International Association for Cryptologic Research

# IACR News Central

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2015-06-11
06:37 [Job][New]

The Ruhr University Bochum is offering a 2-year post-doc position in theoretical cryptography, working on the ERC project \"Efficient Resource Constrained Cryptography\". Required is a PhD in cryptography and excellence in research, proven for example by publications in IACR conferences and workshops.

Applicants interested in the positions should provide the following information in pdf format with the application:

- Motivation letter

- CV

- List of publications, mark your top 2

This position will be filled as soon as possible, late applications will be considered.

06:37 [Job][New]

The researcher will work on a project entitled “Securing emerging network technologies with homomorphic encryption”. The overall aim of the project is to design methods for secure processing of network data in emerging networks using practical variants of homomorphic encryption. Recent advances in cryptography will be applied to secure the virtualization of the ICT infrastructure (such as “cloud” processing and storage) and new flexible networking technologies such as software defined networks (SDN) and network function virtualization (NFV). Work tasks will include: analysis of suitable network functions for homomorphic processing; analysis of practical homomorphic encryption algorithms; secure protocol design and analysis; and experimental implementations.

2015-06-10
14:44 [Event][New]

Submission: 7 September 2015
From February 29 to March 4
Location: San Francisco, USA

2015-06-09
15:06 [Event][New]

Submission: 9 September 2015
From January 19 to February 21
Location: Rome, Italy

00:17 [Pub][ePrint]

We provide a security analysis for full-state keyed Sponge and full-state Duplex constructions. Our results can be used for making a large class of Sponge-based authenticated encryption schemes more efficient by concurrent absorption of associated data and message blocks. In particular, we introduce and analyze a new variant of SpongeWrap with almost free authentication of associated data. The idea of using full-state message absorption for higher efficiency was first made explicit in the Donkey Sponge MAC construction, but without any formal security proof. Recently, Gazi, Pietrzak and Tessaro (CRYPTO 2015) have provided a proof for the fixed-output-length variant of Donkey Sponge. Yasuda and Sasaki (CT-RSA 2015) have considered partially full-state Sponge-based authenticated encryption schemes for efficient incorporation of associated data. In this work, we unify, simplify, and generalize these results about the security and applicability of full-state keyed Sponge and Duplex constructions; in particular, for designing more efficient authenticated encryption schemes. Compared to the proof of Gazi et al., our analysis directly targets the original Donkey Sponge construction as an arbitrary-output-length function. Our treatment is also more general than that of Yasuda and Sasaki, while yielding a more efficient authenticated encryption mode for the case that associated data might be longer than messages.

00:17 [Pub][ePrint]

A side-channel analysis of multiplication in GF(2^{128}) has recently been published by Belaïd, Fouque and Gérard at Asiacrypt 2014, with an application to AES-GCM. Using the least significant bit of the Hamming weight of the multiplication result, the authors have shown how to recover the secret multiplier efficiently. However such least significant bit is very sensitive to noise measurement; this implies that without averaging their attack can only work for high signal-to-noise ratios (SNR > 128). In this paper we describe a new side-channel attack against the multiplication in GF(2^{128}) that uses the most significant bits of the Hamming weight. We show that much higher values of noise can be then tolerated. For instance with an SNR equal to 8, the key can be recovered using 2^{20} consumption traces with time and memory complexities respectively equal to 2^{51.68} and 2^{36}. We moreover show that the new method can be extended to attack the fresh re-keying countermeasure proposed by Medwed, Standaert, Großschädl and Regazzoni at Africacrypt 2010.

00:17 [Pub][ePrint]

Many efficient data structures use randomness, allowing them to improve upon deterministic ones. Usually, their efficiency and/or correctness are analyzed using probabilistic tools under the assumption that the inputs and queries are independent of the internal randomness of the data structure. In this work, we consider data structures in a more robust model, which we call the adversarial model. Roughly speaking, this model allows an adversary to choose inputs and queries adaptively according to previous responses. Specifically, we consider a data structure known as \"Bloom filter\" and prove a tight connection between Bloom filters in this model and cryptography.

A Bloom filter represents a set S of elements approximately, by using fewer bits than a precise representation. The price for succinctness is allowing some errors: for any x in S it should always answer \'Yes\', and for any x not in S it should answer \'Yes\' only with small probability.

In the adversarial model, we consider both efficient adversaries (that run in polynomial time) and computationally unbounded adversaries that are only bounded in the amount of queries they can make. For computationally bounded adversaries, we show that non-trivial (memory-wise) Bloom filters exist if and only if one-way functions exist. For unbounded adversaries we show that there exists a Bloom filter for sets of size n and error eps, that is secure against t queries and uses only O(n*log(1/eps) + t) bits of memory. In comparison, n*log(1/eps) is the best possible under a non-adaptive adversary.

00:17 [Pub][ePrint]

Two alternating vector operations on a cubic hypersurface are given

simple expressions. Direct use of the first operation\'s expression

seems less efficient than state-of-the-art elliptic curve

cryptography. The second expression seems mainly interesting

towards an elementary exposition about elliptic curve theory.

00:17 [Pub][ePrint]

Ring oscillator (RO) based physically unclonable function

(PUF) on FPGAs is crucial and popular for its nice properties and easy

implementation. The compensated measurement based on the ratio of

two ring oscillators\' frequencies proves to be particularly effective to extract

entropy of process variations. However from two ring oscillators

only one bit entropy is extracted and RO PUFs will occupy numerous

resource with the size of private information increasing. Motivated by this

inefficient resource usage, we propose an elegant and efficient method to

extract at least 31 bits entropy from two ring oscillators on FPGAs by

utilizing the fine control of programmable delay lines (PDL). We call this

construction Further ROPUF (FROPUF). In this paper, we present in

detail how to take advantage of the underlying random process variation

which derives from the lookup tables (LUT) of two ring oscillators,

and show that the in-depth variation can be extracted by a similar second

order difference calculation. In addition, we reveal the consistency

of the evaluation results from Xilinx FPGAs (e.g. Virtex-5, Virtex-6,

Kintex-7) and those by simulation of FROPUF. The responses of our

new construction have a nominal bit-error-rate (BER) of 1.85% at 27

C

and FROPUF greatly promotes the number of entropy with equivalent

reliability of the general ROPUF.

00:17 [Pub][ePrint]

We describe an actively secure OT extension protocol in the random oracle model with efficiency very close to the passively secure IKNP protocol of Ishai et al. (Crypto 2003). For computational security parameter $\\kappa$, our protocol requires $\\kappa$ base OTs, and is the first practical, actively secure protocol to match the cost of the passive IKNP extension in this regard. The added communication cost is

only additive in $O(\\kappa)$, independent of the number of OTs being created, while the computation cost is essentially two finite field operations per extended OT. We present implementation results that show our protocol takes no more than 5% more time than the passively secure IKNP extension, in both LAN and WAN environments, and so is essentially optimal with respect to the passive protocol.

00:17 [Pub][ePrint]

Existing systems for secure computation require programmers to express the program to be securely computed as a circuit, or in some domain-specific language that can be compiled to a form suitable for applying known protocols. We propose a new system that can securely execute native MIPS code with no special annotations. Our system has the advantage of allowing programmers to use a language of their choice to express their programs, together with any off-the-shelf compiler to MIPS; it can be used for secure computation of existing \"legacy\" MIPS code as well.

Our system uses oblivious RAM for fetching instructions and performing load/store operations in memory, and garbled universal circuits for the execution of a MIPS ALU in each instruction step. We also explore various optimizations based on an offline analysis of the MIPS code to be executed, in order to minimize the overhead of executing each instruction while still maintaining security.