IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
12 October 2015
Koh-ichi Nagao
ePrint ReportIn this algorithm, ECDLP of an elliptic curve $E$ defined over $\\bF_q$ ($q$ is prime or power of primes) reduces to solving quadratic equations system of $d-1$ variables and $d+C_0-1$ equations where $C_0$ is small natural number and $d \\sim C_0 \\, \\log_2 q$.
This equations system is too large and it can not be solved by computer.
However, we can show theoritically the cost for solving this equations system by xL algorithm is subexponential under the reasonable assumption of xL algorithm.
James Alderman, Christian Janson, Keith M. Martin, Sarah Louise Renwick
ePrint ReportHowever, many current schemes lack two important properties: verifiability of search results, and expressive queries. We introduce Extended Verifiable Searchable Encryption (eVSE) that permits a user to verify that search results are correct and complete. We also permit verifiable computational queries over keywords and specific data values, that go beyond the standard keyword matching queries to allow functions such as averaging or counting operations.
We formally define the notion of eVSE within relevant security models and give a provably secure instantiation.
Alex Biryukov, Léo Perrin
ePrint Report
Michał Wroński
ePrint Report
Hugo Krawczyk, Hoeteck Wee
ePrint Report
Raluca Ada Popa, Nickolai Zeldovich, Hari Balakrishnan
ePrint ReportSecond, we explain that the recent study of Naveed, Kamara, and Wright [NKW15] represents an unsafe usage of CryptDB, in which the authors violate CryptDB\'s security guidelines. Hence, the conclusions drawn in that paper regarding CryptDB are both unfounded and incorrect: had the guidelines been followed, none of the claimed attacks would have been possible.
Behzad Abdolmaleki, Hamidreza Bakhshi, Karim Baghery, Mohammad Reza Aref
ePrint Report
Ayantika Chatterjee, Indranil Sengupta
ePrint Report
10 October 2015
Ehsan Aerabi, A. Elhadi Amirouche, Houda Ferradi, R\\\'emi G\\\'eraud David Naccache, Jean Vuillemin
ePrint Report
09 October 2015
Dustin Moody, Ray Perlner
ePrint Report``generalized error sets.\" The general approach was referred to as \\emph{McEliece in the World of Escher.} This paper demonstrates
attacks which are significantly cheaper than the claimed security level of the parameters given by Gligoroski et al. We implemented an attack on the proposed 80-bit parameters which was able
to recover private keys for both encryption and signatures in approximately 2 hours on a single laptop. We further find that increasing the parameters to avoid our attack will require parameters to grow by almost an order of magnitude for signatures, and (at least) two orders of magnitude for encryption.
Marc Stevens, Pierre Karpman, Thomas Peyrin
ePrint Reportcollision for its internal compression function. This is the first practical
break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days
of computation on a 64 GPU cluster were necessary to perform the attack.
This work builds on a continuous series of cryptanalytic advancements on SHA-1
since the theoretical collision attack breakthrough in 2005.
In particular, we extend the recent freestart collision work on reduced-round
SHA-1 from CRYPTO 2015 that leverages the computational power of graphic cards
and adapt it to allow the use of boomerang speed-up techniques.
We also leverage the cryptanalytic techniques by Stevens from EUROCRYPT 2013
to obtain optimal attack conditions,
which required further refinements for this work.
Freestart collisions, like the one presented here, do not directly imply a
collision for SHA-1.
However, this work is an important milestone towards an actual SHA-1 collision
and it further shows how graphics cards can be used very efficiently for these
kind of attacks.
Based on the state-of-the-art collision attack on SHA-1 by Stevens from
EUROCRYPT 2013, we are able to present new projections on the
computational/financial cost required by a SHA-1 collision computation.
These projections are significantly lower than previously anticipated by the
industry, due to the use of the more cost efficient graphics cards compared to
regular CPUs.
We therefore recommend the industry, in particular Internet browser vendors
and Certification Authorities, to retract SHA-1 soon.
We hope the industry has learned from the events surrounding the cryptanalytic
breaks of MD5 and will retract SHA-1 before example signature forgeries appear
in the near future.
With our new cost projections in mind, we strongly and urgently recommend
against a recent proposal to extend the issuance of SHA-1 certificates with a
year in the CAB/forum (vote closes October 9 2015).
Gaëtan Leurent
ePrint ReportBiham and Carmeli to improve the linear cryptanalysis of addition
operations, and we propose an analogue improvement of differential
cryptanalysis of addition operations. These two technique can reduce
the data complexity of linear and differential attacks, at the cost of
more processing time. Our technique can be seen of the analogue for ARX
ciphers of partial key guess and partial decryption for SPN ciphers.
We show a first application of the generalized linear partitioning
technique on FEAL-8X, revisiting the attack of Biham and Carmeli. We
manage to reduce the data complexity from 2^14 to 2^12 known plaintexts,
while the time complexity increases from 2^45 to 2^47.
Then, we use these technique to analyze Chaskey, a recent MAC proposal
by Mouha et al, that is being studied for standardisation by ISO and
ITU-T. Chaskey uses an ARX structure very similar to SipHash. We use a
differential-linear attack with improvements from the partitioning
technique, combined with a convolution-based method to reduce the time
complexity. This leads to an attack on 6 rounds with 2^25 data and
2^28.6 time (verified experimentally), and an attack on 7 rounds with
2^48 data and 2^67 time. These results show that the full version of
Chaskey with 8 rounds has a rather small security margin.
Claude Crepéau, Raza Ali Kazmi
ePrint Report
Gu Chunsheng
ePrint Report
Hao Chen, Kristin Lauter, and Katherine E. Stange
ePrint ReportThe time complexity of our attack is $O(q^{2f})$, where $f$ is the {\\it residue degree} of $q$ in $K$.
We also show an attack on the RLWE problem in general cyclotomic rings (non $2$-power cyclotomic rings) which works when the modulus is a ramified prime.
We demonstrate the attacks in practice by finding many vulnerable instances and successfully attacking them. We include the code for all attacks.
David Pointcheval, Olivier Sanders, Jacques Traoré
ePrint ReportIn this paper, we propose the first divisible e-cash system without such a tree structure, and so without its inherent downsides. Our construction is the first one to achieve constant-time spendings while offering a quite easy management of the coins. It compares favorably with the state-of-the-art, while being provably secure in the standard model.
Ashwin Jha, Mridul Nandi
ePrint ReportHoch and Shamir have shown that the concatenated hash offers only $\\frac{n}{2}$-bits security when both the underlying compression functions are strong invertible. We show that the bound is tight even when only one of the underlying compression functions is strong invertible.
08 October 2015
Danping Shi, Lei Hu, Siwei Sun, Ling Song
ePrint Report
Miran Kim, Kristin Lauter
ePrint ReportIn this paper, we present evaluation algorithms for secure computation of the minor allele frequencies and chi-squared statistic in a genome-wide association studies setting. We also describe how to privately compute the Hamming distance and approximate Edit distance between encrypted DNA sequences. Finally, we compare performance details of using two practical homomorphic encryption schemes - the BGV scheme by Gentry, Halevi and Smart and the YASHE scheme by Bos, Lauter, Loftus and Naehrig. Such an approach with the YASHE scheme analyzes data from 400 people within about 2 seconds and picks a variant associated with disease from 311 spots. For another task, using the BGV scheme, it took about 65 seconds to securely compute the approximate Edit distance for DNA sequences of size 5K and figure out the differences between them.
CryptoExperts, Paris, France
Job PostingThe candidate may be of any nationality but may have resided in France for at most 1 year in the 3 years preceeding the application. They can have at most 2 years of research experience at the doctoral level. The PhD student is expected to have a MSc degree or equivalent.
This PhD position will be fully funded by the ECRYPT-NET project (www.ecrypt.eu.org/net/). ECRYPT-NET is a European research network that intends to develop advanced cryptographic techniques and implementations for the Internet of Things and the Cloud. The network is currently recruiting a group of 15 PhD students who will be trained in an international context, that involves Summer Schools and internships. The project offers opportunities to travel and interact with PhD students and scientists all over Europe.
The PhD thesis will focus on white-box cryptography and may include works ranging from theoretic solutions (e.g. indistinguishability obfuscation) to practical cryptanalytic attacks on software claimed to be white-box secure, as well as designing reliable software solutions of industrial strength in mobile environments.