On Proactive Verifiable Secret Sharing Schemes

The paper has been presented at the International Conference Pioneers of Bulgarian Mathematics, Dedicated to Nikola Obreshkoff and Lubomir Tschakaloff , Sofia, July, 2006. The material in this paper was presented in part at the 11th Workshop on Selected Areas in Cryptography (SAC) 2004This paper investigates the security of Proactive Secret Sharing Schemes. We first consider the approach of using commitment to 0 in the renewal phase in order to refresh the player's shares and we present two types of attacks in the information theoretic case. Then we prove the conditions for the security of such a proactive scheme. Proactivity can be added also using re-sharing instead of commitment to 0. We investigate this alternative approach too and describe two protocols. We also show that both techniques are not secure against a mobile adversary. To summarize we generalize the existing threshold protocols to protocols for general access structure. Besides this, we propose attacks against the existing proactive verifiable secret sharing schemes, and give modifications of the schemes that resist these attacks

On Distributed Oblivious Transfer

The paper has been presented at the International Conference Pioneers of Bulgarian Mathematics, Dedicated to Nikola Obreshkoff and Lubomir Tschakaloff , Sofia, July, 2006. The material in this paper was presented in part at INDOCRYPT 2002This paper is about unconditionally secure distributed protocols for oblivious transfer, as proposed by Naor and Pinkas and generalized by Blundo et al. In this setting a Sender has ζ secrets and a Receiver is interested in one of them. The Sender distributes the information about the secrets to n servers, and a Receiver must contact a threshold of the servers in order to compute the secret. We present a non-existence result and a lower bound for the existence of one-round, threshold, distributed oblivious transfer protocols, generalizing the results of Blundo et al. A threshold based construction implementing 1-out-of-ζ distributed oblivious transfer achieving this lower bound is described. A condition for existence of distributed oblivious transfer schemes based on general access structures is proven. We also present a general access structure protocol implementing 1-out-of-ζ distributed oblivious transfer

Yet Another Secure Distance-Bounding Protocol

Distance-bounding protocols have been proposed by Brands and Chaum in 1993 in order to detect \emph{relay attacks}, also known as \emph{mafia fraud}. Although the idea has been introduced fifteen years ago, only recently distance-bounding protocols attracted the attention of the researchers. Several new protocols have been proposed the last five years. In this paper, a new secure distance-bounding protocol is presented. It is self-contained and composable with other protocols for example for authentication or key-negotiation. It allows periodically execution and achieves better use of the communication channels by exchanging authenticated nonces. The proposed protocol becomes suitable for wider class of devices, since the resource requirements to the prover are relaxed

On a Relation Between Verifiable Secret Sharing Schemes and a Class of Error-Correcting Codes

In this paper we try to shed a new insight on Verifiable Secret Sharing Schemes (VSS). We first define a new ``metric (with slightly different properties than the standard Hamming metric). Using this metric we define a very particular class of codes that we call {\it error-set correcting codes}, based on a set of forbidden distances which is a monotone decreasing set. Next we redefine the packing problem for the new settings and generalize the notion of error-correcting capability of the error-set correcting codes accordingly (taking into account the new metric and the new packing). Then we consider burst-error interleaving codes proposing an efficient burst-error correcting technique, which is in fact the well known VSS and Distributed Commitments (DC) pair-wise checking protocol and we prove the error-correcting capability of the error-set correcting interleaving codes. Using the known relationship, due to Van Dijk, between a Monotone Span Program (MSP) and a generator matrix of the code generated by the suitable set of vectors, we prove that the error-set correcting codes in fact has the allowed (opposite to forbidden) distances of the dual access structure of the access structure that the MSP computes. We give an efficient construction for them based on this relation and as a consequence we establish a link between Secret Sharing Schemes (SSS) and the error-set correcting codes. Further we give a necessary and sufficient condition for the existence of linear SSS (LSSS), to be secure against $(\Delta,\Delta_A)$-adversary expressed in terms of an error-set correcting code. Finally, we present necessary and sufficient conditions for the existence of a VSS scheme, based on an error-set correcting code, secure against $(\Delta,\Delta_A)$-adversary. Our approach is general and covers all known linear VSS/DC. It allows us to establish the minimal conditions for security of VSSs. Our main theorem states that the security of a scheme is equivalent to a pure geometrical (coding) condition on the linear mappings describing the scheme. Hence the security of all known schemes, e.g. all known bounds for existence of unconditionally secure VSS/DC including the recent result of Fehr and Maurer, can be expressed as certain (geometrical) coding conditions

Low-Latency ECDSA Signature Verification - A Road Towards Safer Traffic -

Car-to-car and Car-to-Infrastructure messages exchanged in Intelligent Transportation Systems can reach reception rates up to and over 1000 messages per second. As these messages contain ECDSA signatures this puts a very heavy load onto the verification hardware. In fact the load is so high that currently it can only be achieved by implementations running on high end CPUs and FPGAs. These implementations are far from cost-effective nor energy efficient. In this paper we present an ASIC implementation of a dedicated ECDSA verification engine that can reach verification rates of up to 27.000 verifications per second using only 1.034 kGE

Optimized Threshold Implementations: Securing Cryptographic Accelerators for Low-Energy and Low-Latency Applications

Threshold implementations have emerged as one of the most popular masking countermeasures for hardware implementations of cryptographic primitives. In the original version of TI, the number of input shares was dependent on both security order $d$ and algebraic degree of a function $t$, namely $td + 1$. At CRYPTO 2015, a new method was presented yielding to a $d$-th order secure implementation using $d+1$ input shares. In this work, we first provide a construction for $d+1$ TI sharing which achieves the minimal number of output shares for any $n$-input Boolean function of degree $t=n-1$. Furthermore, we present a heuristic for minimizing the number of output shares for higher order $td + 1$ TI. Finally, we demonstrate the applicability of our results on $d+1$ and $td+1$ TI versions, for first- and second-order secure, low-latency and low-energy implementations of the PRINCE block cipher

Whirlwind: a new cryptographic hash function

A new cryptographic hash function Whirlwind is presented. We give the full specification and explain the design rationale. We show how the hash function can be implemented efficiently in software and give first performance numbers. A detailed analysis of the security against state-of-the-art cryptanalysis methods is also provided. In comparison to the algorithms submitted to the SHA-3 competition, Whirlwind takes recent developments in cryptanalysis into account by design. Even though software performance is not outstanding, it compares favourably with the 512-bit versions of SHA-3 candidates such as LANE or the original CubeHash proposal and is about on par with ECHO and MD6

Decomposition of Permutations in a Finite Field

We describe a method to decompose any power permutation, as a sequence of power permutations of lower algebraic degree. As a result we obtain decompositions of the inversion in $\mathrm{GF}(2^n)$ for small $n$ from $3$ up to $16$, as well as for the APN functions, when $n=5$. More precisely, we find decompositions into quadratic power permutations for any $n$ not multiple of $4$ and decompositions into cubic power permutations for $n$ multiple of $4$. Finally, we use the Theorem of Carlitz to prove that for $3 \leq n \leq 16$ any $n$-bit permutation can be decomposed in quadratic and cubic permutations

Who Watches the Watchers: Attacking Glitch Detection Circuits

Over the last decades, fault injection attacks have been demonstrated to be an effective method for breaking the security of electronic devices. Some types of fault injection attacks, like clock and voltage glitching, require very few resources by the attacker and are practical and simple to execute. A cost-effective countermeasure against these attacks is the use of a detector circuit which detects timing violations - the underlying effect that glitch attacks rely on. In this paper, we take a closer look at three examples of such detectors that have been presented in the literature. We demonstrate four high-speed clock glitching attacks, which successfully inject faults in systems, where detectors have been implemented to protect. The attacks remain unnoticed by the glitch detectors. We verify our attacks with practical experiments on an FPGA

Higher-Order Threshold Implementation of the AES S-Box

In this paper we present a threshold implementation of the Advanced Encryption Standard’s S-box which is secure against first- and second-order power analysis attacks. This security guarantee holds even in the presence of glitches, and includes resistance against bivariate attacks. The design requires an area of 7849 Gate Equivalents and 126 bits of randomness per S-box execution. The implementation is tested on an FPGA platform and its security claim is supported by practical leakage detection tests