International Association for Cryptologic Research


IACR News

If you have a news item you wish to distribute, it should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

via email
via RSS feed

28 June 2015

Kyu Young Choi, Jihoon Cho, Jung Yeon Hwang, and Taekyoung Kwon
ePrint Report
In this paper, we propose an efficient identity-based password authenticated key exchange (IBPAKE) protocol using identity-based KEM/DEM. In IBPAKE, a client conducts authentication based on a human-memorable password and a server's identity. A distinctive feature of IBPAKE protocols, compared to the well-known EKE-type PAKE protocols, is that an adversary who even acquired a user's password cannot impersonate a server to further investigate the user's sensitive information. We first construct the new IBPAKE protocol using the Boneh-Franklin identity-based encryption (IBE) scheme, and then generalize the protocol by presenting a generic method to yield an efficient IBPAKE protocol from identity-based KEM/DEM. Our fine-grained approach has concrete advantages in terms of performance. First, unnecessary parameters can be removed easily. This allows a straightforward improvement on computational cost and communication bandwidth. In addition, using the essential feature of identity-based KEM/DEM, we can construct an IBPAKE protocol which runs in a single pass. Our protocol gives better performance, compared to prior known IBPAKE protocols.

Hitesh Tewari, Eamon O Nuallain
ePrint Report
This paper introduces a new P2P Electronic Cash system called Netcoin. The purpose of Netcoin is to facilitate inexpensive peer-to-peer monetary transactions on the Web. Its salient features are that it is a traceable system with an efficient mechanism for verifying transactions. Netcoins are reusable and can be easily passed from one user to another. The issuing of virtual currency and verification of transactions are performed by trusted mints, which act as the gateway between the fiat and virtual currency worlds. There is no need to maintain a public ledger, which would inhibit use on a global scale because of rapidly increasing memory and bandwidth requirements. The system is neither inflationary nor deflationary in nature and does not purport a new economic model. As a fiat-backed currency it should not suffer the volatility issues associated with Bitcoin. In this paper the two most prominent electronic payment systems of the last forty years, namely Ecash and Bitcoin, are examined. Netcoin is then introduced in detail and is designed to address the shortcomings of these payment systems.

Benoit Libert, Damien Stehle
ePrint Report
Functional encryption is a modern public-key paradigm where a master private key can be used to derive sub-keys $SK_F$ associated with certain functions $F$ in such a way that the decryption operation reveals $F(M)$, if $M$ is the encrypted message, and nothing else. Recently, Abdalla {\it et al.} gave simple and efficient realizations of the primitive for the computation of linear functions on encrypted data: given an encryption of a vector $\vec{y} \in \mathbb{Z}_q^\ell$, a private key $SK_{\vec{x}}$ for the vector $\vec{x} \in \mathbb{Z}_q^\ell$ allows computing $\langle \vec{x}, \vec{y} \rangle$. Their technique surprisingly allows for instantiations under standard assumptions, like the hardness of the Decision Diffie-Hellman (DDH) and Learning-with-Errors (LWE) problems. Their constructions, however, are only proved secure against {\it selective} adversaries, which have to declare the challenge messages $M_0$ and $M_1$ at the outset of the game. In this paper, we provide constructions that provably achieve security against more realistic {\it adaptive} attacks (where the messages $M_0$ and $M_1$ may be chosen in the challenge phase, based on the previously collected information) for the same inner product functionality. Our constructions are obtained from hash proof systems endowed with homomorphic properties over the key space. They are as efficient as those of Abdalla {\it et al.} and rely on the same assumptions. As a result of independent interest, we prove the security of our LWE-based system via a new result on the hardness of the extended LWE problem, where the distinguisher receives hints about the noise distribution.

Igor Semaev
ePrint Report
Based on the analysis of $6$-digit one-time passwords (OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in the details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is $8^{-5}$. That is much higher than $10^{-6}$, which may be expected if all the digits are independent and uniformly distributed. Under natural assumptions, even in a relatively small bank or company with $10^4$ customers the number of compromised accounts during a year may be more than $100$.

Daniel J. Bernstein, Tung Chou, Peter Schwabe
ePrint Report
This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks. For example, at a $2^{128}$ security level, this paper achieves a reciprocal decryption throughput of just 60493 cycles (plus cipher cost etc.) on a single Ivy Bridge core. These algorithms rely on an additive FFT for fast root computation, a transposed additive FFT for fast syndrome computation, and a sorting network to avoid cache-timing attacks.

Shijun Zhao, Qianying Zhang
ePrint Report
The Trusted Platform Module (TPM) version 2.0 provides an authenticated key exchange functionality by a single key exchange primitive, which can be called to implement three key exchange protocols (denoted as two-phase key exchange protocols in TPM 2.0): the Full Unified Model, the MQV, and the SM2 key exchange protocols. However, some vulnerabilities have been found in all of these protocols. Fortunately, it seems that protections provided by the TPM can deal with the vulnerabilities of these protocols. This paper investigates whether the TPM key exchange primitive provides a secure key exchange functionality under the protections of the TPM. We first perform an informal analysis of the TPM key exchange primitive, which helps us to model it in a precise way. Then we formally analyze the TPM key exchange primitive in a security model for AKE, based on which all the protocols adopted by TPM 2.0 can be analyzed in a unified way. Our analysis indicates under what conditions TPM 2.0 can provide a provably secure key exchange functionality. In the end, we give suggestions on how to leverage the TPM key exchange primitive properly, and suggestions on how to improve the security of the current TPM key exchange primitive to enable its wide use in practice.


27 June 2015

London, UK, June 19 - June 22
Event Calendar
Submission: 27 January 2016
Notification: 25 March 2016
From June 19 to June 22
Location: London, UK
More Information: http://acns2016.sccs.surrey.ac.uk/

26 June 2015

University of Bristol
Job Posting
We are looking for PhD applicants in the areas of practical Multi-Party Computation and in Multi-Linear Maps and associated techniques. The positions include a tax free stipend as well as payment of your tuition fees. The projects are with partners in the USA and so travel to the USA will be a major component of the projects.

Please contact Nigel Smart, as soon as possible, to informally discuss the positions.


25 June 2015

University of Bergen
Job Posting
There is a vacancy for a PhD position in cryptography at the Department of Informatics (www.uib.no/en/ii). The position is for a fixed-term period of 4 years and is within the Simula@UiB group, a joint collaboration in cyber security between UiB and Simula Research Laboratory. Salary at pay grade 50 upon appointment; currently NOK 430,500 gross p.a. Further promotions are made according to length of service in the position.

24 June 2015

Cryptographic Algorithms Group, CISPA, Saarland University, Germany
Job Posting
The Cryptographic Algorithms Group is offering a 2-year post-doc position. We are part of the Center for IT-Security and Privacy (short: CISPA). The CISPA was founded in October 2011 as a competence center for IT security at Saarland University. It is a joint endeavor of Saarland University (UdS) and its on-site partner institutions: the Max Planck Institute for Informatics (MPI-INF), the Max Planck Institute for Software Systems (MPI-SWS), and the German Research Center for Artificial Intelligence (DFKI).

Requirements: A PhD in cryptography or related areas, and excellence in research, proven for example by publications in IACR conferences and workshops or venues like IEEE S&P, ACM CCS, NDSS, USENIX Security,…

Applicants interested in the positions should provide the following information in PDF format with the application:

- Research statement
- CV
- List of publications, with your top 2 marked
- 2 reference letters

Expected starting date is November 1st.

Cryptographic Algorithms Group: www.ca.cs.uni-saarland.de

CISPA: http://cispa.saarland

Aspera - an IBM Company
Job Posting
Aspera, an IBM Company, is profitable and headquartered in Emeryville, California, with satellite offices in the United Kingdom, France and Singapore. Over 3,000 customers that need to move large volumes of data, in industries such as enterprise IT, games and software development, government, legal & eDiscovery, life sciences, media & entertainment and oil & gas, rely on Aspera software to move extreme data sets at high speed over global distances.

Responsibilities:

• Focus on defining and building out security programs and quality programs
• Develop an analysis framework for vulnerabilities
• Code or help code the security framework components
• Develop patches and new security features to help mitigate security flaws
• Coordinate activities during the deployment of security-relevant features
• Perform security code audits and design reviews
• Architecture, design and coding of Aspera’s end-to-end security framework
• Threat and vulnerability analysis
• Code analysis, scanning
• Pen-test
• Ability to deliver results quickly and efficiently with iterative approaches

Requirements:

• Strong software development background - C and C++, systems programming, web application frameworks, JavaScript
• Expert knowledge of applied cryptography and software security
• Deep familiarity with common software security threats, CWE
• Proven record - contribution or ownership of security framework design and implementation for large scale software systems
• Authentication and distributed authorization frameworks (SAML, OpenID, OAuth(2))
• Code analysis and scanning tools and processes
• Secure communication protocols, data protection, secure interaction with authentication and authorization systems, and cloud services (particularly cloud storage)
• To


21 June 2015

Announcement

Open Letter to the Hon'ble President of India

The International Association of Cryptologic Research (IACR) is dismayed by reports of Professor Bimal Roy being dismissed in all but name as Director of the Indian Statistical Institute in Kolkata. Professor Roy has been a driving force in advancing the important field of cryptology in India, elevating its visibility to international level. Cryptology is a prime application of statistical and probabilistic methods.

The IACR confirms that Professor Roy deserves great recognition for his service to India and to the field of cryptology. He devoted his career to strengthening India's standing in this timely, fast advancing field. Removing him from this position one month before the appointment expires is an act that has put India in a shameful and awkward position in front of the international community of cryptology research and of mathematics in general.

The International Association of Cryptologic Research
June 21, 2015

Denise Demirel, Jean Lancrenon
ePrint Report
Pedersen commitments are important cryptographic primitives. They allow a prover to commit to a certain value without revealing any information about it and without the prover being able to change its mind later on. Since the first property holds unconditionally, this is an essential primitive for many schemes providing long-term confidentiality. However, the second property only holds computationally. Hence, in the long run bindingness is lost, making the primitive improper for long-lived systems. Thus in this paper, we describe a protocol that, in a sense, prolongs the bindingness of a given Pedersen commitment. More precisely, we demonstrate how to prove in perfect zero-knowledge that a new Pedersen commitment - generated with a larger security parameter - and a corresponding old commitment both commit to the same value. We stress that this is a non-trivial procedure. Up until now the only known perfect zero-knowledge proof techniques for proving message equivalence of two commitments work when both commitments use isomorphic message spaces. However, as we will show in this work, to prolong the security of Pedersen commitments we cannot tolerate this restriction. Our prolonging technique works for non-isomorphic message spaces, is efficient, can be repeated an arbitrary number of times, maintains unconditional confidentiality, and allows preserving the format of the Pedersen commitments. This makes the construction presented here an important contribution to long-lived systems. Finally, we illustrate this by discussing how commitments with prolongable bindingness can be used to allow for archiving solutions that provide not only integrity but also confidentiality in the long term.

Ray Beaulieu, Douglas Shors, Jason Smith, Stefan Treatman-Clark, Bryan Weeks, Louis Wingers
ePrint Report
The U.S. National Security Agency (NSA) developed the SIMON and SPECK families of lightweight block ciphers as an aid for securing applications in very constrained environments where AES may not be suitable. This paper summarizes the algorithms, their design rationale, along with current cryptanalysis and implementation results.

Yuan Zhang, Chunxiang Xu, Shui Yu, Hongwei Li, Xiaojun Zhang
ePrint Report
Cyber-physical-social systems (CPSS) allow individuals to share personal information collected not only from cyberspace, but also from physical space. This has resulted in numerous data being generated at a user's local storage. However, it is very expensive for users to store large data sets, and it also causes problems in data management. Therefore, it is of critical importance to outsource the data to cloud servers, which provides users an easy, cost-effective and flexible way to manage data. However, users lose control of their data once they outsource it to cloud servers, which poses challenges to the integrity of outsourced data. Many mechanisms have been proposed to allow a third-party auditor to verify data integrity using the public keys of users. Most of these mechanisms bear a strong assumption: the auditors are honest and reliable, and are thereby vulnerable in the case that auditors are malicious. Moreover, in most of these approaches, an auditor needs to manage users' certificates to choose the correct public keys for verification.

In this paper, we propose a secure certificateless public integrity verification scheme (SCLPV). The SCLPV scheme is the first work that simultaneously supports certificateless public verification and resistance against malicious auditors to verify the integrity of outsourced data in CPSS. A formal and strict security proof proves the correctness and security of our scheme. In addition, an elaborate performance analysis demonstrates that our scheme is efficient and practical. Compared with the best of the existing certificateless public verification schemes (CLPV), the SCLPV provides stronger security guarantees in terms of remedying the security vulnerability of the CLPV and resistance against malicious auditors. At the same time, in comparison with the best integrity verification scheme achieving resistance against malicious auditors, the communication cost between the auditor and the cloud server in the SCLPV is independent of the size of the processed data; meanwhile, the auditor in the SCLPV does not need to manage certificates.

Trupil Limbasiya, Nishant Doshi
ePrint Report
In a remote authentication scheme, a remote user can communicate with a server over open networks even though the physical distance is far. Before interaction, they need to establish a common session key by authenticating each other. Recently, in 2014, Kumari et al. proposed an efficient scheme for remote user authentication. However, in this paper we show that Kumari et al.'s scheme is susceptible to the Insider Attack, Stolen Verifier Attack, Session Key Disclosure Attack, Password Guessing Attack, Modification Attack, User Impersonation Attack, Replay Attack, Shoulder Surfing Attack and Denial of Service Attack. Afterwards, we propose an improved remote user authentication scheme to deal with these and other attacks.

Bimal Mandal, Pantelimon Stanica, Sugata Gangopadhyay, Enes Pasalic
ePrint Report
Two (so-called $C, D$) classes of permutation-based bent Boolean functions were introduced by Carlet two decades ago, but without specifying explicit methods for their construction (apart from the subclass $D_0$). In this article, we look in more detail at the $C$ class, and derive some existence and nonexistence results concerning the bent functions in the $C$ class for many of the known classes of permutations over $\mathbb{F}_{2^n}$. Most importantly, the existence results induce generic methods of constructing bent functions in class $C$ which possibly do not belong to the completed Maiorana-McFarland class. The question whether the specific permutations and related subspaces we identify in this article indeed give bent functions outside the completed Maiorana-McFarland class remains open.

A.-M. Leventi-Peetz, J.-V. Peetz
ePrint Report
Methods are presented to derive, with the aid of the computer mathematics software system SageMath, the Multivariate Quadratic equation systems (MQ) for the input and output bit variables of a cryptographic S-box, starting from its algebraic expressions. The motivation for this work was the results of recent articles, which we have verified and extended in an original way that, to our knowledge, has not yet been published elsewhere. At the same time, we present results contrary to the published ones, which cast serious doubts on the suitability of previously presented formulas that are supposed to quantify the resistance of S-boxes against algebraic attacks.

Avik Chakraborti, Anupam Chattopadhyay, Muhammad Hassan, Mridul Nandi
ePrint Report
In this paper, we propose a new hardware friendly authenticated encryption (AE) scheme TriviA based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium, to obtain our underlying stream cipher. This new stream cipher has a state that is a little larger than the state of Trivium to accommodate a 128-bit secret key and IV. Our pairwise independent hash is also an adaptation of the EHC or "Encode-Hash-Combine" hash, that requires the optimum number of field multiplications and hence requires a small hardware footprint. We have implemented the design in synthesizable RTL. Pre-layout synthesis, using 65 nm standard cell technology under typical operating conditions, reveals that TriviA is able to achieve a high throughput of 91.2 Gbps for an area of 24.4 KGE. We prove that our construction has at least 128-bit security for privacy and 124-bit security of authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream.

Maciej Skorski
ePrint Report
We revisit the classical problem: given a memoryless source having a certain amount of Shannon Entropy, how many random bits can be extracted? This question appears in works studying random number generators built from physical entropy sources.

Some authors use a heuristic estimate obtained from the Asymptotic Equipartition Property, which yields roughly $n$ extractable bits, where $n$ is the total Shannon entropy amount. However, the best known precise form gives only $n-O(\sqrt{\log(1/\epsilon)\, n})$, where $\epsilon$ is the distance of the extracted bits from uniform. In this paper we show a matching $n-\Omega(\sqrt{\log(1/\epsilon)\, n})$ upper bound. Therefore, the loss of $\Theta(\sqrt{\log(1/\epsilon)\, n})$ bits is necessary. As we show, this theoretical bound is of practical relevance. Namely, applying the imprecise AEP heuristic to a mobile phone accelerometer one might overestimate extractable entropy even by $100\%$, no matter what the extractor is. Thus, the "AEP extracting heuristic" should not be used without taking the precise error into account.
