International Association for Cryptologic Research

IACR News Central


2015-05-26
09:17 [Pub][ePrint] Efficient Zero-Knowledge Proofs of Non-Algebraic Statements with Sublinear Amortized Cost, by Zhangxiang Hu and Payman Mohassel and Mike Rosulek

  We describe a zero-knowledge proof system in which a prover holds a large dataset $M$ and can repeatedly prove NP relations about that dataset. That is, for any (public) relation $R$ and $x$, the prover can prove that $\exists w: R(M,x,w)=1$. After an initial setup phase (which depends only on $M$), each proof requires only a constant number of rounds and has communication/computation cost proportional to that of a random-access machine (RAM) implementation of $R$, up to polylogarithmic factors. In particular, the cost per proof in many applications is sublinear in $|M|$. Additionally, the storage requirement between proofs for the verifier is constant.



02:01 [Event][New] CryptoBG*2015: CryptoBG*2015: Cryptology and Cyber Resilience

  Submission: 10 June 2015
Notification: 20 June 2015
From July 19 to July 26
Location: Oriahovitza, Bulgaria
More Information: http://www.cryptobg.org




2015-05-25
15:17 [Pub][ePrint] Cryptanalysis Of Dynamic ID Based Remote User Authentication Scheme With Key Agreement, by Sonam Devgan Kaul and Amit K. Awasthi

  In 2012, Wen and Li proposed a secure and robust dynamic identity based remote user authentication scheme with key agreement using smart cards. They claimed that their scheme is efficient and secure. But in this paper, we demonstrate that their scheme is completely insecure and vulnerable to various known attacks like offline and online password guessing attack, impersonation attack, server masquerading attack, denial of service attack and an insider attack. Also we point out that there are loopholes in password change phase and online secret renew phase which lead to the desynchronization between user and the server and even the legitimate user is rejected by the server. In addition, an adversary can easily generate the common session key of further transmission between user and the server. Thus the entire system collapses and authors' claims are proven to be wrong and their scheme will not be secure and efficient for practical purpose.



15:17 [Pub][ePrint] Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices, by Nishanth Chandran and Melissa Chase and

  In this work we define multiple relaxations to the definition of correctness in secure obfuscation. While still remaining meaningful, these relaxations provide ways to obfuscate many primitives in a more direct and efficient way. In particular, we first show how to construct a secure obfuscator for the re-encryption primitive from the Decisional Learning with Errors (DLWE) assumption, without going through fully homomorphic encryption. This can be viewed as a meaningful way to trade correctness for efficiency.

Next, we show how our tools can be used to construct secure obfuscators for the functional re-encryption and multi-hop unidirectional re-encryption primitives. In the former case, we improve upon the efficiency of the only previously known construction that satisfies the stronger notion of collusion-resistant obfuscation (due to Chandran et al. - TCC 2012) and obtain a construction with input ciphertexts of constant length. In the latter case, we provide the first known obfuscation-based definition and construction; additionally, our scheme is the first scheme where the size of the ciphertexts does not grow with every hop.



15:17 [Pub][ePrint] Masking vs. Multiparty Computation: How Large is the Gap for AES?, by Vincent Grosso and François-Xavier Standaert and Sebastian Faust

  In this paper, we evaluate the performances of state-of-the-art higher-order masking schemes for the AES. Doing so, we pay a particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting MultiParty Computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g. its glitch-freeness) come at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that "packed secret sharing" based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.



15:17 [Pub][ePrint] Fault Tolerant Infective Countermeasure for AES, by Sikhar Patranabis and Abhishek Chakraborty and Debdeep Mukhopadhyay

  Infective countermeasures have been a promising class of fault attack countermeasures. However, they have been subjected to several attacks owing to lack of formal proofs of security and improper implementations. In this paper, we first provide a formal information theoretic proof of security for one of the most recently proposed infective countermeasures against DFA, under the assumption that the adversary does not change the flow sequence or skip any instruction. Subsequently, we identify weaknesses in the infection mechanism of the countermeasure that could be exploited by attacks which change the flow sequence. We propose suitable randomizations to reduce the success probabilities of such attacks. Furthermore, we develop a fault tolerant implementation of the countermeasure using the x86 instruction set to make such attacks which attempt to change the control flow of the algorithm practically infeasible. All the claims have been validated by supporting simulations and real life experiments on a SASEBO-W platform. We also compare the performance and security provided by the proposed countermeasure against that provided by the existing scheme.



15:17 [Pub][ePrint] Cryptanalysis of the LSH and SHA-V Hash Functions, by Yonglin Hao and Hongbo Yu

  In this paper, we study the security of two hash function families LSH and SHA-V. We find that the wide-pipe MD structural LSH hash functions do not apply the traditional feeding forward operation. This structural weakness enables us to launch free-start collision and pseudo-preimage attacks on full-round LSH hash functions with negligible complexities. In order to evaluate the quality of the LSH round functions, we launch 14-round boomerang attacks on LSH-512 and LSH-256 hash functions with complexities $2^{308}$ and $2^{242}$ respectively. We verify the correctness of our boomerang attacks by giving practical 11-round boomerang quartets. These boomerang results indicate that the round functions of LSH are well designed. Based on our analysis, we stress that the adoption of the feeding forward operation should be essential to the LSH hash functions despite their well designed round functions. The PMD structural SHA-V parallelizes two SHA-1-like streams and each stream processes independent 512-bit message blocks. This structure enables us to utilize the divide-and-conquer strategy to find preimages and collisions. Our preimage attack can be applied to full-round SHA-V with time & memory complexities $O(2^{80})$. Our trivial collision attacks also require $O(2^{80})$ complexities but, utilizing existing results on SHA-1, we can find a SHA-V collision with a time complexity $O(2^{61})$ and a negligible memory complexity. These results indicate that there are weaknesses in both the structure and the round function of SHA-V.



15:17 [Pub][ePrint] Powers of Subfield Polynomials and Algebraic Attacks on Word-Based Stream Ciphers, by Sondre Rønjom

  In this paper we investigate univariate algebraic attacks on filter generators over extension fields $\mathbb{F}_q=\mathbb{F}_{2^n}$ with focus on the Welch-Gong (WG) family of stream ciphers. Our main contribution is to break WG-5, WG-7, WG-8 and WG-16 by combining results on the so-called spectral immunity (minimum distance of certain cyclic codes) with properties of the WG type stream cipher construction. The spectral immunity is the univariate analog of algebraic immunity and instead of measuring degree of multiples of a multivariate polynomial, it measures the minimum number of nonzero coefficients of a multiple of a univariate polynomial. Based on the structure of the general WG-construction, we deduce better bounds for the spectral immunity and the univariate analog of algebraic attacks.





2015-05-24
00:49 [Event][New] SPiCy: 1st Workshop on Security and Privacy in Cybermatics

  Submission: 3 July 2015
Notification: 3 August 2015
From September 30 to September 30
Location: Florence, Italy
More Information: http://spicy2015.di.unimi.it




2015-05-22
22:51 [Job][New] Marie Sklodowska-Curie Research Fellows in Cryptography (Early Stage Researchers – 1 post), NXP Semiconductors, Leuven, Belgium

  ECRYPT-NET is a European research network that intends to develop advanced cryptographic techniques and implementations for the Internet of Things and the Cloud. The network is currently recruiting a group of 15 PhD students who will be trained in an international context that involves Summer Schools and internships in a company or research organization in a second country. We are looking for highly motivated candidates, ideally with background on cryptology and with proven research abilities.

One open position is at NXP Semiconductors in Leuven, Belgium for research on cryptography for passively powered devices. New methods (like threshold implementations) and design approaches (e.g., leakage resilient crypto) will be investigated. Since the goal is to target efficiency in dedicated hardware and/or embedded software, interest and expertise in these areas and ideally a degree in electrical engineering is of advantage for applicants.

NXP Semiconductors is one of the market leaders in providing High Performance Mixed Signal and Standard Product solutions that leverage its leading RF, Analog, PM, Interface, Security, Digital Processing and Manufacturing expertise. NXP’s strong drive for innovation ensures secure identification in a smart connected world. Headquartered in Europe, the company has about 23,000 employees working in more than 25 countries.

The PhD student will, in addition to a supervisor from NXP, be supervised by a member of the Computer Security and Industrial Cryptography group (COSIC) at KU Leuven and closely collaborate with PhD students there; COSIC is within biking distance of the NXP site in Leuven. The research of COSIC has led to important cryptographic advances such as the Rijndael algorithm. The goal of the student is to receive a PhD from the KU Leuven after three years.

09:17 [Pub][ePrint] Contention in Cryptoland: Obfuscation, Leakage and UCE, by Mihir Bellare, Igors Stepanovs and Stefano Tessaro

  We study the achievability of different forms of obfuscation and related primitives A,B through relations of the form A=>not(B) (this says that A,B cannot both exist) or A=>B (this says that if A exists so does B or if B does not exist then neither does A). Specifically: (1) We show that VGBO (Virtual Grey Box Obfuscation) for all circuits, which has been conjectured to be achieved by candidate constructions, would imply the failure of Canetti's 1997 AI-DHI1 (auxiliary input DH inversion) assumption and corresponding AIPO (Auxiliary-Input Point-function Obfuscation) scheme (2) We recover AIPO via a variant AI-DHI2 assumption, certain forms of UCE (Universal Computational Extractors), and a construction from any auxiliary-input OWF (3) We show that iO (indistinguishability Obfuscation) for all circuits implies the impossibility of certain forms of leakage-resilient encryption and other forms of UCE.