IACR News
20 June 2017
Thomas Espitau, Pierre-Alain Fouque, Benoit Gerard, Mehdi Tibouchi
We first identify a serious source of leakage in the rejection sampling algorithm used during signature generation. Existing implementations of that rejection sampling step, which is essential for security, actually leak the "relative norm" of the secret key. We show how an extension of an algorithm due to Howgrave-Graham and Szydlo can be used to recover the key from that relative norm, at least when the absolute norm is easy to factor (which happens for a significant fraction of secret keys). We describe how this leakage can be exploited in practice both on an embedded device (an 8-bit AVR microcontroller) using electromagnetic analysis (EMA), and on a desktop computer (a recent Intel CPU running Linux) using branch tracing. The latter attack has been mounted against the open source VPN software strongSwan.
We also show that other parts of the BLISS signing algorithm can leak secrets not just for a subset of secret keys, but for 100% of them. The BLISS Gaussian sampling algorithm in strongSwan is intrinsically variable time. This would be hard to exploit using a noisy source of leakage like EMA, but branch tracing allows recovery of the entire randomness and hence the key: we show that a single execution of the strongSwan signature algorithm is actually sufficient for full key recovery. We also describe a more traditional side-channel attack on the sparse polynomial multiplications carried out in BLISS: classically, multiplications can be attacked using DPA; however, our target 8-bit AVR implementation uses repeated shifted additions instead. Surprisingly, we manage to obtain a full key recovery in that setting using integer linear programming from a single EMA trace.
Angela Jäschke, Frederik Armknecht
In this work, we formally and experimentally investigate this question for applications that operate over integers and rational numbers based on a selection of natural metrics: the number of finite field additions, the number of finite field multiplications, and the multiplicative depth. Our results are partly constructive and partly negative: we show that for the first two metrics an optimal choice does exist, and we state it explicitly. However, we show likewise that regarding multiplicative depth, the parameters need to be chosen specifically for the use case, as there is no global optimum. Still, we show exactly how one can choose the best encoding depending on the use case.
Gilles Dequen, Sorina Ionica, Monika Trimoska
Riddhi Ghosal
Mridul Nandi
Hubert Ritzdorf, Karl Wüst, Arthur Gervais, Guillaume Felley, Srdjan Capkun
This motivates the need for a seamless and standardized internet-wide non-repudiation mechanism, allowing users to share data from news sources, social websites or financial data feeds in a provably secure manner.
Additionally, blockchain oracles that enable data-rich smart contracts typically rely on a trusted third party (e.g., TLSNotary or Intel SGX). A decentralized method to transfer web-based content into a permissionless blockchain without an additional trusted third party would allow smart contract applications to flourish.
In this work, we present TLS-N, the first TLS extension that provides secure non-repudiation and solves both of the mentioned challenges. TLS-N generates non-interactive proofs about the content of a TLS session that can be efficiently verified by third parties and blockchain-based smart contracts. As such, TLS-N increases the accountability for content provided on the web and enables a practical and decentralized blockchain oracle for web content. TLS-N is compatible with TLS 1.3 and adds a minor overhead to a typical TLS session. When a proof is generated, parts of the TLS session (e.g., passwords, cookies) can be hidden for privacy reasons, while the remaining content can be verified.
Practical demonstrations can be found at https://tls-n.org/.
Steffen Schulz, André Schaller, Florian Kohnhäuser, Stefan Katzenbeisser
Zhengbin Liu, Yongqiang Li, Mingsheng Wang
Ehsan Ebrahimi , Dominique Unruh
Hamidreza Yazdanpanah, Mohammadreza Hasani Ahangar, Mahdi Azizi, Arash Ghafouri
16 June 2017
Jaipur, India, 13 October - 15 October 2017
Submission deadline: 15 July 2017
Notification: 30 August 2017
Virginia Tech
We are looking for a candidate with the following qualifications.
- Solid background in cryptographic engineering, covering protocols and algorithms.
- Experience with development of embedded software and/or hardware, including toolchain and design methodology.
- Effective communicator and team leader for a group of PhD students.
- Experience with energy harvesting technologies, intermittently powered computers and design across the hardware/software interface is a plus.
The Hardware Security group at Virginia Tech covers design, optimization and tamper-resistant implementation of cryptographic protocols and related applications. Recent projects include a fault-resistant microprocessor ASIC, side-channel resistant software synthesis, and novel primitives for hardware security.
To apply send your CV to the contact below. Include your publication list, a statement of research interest and objectives, and contact information for two references. Applications will be reviewed on an ongoing basis until the position is filled.
Closing date for applications: 30 September 2017
Contact: Prof. Patrick Schaumont (schaum (at) vt.edu)
More information: http://rijndael.ece.vt.edu/schaum
University of Bergen
Closing date for applications: 1 July 2017
Contact: Håvard Raddum, Section Leader, Simula@UiB, email: haavardr (at) simula.no
or
Tor Helleseth, Professor, Dept. of Informatics, email: Tor.Helleseth (at) ii.uib.no
More information: https://www.jobbnorge.no/en/available-jobs/job/139151/phd-position-in-computer-security-4-positions
Cryptography, Security, and Privacy Research Group, Koç University, İstanbul, Turkey
- For more information about joining our group and scholarship opportunities, visit
https://crypto.ku.edu.tr/join
- For applying online, and questions about the application-process for M.Sc. and Ph.D. positions, visit
https://gsse.ku.edu.tr/en/admissions/application-requirements/
All applications must be completed online with all the required documents. Deadline is end of June.
- For postdoctoral researcher positions, contact Asst. Prof. Alptekin Küpçü directly, including full CV, sample publications, a research proposal, and 2-3 reference letters sent directly by the referees. Application and starting dates are flexible.
http://home.ku.edu.tr/~akupcu
Closing date for applications: 31 August 2017
Contact: gsse (at) ku.edu.tr
More information: https://crypto.ku.edu.tr/
14 June 2017
Bernardo David, Peter Gaži, Aggelos Kiayias, Alexander Russell
Phuong Ha Nguyen, Durga Prasad Sahoo, Chenglu Jin, Kaleel Mahmood, Marten van Dijk
Christophe Petit
In this paper, we provide new algorithms that exploit the additional information provided in isogeny protocols to speed up the resolution of the underlying problems. Our techniques lead to a heuristic polynomial-time key recovery on a non-standard variant of De Feo-Jao-Plût's protocols in a plausible attack model. This shows that at least some isogeny problems are easier to solve when additional information is leaked.
Anders P. K. Dalskov, Claudio Orlandi
After providing a formal description of the key design choices in the reviewed application (e.g., how users' accounts are registered, how new devices are registered, how and which cryptographic keys are used, how file encryption is handled, etc.), we present a number of vulnerabilities that can be exploited by a malicious storage server to break, to different degrees, the confidentiality of the users' password and therefore the users' data.
Our findings have been communicated to SpiderOak in April 2017. The vendor promptly replied to our concerns by releasing an updated version of the application (v. 6.3.0, June 2017) which resolves most of the issues described in this paper.
Yihua Zhang, Marina Blanton, Fattaneh Bayatbabolghani
Ran Canetti, Justin Holmgren, Silas Richelson
We consider single-server PIR schemes where, following a preprocessing stage in which the server obtains an encoded version of the database and the client obtains a short key, the per-query work of both server and client is polylogarithmic in the database size. We call such schemes doubly efficient. Concentrating on the case where the client's key is secret, we show:
- A scheme, based on one-way functions, that works for a bounded number of queries, and where the server storage is linear in the number of queries plus the database size.
- A scheme for an unbounded number of queries, whose security follows from a new hardness assumption that is related to the hardness of solving a system of noisy linear equations.
We also show the insufficiency of a natural approach for obtaining doubly efficient PIR in the setting where the preprocessing is public.