International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-05-25
15:17 [Pub][ePrint] Cryptanalysis of the LSH and SHA-V Hash Functions, by Yonglin Hao and Hongbo Yu

  In this paper, we study the security of two hash function families LSH and SHA-V.

We find that the wide-pipe MD structural LSH hash functions do not apply the traditional feeding forward operation.

This structural weakness enables us to launch free-start collision and pseudo-preimage attacks on full-round LSH hash functions with negligible complexities.

In order to evaluate the quality of the LSH round functions, we launch 14-round boomerang attacks on LSH-512 and LSH-256 hash functions with complexities $2^{308}$ and $2^{242}$ respectively.

We verify the correctness of our boomerang attacks by giving practical 11-round boomerang quartets.

These boomerang results indicate that the round functions of LSH are well designed.

Based on our analysis, we stress that the adoption of the feeding forward operation should be essential to the LSH hash functions despite of their well designed round functions.

The PMD structural SHA-V parallelizes two SHA-1-like streams and each stream processes independent 512-bit message blocks.

This structure enable us to utilize the divide-and-conquer strategy to find preimages and collisions.

Our preimage attack can be applied to full-round SHA-V with time \\& memory complexities $O(2^{80})$.

Our trivial collision attacks also requires $O(2^{80})$ complexities but, utilizing existing results on SHA-1, we can find a SHA-V collision with a time complexity $O(2^{61})$ and a negligible memory complexity.

These results indicate that there are weaknesses in both the structure and the round function of SHA-V.



15:17 [Pub][ePrint] Powers of Subfield Polynomials and Algebraic Attacks on Word-Based Stream Ciphers, by Sondre R{\\o}njom

  In this paper we investigate univariate algebraic attacks on filter generators over extension fields $\\F_q=\\F_{2^n}$ with focus on the Welch-Gong (WG) family of stream ciphers. Our main contribution is to break WG-5, WG-7, WG-8 and WG-16 by combining results on the so-called spectral immunity (minimum distance of certain cyclic codes) with properties of the WG type stream cipher construction. The spectral immunity is the univariate analog of algebraic immunity and instead of measuring degree of multiples of a multivariate polynomial, it measures the minimum number of nonzero coefficients of a multiple of a univariate polynomial. Based on the structure of the general WG-construction, we deduce better bounds for the spectral immunity and the univariate analog of algebraic attacks.





2015-05-24
00:49 [Event][New] SPiCy: 1st Workshop on Security and Privacy in Cybermatics

  Submission: 3 July 2015
Notification: 3 August 2015
From September 30 to September 30
Location: Florence, Italy
More Information: http://spicy2015.di.unimi.it




2015-05-22
22:51 [Job][New] Marie Sklodowska-Curie Research Fellows in Cryptography (Early Stage Researchers – 1 post), NXP Semiconductors, Leuven, Belgium

  ECRYPT-NET is a European research network that intends to develop advanced cryptographic techniques and implementations for the Internet of Things and the Cloud. The network is currently recruiting a group of 15 PhD students who will be trained in an international context that involves Summer Schools and internships in a company or research organization in a second country. We are looking for highly motivated candidates, ideally with background on cryptology and with proven research abilities.

One open position is at NXP Semiconductors in Leuven, Belgium for research on cryptography for passively powered devices. New methods (like threshold implementations) and design approaches (e.g., leakage resilient crypto) will be investigated. Since the goal is to target efficiency in dedicated hardware and/or embedded software, interest and expertise in these areas and ideally a degree in electrical engineering is of advantage for applicants.

NXP Semiconductors is one of the market leaders in providing High Performance Mixed Signal and Standard Product solutions that leverage its leading RF, Analog, PM, Interface, Security, Digital Processing and Manufacturing expertise. NXP’s strong drive for innovation ensures secure identification in a smart connected world. Headquartered in Europe, the company has about 23,000 employees working in more than 25 countries.

The PhD student will, in addition to a supervisor from NXP, be supervised by a member of the Computer Security and Industrial Cryptography group (COSIC) at KU Leuven and closely collaborate with PhD students there; COSIC is within biking distance of the NXP site in Leuven. The research of COSIC has led to important cryptographic advances such as the Rijndael algorithm. The goal of the student is to receive a PhD from the KU Leuven after three years.

09:17 [Pub][ePrint] Contention in Cryptoland: Obfuscation, Leakage and UCE, by Mihir Bellare, Igors Stepanovs and Stefano Tessaro

  We study the achievability of different forms of obfuscation and related primitives A,B through relations of the form A=>not(B) ---this says that A,B cannot both exist--- or A=>B ---this says that if A exists so does B or if B does not exist then neither does A. Specifically: (1) We show that VGBO (Virtual Grey Box Obfuscation) for all circuits, which has been conjectured to be achieved by candidate constructions, would imply the failure of Canetti\'s 1997 AI-DHI1 (auxiliary input DH inversion) assumption and corresponding AIPO (Auxiliary-Input Point-function Obfuscation) scheme (2) We recover AIPO via a variant AI-DHI2 assumption, certain forms of UCE (Universal Computational Extractors), and a construction from any auxiliary-input OWF (3) We show that iO (indistinguishability Obfuscation) for all circuits implies the impossibility of certain forms of leakage-resilient encryption and other forms of UCE.



09:17 [Pub][ePrint] On Black-Box Complexity of Universally Composable Security in the CRS model, by Carmit Hazay and Muthuramakrishnan Venkitasubramaniam

  In this work, we study the intrinsic complexity of black-box Universally Composable (UC) secure computation based on general assumptions. We present a thorough study in various corruption modelings while focusing on achieving security in the common reference string (CRS) model. Our results involve the following:

1. Static UC secure computation. Designing the first static UC secure oblivious transfer protocol based on public-key encryption and stand-alone semi-honest oblivious transfer. As a corollary we obtain the first black-box constructions of UC secure computation assuming only two-round semi-honest oblivious transfer.

2. One-sided UC secure computation. Designing adaptive UC secure two-party computation with single corruptions assuming public-key encryption with oblivious ciphertext generation.

3. Adaptive UC secure computation. Designing adaptively secure UC commitment scheme assuming only public-key encryption with oblivious ciphertext generation. As a corollary we obtain the first black-box constructions of adaptive UC secure computation assuming only (trapdoor) simulatable public-key encryption (as well as a variety of concrete assumptions). We remark that such a result was not known even under non-black-box constructions.



09:17 [Pub][ePrint] Scalable and private media consumption with Popcorn, by Trinabh Gupta and Natacha Crooks and Srinath Setty and Lorenzo Alvisi and Michael Walfish

  This paper describes the design, implementation, and experimental evaluation of Popcorn, a media content delivery system that comprehensively hides (even from the content distributor) what is consumed but not necessarily who is doing the consumption. The motivation for Popcorn is both principled and pragmatic: we want to provide provable privacy while still respecting the current commercial context. To instantiate Popcorn, we turn to a powerful primitive from cryptography: private information retrieval (PIR). However, the cost and structure of PIR, as it appears in the literature, present major obstacles to using PIR as the foundation for an Internet-scale service. Nevertheless, with careful system design, and by composing a series of novel refinements and optimizations that leverage the properties of PIR protocols as well as the properties of media streaming, we have produced a system that cheaply hides media consumption, scales to the size of Netflix\'s library (8,000 movies) and respects current controls on media dissemination. The per-request cost in Popcorn is less than three times the per-request cost in a baseline system that does not provide privacy.





2015-05-21
21:17 [Pub][ePrint] Improved security proofs in lattice-based cryptography: using the R\\\'enyi divergence rather than the statistical distance, by Shi Bai and Adeline Langlois and Tancr{\\`e}de Lepoint and Damien Stehl\

  The R\\\'enyi divergence is a measure of closeness of two

probability distributions. We show that it can often be used as an alternative

to the statistical distance in security proofs for lattice-based

cryptography. Using the R\\\'enyi divergence is particularly suited

for security proofs of primitives in which the attacker is required

to solve a search problem (e.g., forging a signature). We show that

it may also be used in the case of distinguishing problems (e.g.,

semantic security of encryption schemes), when they enjoy a public

sampleability property. The techniques lead to security proofs for

schemes with smaller parameters, and sometimes to simpler security

proofs than the existing ones.



21:17 [Pub][ePrint] More Rounds, Less Security?, by Jian Guo and J\\\'{e}r\\\'{e}my Jean and Nicky Mouha and Ivica Nikoli\\\'{c}

  This paper focuses on a surprising class of cryptanalysis results for symmetric-key primitives: when the number of rounds of the primitive is increased, the complexity of the cryptanalysis result decreases. Our primary target will be primitives that consist of identical round functions, such as PBKDF1, the Unix password hashing algorithm, and the Chaskey MAC function. However, some of our results also apply to constructions with non-identical rounds, such as the PRIDE block cipher. Firstly, we construct distinguishers for which the data complexity decreases when the number of rounds is increased. They are based on two well-known observations: iterating a random permutation increases the expected number of fixed points, and iterating a random function decreases the expected number of image points. We explain that these effects also apply to components of cryptographic primitives, such as a round of a block cipher. Secondly, we introduce a class of key-recovery and preimage-finding techniques that correspond to exhaustive search, however on a smaller part (e.g. one round) of the primitive. As the time complexity of a cryptanalysis result is usually measured by the number of full-round evaluations of the primitive, increasing the number of rounds will lower the time complexity. None of the observations in this paper result in more than a small speed-up over exhaustive search. Therefore, for lightweight applications, implementation advantages may outweigh the presence of these observations.



21:17 [Pub][ePrint] Turning Online Ciphers Off, by Elena Andreeva and Guy Barwell and Dan Page and Martijn Stam

  CAESAR has caused a heated discussion regarding the merits of one-pass encryption and online ciphers. The latter is a keyed, length preserving function which outputs ciphertext blocks as soon as the respective plaintext block is received. The immediacy of an online cipher gives a clear performance advantage, yet it comes at a price. Since ciphertext blocks cannot depend on later plaintext blocks, diffusion and hence security is limited. We show how one can attain the best of both worlds by providing provably secure constructions,

achieving full cipher security, based on applying an online cipher and reordering blocks.

Explicitly, we show that with just two calls to the online cipher, security up to the birthday bound is both attainable and maximal. Moreover, we demonstrate that three calls to the online cipher suffice to obtain beyond birthday bound security, and (for suitably long messages) arbitrarily strong security. As part of our investigation, we extend an observation by Rogaway and Zhang, highlighting the close relationship between online ciphers and tweakable blockciphers with variable-length tweaks.



21:17 [Pub][ePrint] How to detect unauthorised usage of a key, by Jiangshan Yu and Mark Ryan and Cas Cremers

  Encryption is useful only if the decryption key has not been exposed to adversaries; in particular, it requires that the device performing the crypto operations is free of malware. We explore ways in which some security guarantees can be achieved even if an attacker has succeeded in obtaining access to all the keys in a device, e.g. by exploiting software vulnerabilities.

We develop a new protocol concept that allows the device owner to detect if another party is using the device\'s long-term key. We achieve this by making it necessary for uses of the key to be inserted in an append-only log, which the device owner can interrogate. We propose a multi-device messaging protocol that exploits our concept to allow users to detect unauthorised usage of their device keys. We prove the main properties of our protocol using the Tamarin prover.

The methods we introduce are not intended to replace existing methods used to keep keys safe (such as hardware devices or careful procedures). Rather, our methods provide a useful and effective additional layer of security.