Paris, France



Coron J.-S.,University of Luxembourg | Lepoint T.,CryptoExperts | Lepoint T.,Mohammed V University | Tibouchi M.,Nippon Telegraph and Telephone
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

Extending bilinear elliptic curve pairings to multilinear maps is a long-standing open problem. The first plausible construction of such multilinear maps has recently been described by Garg, Gentry and Halevi, based on ideal lattices. In this paper we describe a different construction that works over the integers instead of ideal lattices, similar to the DGHV fully homomorphic encryption scheme. We also describe a different technique for proving the full randomization of encodings: instead of Gaussian linear sums, we apply the classical leftover hash lemma over a quotient lattice. We show that our construction is relatively practical: for reasonable security parameters a one-round 7-party Diffie-Hellman key exchange requires less than 40 seconds per party. Moreover, in contrast with previous work, multilinear analogues of useful, base group assumptions like DLIN appear to hold in our setting. © 2013 International Association for Cryptologic Research.

Agency: European Commission | Branch: FP7 | Program: CP | Phase: ICT-2013.1.5 | Award Amount: 5.97M | Year: 2013

With the increasing pervasion of our society by mobile devices like smart phones and tablets and many users running several security-relevant applications on multiple mobile devices at the same time, security and privacy challenges outranging those on personal computers arise. In the near future, users are expected to move personal roles and identities between mobile platforms. Electronic representations of rights associated with such roles will be mobilised and residing on multiple devices. These devices could be nanoSIMs used in smartphones or microSD™ cards used in tablets.

The objective of MATTHEW is to develop novel, privacy-preserving security applications with Anonymity and Attribute Based Credentials (ABC) being transferable over various mobile platforms like smart phones and tablets using Near Field Communication (NFC). Introducing active transmission technology for NFC, MATTHEW will overcome the most blocking obstacle in scalability of form factors for NFC antennas, thus facilitating integration of NFC-enabled security components in mobile devices.

MATTHEW directly addresses Security and privacy in mobile systems of the objective ICT-2013.1.5 Trustworthy ICT and will, based on application requirements, specify an architecture with focus on multiple entity security with privacy preservation. Component development will encompass secure elements with physically uncloneable functions (PUFs) and privacy algorithms support, active transmission technology and antenna designs as well as specialized packages for small form factor integration.

MATTHEW results will be demonstrated by a transferable payment application and a multi-key access control system. An ABC-based cryptographic API will provide pseudonyms for privacy.

MATTHEW brings together eight highly qualified European partners, world-market-leading industries (IFAT, GTO, AMS, IFAG), research-oriented SMEs (IMA, TEC, CRX) as well as a highly esteemed university institute for ICT security (IAIK).

Augot D.,French Institute for Research in Computer Science and Automation | Finiasz M.,CryptoExperts
IEEE International Symposium on Information Theory - Proceedings | Year: 2013

This article presents a new algorithm to find MDS matrices that are well suited for use as a diffusion layer in lightweight block ciphers. Using a recursive construction, it is possible to obtain matrices with a very compact description. Classical field multiplications can also be replaced by simple F2-linear transformations (combinations of XORs and shifts) which are much lighter. Using this algorithm, it was possible to design a 16×16 matrix on a 5-bit alphabet, yielding an efficient 80-bit diffusion layer with maximal branch number. © 2013 IEEE.

Rivain M.,CryptoExperts | Roche T.,ANSSI
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

Side-Channel Analysis (SCA) is commonly used to recover secret keys involved in the implementation of publicly known cryptographic algorithms. On the other hand, Side-Channel Analysis for Reverse Engineering (SCARE) considers an adversary who aims at recovering the secret design of some cryptographic algorithm from its implementation. Most previously published SCARE attacks enable the recovery of some secret parts of a cipher design (e.g. the substitution box(es)) assuming that the rest of the cipher is known. Moreover, these attacks are often based on an idealized leakage assumption where the adversary recovers noise-free side-channel information. In this paper, we address these limitations and describe a generic SCARE attack that can recover the full secret design of any iterated block cipher with common structure. Specifically, we consider the family of Substitution-Permutation Networks with either a classical structure (as the AES) or with a Feistel structure. Based on a simple and usual assumption on the side-channel leakage we show how to recover all parts of the design of such ciphers. We then relax our assumption and describe a practical SCARE attack that deals with noisy side-channel leakages. © 2013 Springer-Verlag.

Ducas L.,ENS Paris | Durmus A.,Ecole Normale Superieure de Cachan | Lepoint T.,CryptoExperts | Lyubashevsky V.,French Institute for Research in Computer Science and Automation
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

Our main result is a construction of a lattice-based digital signature scheme that represents an improvement, both in theory and in practice, over today's most efficient lattice schemes. The novel scheme is obtained as a result of a modification of the rejection sampling algorithm that is at the heart of Lyubashevsky's signature scheme (Eurocrypt, 2012) and several other lattice primitives. Our new rejection sampling algorithm, which samples from a bimodal Gaussian distribution, combined with a modified scheme instantiation, ends up reducing the standard deviation of the resulting signatures by a factor that is asymptotically square root in the security parameter. The implementations of our signature scheme for security levels of 128, 160, and 192 bits compare very favorably to existing schemes such as RSA and ECDSA in terms of efficiency. In addition, the new scheme has shorter signature and public key sizes than all previously proposed lattice signature schemes. As part of our implementation, we also designed several novel algorithms which could be of independent interest. Of particular note is a new algorithm for efficiently generating discrete Gaussian samples over ℤ^n. Current algorithms either require many high-precision floating point exponentiations or the storage of very large pre-computed tables, which makes them completely inappropriate for usage in constrained devices. Our sampling algorithm reduces the hard-coded table sizes from linear to logarithmic as compared to the time-optimal implementations, at the cost of being only a small factor slower. © 2013 International Association for Cryptologic Research.

Prouff E.,ANSSI | Rivain M.,CryptoExperts
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2013

Masking is a well-known countermeasure to protect block cipher implementations against side-channel attacks. The principle is to randomly split every sensitive intermediate variable occurring in the computation into d + 1 shares, where d is called the masking order and plays the role of a security parameter. Although widely used in practice, masking is often considered as an empirical solution and its effectiveness is rarely proved. In this paper, we provide a formal security proof for masked implementations of block ciphers. Specifically, we prove that the information gained by observing the leakage from one execution can be made negligible (in the masking order). To obtain this bound, we assume that every elementary calculation in the implementation leaks a noisy function of its input, where the amount of noise can be chosen by the designer (yet linearly bounded). We further assume the existence of a leak-free component that can refresh the masks of shared variables. Our work can be viewed as an extension of the seminal work of Chari et al. published at CRYPTO in 1999 on the soundness of combining masking with noise to thwart side-channel attacks. © 2013 International Association for Cryptologic Research.

Batina L.,Catholic University of Leuven | Batina L.,Radboud University Nijmegen | Gierlichs B.,Catholic University of Leuven | Prouff E.,Oberthur Technologies | And 3 more authors.
Journal of Cryptology | Year: 2011

Mutual Information Analysis is a generic side-channel distinguisher that was introduced at CHES 2008. It aims to allow successful attacks requiring minimum assumptions and knowledge of the target device by the adversary. In this paper, we compile recent contributions and applications of MIA in a comprehensive study. From a theoretical point of view, we carefully discuss its statistical properties and relationship with probability density estimation tools. From a practical point of view, we apply MIA in two of the most investigated contexts for side-channel attacks. Namely, we consider first-order attacks against an unprotected implementation of the DES in a full custom IC and second-order attacks against a masked implementation of the DES in an 8-bit microcontroller. These experiments allow us to put forward the strengths and weaknesses of this new distinguisher and to compare it with standard power analysis attacks using the correlation coefficient. © International Association for Cryptologic Research 2010.
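The abstract above contrasts MIA with the correlation distinguisher but, being an abstract, shows neither. The following is an added example written for this page (it is not code from Batina et al. or from CryptoExperts): it runs a first-order MIA and a correlation attack side by side on simulated traces. The target, the noise model and the trace count are all assumptions chosen to keep the example small: a single 4-bit S-box (the PRESENT S-box, so the 16 key guesses can be enumerated in pure Python, whereas the paper attacks DES), one leakage sample per encryption equal to the Hamming weight of the S-box output plus Gaussian noise, and a histogram with a fixed bin width as the density estimator. The bin width is exactly the kind of estimation parameter the abstract says must be chosen with care.

```python
# Added example (not from the Batina et al. paper): Mutual Information Analysis
# vs. correlation power analysis on simulated first-order leakage.
import math
import random
from collections import Counter, defaultdict

# Assumption: the target is a 4-bit S-box (the PRESENT S-box) so the key space
# is small enough to enumerate here; the paper itself attacks DES.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key, n_traces, sigma, rng):
    """Constructed leakage: one sample per encryption equal to the Hamming
    weight of SBOX[p ^ key] plus Gaussian noise of standard deviation sigma."""
    plaintexts = [rng.randrange(16) for _ in range(n_traces)]
    leakage = [hamming_weight(SBOX[p ^ key]) + rng.gauss(0.0, sigma)
               for p in plaintexts]
    return plaintexts, leakage


def entropy_bits(counts):
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def mutual_information(hypotheses, leakage, bin_width):
    """Plug-in estimate of I(H; L) = H(L) - H(L | H), with L histogram-binned.
    bin_width is the density-estimation parameter the paper discusses."""
    bins = [math.floor(l / bin_width) for l in leakage]
    h_l = entropy_bits(Counter(bins))
    per_hypothesis = defaultdict(Counter)
    for h, b in zip(hypotheses, bins):
        per_hypothesis[h][b] += 1
    n = len(leakage)
    h_l_given_h = sum(sum(c.values()) / n * entropy_bits(c)
                      for c in per_hypothesis.values())
    return h_l - h_l_given_h


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def rank_keys(plaintexts, leakage, distinguisher):
    """Score every 4-bit key guess; return (best_guess, {guess: score})."""
    scores = {}
    for guess in range(16):
        hyp = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        scores[guess] = distinguisher(hyp, leakage)
    return max(scores, key=scores.get), scores


def mia_attack(plaintexts, leakage, bin_width=0.5):
    return rank_keys(plaintexts, leakage,
                     lambda hyp, l: mutual_information(hyp, l, bin_width))


def cpa_attack(plaintexts, leakage):
    # Correlation needs the model to be (close to) linear in the leakage;
    # MIA only needs the leakage distribution to depend on the hypothesis.
    return rank_keys(plaintexts, leakage, lambda hyp, l: abs(pearson(hyp, l)))


def demo_attack(seed=2013, key=0xA, n_traces=4000, sigma=0.3):
    """Simulate one campaign (seeded only for reproducibility) and return
    (MIA best guess, CPA best guess, MIA score per guess)."""
    rng = random.Random(seed)
    pts, leak = simulate_traces(key, n_traces, sigma, rng)
    k_mia, mia_scores = mia_attack(pts, leak)
    k_cpa, _ = cpa_attack(pts, leak)
    return k_mia, k_cpa, mia_scores


if __name__ == "__main__":
    k_mia, k_cpa, scores = demo_attack()
    print(f"MIA guess 0x{k_mia:X}, CPA guess 0x{k_cpa:X}")
    print("MI per guess (bits):",
          " ".join(f"{k:X}:{s:.2f}" for k, s in sorted(scores.items())))
```

Both distinguishers recover the key on this idealised Hamming-weight leakage; the point of running them together is that the MIA score for a wrong guess is bounded above by the score of the right one (the leakage depends on the plaintext only through the true S-box output), so the ranking does not depend on the leakage being linear in the model, while the correlation distinguisher does.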

Rivain M.,CryptoExperts | Prouff E.,Oberthur Technologies
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2010

Implementations of cryptographic algorithms are vulnerable to Side Channel Analysis (SCA). To counteract it, masking schemes are usually involved which randomize key-dependent data by the addition of one or several random value(s) (the masks). When dth-order masking is involved (i.e. when d masks are used per key-dependent variable), the complexity of performing an SCA grows exponentially with the order d. The design of generic dth-order masking schemes taking the order d as security parameter is therefore of great interest for the physical security of cryptographic implementations. This paper presents the first generic dth-order masking scheme for AES with a provable security and a reasonable software implementation overhead. Our scheme is based on the hardware-oriented masking scheme published by Ishai et al. at Crypto 2003. Compared to this scheme, our solution can be efficiently implemented in software on any general-purpose processor. This result is of importance considering the lack of solution for d ≥ 3. © 2010 Springer-Verlag Berlin Heidelberg.
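The two masking abstracts above (Prouff and Rivain 2013, and Rivain and Prouff 2010) describe the ingredients, d+1 shares per sensitive variable, an Ishai-Sahai-Wagner (ISW) style secure multiplication, and a mask-refreshing component, without showing them. The following is an added example written for this page, not code from either paper or from CryptoExperts. It masks a byte of GF(2^8) at an arbitrary order d, multiplies shared values with the ISW cross-term construction, and uses that to compute the AES inversion x^254 on shares; squarings are GF(2)-linear and so are applied share by share. Two things are assumptions of this example rather than statements from the page: the addition chain 254 = 2 + 12 + 240 (four secure multiplications), and the simple XOR-based refresh. That refresh is a stand-in for the leak-free refreshing component in the 2013 proof; later work by Coron, Prouff, Rivain and Roche (FSE 2013) showed that refreshing by adding the same random to two shares is not sufficient when a variable is multiplied with a refreshed function of itself, as happens in the inversion chain, so a deployed implementation needs a stronger refresh. The code is written for correctness of the sharing, not for constant-time execution.

```python
# Added example (not code from the Prouff-Rivain / Rivain-Prouff papers):
# d-th order Boolean masking in GF(2^8) with ISW-style secure multiplication,
# used to compute the AES S-box inversion x^254 on d+1 shares.
import random

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiplication in GF(2^8) by shift-and-add (not timing-hardened)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def xor_all(shares):
    r = 0
    for s in shares:
        r ^= s
    return r


def share(x, d, rng):
    """Split x into d + 1 shares whose XOR is x (d = masking order)."""
    shares = [rng.randrange(256) for _ in range(d)]
    shares.append(x ^ xor_all(shares))
    return shares


def refresh(shares, rng):
    """Re-randomise a sharing without changing its value (assumed stand-in for
    the leak-free refresh; see the caveat in the lead-in about its strength)."""
    out = list(shares)
    for i in range(1, len(out)):
        r = rng.randrange(256)
        out[0] ^= r
        out[i] ^= r
    return out


def sec_mul(a, b, rng):
    """ISW secure multiplication: shares of (XOR a) * (XOR b) from shares a, b.
    Each cross term a_i*b_j is masked by a fresh random before accumulation."""
    n = len(a)
    c = [gf_mul(a[i], b[i]) for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = rng.randrange(256)
            c[i] ^= r
            # evaluation order matters for security: r is added before a_j*b_i
            c[j] ^= (r ^ gf_mul(a[i], b[j])) ^ gf_mul(a[j], b[i])
    return c


def sec_square(a, k=1):
    """x^(2^k) share-wise: squaring is GF(2)-linear, so no randomness is needed."""
    for _ in range(k):
        a = [gf_mul(s, s) for s in a]
    return a


def sec_inv(x, rng):
    """Shares of x^254 via 254 = 2 + 12 + 240: four secure multiplications."""
    z = sec_square(x)                      # x^2
    y = sec_mul(refresh(z, rng), x, rng)   # x^3   (z is a function of x: refresh first)
    w = sec_square(y, 2)                   # x^12
    y = sec_mul(refresh(w, rng), y, rng)   # x^15  (w is a function of y: refresh first)
    y = sec_square(y, 4)                   # x^240
    y = sec_mul(y, w, rng)                 # x^252
    return sec_mul(y, z, rng)              # x^254


def check_sec_mul(a, b, d, seed=1):
    """Return (a*b, unmasked result of sec_mul on order-d sharings)."""
    rng = random.Random(seed)   # seeded only for the demo; use os.urandom in practice
    got = xor_all(sec_mul(share(a, d, rng), share(b, d, rng), rng))
    return gf_mul(a, b), got


def check_inversion(x, d, seed=1):
    """Return (x^254, unmasked result of the masked inversion at order d)."""
    rng = random.Random(seed)
    got = xor_all(sec_inv(share(x, d, rng), rng))
    return gf_pow(x, 254), got


if __name__ == "__main__":
    for d in (1, 2, 3):
        expected, got = check_inversion(0x53, d)
        print(f"order {d}: x^254 = {expected:#04x}, masked = {got:#04x}, "
              f"x * inv = {gf_mul(0x53, got):#04x}")
```

At order d the ISW multiplication costs (d+1)^2 field multiplications and d(d+1)/2 random bytes, which is the quadratic overhead the 2010 abstract trades for software-friendliness; the four multiplications in the chain are the only non-linear steps, everything else is share-wise.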

Finiasz M.,CryptoExperts | Ramchandran K.,University of California at Berkeley
IEEE International Symposium on Information Theory - Proceedings | Year: 2012

Private Stream Search allows users to perform keyword-based queries to a database without revealing any information about the keywords they are searching. Using homomorphic encryption, Ostrovsky and Skeith proposed a computationally secure solution to this problem in 2005. However, their solution requires the server to send an answer of size O(mS log m) bits when m documents of S bits match the query, while a non-private query only requires mS bits. In this work we propose two new communication optimal constructions, both allowing a communication expansion factor (compared to a non-private query) asymptotically equal to 1 when m and S increase. More precisely, our first scheme requires m(S + O(log t)) bits (where t is the size of the database) and our second scheme m(S + C) where C is a constant depending on the chosen computational security level. © 2012 IEEE.

Fanti G.,University of California at Berkeley | Finiasz M.,CryptoExperts | Ramchandran K.,University of California at Berkeley
IEEE Signal Processing Magazine | Year: 2013

Automated media classification is becoming increasingly common in areas ranging from mobile location recognition to surveillance systems to automated annotation. While these tools can add great value to the public sphere, media searches often process private information; in such situations, it is important to protect the interests of one or both parties. Much attention has been given to the scenario where both the server and the client wish to keep their data secret, but comparatively little work has been done on searches in which only the client's data is sensitive. Nonetheless, there is great potential for applications involving private searches on public databases like Google Images, Flickr, or Wanted Persons directories put forth by various police agencies. In this article, we make the case that one-way private media search is an important and practically viable direction for future research. We will introduce readers to some basic one-way privacy tools and present a case study outlining the design of a private audio search tool on a public database. This case study serves as a backdrop for a discussion on the role of signal processing techniques in the design of privacy-preserving media search systems. © 1991-2012 IEEE.
