International Association for Cryptologic Research

IACR News Central


18:17 [Pub][ePrint] Using Variance to Analyze Visual Cryptography Schemes, by Teng Guo and Feng Liu and ChuanKun Wu and YoungChang Hou

  A visual cryptography scheme (VCS) is a secret sharing method in which the secret can be decoded by the human eye without any cryptographic knowledge or any computation. Variance was first introduced by Hou et al. in 2005 and then thoroughly verified by Liu et al. in 2012 as a way to evaluate the visual quality of size-invariant VCS. In this paper, we introduce the idea of using variance as an error-detection measurement, by which we find a security defect in Hou et al.'s multi-pixel encoding method. On the other hand, we find that variance affects not only the visual quality of size-invariant VCS but also the visual quality of VCS in general. Finally, average contrast associated with variance is used as a new criterion to evaluate the visual quality of VCS.

18:17 [Pub][ePrint] Computationally Sound Verification of the NSL Protocol via Computationally Complete Symbolic Attacker, by Gergei Bana and Pedro Adão and Hideki Sakurada

  In this paper we show that the recent technique of computationally complete symbolic attackers, proposed by Bana and Comon-Lundh for computationally sound verification, is powerful enough to verify actual protocols, such as the Needham-Schroeder-Lowe Protocol. In their model, one does not define explicit Dolev-Yao adversarial capabilities but rather the limitations of the adversarial capabilities. In this paper we present a set of axioms sufficient to show that no symbolic adversary compliant with these axioms can successfully violate secrecy or authentication in the case of the NSL protocol. Hence all implementations for which these axioms are sound - namely, implementations using CCA2 encryption and satisfying a minimal parsing requirement for pairing - exclude the possibility of successful computational attacks.

18:17 [Pub][ePrint] A Do-It-All-Cipher for RFID: Design Requirements (Extended Abstract), by Markku-Juhani O. Saarinen and Daniel Engels

  Recent years have seen significant progress in the development of lightweight symmetric cryptoprimitives. The main concern of the designers of these primitives has been to minimize the number of gate equivalents (GEs) of the hardware implementation. However, there are numerous additional requirements that are present in real-life RFID systems. We give an overview of requirements emerging or already present in the widely deployed EPCGlobal Gen2 and ISO / IEC 18000-63 passive UHF RFID air interface standards. Lightweight stateful authenticated encryption algorithms seem to offer the most complete set of features for this purpose. In this work we give a Gen2-focused "lessons learned" overview of the challenges and related developments in RFID cryptography and propose what we see as appropriate design criteria for a cipher (dubbed "Do-It-All-Cipher" or DIAC) in this application area. We also comment on the applicability of NSA's new SIMON and SPECK proposals for this purpose.

18:17 [Pub][ePrint] Non-uniform cracks in the concrete: the power of free precomputation, by Daniel J. Bernstein and Tanja Lange

  There is a flaw in the standard security definitions used in the literature on provable concrete security. The definitions are frequently conjectured to assign a security level of 2^128 to AES, the NIST P-256 elliptic curve, DSA-3072, RSA-3072, and various higher-level protocols, but they actually assign a far lower security level to each of these primitives and protocols. This flaw undermines security evaluations and comparisons throughout the literature. This paper analyzes the magnitude of the flaw in detail and discusses several strategies for fixing the definitions.

18:17 [Pub][ePrint] Bounds on the Threshold Gap in Secret Sharing over Small Fields, by Ignacio Cascudo and Ronald Cramer and Chaoping Xing

  We consider the class of secret sharing schemes where there is no a priori bound on the number of players $n$ but where each of the $n$ share-spaces has fixed cardinality~$q$. We show two fundamental lower bounds on the {\em threshold gap} of such schemes.

The threshold gap $g$ is defined as $r-t$, where $r$ is minimal and $t$ is maximal such that the following holds: for a secret with arbitrary a priori distribution, each $r$-subset of players can reconstruct this secret from their joint shares without error ($r$-reconstruction) and the information gain about the secret is nil for each $t$-subset of players jointly ($t$-privacy).

Our first bound, which is completely general, implies that if $1\leq t

05:55 [Job][New] Research Scientist / Senior Research Scientist, PARC, Palo Alto, CA, USA

  We invite applications for outstanding researchers to strengthen and broaden our research activities in security research. Our expertise ranges from applied cryptography and privacy to network, system, and usable security. Both recent Ph.D. graduates and well-established scientists are encouraged to apply.

A premier center for commercial innovation, PARC, a Xerox company, is in the business of breakthroughs. We work closely with global enterprises, entrepreneurs, government agencies and partners, and other clients to invent, co-develop, and bring to market game-changing innovations by combining imagination, investigation, and return on investment for our clients. For 40 years, we have lived at the leading edge of innovation, merging inquiry and strategy to pioneer technological change. PARC was incorporated in 2002 as a wholly owned independent subsidiary of Xerox Corporation – enabling us to continue pioneering technological change but across a broader set of industries and clients today.

Depending on seniority, the successful candidate will be responsible for one or more of the following roles:

. Formulating research problems based on real-world needs and independently conducting high-quality research

. Working with existing research and development staff on a broad range of research topics

. Working with the business development team in identifying important business opportunities with industry and government agencies.

. Identifying new promising research directions and contributing them to the group’s long-term research agenda.

Candidates in all areas of cyber security will be considered; however, the following areas are of particular interest:

. Systems & network security

. Security in cloud computing

. Data mining and machine learning applied to security and privacy

. Security and privacy in ubiquitous and mobile computing environments

. Formal methods and software

04:59 [PhD][New] Erik Tews: DECT Security Analysis

  Name: Erik Tews
Topic: DECT Security Analysis
Category: applications

Description: DECT is a standard for cordless phones. The intent of this thesis is to evaluate DECT security in a comprehensive way. To secure conversations over the air, DECT uses two proprietary algorithms, namely the DECT Standard Authentication Algorithm (DSAA) for authentication and key derivation, and the DECT Standard Cipher (DSC) for encryption. Both algorithms have been kept secret and were only available to DECT device manufacturers under a Non-Disclosure Agreement (NDA). The reader is first introduced to the DECT standard. The two algorithms DSAA and DSC have been reverse engineered and are then described in full detail. First, attacks against DECT devices are presented that are based on faults made by the manufacturers while implementing the DECT standard. In the next chapters, attacks against the DSAA and the DSC algorithm are described that recover the secret keys used by these algorithms faster than brute force. Thereafter, an attack against the DECT radio protocol is described that decrypts encrypted DECT voice calls. Finally, an outlook on the next release of the DECT standard is presented, which is expected to counter all attacks against DECT that are described in this thesis.[...]

04:59 [PhD][New] Johannes Buchmann

  Name: Johannes Buchmann

00:17 [Pub][ePrint] Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography, by Duong Hieu Phan and Viet Cuong Trinh

  In the classical model of traitor tracing, one assumes that a traitor contributes its entire secret key to build a pirate decoder. However, new practical scenarios of piracy have been considered, namely Pirate Evolution Attacks at Crypto 2007 and Pirates 2.0 at Eurocrypt 2009, in which pirate decoders can be built from sub-keys of users. The key notion in Pirates 2.0 is the anonymity level of traitors: they can rest assured of remaining anonymous when each of them contributes only a very small fraction of its secret information. This scenario encourages dishonest users to participate in a collusion, and the size of the collusion could become very large, possibly beyond the threshold considered in the classical model. There have been numerous attempts to deal with Pirates 2.0, each of which considers only a particular form of Pirates 2.0. In this paper, we propose a method for fighting Pirates 2.0 in any form.

Our method is based on research in key-leakage resilience. It thus gives an interesting and rather surprising connection between the rich domain of key-leakage resilient cryptography and Pirates 2.0. We first formalize the notion of a key-leakage resilient revoke system and then identify sufficient conditions under which a key-leakage resilient revoke scheme can resist Pirates 2.0 in any form. We finally propose a construction of a secure key-leakage resilient identity-based revoke system that fulfills the required conditions. The main ingredient in the construction relies on identity-based encryption with wildcards ($\WIBE$), and our construction of key-leakage resilient $\WIBE$ could be useful in its own right.

00:17 [Pub][ePrint] Efficient Threshold Zero-Knowledge with Applications to User-Centric Protocols, by Marcel Keller and Gert Læssøe Mikkelsen and Andy Rupp

  In this paper, we investigate threshold proofs, a framework for distributing the prover's side of interactive proofs of knowledge over multiple parties. Interactive proofs of knowledge (PoK) are widely used primitives of cryptographic protocols, including important user-centric protocols such as identification schemes, electronic cash (e-cash), and anonymous credentials.

We present a security model for threshold proofs of knowledge and develop threshold versions of well-known primitives such as range proofs, zero-knowledge proofs for preimages of homomorphisms (which generalize PoKs of discrete logarithms, representations, p-th roots, etc.), as well as OR statements. These building blocks are proven secure in our model.

Furthermore, we apply the developed primitives and techniques in the context of user-centric protocols. In particular, we construct distributed-user variants of Brands' e-cash system and the bilinear anonymous credential scheme by Camenisch and Lysyanskaya. Distributing the user party in such protocols has several practical advantages: First, the security of a user can be increased by sharing secrets and computations over multiple devices owned by the user. In this way, losing control of a single device does not result in a security breach. Second, this approach also allows groups of users to jointly control an application (e.g., a joint e-cash account), not giving a single user full control.

The distributed versions of the protocols we propose in this paper are relatively efficient (when compared to a general MPC approach). In comparison to the original protocols, only the prover's (or user's) side is modified while the other side stays untouched. In particular, it is oblivious to the other party whether it interacts with a distributed prover (or user) or one as defined in the original protocol.

00:17 [Pub][ePrint] Multi-Channel Broadcast Encryption, by Duong Hieu Phan and David Pointcheval and Viet Cuong Trinh

  Broadcast encryption aims at sending content to a large arbitrary group of users at once. Currently, the most efficient schemes provide constant-size headers that encapsulate ephemeral session keys under which the payload is encrypted. However, in practice, and namely for pay-TV, providers have to send various contents to different groups of users. Headers are thus specific to each group, one for each channel: as a consequence, the global overhead is linear in the number of channels. Furthermore, when one wants to zap to and watch another channel, one has to get the new header and decrypt it to learn the new session key: either the headers are sent quite frequently or one has to store all the headers, even if one watches one channel only. Otherwise, the zapping time becomes unacceptably long.

In this paper, we consider encapsulation of several ephemeral keys, for various groups and thus various channels, in one header only, and we call this new primitive Multi-Channel Broadcast Encryption: one can hope for a much shorter global overhead and a short zapping time since the decoder already has the information to decrypt any available channel at once. Our candidates are private variants of the Boneh-Gentry-Waters scheme, with a constant-size global header, independently of the number of channels. In order to prove the CCA security of the scheme, we introduce a new dummy-helper technique and implement it in the random oracle model.