International Association for Cryptologic Research

IACR News Central

Here you can see all recent updates to the IACR webpage. These updates are also available:

Now viewing news items related to:

13 February 2019
Homomorphic secret sharing (HSS) is an analog of somewhat- or fully homomorphic encryption (S/FHE) to the setting of secret sharing, with applications including succinct secure computation, private manipulation of remote databases, and more. While HSS can be viewed as a relaxation of S/FHE, the only constructions from lattice-based assumptions to date build atop specific forms of threshold or multi-key S/FHE. In this work, we present new techniques directly yielding efficient 2-party HSS for polynomial-size branching programs from a range of lattice-based encryption schemes, without S/FHE. More concretely, we avoid the costly key-switching and modulus-reduction steps used in S/FHE ciphertext multiplication, replacing them with a new distributed decryption procedure for performing "restricted" multiplications of an input with a partial computation value. Doing so requires new methods for handling the blowup of "noise'' in ciphertexts in a distributed setting, and leverages several properties of lattice-based encryption schemes together with new tricks in share conversion. The resulting schemes support a superpolynomial-size plaintext space and negligible correctness error, with share sizes comparable to SHE ciphertexts, but cost of homomorphic multiplication roughly one order of magnitude faster. Over certain rings, our HSS can further support some level of packed SIMD homomorphic operations. We demonstrate the practical efficiency of our schemes within two application settings, where we compare favorably with current best approaches: 2-server private database pattern-match queries, and secure 2-party computation of low-degree polynomials.
Tightly secure cryptographic schemes have been extensively studied in the fields of chosen-ciphertext secure public-key encryption (CCA-secure PKE), identity-based encryption (IBE), signature and more. We extend tightly secure cryptography to inner product functional encryption (IPFE) and present the first tightly secure schemes related to IPFE.

We first construct a new IPFE scheme that is tightly secure in the multi-user and multi-challenge setting. In other words, the security of our scheme does not degrade even if an adversary obtains many ciphertexts generated by many users. Our scheme is constructible on a pairing-free group and secure under the matrix decisional Diffie-Hellman (MDDH) assumption, which is the generalization of the decisional Diffie-Hellman (DDH) assumption. Applying the known conversions by Lin (CRYPTO 2017) and Abdalla et al. (CRYPTO 2018) to our scheme, we can obtain the first tightly secure function-hiding IPFE scheme and multi-input IPFE (MIPFE) scheme respectively.

Our second main contribution is the proposal of a new generic conversion from function-hiding IPFE to function-hiding MIPFE, which was left as an open problem by Abdalla et al. (CRYPTO 2018). We can obtain the first tightly secure function-hiding MIPFE scheme by applying our conversion to the tightly secure function-hiding IPFE scheme described above.

Finally, the security reductions of all our schemes are fully tight, which means that the security of our schemes is reduced to the MDDH assumption with a constant security loss.
ePrint Report Beyond Birthday Bound Secure MAC in Faulty Nonce Model Avijit Dutta, Mridul Nandi, Suprita Talnikar
Encrypt-then-MAC (EtM) is a popular mode for authenticated encryption (AE). Unfortunately, almost all designs following the EtM paradigm, including the AE suites for TLS, are vulnerable against nonce misuse. A single repetition of the nonce value reveals the hash key, leading to a universal forgery attack. There are only two authenticated encryption schemes following the EtM paradigm which can resist nonce misuse attacks, the GCM-RUP (CRYPTO-17) and the GCM/2+ (INSCRYPT-12). However, they are secure only up to the birthday bound in the nonce respecting setting, resulting in a restriction on the data limit for a single key. In this paper we show that nEHtM, a nonce-based variant of EHtM (FSE-10) constructed using a block cipher, has a beyond birthday bound (BBB) unforgeable security that gracefully degrades under nonce misuse. We combine nEHtM with the CENC (FSE-06) mode of encryption using the EtM paradigm to realize a nonce-based AE, CWC+. CWC+ is very close (requiring only a few more xor operations) to the CWC AE scheme (FSE-04) and it not only provides BBB security but also gracefully degrading security on nonce misuse.
In this paper, using Mixed Integer Linear Programming, a new automatic search tool for truncated differential characteristic is presented. While the previous MILP models for truncated differential characteristic has been used just as a facilitator for finding the maximal probability bit-wise differential characteristic, ours treats truncated differential characteristic as an independent distinguisher. Our method models the problem of finding a maximal probability truncated differential characteristic, being able to distinguish the cipher from a pseudo random permutation. Our model enjoys a word-wise variable definitions which makes it much simpler and more easily solvable than its bit-wise counterpart. Using this method, we analyse Midori64 and SKINNY64/64,128 block ciphers, for both of which the existing results are improved. In both cases, the truncated differential characteristic is much more efficient than the upper bound of (bit-wise) differential characteristic proven by the designers, for all number of rounds. More specifically, the highest possible rounds, for which a differential characteristic can exist for Midori64 and SKINNY64/64,128, are 6 and 7 rounds respectively, for which differential characteristics with maximum probabilities of $2^{-60}$ and $2^{-52}$ may exist. However, we present new truncated differential characteristics for 6-round of Midori64 with probability $2^{-54}$. In case of SKINNY64/64,128, the gap is much wider, where for 7 rounds we find a truncated characteristic with probability $2^{-4}$, and even a 10-round truncated characteristic can be found with probability $2^{-40}$. Moreover, our result outperforms the only truncated differential analysis that exists on Midori64. This method can be used as a new tool for differential analysis of SPN block ciphers.
12 February 2019
This paper provides proofs of the results of Laisant - Beaujeux: (1) If an integer of the form $n=4k+1$, $k>0$ is prime, then $\left(\begin{array}{c}n-1\\m\end{array}\right)\equiv1(mod\,n),m=\frac{n-1}{2}$, and (2) If an integer of the form $n=4k+3$, $k\geq0$ is prime, then $\left(\begin{array}{c}n-1\\m\end{array}\right)\equiv-1(mod\,n),m=\frac{n-1}{2}$. In addition, the author proposes important conjectures based on the converse of the above theorems which aim to establish primality of $n$. These conjectures are scrutinized by the given combinatorial primality test algorithm which can also distinguish patterns of prime $n$ whether it is of the form $4k+1$ or $4k+3$.
We observe that if a party breaks one cryptographic assumption, construction, or system, then it can reduce the trust in any other. This highlights a shortcoming in the common interpretation of the provable security paradigm that may lead to unwarranted trust. This may have practical implications.

Then we argue that the provable security paradigm remains sound in applications provided that assumptions are made with care. We also strengthen the argument for the study of combiners and constructions based on generic assumptions, and transparent standardization processes in applied cryptography.
ePrint Report Security of Multilinear Galois Mode (MGM) Liliya Akhmetzyanova, Evgeny Alekseev, Grigory Karpunin, Vladislav Nozdrunov
In this paper we analyze the new AEAD mode called the Multilinear Galois Mode (MGM) originally proposed in CTCrypt 2017. This mode is currently considered in the Russian Standardization system as the main contender to be adopted as a standard AEAD mode. The analysis of the MGM mode was carried out in the paradigm of provable security, in other words, lower security bounds were obtained for the Privacy and Authenticity notions. These bounds show that the privacy and authenticity of this mode is provably guaranteed (under security of the used block cipher) up to the birthday paradox bound.
Internet-of-Things (IoT) applications often require constrained devices to be deployed in the field for several years, even decades. Protection of these tiny motes is crucial for end-to-end IoT security. Secure boot and attestation techniques are critical requirements in such devices which rely on public key Sign/Verify operations. In a not-so-distant future, quantum computers are expected to break traditional public key Sign/Verify functions (e.g. RSA and ECC signatures). Hash Based Signatures (HBS) schemes, on the other hand, are promising quantum-resistant alternatives. Their security is based on the security of cryptographic hash function which is known to be secure against quantum computers. The XMSS signature scheme is a modern HBS construction with several advantages but it requires thousands of hash operations per Sign/Verify operation, which could be challenging in resource constrained IoT motes. In this work, we investigated the use of the XMSS scheme targeting IoT constrained. We propose a latency-area optimized XMSS Sign or Verify scheme with 128-bit post-quantum security. An appropriate HW-SW architecture has been designed and implemented in FPGA and Silicon where it spans out to 1521 ALMs and 13.5k gates respectively. In total, each XMSS Sign/Verify operation takes 4.8 million clock cycles in our proposed HW-SW hybrid design approach which is 5.35 times faster than its pure SW execution latency on a 32-bit microcontroller.
ePrint Report Anonymous Attestation for IoT Santosh Ghosh, Andrew H. Reinders, Rafael Misoczki, Manoj R. Sastry
Internet of Things (IoT) have seen tremendous growth and are being deployed pervasively in areas such as home, surveillance, health-care and transportation. These devices collect and process sensitive data with respect to user's privacy. Protecting the privacy of the user is an essential aspect of security, and anonymous attestation of IoT devices are critical to enable privacy-preserving mechanisms. Enhanced Privacy ID (EPID) is an industry-standard cryptographic scheme that offers anonymous attestation. It is based on group signature scheme constructed from bilinear pairings, and provides anonymity and sophisticated revocation capabilities (private-key based revocation and signature-based revocation). Despite the interesting privacy-preserving features, EPID operations are very computational and memory intensive. In this paper, we present a small footprint anonymous attestation solution based on EPID that can meet the stringent resource requirements of IoT devices. A specific modular-reduction technique targeting the EPID prime number has been developed resulting in 50% latency reduction compared to conventional reduction techniques. Furthermore, we developed a multi-exponentiation technique that significantly reduces the runtime memory requirements. Our proposed design can be implemented as SW-only, or it can utilize an integrated Elliptic Curve and Galois Field HW accelerator. The EPID SW stack has a small object code footprint of 22kB. We developed a prototype on a 32-bit microcontroller that computes EPID signature generation in 17.9s at 32MHz.
Song, Huang, Mu, and Wu proposed a new code-based signature scheme, the Rank Quasi-Cyclic Signature (RQCS) scheme (PKC 2019, Cryptology ePrint Archive 2019/053), which is based on RQC, an IND-CCA2 KEM scheme, proposed by Aguilar Melchor et al. (NIST PQC Standardization Round 1). Their scheme is an analogue to the Schnorr signature scheme.

In this short note, we investigate the security of the RQCS scheme. We report a key-recovery known-message attack by following the discussion in Aragon, Blazy, Gaborit, Hauteville, and Zémor (Cryptology ePrint Archive 2018/1192) and an experimental result. The key-recovery attack requires only one signature to retrieve a secret key and recovers a key less than 10 seconds.
The main result of this note is a severe flaw in the description of the zk-SNARK in [BCTV14]. The flaw stems from including redundant elements in the CRS, as compared to that of the original Pinocchio protocol [PHGR16], which are vital not to expose. The flaw enables creating a proof of knowledge for \emph{any} public input given a valid proof for \emph{some} public input. We also provide a proof of security for the [BCTV14] zk-SNARK in the generic group model, when these elements are excluded from the CRS, provided a certain linear algebraic condition is satisfied by the QAP polynomials.
The Walnut Digital Signature Algorithm (WalnutDSA) is a group-theoretic, public-key method that is part of the NIST Post-Quantum Cryptography standardization process. Prior to its submission to NIST, Hart et al published an attack that, when it produces a signature forgery, it is found to be orders of magnitude longer than a valid signature making it invalid due to its length. In addition to being identified as a forgery by our current method, we show that with a modest parameter-only increase we can block this attack to the desired security level without a significant impact on the performance while making WalnutDSA completely secure against this attack.
11 February 2019
Eurocrypt Eurocrypt 2020: Eurocrypt 2020 Zagreb, Croatia, 10 May - 14 May 2020
Event date: 10 May to 14 May 2020
7 February 2019

The group is active both in developing key technologies that ship with IBM products and in maintaining a strong academic research profile and has a dual focus on blockchain and on system security. In particular, the group is part of the core team that designs and develops Hyperledger Fabric, the popular open source blockchain platform.

This is an excellent opportunity for highly qualified and creative candidates with an ambition to work with an international team of researchers in a world-class industrial research organization.


Candidates are expected to have the following background and interests

· A Master\'s degree in Computer Science or a closely related discipline

· strong knowledge of programming languages (in particular C/C++, and optionally golang, bash, python)

· strong skills and experience in system-level programming, large distributed systems, and optionally blockchain

· experience with open source projects and a strong understanding of DevOps

· ability to manage multiple and changing priorities

· fluency in English

The position is available immediately. The successful candidate will enjoy an internationally competitive salary and work in a collaborative and creative group in an exclusive research environment.


IBM is committed to diversity at the workplace. We offer a diverse, independent professional activity, with experienced colleagues in a friendly atmosphere on our campus.

You will find a dynamic, multi-cultural environment, and flexible work conditions.

How to apply

Please send your CV including contact information for references and Ref No. 2019_001


Judith Blanc

HR Business Partner

IBM Research — Zurich

Säumerstrasse 4

8803 Rüschlikon


email: jko (at)

For technical information, please contact:

Dr. Andreas Kind, Manager Industry Solutions and Blockchain

email:ank (at)

Closing date for applications: 31 July 2019

More information:

Distributed systems and Blockchain

Project description

We research and develop scalable, fault-tolerant and secure distributed and blockchain systems that drive a new generation of financial and digital transactions.

We are looking for highly motivated and enthusiastic software engineers and distributed systems researchers to join the Industry Platforms and Blockchain Group at IBM Research – Zurich. You will be expected to contribute to the architecture definition and implementation in our blockchain projects, notably their aspects pertaining to distributed systems. You will be able to directly contribute and make impact not only on IBM products, but also on the Hyperledger Fabric open source project. The researchers in the group have deep expertise and knowledge in scalable, fault-tolerant and secure distributed systems. Software to be developed will be included in critical production system and is expected to be of high quality, modularity, maintainability, scalability, and resilience.

Closing date for applications: 31 July 2019

Contact: Judith Blanc

HR Business Partner

Säumerstrasse 4

8803 Rüschlikon


jko (at)

More information:

Job Posting Postdoc in Symmetric Cryptology DTU Compute’s Section for Cyber Security
DTU Compute’s Section for Cyber Security invites applications for appointment as a postdoctoral researcher within the area of symmetric cryptology. The position is available from 1 May 2019 or according to mutual agreement.

The aim of the new position is to expand the Section’s research in symmetric cryptology and align it with potential novel threats.

The research field of this new Postdoc position is within analysis and design of symmetric cryptographic algorithms, both basic primitives and modes of operation. Correspondingly, we aim to hire a postdoc with a track record in symmetric cryptography and cryptanalysis.

Responsibilities and tasks

The main tasks of the postdoc position are to analyze existing symmetric cryptographic primitives as well as to design and evaluate new primitives to address novel challenges. In this position, you will actively engage in our ongoing and prospective research activities on analysis and design of block ciphers, hash functions, authentication schemes and authentication encryption.

External stays are planned at our research partners in Europe.


Candidates should have a PhD degree (or equivalent) within mathematics, computer science or electric engineering with a focus on cryptology or a closely related field. If you are close to completing your PhD studies, your application will also be considered. You must have contributed with high-quality research to the area of cryptology or a closely related field.

Application procedure

Please submit your online application no later than 1 March 2019 (local time). Apply online at

Read the full job description at

Closing date for applications: 1 March 2019

Contact: Further information can be obtained from Assoc. Prof. Andrey Bogdanov (anbog (at) Please do not send applications to this e-mail address.

More information:

Job Posting PhD Studentships Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, UK
Applications are invited for PhD studentships in areas such as: (1) Post-quantum cryptography; (2) Physical attacks of IoT devices; (3) Privacy-aware cybercrime tracking; (4) Edge-based solutions to IoT attacks; (5) Activity Recognition in Social Media videos; (5) Defending ML-based Network Security Systems from Adversarial Attacks.

Students will be based in the Centre for Secure Information Technology (CSIT), Queens University Belfast. CSIT is recognised by the UK National Cyber Security Centre as an Academic Centre of Excellence (ACE) in Cyber Security Research. It is also host to the UK Research Institute in Secure Hardware and Embedded Systems (RISE).


A minimum 2.1 honours degree or equivalent in Computer Science, Electrical and Electronic Engineering, Mathematics or closely related discipline is required.

Available to eligible UK and EU citizens only.

Applicants should apply electronically through the Queen’s online application portal at:

Closing date for applications: 8 March 2019

Contact: Professor Maire O\'Neill,Email: m.oneill AT

More information:

The work of the Protocol Engineering Groups and Systems R&D team spans all layers of the tech stack for the Ethereum blockchain. Our work covers both public chain and enterprise, including crypto-economics, consensus, networking, storage, cryptography and virtual machine operations. Some of the challenges we have been focusing on include scalability, privacy, permissioning, and robustness — and there are plenty of other areas we’d like to be working on.

The Role

We are seeking applied researchers from a variety of backgrounds who are able to think deeply and creatively about protocol-level blockchain challenges and translate that work into practical outputs for PegaSys, enterprises seeking to use Ethereum and the wider blockchain community.

The Profile We are Seeking

  • Computer Science, Mathematics or Physics Master degree. PhD is a bonus.

  • Strong familiarity with advanced computer science and mathematical concepts

  • Expertise in using formal verification tools especially in the context of analysing distributed systems

  • Capable of articulating theories and related proof in a language suitable for scientific publication. Track record of previous scientific publications is a bonus.

  • Well versed in analysing existing code in a number of languages including Java, Go, Rust, etc.

  • Capable of deep and creative thinking.

  • Have a drive for excellence and quality

  • Passionate about blockchain consensus protocol research and blockchain technology in general

  • Previous experience either in leading small/medium teams or as member of well-functioning self-organising teams

  • Willing collaborator: swift to seek support and advice; equally ready to give support and advice to others.

  • Comfortable with working remotely, and will make progress without supervision while proactively keeping in contact with other remote collaborators.

Closing date for applications: 31 July 2019

Contact: Roberto Saltini

More information:

Job Posting PhD Student Nanyang Technological University, Singapore
The Research Group at Nanyang Technological University (NTU), Singapore, led by Prof. Anupam Chattopadhyay is seeking skilled and motivated PhD candidates to participate in an upcoming project focusing on System-on-Chip (SoC) security. The research team is currently funded by several large and strategic research grants in different domains ranging from microprocessor to system security. Interested applicants are encouraged send their detailed CV, cover letter and two letters of references to Prof. Anupam Chattopadhyay (anupam at

We are soliciting candidates to have an introductory knowledge in cryptography and strong background in digital/system design, including relevant experience in managing large-scale programming projects in C/C++/VHDL/Verilog. Candidates with prior industrial experience and familiarity with commercial processor architectures are preferred.

Review of applications starts immediately and will continue until the position is filled.

Closing date for applications:

PhD and Post-Doc Positions on Privacy Technologies at UCL

I have funding for 2-3 PhD studentships and 1 post-doctoral positions (24 months) in my group at UCL Computer Science to work on research problems at the intersection of privacy and machine learning.

For an overview of my work in this area, please visit


These positions are funded by a mix of industry grants, thanks to the generous support of Amazon, Cisco, Microsoft Research, and the UK Government.


Moreover, we have recently been awarded funding for a Doctoral Training Centre (DTC) in Cybersecurity (see so *additional* positions will be funded through the centre.

Other researchers working on security and privacy at UCL include: Nicolas Courtois, George Danezis, Sarah Meiklejohn, Steven Murdoch, Angela Sasse, plus a couple more faculty that we are in the process of recruiting. The Centre will have a strongly interdisciplinary focus, and will involve colleagues in the Crime Science (e.g., Shane Johnson) and Public Policy (e.g., Madeline Carr).


The PhD students will start in September/October 2019. Alas, some of the funding is limited to people who have lived in the UK for at least 3 years prior to the start of the PhD.

The post-doctoral research should start in the summer and have already completed their PhD or about to.


For both the PhD and the post-doc positions, please send an email to jobs (at) if you are interested.
For the PhD positions, you will also have to apply through (even though the next deadline is April 17th, please apply ASAP).


Closing date for applications: 30 April 2019

Contact: Emiliano De Cristofaro, Associate Professor at UCL

jobs (at)

More information:

Event date: 7 July 2019
Submission deadline: 15 February 2019
Notification: 10 April 2019
CHES CHES 2019: Cryptographic Hardware and Embedded Systems Atlanta, USA, 25 August - 28 August 2019
Event date: 25 August to 28 August 2019
Event date: 2 October to 4 October 2019
Submission deadline: 4 May 2019
Notification: 22 June 2019
Event date: 27 May to 29 May 2019
Anonymous credential (AC) schemes are protocols which allow for authentication of authorized users without compromising their privacy. Of particular interest are non-interactive anonymous credential (NIAC) schemes, where the authentication process only requires the user to send a single message that still conceals its identity. Unfortunately, all known NIAC schemes in the standard model require pairing based cryptography, which limits them to a restricted set of specific assumptions and requires expensive pairing computations. The notion of keyed-verification anonymous credential (KVAC) was introduced in (Chase et al., CCS'14) as an alternative to standard anonymous credential schemes allowing for more efficient instantiations; yet, making existing KVAC non-interactive either requires pairing-based cryptography, or the Fiat-Shamir heuristic.

In this work, we construct the first non-interactive keyed-verification anonymous credential (NIKVAC) system in the standard model, without pairings. Our scheme is efficient, attribute-based, supports multi-show unlinkability, and anonymity revocation. We achieve this by building upon a combination of algebraic \MAC with the recent designated-verifier non-interactive zero-knowledge (DVNIZK) proof of knowledge of (Couteau and Chaidos, Eurocrypt'18). Toward our goal of building NIKVAC, we revisit the security analysis of a MAC scheme introduced in (Chase et al., CCS'14), strengthening its guarantees, and we introduce the notion of oblivious non-interactive zero-knowledge proof system, where the prover can generate non-interactive proofs for statements that he cannot check by himself, having only a part of the corresponding witness, and where the proof can be checked efficiently given the missing part of the witness. We provide an efficient construction of an oblivious DVNIZK, building upon the specific properties of the DVNIZK proof system of (Couteau and Chaidos, Eurocrypt'18).
ePrint Report Multi-Key Homomophic Encryption from TFHE Hao Chen, Ilaria Chillotti, Yongsoo Song
In this paper, we propose a Multi-Key Homomorphic Encryption (MKHE) which allows homomorphic evaluation of a binary gate (with bootstrapping) on ciphertexts encrypted under different keys. We generalize a low-latency homomorphic encryption scheme of Chillotti et al. (ASIACRYPT 2016) by exploiting a key-extension approach of Brakerski and Perlman (CRYPTO 2016).

All the prior works on MKHE were too inefficient to be used in practice. Our construction improved the performance in terms of both asymptotic and concrete complexity: the length of ciphertexts and the computational costs of a binary gate grow linearly and quadratically on the number of parties, respectively. Furthermore, our scheme is fully-dynamic so that no information about the involved parties needs to be known before the computation and the resulting ciphertext can be reused in further computation with newly joined parties.

To the best of our knowledge, this is the first work to implement an MKHE scheme. Our implementation takes about 0.15 (resp. 0.72) seconds to perform the gate bootstrapping when the number of involved parties is 2 (resp. 4).
ePrint Report Distributional Collision Resistance Beyond One-Way Functions Nir Bitansky, Iftach Haiter, Ilan Komargodski, Eylon Yogev
Distributional collision resistance is a relaxation of collision resistance that only requires that it is hard to sample a collision (x,y) where x is uniformly random and y is uniformly random conditioned on colliding with x. The notion lies between one-wayness and collision resistance, but its exact power is still not well-understood. On one hand, distributional collision resistant hash functions cannot be built from one-way functions in a black-box way, which may suggest that they are stronger. On the other hand, so far, they have not yielded any applications beyond one-way functions.

Assuming distributional collision resistant hash functions, we construct constant-round statistically hiding commitment scheme. Such commitments are not known based on one-way functions and are impossible to obtain from one-way functions in a black-box way. Our construction relies on the reduction from inaccessible entropy generators to statistically hiding commitments by Haitner et al. (STOC '09). In the converse direction, we show that two-message statistically hiding commitments imply distributional collision resistance, thereby establishing a loose equivalence between the two notions.

A corollary of the first result is that constant-round statistically hiding commitments are implied by average-case hardness in the class SZK (which is known to imply distributional collision resistance). This implication seems to be folklore, but to the best of our knowledge has not been proven explicitly. We provide yet another proof of this implication, which is arguably more direct than the one going through distributional collision resistance.
A threshold signature scheme enables distributed signing among $n$ players such that any subgroup of size $t+1$ can sign, whereas any group with $t$ or fewer players cannot. While there exist previous threshold schemes for the ECDSA signature scheme, we present the first protocol that supports multiparty signatures for any $t \leq n$ with efficient, dealerless key generation. Our protocol is faster than previous solutions and significantly reduces the communication complexity as well. We prove our scheme secure against malicious adversaries with a dishonest majority. We implemented our protocol, demonstrating its efficiency and suitability to be deployed in practice.
Privacy and mutual authentication under corruption with temporary state disclosure are two significant requirements for real-life applications of RFID schemes. No RFID scheme is known so far to meet these two requirements. In this paper we propose two practical RFID schemes that fill this gap. The first one achieves destructive privacy, while the second one narrow destructive privacy, in Vaudenay's model with temporary state disclosure. Both of them provide mutual (reader-first) authentication. In order to achieve these privacy levels we use Physically Unclonable Functions (PUFs) to assure that the internal secret of the tag remains hidden against an adversary with invasive capabilities. Our first RFID scheme cannot be desynchronized for more than one step, while the second one avoids the use of random generators on tags. Detailed security and privacy proofs are provided.
6 February 2019
ePrint Report Variable Elimination - a Tool for Algebraic Cryptanalysis Bjørn Greve, Øyvind Ytrehus, Håvard Raddum
Techniques for eliminating variables from a system of nonlinear equations are used to find solutions of the system. We discuss how these methods can be used to attack certain types of symmetric block ciphers, by solving sets of equations arising from known plain text attacks. The systems of equations corresponding to these block ciphers have the characteristics that the solution is determined by a small subset of the variables (i.e., the secret key), and also that it is known that there always exists at least one solution (again corresponding to the key which is actually used in the encryption). It turns out that some toy ciphers can be solved simpler than anticipated by this method, and that the method can take advantage of overdetermined systems.

newer items   older items