International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

04:59 [PhD][New] Erik Tews: DECT Security Analysis

  Name: Erik Tews
Topic: DECT Security Analysis
Category: applications

Description: DECT is a standard for cordless phones. The intent of this thesis is to evaluate DECT security in a comprehensive way. To secure conversations over the air, DECT uses two proprietary algorithms, namely the DECT Standard Authentication Algorithm (DSAA) for authentication and key derivation, and the DECT Standard Cipher (DSC) for encryption. Both algorithms have been kept secret and were only available to DECT device manufacturers under a None Disclosure Agreement (NDA). The reader is first introduced into the DECT standard. The two algorithms DSAA and DSC have been reverse engineered and are then described in full detail. At first, attacks against DECT devices are presented, that are based on faults made by the manufacturers while implementing the DECT standard. In the next Chapters, attacks against the DSAA and the DSC algorithm are described, that recover the secret keys used by these algorithms faster than by brute force. Thereafter, a attack against the DECT radio protocol is described, that decrypts encrypted DECT voice calls. Finally, an outlook over the next release of the DECT standard is presented, that is expected to counter all attacks against DECT, that are described in this thesis.[...]

04:59 [PhD][New] Johannes Buchmann

  Name: Johannes Buchmann

00:17 [Pub][ePrint] Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography, by Duong Hieu Phan and Viet Cuong Trinh

  In the classical model of traitor tracing, one assumes that a traitor contributes its entire secret key to build a pirate decoder. However, new practical scenarios of pirate has been considered, namely Pirate Evolution Attacks at Crypto 2007 and Pirates 2.0 at Eurocrypt 2009, in which pirate decoders could be built from sub-keys of users. The key notion in Pirates 2.0 is the anonymity level of traitors: they can rest assured to remain anonymous when each of them only contributes a very small fraction of its secret information. This scenario encourages dishonest users to participate in collusion and the size of collusion could become very large, possibly beyond the considered threshold in the classical model. There are numerous attempts to deal with Pirates 2.0 each of which only considers a particular form of Pirates 2.0. In this paper, we propose a method for fighting Pirates 2.0 in any form.

Our method is based on the researches in key-leakage resilience. It thus gives an interesting and rather surprised connection between the rich domain of key-leakage resilient cryptography and Pirates 2.0. We first formalize the notion of key-leakage resilient revoke system and then identify sufficient conditions so that a key-leakage resilient revoke scheme can resist Pirates 2.0 in any form. We finally propose a construction of a secure key-leakage resilient identity-based revoke system that fulfills the required conditions. The main ingredient in the construction relies on the identity-based encryption with wildcards ($\\WIBE$) and our construction of key-leakage resilient $\\WIBE$ could be useful in its own right.

00:17 [Pub][ePrint] Efficient Threshold Zero-Knowledge with Applications to User-Centric Protocols, by Marcel Keller and Gert Læssøe Mikkelsen and Andy Rupp

  In this paper, we investigate on threshold proofs, a framework for distributing the prover\'s side of

interactive proofs of knowledge over multiple parties. Interactive proofs of knowledge (PoK) are widely used

primitives of cryptographic protocols, including important user-centric protocols, such as identification schemes,

electronic cash (e-cash), and anonymous credentials.

We present a security model for threshold proofs of knowledge and develop threshold versions of well-known

primitives such as range proofs, zero-knowledge proofs for preimages of homomorphisms (which generalizes PoKs

of discrete logarithms, representations, p-th roots, etc.), as well as OR statements. These building blocks are proven

secure in our model.

Furthermore, we apply the developed primitives and techniques in the context of user-centric protocols. In particular,

we construct distributed-user variants of Brands\' e-cash system and the bilinear anonymous credential scheme by

Camenisch and Lysyanskaya. Distributing the user party in such protocols has several practical advantages: First, the

security of a user can be increased by sharing secrets and computations over multiple devices owned by the user. In

this way, losing control of a single device does not result in a security breach. Second, this approach also allows

groups of users to jointly control an application (e.g., a joint e-cash account), not giving a single user full control.

The distributed versions of the protocols we propose in this paper are relatively efficient (when compared to a general

MPC approach). In comparison to the original protocols only the prover\'s (or user\'s) side is modified while the other

side stays untouched. In particular, it is oblivious to the other party whether it interacts with a distributed prover (or

user) or one as defined in the original protocol.

00:17 [Pub][ePrint] Multi-Channel Broadcast Encryption, by Duong Hieu Phan and David Pointcheval and Viet Cuong Trinh

  Broadcast encryption aims at sending a content to a large arbitrary group of users at once. Currently, the most efficient schemes provide constant-size headers, that encapsulate ephemeral session keys under which the payload is encrypted. However, in practice, and namely for pay-TV, providers have to send various contents to different groups of users. Headers are thus specific to each group, one for each channel: as a consequence, the global overhead is linear in the number of channels. Furthermore, when one wants to zap to and watch another channel, one has to get the new header and decrypt it to learn the new session key: either the headers are sent quite frequently or one has to store all the headers, even if one watches one channel only. Otherwise, the zapping time becomes unacceptably long.

In this paper, we consider encapsulation of several ephemeral keys, for various groups and thus various channels, in one header only, and we call this new primitive Multi-Channel Broadcast Encryption: one can hope for a much shorter global overhead and a short zapping time since the decoder already has the information to decrypt any available channel at once. Our candidates are private variants of the Boneh-Gentry-Waters scheme, with a constant-size global header, independently of the number of channels. In order to prove the CCA security of the scheme, we introduce a new dummy-helper technique and implement it in the random oracle model.

00:17 [Pub][ePrint] Verified Security of Redundancy-Free Encryption from Rabin and RSA, by Gilles Barthe and David Pointcheval and Santiago Zanella-Béguelin

  Verified security provides a firm foundation for cryptographic proofs

by means of rigorous programming language techniques and verification

methods. EasyCrypt is a framework that realizes the verified security

paradigm and supports the machine-checked construction and

verification of cryptographic proofs using state-of-the-art SMT

solvers, automated theorem provers and interactive proof assistants.

Previous experiments have shown that EasyCrypt is effective for a

posteriori validation of cryptographic systems. In this paper, we

report on the first application of verified security to a novel

cryptographic construction, with strong security properties and

interesting practical features. Specifically, we use EasyCrypt to

prove the IND-CCA security of a redundancy-free public-key encryption

scheme based on trapdoor one-way permutations. Somewhat surprisingly,

we show that even with a zero-length redundancy, Boneh\'s SAEP scheme

(an OAEP-like construction with a single-round Feistel network rather

than two) converts a trapdoor one-way permutation into an

IND-CCA-secure scheme, provided the permutation satisfies two

additional properties. We then prove that the Rabin function and RSA

with short exponent enjoy these properties, and thus can be used to

instantiate the construction we propose to obtain efficient encryption

schemes. The reduction that justifies the security of our construction

is tight enough to achieve practical security with reasonable key


00:17 [Pub][ePrint] Fast and compact elliptic-curve cryptography, by Mike Hamburg

Elliptic curve cryptosystems have improved greatly in speed over the past few years. In this paper we outline a new elliptic curve signature and key agreement implementation which achieves record speeds while remaining relatively compact. For example, on Intel Sandy Bridge, a curve with about $2^{250}$ points produces a signature in just under 60k clock cycles, verifies in under 169k clock cycles, and computes a Diffie-Hellman shared secret in under 153k clock cycles. Our implementation has a small footprint: the library is under 55kB. We also post competitive timings on ARM processors, verifying a signature in under 626k Tegra-2 cycles. We introduce faster field arithmetic, a new point compression algorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery. Some of these improvements should be applicable to other systems.

00:17 [Pub][ePrint] A mathematical problem for security analysis of hash functions and pseudorandom generators, by Koji Nuida and Takuro Abe and Shizuo Kaji and Toshiaki Maeno and Yasuhide Numata

  In this paper, we specify a class of mathematical problems, which we refer to as ``Function Density Problems\'\' (FDPs, in short), and point out novel connections of FDPs to the following two cryptographic topics; theoretical security evaluations of keyless hash functions (such as SHA-1), and constructions of provably secure pseudorandom generators (PRGs) with some enhanced security property introduced by Dubrov and Ishai [STOC 2006]. Our argument aims at proposing new theoretical frameworks for these topics (especially for the former) based on FDPs, rather than providing some concrete and practical results on the topics. We also give some examples of mathematical discussions on FDPs, which would be of independent interest from mathematical viewpoints. Finally, we discuss possible directions of future research on other cryptographic applications of FDPs and on mathematical studies on FDPs themselves.

00:17 [Pub][ePrint] Tightly Secure Signatures and Public-Key Encryption, by Dennis Hofheinz and Tibor Jager

  We construct the first public-key encryption scheme whose chosen-ciphertext (i.e., IND-CCA) security can be proved under a standard assumption and does not degrade in either the number of users or the number of ciphertexts. In particular, our scheme can be safely deployed in unknown settings in which no a-priori bound on the number of encryptions and/or users is known.

As a central technical building block, we devise the first structure-preserving signature scheme with a tight security reduction. (This signature scheme may be of independent interest.) Combining this scheme with Groth-Sahai proofs yields a tightly simulation-sound non-interactive zero-knowledge proof system for group equations. If we use this proof system in the Naor-Yung double encryption scheme, we obtain a tightly IND-CCA secure public-key encryption scheme from the Decision Linear assumption.

We point out that our techniques are not specific to public-key encryption security. Rather, we view our signature scheme and proof system as general building blocks that can help to achieve a tight security reduction.

00:17 [Pub][ePrint] Cryptanalysis of a Provably Secure Gateway-Oriented Password-Based Authenticated Key Exchange Protocol, by Debiao He

  Recently, Chien et al. proposed a gateway-oriented password-based authenticated key exchange (GPAKE) protocol, through which a client and a gateway could generate a session key for future communication with the help of an authentication server. They also demonstrated that their scheme is provably secure in a formal model. However, in this letter, we will show that Chien et al.\'s protocol is vulnerable to the off-line password guessing attack. To overcome the weakness, we also propose an efficient countermeasure.

00:17 [Pub][ePrint] An anonymous proxy signature scheme without random oracles, by Rahim Toluee and Maryam Rajabzadeh Asaar and Mahmoud Salmasizadeh

  The concept of proxy signature was introduced in 1996, up to now many proxy signature schemes have been proposed. In order to protect the proxy signer\'s privacy, the concept of anonymous proxy signature, which is also called proxy ring signature, was introduced in 2003. Some anonymous proxy signature schemes, which are provable secure in the random oracle model, have been proposed. However, provable security in the random oracle model is doubtful when the random oracles are instantiated with hash functions in their implementation. Hence, we propose the first secure anonymous proxy signature scheme without random oracles.