International Association for Cryptologic Research

IACR News Central

2015-05-05
21:17 [Pub][ePrint]

Achieving high reliability across environmental variations and over aging in physical unclonable functions (PUFs) remains a challenge for PUF designers. The conventional method to improve PUF reliability is to use powerful error correction codes (ECC) to correct the errors in the raw response from the PUF core. Unfortunately, these ECC blocks generally have high VLSI overheads, which scale up quickly with the error correction capability. Alternatively, researchers have proposed techniques to increase the reliability of the PUF core, and thus significantly reduce the required strength (and complexity) of the ECC. One method of increasing the reliability of the PUF core is to use normally detrimental IC aging effects to reinforce the desired (or "golden") response of the PUF by altering the PUF circuit characteristics permanently and hence making the PUF more reliable. In this work, we present a PUF response reinforcement technique based on hot carrier injection (HCI) which can reinforce the PUF golden response in short stress times (i.e., tens of seconds), without impacting the surrounding circuits, and that has high permanence (i.e., does not degrade significantly over aging). We present a self-contained HCI-reinforcement-enabled PUF circuit based on sense amplifiers (SA) which autonomously self-reinforces with minimal external intervention. We have fabricated a custom ASIC testchip in 65nm bulk CMOS with the proposed PUF design. Measured results show high reliability across environmental variations and accelerated aging, as well as good uniqueness and randomness. For example, 1600 SA elements, after being HCI stressed for 125s, show 100% reliability (zero errors) across ±20% voltage variations and a temperature range of -20C to 85C.

12:49 [PhD][New]

Name: Nishant Doshi
Topic: Investigating Approaches for Improving the Ciphertext Policy Attribute Based Encryption
Category: public-key cryptography

Description:

In Ciphertext Policy Attribute Based Encryption (CP-ABE), the secret key of the user as well as the ciphertext (CT) is defined based on attributes. A user is able to decrypt the ciphertext if and only if the attributes within the ciphertext's policy are satisfied by the attributes of the secret key. If we increase the number of attributes in the ciphertext policy, then the size of the final ciphertext will also increase, which leads to communication overhead as well as computational overhead at the receiver side. Hence, it is desirable to ensure constant ciphertext length in CP-ABE. However, the existing constant-CT-length schemes proposed so far achieve only a selective security model, i.e., the attacker must announce the target access policy before seeing the public parameters. This leads to a weaker security model. Therefore, we propose a fully secure CP-ABE scheme, which requires the attribute set of the ciphertext to be a subset of the user's secret key.


One more limitation of the constant-CT-length schemes proposed so far is that they are based on a single-authority approach. To deal with the single point of failure in such a scheme, we propose a multi-authority CP-ABE scheme, with support for an arbitrary number of attribute authorities under a central authority.


Additionally, in the CP-ABE scheme the receiver's anonymity is sacrificed, as the access structure of the ciphertext reveals it. The obvious solution to this problem is to hide the ciphertext policy (hidden access structure). However, although this solution uses reasonably computable decryption policies, it generates a ciphertext whose size grows at least linearly with the number of attributes.


We investigate such issues and propose a novel approach to deal with constant ciphertext length. Thereafter we extend the same approach to provide support for the mult[...]

2015-05-04
15:24 [Job][New]

The professor is expected to conduct excellent research and teaching in the field of information security. Candidates are sought with extensive expertise in some of the following areas: Data Security and Privacy, Trustworthy Systems, Security Protocols and Cryptographic Methods, Security Engineering and Security Management, Provable Security, Certification of IT Security.

We expect our new colleague to contribute to undergraduate and graduate teaching in the degree programs of Computer Science and Software Technology, in international master programs, as well as in courses for programs of other departments.

The requirements for employment listed in § 47 and § 50 Baden-Württemberg university law apply.

13:25 [PhD][New]

Name: Damien Vergnaud

13:24 [PhD][Update]

Name: Aurore Guillevic
Topic: Arithmetic of pairings on algebraic curves for cryptography
Category: public-key cryptography

Description: Since 2000, pairings have become a very useful tool for designing new protocols in cryptography. Short signatures and identity-based encryption also became practical thanks to these pairings. This thesis contains two parts. One part is about optimized pairing implementation on different elliptic curves according to the targeted protocol. Pairings are implemented on supersingular elliptic curves in large characteristic and on Barreto-Naehrig curves. The pairing library developed at Thales is used in a broadcast encryption scheme prototype. The prototype implements pairings over Barreto-Naehrig curves. Pairings over supersingular curves are much slower and have larger parameters. However, these curves are interesting when implementing protocols which use composite-order elliptic curves (the group order is an RSA modulus). We implement two protocols that use pairings on composite-order groups and compare the benchmarks and the parameter size with their counterparts in a prime-order setting. The composite-order case is 30 to 250 times slower depending on the considered step in the protocols: the efficiency difference between the two cases is very significant. The second part of this thesis is about two families of genus 2 curves. Their Jacobians are isogenous to the product of two elliptic curves over a small extension field. The properties of elliptic curves can be translated to the Jacobians thanks to this isogeny. Point counting is as easy as for elliptic curves in this case. We also construct two endomorphisms, both on the Jacobians and on the elliptic curves. These endomorphisms can be used for scalar multiplication improved with a four-dimensional Gallant-Lambert-Vanstone method.[...]

12:34 [PhD][New]

Name: Aurore Guillevic
Topic: Arithmetic of pairings on algebraic curves for cryptography
Category: public-key cryptography


01:07 [Event][New]

Submission: 20 June 2015
From October 7 to October 10
Location: Tokyo, Japan

2015-05-02
20:21 [Event][New]

Submission: 15 April 2015
From July 21 to July 23
Location: İzmir, Turkey

20:15 [Job][New]

The Department of Pervasive Computing at Tampere University of Technology (TUT) is seeking applications for an open post-doc position, funded by a collaborative project within the TEKES Innovative Cities program (INKA). The specific role of TUT in the project is side-channel analysis of real-world devices and software. Qualified candidates should have interests in one or more of the following areas:

• side-channel analysis
• software-based side-channels
• cryptography engineering
• embedded security
• hardware-assisted security

The contract is for one year with the possibility of extension and TUT offers extremely competitive post-doc salaries. The start date is flexible and review of applications begins immediately and continues until the position is filled. Interested candidates should submit a CV via email.

2015-05-01
15:17 [Pub][ePrint]

Due to the rapid growth of the next generation networking and system technologies, computer networks require new design and management. In this context, security, and more specifically, access structures have been one of the major concerns. As such, in this article, sequential secret sharing (SQS), as an application of dynamic threshold schemes, is introduced. In this new cryptographic primitive, different (but related) secrets with increasing thresholds are shared among a set of players who have different levels of authority. Subsequently, each subset of the players can only recover the secret in their own level. Finally, the master secret will be revealed if all the secrets in the higher levels are first recovered. We briefly review the existing threshold modification techniques. We then present our construction and compare it with other hierarchical secret sharing schemes such as disjunctive and conjunctive multilevel secret sharing protocols.

15:17 [Pub][ePrint]

Accumulators provide a way to succinctly represent a set with elements drawn from a given domain, using an accumulation value. Subsequently, short proofs for the set-membership (or non-membership) of any element from the domain can be constructed and efficiently verified with respect to this accumulation value. Accumulators have been widely studied in the literature, primarily as an authentication primitive: a malicious prover (e.g., an untrusted server) should not be able to provide convincing proofs of false statements (e.g., successfully prove membership for a value not in the set) to a verifier that issues membership queries (of course, having no access to the set itself).

In essence, in existing constructions the accumulation value acts as an (honestly generated) "commitment" to the set that allows "selective opening" as specified by membership queries, but with no "hiding" properties.

In this paper we revisit this primitive and propose a privacy-preserving enhancement. We define the notion of a zero-knowledge accumulator that provides the following very strong privacy notion: accumulation values and proofs constructed during the protocol execution leak nothing about the set itself, or about any subsequent updates to it (i.e., via element insertions/deletions). We formalize this property by a standard real/ideal execution game. An adversarial party that is allowed to choose the set and is given access to query and update oracles cannot distinguish whether this interaction takes place with respect to the honestly executed algorithms of the scheme or with a simulator that is not given access to the set itself (and for updates, it does not even learn the type of update that occurred, let alone the inserted/deleted element). We compare our new privacy definition with other recently proposed similar notions, showing that it is strictly stronger: we give a concrete example of the update-related information that can be leaked by previous definitions.

We provide a mapping of the relations between zero-knowledge accumulators and primitives that are either set in the same security model or solve the same problem.

We formally show and discuss a number of implications among primitives, some of which are not immediately evident.

We believe this contribution is interesting on its own, as the area has received considerable attention recently (e.g., with the works of [Naor et al., TCC 2015] and [Derler et al., CT-RSA 2015]).

We then construct the first dynamic universal zero-knowledge accumulator. Our scheme is perfect zero-knowledge and is secure under the q-Strong Bilinear Diffie-Hellman assumption.

Finally, building on our dynamic universal zero-knowledge accumulator, we define a zero-knowledge authenticated set collection to handle more elaborate set operations (beyond set-membership). In particular, this primitive allows one to outsource a collection of sets to an untrusted server that is subsequently responsible for answering union, intersection and set difference queries over these sets issued by multiple clients. Our scheme provides proofs that are succinct and efficiently verifiable and, at the same time, leak nothing beyond the query result. In particular, it offers verification time that is asymptotically optimal (namely, the same as simply reading the answer), and proof construction that is asymptotically as efficient as existing state-of-the-art constructions that, however, do not offer privacy.