IACR News
Here you can see all recent updates to the IACR webpage.
05 October 2016
Joshua Fried, Pierrick Gaudry, Nadia Heninger, Emmanuel Thomé
Our chosen prime $p$ looks random, and $p-1$ has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our $p$ has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in $\mathrm{GF}(p)^*$, yet detecting that $p$ has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of backdoored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild.
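To make the mechanism behind such a prime concrete, here is an added Python toy (not code from the paper, and not its parameters): it builds a prime $p = f(m)$ of special-number-field-sieve form together with a chosen prime $q$ dividing $p-1$, in the Gordon style of fixing $q$ first and then choosing $m$ so that $f(m) \equiv 1 \pmod q$. Everything is an assumption for illustration: $f(x) = x^6 + c$ with a tiny $c$, a 40-bit $q$ and a roughly 285-bit $p$ instead of the 160-bit $q$ and 1024-bit $p$ of the abstract, and $q \equiv 11 \pmod{12}$ so that sixth roots modulo $q$ are plain exponentiations. The generated $p$ passes everything a DSA parameter validator can check (primality of $p$ and $q$, $q \mid p-1$). The last function is the important caveat: with a polynomial this simple, $m$ is just the integer sixth root of $p$, so this toy does not hide anything; the paper's construction randomizes all coefficients of a degree-6 polynomial precisely so that no such shortcut exists.

```python
import random

def is_probable_prime(n, rng=random, rounds=32):
    """Miller-Rabin probable-prime test (demo quality, not constant-time)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng, cond=lambda n: True):
    """Random prime of exactly `bits` bits satisfying `cond`."""
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cond(n) and is_probable_prime(n, rng):
            return n

def sixth_root_mod(a, q):
    """x with x**6 == a (mod q), or None if a is a non-residue. Assumes q % 12 == 11:
    q = 3 (mod 4) gives square roots and gcd(3, q-1) = 1 gives cube roots by exponentiation."""
    a %= q
    if a == 0:
        return 0
    if pow(a, (q - 1) // 2, q) != 1:
        return None
    s = pow(a, (q + 1) // 4, q)              # s*s == a (mod q)
    return pow(s, pow(3, -1, q - 1), q)      # cube root of s

def trapdoored_prime(q_bits=40, m_bits=48, c_max=1000, seed=None):
    """Return (p, q, m, c): p = m**6 + c is prime, q is a q_bits-bit prime, and q | p - 1.
    Toy sizes (assumption); the abstract's p is 1024 bits with a 160-bit q."""
    rng = random.Random(seed)
    q = random_prime(q_bits, rng, lambda n: n % 12 == 11)
    while True:
        c = rng.randrange(2, c_max)
        r = sixth_root_mod(1 - c, q)         # f(r) = r**6 + c == 1 (mod q)
        if r is None:
            continue
        for _ in range(5000):
            k = rng.randrange(1 << (m_bits - q_bits - 1), 1 << (m_bits - q_bits))
            m = r + k * q                    # m == r (mod q), hence f(m) == 1 (mod q)
            p = m ** 6 + c
            if p % 2 == 1 and is_probable_prime(p, rng):
                return p, q, m, c

def passes_dsa_checks(p, q):
    """All a DSA parameter validator can do: p and q prime, q divides p - 1."""
    return is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0

def iroot(n, k):
    """Integer floor(n ** (1/k)) by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def naive_detect(p, c_max=1000):
    """Why this toy f is NOT hidden: with f = x**6 + c, m is the integer sixth root of p."""
    m = iroot(p, 6)
    c = p - m ** 6
    return (m, c) if 0 <= c < c_max else None

if __name__ == "__main__":
    p, q, m, c = trapdoored_prime(seed=2016)
    print(f"p has {p.bit_length()} bits; passes DSA checks: {passes_dsa_checks(p, q)}")
    print(f"trapdoor: p = m^6 + {c}, m = {m}; recovered naively: {naive_detect(p) == (m, c)}")
```

The divisibility trick is the whole of `trapdoored_prime`: because $m \equiv r \pmod q$ and $f(r) \equiv 1 \pmod q$, every candidate $p = f(m)$ automatically satisfies $q \mid p-1$, so the search only has to find a prime among them. What the abstract calls the hard part, making $f$ undetectable from $p$ alone, is exactly what `naive_detect` shows this toy fails to do.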
Gorjan Alagic, Alexander Russell
We establish security by treating the (quantum) hardness of the well-studied Hidden Shift problem as a basic cryptographic assumption. We observe that this problem has a number of attractive features in this cryptographic context, including random self-reducibility, hardness amplification, and--in many cases of interest--a reduction from the "search version" to the "decisional version." We then establish, under this assumption, the security of several such hidden-shift adaptations of symmetric-key constructions against quantum CPA attack. We show that a Hidden Shift version of the Even-Mansour block cipher yields a quantum-secure pseudorandom function, and that a Hidden Shift version of the Encrypted CBC-MAC yields a collision-resistant hash function. Finally, we observe that such adaptations frustrate the direct Simon's algorithm-based attacks in more general circumstances, e.g., Feistel networks and slide attacks.
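As an added illustration (not code from the paper), the following Python toy shows the structural difference the abstract relies on. It assumes the group is $\mathbb{Z}_{2^n}$ with modular addition, one natural instantiation of a "Hidden Shift" Even-Mansour (the paper's exact parameterization is not on this page), and uses a shuffled 8-bit table as the public permutation $P$. In classic Even-Mansour, $E(x) = P(x \oplus k_1) \oplus k_2$, the function $f(x) = E(x) \oplus P(x)$ satisfies $f(x \oplus k_1) = f(x)$, which is exactly the promise Simon's algorithm needs to recover $k_1$ with $O(n)$ quantum queries. Replacing XOR by addition removes that XOR-periodicity, and what the attacker is left with is a hidden-shift instance between $P$ and $E - k_2$; the code checks all three facts by brute force on the toy size.

```python
import random

def random_permutation(n_bits, rng):
    """Constructed stand-in for the public random permutation P, as a lookup table."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table

def em_xor(P, k1, k2):
    """Classic Even-Mansour: E(x) = P(x XOR k1) XOR k2."""
    return lambda x: P[x ^ k1] ^ k2

def em_add(P, k1, k2, N):
    """Hidden-shift variant (assumption: group Z_N under addition): E(x) = P(x + k1) + k2 mod N."""
    return lambda x: (P[(x + k1) % N] + k2) % N

def xor_periods(f, n_bits):
    """All nonzero s with f(x XOR s) == f(x) for every x: the promise Simon's algorithm exploits."""
    N = 1 << n_bits
    return {s for s in range(1, N) if all(f(x ^ s) == f(x) for x in range(N))}

def find_shift(g, h, N):
    """Classical brute force for the hidden shift s with h(x) == g(x + s mod N) for all x."""
    for s in range(N):
        if all(h(x) == g((x + s) % N) for x in range(N)):
            return s
    return None

def demo(n_bits=8, seed=1):
    """Compare the two constructions on one random P and one random key pair."""
    rng = random.Random(seed)
    N = 1 << n_bits
    P = random_permutation(n_bits, rng)
    k1, k2 = rng.randrange(1, N), rng.randrange(N)
    E_xor = em_xor(P, k1, k2)
    E_add = em_add(P, k1, k2, N)
    # Simon's attack on classic EM uses f(x) = E(x) XOR P(x) = P(x XOR k1) XOR P(x) XOR k2,
    # which is invariant under x -> x XOR k1.
    f_xor = lambda x: E_xor(x) ^ P[x]
    # The same combination for the additive variant has no XOR period (with overwhelming
    # probability over P), so the Simon promise is gone...
    f_add = lambda x: E_add(x) ^ P[x]
    # ...and recovering k1 becomes a hidden-shift problem: E(x) - k2 == P(x + k1).
    shift = find_shift(lambda x: P[x], lambda x: (E_add(x) - k2) % N, N)
    return {
        "k1": k1,
        "xor_periods_classic": xor_periods(f_xor, n_bits),
        "xor_periods_additive": xor_periods(f_add, n_bits),
        "hidden_shift": shift,
    }

if __name__ == "__main__":
    r = demo()
    print("k1 =", r["k1"])
    print("XOR periods, classic EM:  ", r["xor_periods_classic"])
    print("XOR periods, additive EM: ", r["xor_periods_additive"])
    print("hidden shift recovered by brute force:", r["hidden_shift"])
```

`find_shift` is exponential on purpose: it is the classical cost the abstract's assumption says a quantum attacker cannot beat generically, whereas `xor_periods` is only checking the promise that Simon's algorithm would turn into a linear-query attack on the classic construction.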
CEA, Grenoble, France
This Post-Doc position is located in Grenoble, France, at the CEA-LETI institute. Its context is the realization of a lightweight Security Audit Module capable of making low-cost, pervasive IoT nodes tolerant to attacks.
The goal of this project is to propose machine learning methods to identify and react to security attacks in IoT nodes. The first part of the work consists of modelling normal and attack behavior starting with a set of hardware and software probes. These models will be used to design low-cost attack classifiers, suitable for typical IoT nodes consisting of a processor, a radio interface, and a set of sensors/actuators.
We are looking for applicants with expertise in machine learning and data analysis, with a focus on clustering and classification. Prior knowledge of security, e.g., physical attacks and countermeasures, is preferred but not essential. The candidate should be at ease with classical software programming environments, e.g., Python, C/C++, and simulation tools, e.g., Matlab, Scilab, and should understand conventional computer architecture concepts, e.g., processor, bus, memory, registers.
The main tasks of the Postdoctoral researcher are as follows:
- Define the attack scenarios and security reactions, given the specifications of an IoT node.
- Define software and hardware probes that can be used to determine attack cases.
- Construction of normal/attack behavior models.
- Investigation of low-cost classifiers for on-line attack detection, and their cost evaluation in terms of performance, algorithm complexity and overhead.
- Propose the specification of the Security Audit Module.
The final outcome of the work is a lightweight Security Audit Module capable of making low-cost, pervasive embedded devices tolerant to attacks. The candidate will work with a pool of experts coming from different research teams of the Leti, namely the embedded systems design team and the security teams.
Closing date for applications: 20 December 2016
Contact: Anca Molnos, anca.molnos (at) cea.fr
Damien Couroussé, damien.courousse (at) cea.fr
More information: http://www.cea.fr/technologies
University of Birmingham
The Security and Privacy group currently consists of eleven academic staff researching all aspects of computing security and privacy. Particular expertise within the group includes designing secure systems, formal analysis of systems, applied cryptography, security testing, and developing attack methods and defenses. The research ethos of the group is to tackle problems that are important to society, government and industry. We are recognised as an EPSRC/GCHQ Academic Centre of Excellence in Cybersecurity Research. Current areas of expertise within the group include: applied cryptography, formal verification, automotive security, cloud security, embedded devices and internet of things security (including industrial control systems), wireless security, electronic voting, security and privacy for society, and cyber security education.
Closing date for applications: 3 November 2016
More information: http://sec.cs.bham.ac.uk/index.html#lecturer
04 October 2016
Shashank Agrawal, Venkata Koppula, Brent Waters
We begin by giving a formal definition of simulation security that explicitly incorporates the random oracles. Next, we show a particular functionality for which it is impossible to achieve simulation security. Here messages are interpreted as seeds to a (weak) pseudorandom function family $F$ and private keys are ascribed to points in the domain of the function. On a message $s$ and private key $x$ one can learn $F(s,x)$. We show that there exists an attacker that makes a polynomial number of private key queries followed by a single ciphertext query for which there exists no simulator.
Our functionality and attacker access pattern closely match the standard model impossibility result of Agrawal, Gorbunov, Vaikuntanathan and Wee (CRYPTO 2013). The crux of their argument is that no simulator can succinctly program in the outputs of an unbounded number of evaluations of a pseudorandom function family into a fixed size ciphertext. However, their argument does not apply in the random oracle setting since the oracle acts as an additional conduit of information which the simulator can program. We overcome this barrier by proposing an attacker who decrypts the challenge ciphertext with the secret keys issued earlier without using the random oracle, even though the decryption algorithm may require it. This involves collecting most of the useful random oracle queries in advance, without giving the simulator too many opportunities to program. We note that our negative result contradicts a theorem of De Caro et al. (CRYPTO 2013) which claims that random oracles can transform any indistinguishability secure functional encryption system into one that is simulation secure.
On the flip side, we demonstrate the utility of the random oracle in simulation security. Given only public key encryption and low-depth PRGs we show how to build an FE system that is simulation secure for any poly-time attacker that makes an unbounded number of message queries, but an a-priori bounded number of key queries. This bests what is possible in the standard model where it is only feasible to achieve security for an attacker that is bounded both in the number of key and message queries it makes. We achieve this by creating a system that leverages the random oracle to get one-key security and then adapt previously known techniques to boost the system to resist up to $q$ queries.
Finally, we ask whether it is possible to achieve simulation security for an unbounded number of messages and keys, but where all key queries are made after the message queries. We show this too is impossible to achieve using a different twist on our first impossibility result.
Michał Zieliński
Thomas Espitau, Pierre-Alain Fouque, Alexandre Gelin, Paul Kirchner
Jacques Patarin
Massimo Bartoletti, Roberto Zunino
WeiGuo Zhang, Enes Pasalic
Linfeng Zhou
Christoph Dobraunig, Maria Eichlseder, Stefan Mangard, Florian Mendel, Thomas Unterluggauer
In this work, we therefore adapt the re-keying approach to present the first symmetric authenticated encryption scheme that is inherently secure against DPA attacks and that does not have such a usage restriction. This means that our scheme fully complies with the requirements given in the CAESAR call and hence, can be used like other standard authenticated encryption schemes without loss of side-channel protection. Its resistance against side-channel analysis is highly relevant for several applications in practice, like bulk storage settings in general and the protection of FPGA bitfiles and firmware images in particular.
Geoffroy Couteau
01 October 2016
Busan, South Korea, 13 February - 15 February 2017
Submission deadline: 19 October 2016
Notification: 15 November 2016