolean model and the arithmetic model, and explain, in retrospect, some of the limitations of previous constructions.

21:17 [Pub][ePrint]

We present a hardware architecture for all building blocks required in polynomial ring based fully homomorphic schemes and use it to instantiate the somewhat homomorphic encryption scheme YASHE. Our implementation is the first FPGA implementation that is designed for evaluating functions on homomorphically encrypted data (up to a certain multiplicative depth) and we illustrate this capability by evaluating the SIMON-64/128 symmetric key cipher in the encrypted domain. Our implementation provides a fast polynomial operations unit using CRT and NTT for multiplication combined with an optimized memory access scheme; a fast Barrett like polynomial reduction method that allows all possible polynomial moduli; an efficient divide and round unit required in the multiplication of ciphertexts and an efficient CRT unit. These building blocks can be easily reused to instantiate any other polynomial ring based fully homomorphic scheme, including the ones designed for SIMD operations, since no restricting assumptions have been made. These building blocks are integrated in a coprocessor with instructions to execute YASHE, which can be controlled by a computer for evaluating arbitrary functions (up to the multiplicative depth 44 and 128-bit security level). Our architecture was compiled (place-and-route analysis) for a single Xilinx Virtex-7 XC7V1140T FPGA, where it consumes 23\\,\\% of registers, 50\\,\\% of LUTs, 53\\,\\% of DSP slices, and 38\\,\\% of BlockRAM memory. The implementation evaluates SIMON-64/128 in approximately 157.7\\,s (at 143\\,MHz) and it processes 2048 ciphertexts at once giving a relative time of only 77\\,ms per block. This is 26.6 times faster than the leading software implementation on a 4-core Intel Core-i7 processor running at 3.4\\,GHz.

21:17 [Pub][ePrint]

The aim of this paper is to present an attack upon the protocol of Diaz et al. \\cite{Diaz}, which goal is to introduce a fair anonymity in the Tor network. This attack allows an attacker to impersonate Tor users with the complicity of an exit node.