IACR News
Here you can see all recent updates to the IACR webpage. These updates are also available:
15 September 2015
Guy Barwell, Dan Page, Martijn Stam
ePrint ReportWe reconcile these three works by providing a reference model of security for authenticated encryption in the face of decryption leakage from invalid queries. Having tracked the development of AE security games, we provide a single expressive framework allowing us to compare and contrast the previous notions. We find that at their core, the notions are essentially equivalent, with their key differences stemming from definitional choices independent of the desire to capture real world behaviour.
Xiaoyang Dong, Leibo Li, Keting Jia, Xiaoyun Wang
ePrint Report
Prosanta Gope
ePrint Report
14 September 2015
Kazuhiko Minematsu, Tetsu Iwata
ePrint ReportIn this paper we study the problem of extending tweak of a given TBC of fixed-length tweak,
which is a variant of popular problem of converting a blockcipher into a TBC, i.e., blockcipher mode of operation.
The problem is particularly important for known dedicated TBCs since they have relatively short tweak.
We propose a simple and efficient solution, called XTX, for this problem.
XTX converts a TBC of fixed-length tweak into another TBC of arbitrarily long tweak, by extending the scheme of Liskov, Rivest and Wagner that converts a blockcipher into a TBC.
Given a TBC of $n$-bit block and $m$-bit tweak, XTX provides $(n+m)/2$-bit security while conventional methods provide $n/2$ or $m/2$-bit security.
We also show that XTX is even useful when combined with some blockcipher modes for building TBC having security beyond the birthday bound.
Ana Maria Costache, Nigel P. Smart
ePrint Report
13 September 2015
Shahin Tajik, Enrico Dietz, Sven Frohmann, Helmar Dittrich, Dmitry Nedospasov, Clemens Helfmei
ePrint Report
Seyed Slman Sajjadi GhaemMaghami, Afrooz Haghbin, Mahtab Mimohseni
ePrint Report
J. Liu, S. Mesnager, and L. Chen
ePrint ReportWe present a study on the diffusion property of iterated vectorial Boolean functions. The measure that will be of main interest here is the notion of the degree of completeness, which has been suggested by the NESSIE project.
We provide the first (to the best
of our knowledge) two constructions of $(n,n)$-functions having perfect diffusion property and optimal algebraic degree.
We also obtain the complete enumeration results for the constructed functions.
Yuanxi Dai, John Steinberger
ePrint Reportnetwork is indifferentiable from a random
permutation. In a previous seminal result,
Holenstein et al. had established
indifferentiability of Feistel at 14 rounds.
Our simulator achieves security $O(q^8/2^n)$
and query complexity $O(q^4)$, where $n$ is
half the block length, similarly to
the 14-round simulator of Holenstein et al.,
so that our result is a strict (and also the first)
improvement of that work.
Our simulator is very similar to a 10-round
simulator of Seurin that was subsequently
found to be flawed. Indeed, the main change
of our simulator is to switch to \"FIFO\" path
completion from \"LIFO\" path completion.
This relatively minor change results in an
overall significant paradigm shift, including a
conceptually simpler proof.
Ne\\c{s}e Ko\\c{c}ak, Sihem Mesnager, Ferruh \\\"{O}zbudak
ePrint ReportIn the first part of the paper, we construct mainly bent and semi-bent functions in the Maiorana-McFarland class using Boolean functions having linear structures (linear translators) systematically. Although most of these results are rather direct applications of some recent results, using linear structures (linear translators) allows us to have certain flexibilities to control extra properties of these plateaued functions. In the second part of the paper, using the results of the first part and exploiting these flexibilities, we modify many secondary constructions. Therefore, we obtain new secondary constructions of bent and semi-bent functions not belonging to the Maiorana-McFarland class. Instead of using bent (semi-bent) functions as ingredients, our secondary constructions use only Boolean (vectorial Boolean) functions with linear structures (linear translators) which are very easy to choose. Moreover, all of them are very explicit and we also determine the duals of the bent functions in our constructions. We show how these linear structures should be chosen in order to satisfy the corresponding conditions coming from using derivatives and quadratic/cubic functions in our secondary constructions.
Dana Dachman-Soled, Jonathan Katz, Aishwarya Thiruvengadam
ePrint Reportfrom a random oracle.
Coron et al.~(Journal of Cryptology, 2014) proved that a 14-round Feistel network using random,
independent,
keyed round functions
is indifferentiable from an ideal cipher, thus demonstrating the feasibility
of such a construction.
Left unresolved is the best possible efficiency of the transformation.
We improve upon the result of Coron et al.\\ and show that
10 rounds suffice.
Christophe Clavier, Julien Francq, Antoine Wurcker
ePrint ReportWe provide a generalization of their approach that allows to derive parity equations for every AES sizes not given by the authors. We analyze why Chen et al. countermeasure does not properly works. Doing so we are able to extend the coverage of the fault detection to the full expanded key. Finally we suggest optimizations that reduce memory and computation costs, and propose an adaptation to a more general fault model.
Edward Eaton, Fang Song
ePrint ReportThis work investigates a generic transformation that compiles any existential-unforgeable scheme into a strongly unforgeable one, which was proposed by Teranishi et al. and was proven in the classical random-oracle model. Our main contribution is showing that the transformation also works against quantum adversaries in the quantum random-oracle model. We develop proof techniques such as adaptively programming a quantum random-oracle in a new setting, which could be of independent interest. Applying the transformation to an existential-unforgeable signature scheme due to Cash et al., which can be shown to be quantum-secure assuming certain lattice problems are hard for quantum computers, we get an efficient quantum-secure strongly unforgeable signature scheme in the quantum random-oracle model.
Martin Ekerå
ePrint ReportWe show that it is not possible to compute any information on the generator g regardless of the number of public keys observed.
In the case of elliptic curves E(GF(p)) or E(GF(2^n)) on short Weierstrass form, or E(K) on Edwards form, twisted Edwards form or Montgomery form, where K is a non-binary field, we show how to compute the domain parameters excluding the generator from four keys on affine form.
Hence, if the domain parameters excluding the generator are to be kept private, points may not be transmitted on affine form. It is an open question whether point compression is a sufficient requirement.
Regardless of whether points are transmitted on affine or compressed form, it is in general possible to create a distinguisher for the domain parameters, excluding the generator, both in the case of the elliptic curve groups previously mentioned, and in the case of multiplicative subgroups of GF(p).
We propose that a good method for preventing all of the above attacks may be to use blinding schemes, and suggest new applications for existing blinding schemes originally designed for steganographic applications.
Mohammad Etemad, Alptekin Küpçü
ePrint ReportSince the beginning, the difference between PDP and PoR models were greatly debated. Most notably, it was thought that dynamic PoR (DPoR) is harder than dynamic PDP (DPDP). Historically this was true: The first DPDP scheme was shown by Erway et al. in 2009, whereas the first DPoR scheme was created by Cash et al. in 2013. We show how to obtain DPoR from DPDP and PDP, together with erasure codes, making us realize that even though we did not know it, in 2009 we already could have had a DPoR solution.
We propose a general framework for constructing DPoR schemes. Our framework encapsulates all known DPoR schemes as its special cases. We further show practical and interesting optimizations that enable even better performance than Chandran et al. and Shi et al. constructions. For the first time, we show how to obtain audit bandwidth for DPoR that is independent of the data size, and how the client can greatly speed up updates with O(λ√n) local storage (where n is the number of blocks, and λ is the security parameter), which corresponds to less than 3 MB for 10 GB outsourced data, and can easily be obtained in today\'s smart phones, let alone computers.
Peter Gazi, Krzysztof Pietrzak, Stefano Tessaro
ePrint Reportderiving a MAC (and more generally, a PRF) from a cryptographic hash
function. Despite nearly two decades of research, their exact
security still remains far from understood in many different
contexts. Indeed, recent works have re-surfaced interest for {\\em
generic} attacks, i.e., attacks that treat the compression
function of the underlying hash function as a black box.
Generic security can be proved in a model where the underlying
compression function is modeled as a random function -- yet, to
date, the question of proving tight, non-trivial bounds on the
generic security of HMAC/NMAC even as a PRF remains a challenging
open question.
In this paper, we ask the question of whether a small modification
to HMAC and NMAC can allow us to exactly characterize
the security of the resulting constructions, while only
incurring little penalty with respect to efficiency. To this end,
we present simple variants of NMAC and HMAC, for which we prove
tight bounds on the generic PRF security, expressed in terms of
numbers of construction and compression function queries necessary
to break the construction. All of our constructions are obtained via
a (near) {\\em black-box} modification of NMAC and HMAC, which can be
interpreted as an initial step of key-dependent message
pre-processing.
While our focus is on PRF security, a further attractive feature of
our new constructions is that they clearly defeat all recent generic
attacks against properties such as state recovery and universal
forgery. These exploit properties of the so-called ``functional
graph\'\' which are not directly accessible in our new constructions.
Pablo Rauzy, Martin Moreau, Sylvain Guilley, Zakaria Najm
ePrint ReportIn this paper, we focus on countermeasures which guarantee the integrity of the computation result, hence covering most existing and future faults attacks.
Namely, we study the modular extension protection scheme in previously existing and newly contributed countermeasures on elliptic curve scalar multiplication (ECSM) algorithms.
We find that problems undermine existing countermeasures but we are able to solve some of them.
We show the genericity of our contributed variant of modular extension countermeasure and formally prove its correctness and security:
the fault non-detection probability is inversely proportional to the security parameter.
Finally, we implement an ECSM protected with our countermeasure on an ARM Cortex-M4 microcontroller.
A systematic fault injection campaign for several values of the security parameter confirms our theoretical prediction and the security of the obtained implementation and provides figures for practical performance.
Avijit Dutta, Goutam Paul
ePrint Report
Pratish Datta, Ratna Dutta, Sourav Mukhopadhyay
ePrint Reportattribute-based encryption (ABE) and presents two selectively secure directly revocable ABE (RABE)
constructions
- supporting decryption policies realizable by polynomial size Boolean circuits of arbitrary fan-out
and
- featuring compactness in the sense that the number of revocation controlling components in
ciphertexts and decryption keys are constant.
In fact, our RABE schemes are the first to achieve these parameters. Both our constructions utilize
multilinear maps. The size of public parameter in our first construction is linear to the maximum
number of users supported by the system while in the second construction we reduce it to logarithmic.
Roman Oliynykov, Ivan Gorbenko, Oleksandr Kazymyrov, Victor Ruzhentsev, Oleksandr Kuznetsov, Yurii Gorbenko, Artem Boiko, O
ePrint Report