International Association for Cryptologic Research

IACR News Central


16:17 [Pub][ePrint] Efficient Group Key Management Schemes for Multicast Dynamic Communication Systems, by Muhammad Yasir Malik

  Key management in multicast dynamic groups, where users can leave or join at their ease, is one of the most crucial and essential parts of secure communication. Various efficient management strategies have been proposed during the last decade that aim to decrease encryption costs and transmission overheads. In this report, two different types of key management schemes are proposed. The first proposed scheme is based on the one-way function tree (OFT).

The proposed scheme fills the security gaps that have been pointed out in recent years. The second proposed scheme is based on the logical key hierarchy (LKH). This proposed scheme provides better performance for the rather inflexible and expensive LKH scheme.

16:17 [Pub][ePrint] SCAPI: The Secure Computation Application Programming Interface, by Yael Ejgenberg and Moriya Farbstein and Meital Levy and Yehuda Lindell

  Secure two-party and multiparty computation has long stood at the center of the foundations of theoretical cryptography. Recently, however, interest has grown regarding the efficiency of such protocols and their application in practice. As a result, there has been significant progress on this problem and it is possible to actually carry out secure computation for non-trivial tasks on reasonably large inputs. Part of this research goal of making secure computation practical has also involved implementations. Such implementations are of importance for two reasons: first, they demonstrate the real efficiency of known and new protocols; second, they deepen our understanding regarding where the bottlenecks in efficiency lie. However, it is very hard to compare between implementations by different research groups since they are carried out on different platforms and using different infrastructures. In addition, most implementations have been carried out without the goal of code reuse, and so are not helpful to other researchers. The difficulty of beginning implementation projects is further compounded by the fact that existing cryptographic libraries (like OpenSSL, Bouncy Castle, and others) are tailored for tasks like encryption, authentication and key exchange, and not for secure computation. We have developed SCAPI in order to address these problems. SCAPI is an open-source general library tailored for secure computation implementations. Our aim in developing SCAPI has been to provide a flexible and efficient infrastructure for secure computation implementations that is both easy to use and robust. Great care has been taken in the design of the library, in writing clean code, and in documentation. We hope that this library will be useful to the community interested in implementations of secure protocols, and will help to promote the goal of making secure computation practical.

16:17 [Pub][ePrint] On the Security of TLS Renegotiation, by Florian Giesen and Florian Kohlar and Douglas Stebila

  The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet. It supports negotiation of a wide variety of cryptographic primitives through different cipher suites, various modes of client authentication, and additional features such as session resumption and renegotiation. Despite its widespread use, only recently has the full TLS protocol been proven secure, and only then a single ciphersuite family (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) with no additional features. These additional features have been the cause of practical attacks on TLS. In 2009, Ray and Dispensa demonstrated how TLS renegotiation allows an attacker to splice together its own session with that of a victim, resulting in a man-in-the-middle attack on TLS-reliant applications such as HTTP. TLS was subsequently patched with two defence mechanisms for protection against this attack.

We present the first formal treatment of renegotiation in secure channel establishment protocols. We add optional renegotiation to the authenticated and confidential channel establishment model of Jager et al., an adaptation of the Bellare--Rogaway authenticated key exchange model. We describe the attack of Ray and Dispensa on TLS within our model. Although the two proposed fixes for TLS do not achieve our strongest notion of security, they do achieve a weaker but still reasonable security notion, and TLS can be easily adjusted to achieve that stronger level of security.

14:54 [Event][New] TRUST '13: 6th International Conference on Trust & Trustworthy Computing

  Submission: 15 February 2013
Notification: 22 March 2013
From June 17 to June 19
Location: London, UK

12:29 [Event][New] CSF'13: 2013 IEEE 26th Computer Security Foundations Symposium

  Submission: 6 February 2013
Notification: 5 April 2013
From June 26 to June 28
Location: New Orleans, USA

15:57 [Event][New] CBC2013: Fourth Code-based Cryptography Workshop 2013

  From June 10 to June 12
Location: Rocquencourt, France

04:17 [Pub][JoC] Fully Leakage-Resilient Signatures

Abstract: A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT'09) if it is existentially unforgeable under an adaptive chosen-message attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of side-channel attacks. One of the main challenges in constructing fully leakage-resilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the random-oracle model. Moreover, even in the random-oracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct the first fully leakage-resilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1−o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific number-theoretic assumptions. In addition, we show that our approach extends to the continual-leakage model, recently introduced by Dodis, Haralambiev, Lopez-Alt and Wichs (FOCS'10), and by Brakerski, Tauman Kalai, Katz and Vaikuntanathan (FOCS'10). In this model the signing key is allowed to be refreshed, while its corresponding verification key remains fixed, and the amount of leakage is assumed to be bounded only in between any two successive key refreshes.

  • Content Type: Journal Article
  • Pages: 1-46
  • DOI: 10.1007/s00145-012-9136-3
  • Authors:
    • Elette Boyle, Department of Mathematics, Massachusetts Institute of Technology, Cambridge, MA 02139, USA
    • Gil Segev, Microsoft Research, Mountain View, CA 94043, USA
    • Daniel Wichs, Department of Computer Science, New York University, New York, NY 10012, USA
  • Journal: Journal of Cryptology
  • Online ISSN: 1432-1378
  • Print ISSN: 0933-2790

From: Tue, 30 Oct 2012 18:08:17 GMT

16:17 [Pub][ePrint] Asynchronous Computational VSS with Reduced Communication Complexity, by Michael Backes and Amit Datta and Aniket Kate

  Verifiable secret sharing (VSS) is a vital primitive in secure distributed computing. It allows an untrusted dealer to verifiably share a secret among n parties in the presence of an adversary controlling at most t of them. VSS in the synchronous communication model has received tremendous attention in the cryptographic research community. Nevertheless, recent interest in deploying secure distributed computing over the Internet requires going beyond the synchronous communication model and thoroughly investigating VSS in the asynchronous communication model.

In this work, we consider the communication complexity of asynchronous VSS in the computational setting for the optimal resilience of n = 3t + 1. The best known asynchronous VSS protocol by Cachin et al. has O(n^2) message complexity and O(kn^3) communication complexity, where k is a security parameter corresponding to the size of the secret. We close the linear complexity gap between these two measures for asynchronous VSS by presenting two protocols with O(n^2) message complexity and O(kn^2) communication complexity. Our first protocol satisfies the standard VSS definition, and can be used in stand-alone VSS scenarios as well as in applications such as Byzantine agreement. Our second and more intricate protocol satisfies a stronger VSS definition, and is useful in all VSS applications including multiparty computation and threshold cryptography.

16:17 [Pub][ePrint] Solving Subset Sum Problems of Density close to 1 by "randomized" BKZ-reduction, by Claus P. Schnorr and Taras Shevchenko

  Subset sum or knapsack problems of dimension $n$ are known to be hardest for knapsacks of density close to 1. These problems are NP-hard for arbitrary $n$. One can solve such problems either by lattice basis reduction or by optimized birthday algorithms. Recently Becker, Coron, Joux [BCJ10] presented a birthday algorithm that follows Schroeppel, Shamir [SS81], and Howgrave-Graham, Joux [HJ10]. This algorithm solves 50 random knapsacks of dimension 80 and density close to 1 in roughly 15 hours on a 2.67 GHz PC.

We present an optimized lattice basis reduction algorithm that follows Schnorr, Euchner [SE03] using the pruning of Schnorr, Hörner [SH95]. It solves such random knapsacks of dimension 80 on average in less than a minute, and 50 such problems altogether about 9.4 times faster and using much less space than [BCJ10] on another 2.67 GHz PC.

16:17 [Pub][ePrint] Biclique Cryptanalysis of Lightweight Block Ciphers PRESENT, Piccolo and LED, by Kitae Jeong and HyungChul Kang and Changhoon Lee and Jaechul Sung and Seokhie Hong

  In this paper, we evaluate the security of lightweight block ciphers PRESENT, Piccolo and LED against biclique cryptanalysis. To recover the secret key of PRESENT-80/128, our attacks require $2^{79.76}$ full PRESENT-80 encryptions and $2^{127.91}$ full PRESENT-128 encryptions, respectively. Our attacks on Piccolo-80/128 require computational complexities of $2^{79.13}$ and $2^{127.35}$, respectively. The attack on a $29$-round reduced LED-64 needs $2^{63.58}$ 29-round reduced LED-64 encryptions. In the cases of LED-80/96/128, we propose the attacks on two versions. First, to recover the secret key of $45$-round reduced LED-80/96/128, our attacks require computational complexities of $2^{79.45}, 2^{95.45}$ and $2^{127.45}$, respectively. To attack the full version, we require computational complexities of $2^{79.37}, 2^{95.37}$ and $2^{127.37}$, respectively. However, in these cases, we need the full codebook. These results are superior to known biclique cryptanalytic results on them.

16:17 [Pub][ePrint] Resolving the conflict between generality and plausibility in verified computation, by Srinath Setty and Benjamin Braun and Victor Vu and Andrew J. Blumberg and Bryan Parno and Michael Walfish

  The area of proof-based verified computation (outsourced computation built atop probabilistically checkable proofs and cryptographic machinery) has lately seen renewed interest. Although recent work has made great strides in reducing the overhead of naive applications of the theory, these schemes still cannot be considered practical. The core issue is that the work for the prover is immense, in general; it is near-practical only for hand-compiled computations that can be expressed in special forms.

This paper addresses that problem. Provided one is willing to batch verification, we develop a protocol that achieves the efficiency of the best manually constructed protocols in the literature yet applies to all

Our protocol is built on the observation that the recently-proposed QAPs of Gennaro et al. (ePrint 2012/215) yield a linear PCP that works with the efficient argument protocol of Setty et al. (ePrint 2012/598, Security 2012, NDSS 2012), itself based on the proposal of Ishai et al. (CCC 2007). The consequence is a prover whose total work is not much more than _linear_ in the running time of the computation. We implement the protocol in the context of a built system that includes a compiler and a parallel GPU implementation. The result, as indicated by an experimental evaluation, is a system that is _almost_ usable for real problems -- without special-purpose tailoring.