International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News

If you have a news item you wish to distribute, they should be sent to the communications secretary. See also the events database for conference announcements.

Here you can see all recent updates to the IACR webpage. These updates are also available:

email icon
via email
RSS symbol icon
via RSS feed

12 August 2015

Using State Space Encoding To Counter Biased Fault Attacks on AES Countermeasures
Sikhar Patranabis, Abhishek Chakraborty, Debdeep Mukhopadhyay, P.P. Chakrabarti
ePrint Report ePrint Report
Biased fault attacks such as the Differential Fault Intensity Analysis (DFIA) have been a major threat to cryptosystems in recent times. DFIA combines principles of side channel analysis and fault attacks to try and extract the key using faulty ciphertexts only. Biased fault attacks have also been shown to weaken traditional redundancy based countermeasures, such as Concurrent Error Detection (CED) techniques, that provide security against classical fault attacks such as Differential Fault Analysis (DFA). While these countermeasures are effective under the assumption that the adversary uses a uniform fault model, they are vulnerable to attacks using biased fault models. Till date, no effective countermeasure against such biased fault attacks has been reported in literature. In this work, we propose a countermeasure strategy that combines the principles of redundancy with that of fault space transformation to achieve security against both classical and biased fault attacks. The novelty in the proposed countermeasure lies in the concept of transforming the fault space, that reduces the probability that the adversary can bypass the redundant checks by introducing the same fault in the original and redundant computations. All claims have been validated via practical experiments on a SASEBO GII board.

Expand
Fair Distributed Computation of Reactive Functions
Juan Garay, Björn Tackmann, Vassilis Zikas
ePrint Report ePrint Report
A fair distributed protocol ensures that dishonest parties have no advantage over honest parties in learning their protocol\'s output. This is a desirable property, as honest parties are more reluctant to participate in an (unfair) protocol in which cheaters learn their outputs while the honest parties waste their time and computation resources. But what makes fairness an even more intriguing topic is Cleve\'s seminal result [STOC\'86], which proves that it is impossible to achieve in the presence of dishonest majorities.

Cleve\'s result ignited a quest for more relaxed, yet meaningful definitions of fairness, with numerous works suggesting such relaxations and protocols satisfying them. A common pattern in these works, however, is that they only treat the case of non-reactive computation--i.e., distributed computation of \"one-shot\" (stateless) functions, in which parties give inputs strictly before any output is computed. Yet, many natural cryptographic tasks are of a reactive (stateful) nature, where parties provide inputs and receive outputs several times during the course of the computation. This is the case, for example, when computing multi-stage auctions or emulating a virtual stock-exchange market, or even when computing basic cryptographic tasks such as commitments and secret sharing.

In this work we introduce the first notion of fairness tailored to reactive distributed computation, which can be realized in the presence of dishonest majorities. Our definition builds on the recently suggested utility-based fairness notion (for non-reactive functions) by Garay, Katz, Tackmann and Zikas [PODC\'15], which, informally, defines the utility of an adversary who wants to break fairness and uses it as a measure of a protocol\'s success in satisfying the property. Similarly to the non-reactive notion, our definition enjoys the advantage of offering a comparative notion of fairness for reactive functions, inducing a partial order on protocols with respect to fairness.

We then turn to the question of finding protocols that restrict the adversary\'s utility. We provide, for each parameter choice of the adversary\'s utility, a protocol for fair and reactive two-party computation, and prove the optimality of this protocol for one (natural) class of parameter values and (non-tight) lower bounds for all remaining values. Our study shows that achieving fairness in the reactive setting is more complex than in the much-studied case of one-shot functions. For example, in contrast to the non-reactive case, (a) increasing the number of rounds used for reconstructing the output can lead to improved fairness, and (b) the minimal number or rounds required in the reconstruction depends on the exact values of the adversary\'s utility.

Expand
Postdoc and PhD student in Cryptography (Mix-Nets)
University of Tartu, Estonia
Job Posting Job Posting
The cryptography group at the Institute of Computer Science of University of Tartu seeks a postdoctoral researcher and a PhD student in computer science. The positions will be supporting a EU H2020 project on mix-nets (PANORAMIX) for applications like electronic voting, secure messaging, and statistics gathering. The postdoctoral researcher should have a strong track record in cryptography, and in particular in the design of efficient zero knowledge proofs and/or e-voting and mix-nets. The PhD student is expected to have a MSc degree or equivalent, and strong background in mathematics and/or theoretical computer science, with some background in cryptography.

Successful candidates will help to design and evaluate cryptographically secure mix-nets and perform other research duties to help with the project, coordinate and advise partners on implementing research prototypes (the candidate may or may not participate in implementing), and ensure the smooth administration of the project including the timely delivery of research output. (Some of these duties apply only for the postdoctoral researcher.) We expect candidates to be able to develop and devote significant time to their own research agenda around the theme of the project.

The EU H2020 project PANORAMIX requires travel to and collaboration with colleagues throughout the European Union. Full travel and equipment budget is available to support the activities of the project.

For any inquiries or to apply for the positions, submit a full research curriculum-vitae (cv), names of two references, and a research statement (obligatory for the postdoctoral researcher) to Prof Helger Lipmaa (firstname.lastname (at) ut.ee) clearly indicating the position sought.

The call for expressions of interest will remain open until a suitable candidate is appointed. However, the project starts from September 1, 2015, and will last for three years. In the case of interest, the candidat

Expand

11 August 2015

Statistical and Algebraic Properties of DES
Stian Fauskanger, Igor Semaev
ePrint Report ePrint Report
D. Davies and S. Murphy found that there are at most 660 different probability distributions on the output from any three adjacent S-boxes after 16 rounds of DES[1]. In this paper it is shown that there are at most 72 different distributions for S-boxes 4, 5 and 6. The distributions from S-box triplets are linearly dependent and the dependencies are described. E.g. there are only 13 linearly independent distributions for S-boxes 4, 5 and 6. A coset representation of DES S-boxes which reveals their hidden linearity is studied. That may be used in algebraic attacks. S-box 4 can be represented by significantly fewer cosets than the other S-boxes and therefore has more linearity. Open cryptanalytic problems are stated.

[1] D. Davies and S. Murphy, \"Pairs and Triplets of DES S-boxes\", Journal of Crypt. vol. 8(1995), pp. 1--25

Expand
Post-Doc
University of Florida, Gainesville, FL, USA
Job Posting Job Posting
The Florida Institute of Cyber Security (FICS) at the University of Florida is in search of a Post-Doctoral Research Fellow for participation in the AFOSR sponsored “MURI: Universal Security Theory for Evaluation and Design of Nano-scale Devices and for Development of Innovative Security Primitives” led by Prof. Mark Tehranipoor. The Post-Doctoral Fellow will provide expertise primarily in the area of applied cryptography, but should be open to investigating new security primitives and computing paradigms based on emerging nanoscale devices (e.g., memristor, PCM, Graphene) and integration approaches (e.g., 3D ICs). The Fellow will work closely with the PI and co-PIs, and actively advise PhD students involved with the MURI.

Ideal candidates should have experience in the following areas:

- Applied cryptography and provable security

- Formal methods applied to security protocols

- Information theory

- Embedded and hardware security primitives including PUFs, TRNGs, etc.

The position is available immediately and for a period of up to three years.

Job Requirements:

- PhD in Computer Science, Electrical and Computer Engineering, or related field

- Excellent technical English writing and oral communication skills

- Should have papers published in top tier conferences/journals (IEEE S&P, CCS, USENIX Security, etc.)

- Familiarity with VLSI design principles, CAD tools, and emerging integration approaches (2.5D ICs, 3D ICs) is encouraged, but not required

Application Procedure:

- Interested applicants should send CVs and supporting information (relevant publications, etc.) to Prof. Domenic Forte (dforte (at) ece.ufl.edu) and Prof. Mark Tehranipoor (tehranipoor (at) ece.ufl.edu)

- Only short-listed candidates will be notified for interview

- Application closes when the position is filled

Expand

10 August 2015

Secure Binary Field Multiplication
Hwajeong Seo, Chien-Ning Chen, Zhe Liu, Yasuyuki Nogami, Taehwan Park, Jongseok Choi, Howon Kim
ePrint Report ePrint Report
Binary eld multiplication is the most fundamental building block of binary eld Elliptic Curve Cryptography (ECC) and Galois/Counter Mode (GCM). Both bit-wise scanning and Look-Up Table (LUT) based methods are commonly used for binary eld multiplication. In terms of Side Channel Attack (SCA), bit-wise scanning exploits insecure branch operations which leaks information in a form of timing and power consumption. On the other hands, LUT based method is regarded as a relatively secure approach because LUT access can be conducted in a regular and atomic form. This ensures a constant time solution as well. In this paper, we conduct the SCA on the LUT based binary eld multiplication. The attack exploits the horizontal Correlation Power Analysis (CPA) on weights of LUT. We identify the operand with only a power

trace of binary eld multiplication. In order to prevent SCA, we also suggest a mask based binary eld multiplication which ensures a regular and constant time solution without LUT and branch statements.

Expand
Hybrid WBC: Secure and efficient encryption schemes using the White-Box Cryptography
Jihoon Cho, Kyu Young Choi, and Duk Jae Moon
ePrint Report ePrint Report
We analyse and define practical requirements in white-box attack environment, and then propose secure and effective cryptographic constructions combining WBC primitive and standard block cipher, providing security and reasonable performance. The proposed design also delivers great effectiveness in the commercial development of cryptographic systems, transforming the existing cryptographic libraries secure in the black-box model to those secure in the white-box model. Furthermore, the suggested architecture potentially gives a novel direction of the design of WBC primitives.

Expand
Scalar Blinding on Elliptic Curves based on Primes with Special Structure
Scott Fluhrer
ePrint Report ePrint Report
This paper shows how scalar blinding can provide protection against side channel attacks when performing elliptic curve operations with modest cost, even if the characteristic of the field has a sparse representation. This may indicate that, for hardware implementations, random primes might not have as large of an advantage over special primes as previously claimed.

Expand
Ciphertext-only attack on d*d Hill in O(d13^d)
Shahram Khazaei, Siavash Ahmadi
ePrint Report ePrint Report
Hill is a classical cipher which is generally believed to be resistant against ciphertext-only attack. In this paper, by using a divide-and-conquer technique, it is first shown that Hill with d*d key matrix over Z_26 can be broken with computational complexity of O(d26^d), for the English language. This is much less than the only publicly known attack, i.e., the brute-force with complexity of O(d^3(26)^(d^2)). Then by using the Chinese Remainder Theorem, it is shown that the computational complexity of the proposed attack can be reduced to O(d13^d). Using an information-theoretic approach, supported by extensive simulation results, it is shown that the minimum ciphertext length required for a successful attack increases by a factor of about 7 and 9.8, respectively for these two attacks in comparison with the brute-force attack. This is the only serious attack on Hill since its invention in 1929.

Expand
Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack
Kartik Nayak, Srijan Kumar, Andrew Miller, Elaine Shi
ePrint Report ePrint Report
Selfish mining is a well-known attack where a selfish miner, under certain conditions, can gain a disproportionate share of reward by deviating from the honest behavior.

In this paper, we greatly expand the mining strategy space, and consider a class of stubborn mining strategies where a miner performs better by taking long shot gambles. Consequently, we show that the selfish mining attack is not optimal for a large parameter region.

Further, we show how a miner can further amplify its gain by non-trivially composing mining attacks and network-level attacks. We show that surprisingly, in some strategies desirable for the adversary, victims of an eclipse attack can actually benefit from being eclipsed!

Expand
What Security can we Achieve in 4-Rounds?
Carmit Hazay, Muthuramakrishnan Venkitasubramaniam
ePrint Report ePrint Report
In this paper we study the question of what security is achievable for stand-alone two-party computation in four-rounds. Our starting point point is the Katz-Ostrovsky lower bound [KatzO04] which determines that the exact round complexity of achieving a secure two-party computation protocol is five. To get around this lower bound we consider two relaxations of the standard simulation-based security definition, where each relaxation implies a different security guarantee.

Specifically, we analyze our protocols in the presence of malicious non-aborting adversaries (for which we obtain full security) and malicious aborting adversaries (for which we obtain 1/p-security, which implies that the simulation fails with probability at most 1/p+negl). We further prove that our security guarantee is tight with respect to the party that obtains the input first.

Expand
A Stateless Cryptographically-Secure Physical Unclonable Function
Charles Herder, Ling Ren, Marten van Dijk, Meng-Day (Mandel) Yu, Srinivas Devadas
ePrint Report ePrint Report
We present the first stateless construction of a cryptographically-secure Physical Unclonable Function. Our construct requires no non-volatile (permanent) storage, secure or otherwise, and its computational security can be clearly reduced to the hardness of Learning Parity with Noise (LPN) in the random oracle model. The construction is ``stateless,\'\' because there is \\emph{no} information stored between subsequent queries, which mitigates attacks against the PUF via tampering. Moreover, our stateless construction corresponds to a PUF whose outputs are free of noise because of internal error-correcting capability, which enables a host of applications beyond authentication. We describe the construction, provide a proof of computational security, and present experimental evidence that this construct is viable.

Expand
Efficient Hardware Implementations of the Warbler Pseudorandom Number Generator
Gangqiang Yang, Mark D. Aagaard, Guang Gong
ePrint Report ePrint Report
Pseudorandom number generators (PRNGs) are very important for EPC Class 1 Generation 2 (EPC C1 G2) Radio Frequency Identification (RFID) systems. A PRNG is able to provide a 16-bit random number that is used in many commands of the EPC C1 G2 standard, and it can also be used in future security extensions of the EPC C1 G2 standard, such as mutual authentication protocols between the readers and tags. In this paper, we investigate efficient ASIC hardware implementations of Warbler (a lightweight PRNG), and demonstrate that Warbler can meet the area and

power consumption requirements in passive RFID systems. Warbler is built upon three nonlinear feedback shift registers (NLFSRs) and four WG-5 transformation modules. We employ two design options to implement Warbler and three different compilation methods to further optimize the area, maximum operating frequency, and power consumption. We can achieve an area of 498 GEs after the place and route phase in a CMOS 65nm ASIC, with a maximum frequency of 1430 MHz and a total power consumption of 1.239 uW at 100 KHz. Accordingly, an area of 534 GEs after the place and route phase, with a maximum frequency of 250 MHz and a total power consumption of 0.296 uW at 100 KHz can be obtained in a CMOS 130nm ASIC. Our results show that the LFSR counter based

design is better than the binary counter-based one in terms of area and power consumption. In addition, we show that the areas of WG-5 transformation look-up tables depend on the specific decimation values.

Expand
On weak and strong 2^k-bent Boolean functions
Pantelimon Stanica
ePrint Report ePrint Report
In this paper we introduce a sequence of discrete Fourier transforms and define new versions of bent functions, which we shall call (weak, strong) octa/hexa/2^k-bent functions. We investigate relationships between these classes and completely characterize the octabent and hexabent functions in terms of bent functions.

Expand
On the equivalence of obfuscation and multilinear maps
Omer Paneth, Amit Sahai
ePrint Report ePrint Report
Garg et al. [FOCS 2013] showed how to construct indistinguishability obfuscation (iO) from a restriction of cryptographic multilinear maps called Multilinear Jigsaw Puzzles. Since then, a number of other works have shown constructions and security analyses for iO from different abstractions of multilinear maps. However, the converse question --- whether some form

of multilinear maps follows from iO --- has remained largely open.

We offer an abstraction of multilinear maps called Polynomial Jigsaw Puzzles, and show that iO for circuits implies Polynomial Jigsaw Puzzles. This implication is unconditional: no additional assumptions, such as one-way functions, are needed. Furthermore, we show that this abstraction of Polynomial Jigsaw Puzzles is sufficient to construct iO for NC1, thus showing

a near-equivalence of these notions.

Expand
Standard Security Does Not Imply Indistinguishability Under Selective Opening
Dennis Hofheinz, Vanishree Rao, Daniel Wichs
ePrint Report ePrint Report
In a selective opening attack (SOA) on an encryption scheme, the adversary is given a collection of ciphertexts and selectively chooses to see some subset of them ``opened\'\', meaning that the messages and the encryption randomness are revealed to her. A scheme is SOA secure if the data contained in the unopened ciphertexts remains hidden. A fundamental question is whether every CPA secure scheme is necessarily also SOA secure. The work of Bellare et al. (EUROCRYPT \'12) gives a partial negative answer by showing that some CPA secure schemes do not satisfy a simulation-based definition of SOA security called SIM-SOA. However, until now, it remained possible that every CPA secure scheme satisfies an indistinguishability-based definition of SOA security called IND-SOA.

In this work, we resolve the above question in the negative and construct a highly contrived encryption scheme which is CPA (and even CCA) secure but is not IND-SOA secure. In fact, it is broken in a very obvious sense by a selective opening attack as follows. A random value is secret-shared via Shamir\'s scheme so that any t out of n shares reveal no information about the shared value. The n shares are individually encrypted under a common public key and the n resulting ciphertexts are given to the adversary who selectively chooses to see t of the ciphertexts opened. Counter-intuitively, this suffices for the adversary to completely recover the shared value. Our contrived scheme relies on strong assumptions: public-coin differing inputs obfuscation and a certain type of correlation intractable hash functions.

We also extend our negative result to the setting of SOA attacks with key opening (IND-SOA-K) where the adversary is given a collection of ciphertexts under different public keys and selectively chooses to see some subset of the secret keys.

Expand
Algorithmic Information Theory for Obfuscation Security
Rabih Mohsen, Alexandre Miranda Pinto
ePrint Report ePrint Report
The main problem in designing effective code obfuscation is to guarantee security. State of the art obfuscation techniques rely on an unproven concept of security, and therefore are not regarded as provably secure. In this paper, we undertake a theoretical investigation of code obfuscation security based on Kolmogorov complexity and algorithmic mutual information. We introduce a new definition of code obfuscation that requires the algorithmic mutual information between a code and its obfuscated version to be minimal, allowing for controlled amount of information to be leaked to an adversary. We argue that our definition avoids the impossibility results of Barak et al. and is more advantageous then obfuscation indistinguishability definition in the sense it is more intuitive, and is algorithmic rather than probabilistic.

Expand
Safe-Errors on SPA Protected implementations with the Atomicity Technique
Pierre-Alain Fouque, Sylvain Guilley, Cédric Murdica, David Naccache
ePrint Report ePrint Report
ECDSA is one of the most important public-key signature scheme, however it is vulnerable to lattice attack once a few bits of the nonces are leaked. To protect Elliptic Curve Cryptography (ECC) against Simple Power Analysis, many countermeasures have been proposed.

Doubling and Additions of points on the given elliptic curve require several additions and multiplications in the base field and this number is not the same for the two operations.

The idea of the atomicity protection is to use a fixed pattern, i.e. a small number of instructions and rewrite the two basic operations of ECC using this pattern. Dummy operations are introduced so that the different elliptic curve operations might be written with the same atomic pattern. In an adversary point of view, the attacker only sees a succession of patterns and is no longer able to distinguish which one corresponds to addition and doubling.

Chevallier-Mames, Ciet and Joye were the first to introduce such countermeasure.

In this paper, we are interested in studying this countermeasure and we show a new vulnerability since the ECDSA implementation succumbs now to C Safe-Error attacks. Then, we propose an effective solution to prevent against C Safe-Error attacks when using the Side-Channel Atomicity. The dummy operations are used in such a way that if a fault is introduced on one of them, it can be detected. Finally, our countermeasure method is generic, meaning that it can be adapted to all formulae. We apply our methods to different formulae presented for side-channel Atomicity.

Expand
Fast and Memory-Efficient Key Recovery in Side-Channel Attacks
Andrey Bogdanov, Ilya Kizhvatov, Kamran Manzoor, Elmar Tischhauser, Marc Witteman
ePrint Report ePrint Report
Side-channel attacks are powerful techniques to attack implementations of cryptographic algorithms by observing its physical parameters such as power consumption and electromagnetic radiation that are modulated by the secret state. Most side-channel attacks are of divide-and-conquer nature, that is, they yield a ranked list of secret key chunks, e.g. the subkey bytes in AES. The problem of the key recovery is then to find the correct combined key.

An optimal key enumeration algorithm (OKEA) was proposed by Charvillon et al. at SAC\'12. Given the ranked key chunks together with their probabilities, this algorithm outputs the full combined keys in the optimal order - from more likely to less likely ones. OKEA uses plenty of memory by its nature though, which limits its practical efficiency. Especially in the cases where the side-channel traces are noisy, the memory and running time requirements to find the right key can be prohibitively high.

To tackle this problem, we propose a score-based key enumeration algorithm (SKEA). Though it is suboptimal in terms of the output order of cadidate combined keys, SKEA\'s memory and running time requirements are more practical than those of OKEA. We verify the advantage at the example of a DPA attack on an 8-bit embedded software implementation of AES-128. We vary the number of traces available to the adversary and report a significant increase in the success rate of the key recovery due to SKEA when compared to OKEA, within practical limitations on time and memory. We also compare SKEA to the probabilistic key enumeration algorithm (PKEA) by Meier and Staffelbach and show its practical superiority in this case. We propose a high-performance solution for the entire conquer stage of side-channel attacks that includes SKEA and the subsequent full key testing, using AES-NI on Haswell Intel CPUs.

Expand

07 August 2015

InfoSec2015: The Second International Conference on Information Security and Cyber Foren
Cape Town, South Africa, November 15 - November 17
Event Calendar Event Calendar
Submission: 15 October 2015
From November 15 to November 17
Location: Cape Town, South Africa
More Information: http://sdiwc.net/conferences/infosec2015/
Expand
◄ Previous Next ►