International Association for Cryptologic Research

IACR News Central


10:17 [Pub][ePrint] A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol, by Christian L. F. Corniaux and Hossein Ghodosi

  In the various 1-out-of-$n$ distributed oblivious transfer (DOT) protocols designed in an unconditionally secure environment, a receiver contacts $k$ out of $m$ servers to obtain one of the $n$ secrets held by a sender. After a protocol has been executed, the sender has no information on the choice of the receiver and the receiver has no information on the secrets she did not obtain. Likewise, a coalition of $k - 1$ servers is unable to infer any information, neither on the sender's secrets nor on the receiver's choice.

These protocols are based on a semi-honest model: no mechanism prevents a group of malicious servers from disrupting the protocol so that the secret obtained by the receiver does not correspond to the chosen secret. In fact, verifying the information transmitted by the servers seems to require properties that are difficult to reconcile: on one hand, the receiver has to collect more information from the servers to discard the incorrect data generated by the malicious servers; on the other hand, if the receiver is allowed to gather more information from the servers, the sender's security may be compromised.

We study the first unconditionally secure DOT protocol in the presence of an active adversary who may corrupt up to $k - 1$ servers. In addition to the active adversary, we also assume that the sender may (passively) corrupt up to $k - 1$ servers to learn the choice of the receiver. Similarly, the receiver may (passively) corrupt up to $k - 1$ servers to learn more than the chosen secret. However, we assume that the sender, receiver, and active adversary do not collaborate with each other. Our DOT protocol allows the receiver to contact $4k - 3$ servers to obtain one secret, while the required security is maintained.

10:17 [Pub][ePrint] Lightweight Zero-Knowledge Proofs for Crypto-Computing Protocols, by Sven Laur and Bingsheng Zhang

  Crypto-computing is a set of well-known techniques for computing with encrypted data. The security of the corresponding protocols is usually proven in the semi-honest model. In this work, we propose a new class of zero-knowledge proofs, which are tailored for crypto-computing protocols. First, these proofs directly employ properties of the underlying cryptosystems, and thus many facts have more concise proofs compared to generic solutions. Second, we show how to achieve universal composability in the trusted set-up model where all zero-knowledge proofs share the same system-wide parameters. Third, we derive a new protocol for multiplicative relations and show how to combine it with several crypto-computing frameworks to get security in the malicious model.

10:17 [Pub][ePrint] Instantiating Treeless Signature Schemes, by Patrick Weiden and Andreas Hülsing and Daniel Cabarcas and Johannes Buchmann

  We study the efficiency of the treeless signature schemes [Lyu08], [Lyu09], [Lyu12] and evaluate their practical performance. We explain how to implement them, e.g., how to realize discrete Gaussian sampling and how to instantiate the random oracles. Our software implementation as well as extensive experimental results are presented. In particular, we compare the treeless signature schemes with currently used schemes and other post-quantum signature schemes. As the experimental data shows non-competitiveness, a discussion of possible improvements concludes the paper.

08:52 [Event][New] ICICS'13: 15th International Conference on Information and Communications Security

  Submission: 5 June 2013
Notification: 24 July 2013
From November 20 to November 22
Location: Beijing, China
More Information:

07:46 [Event][New] SSTiC 2013: International Summer School on Trends in Computing

  From July 22 to July 26
Location: Tarragona, Spain
More Information:

19:17 [Pub][ePrint] Cryptanalysis of the Dragonfly Key Exchange Protocol, by Dylan Clarke and Feng Hao

  Dragonfly is a password authenticated key exchange protocol that has been submitted to the Internet Engineering Task Force as a candidate standard for general internet use. We analyzed the security of this protocol and devised an attack that is capable of extracting both the session key and password from an honest party. This attack was then implemented and experiments were performed to determine the time-scale required to successfully complete the attack.

19:17 [Pub][ePrint] Optimized GPU Implementation and Performance Analysis of HC Series of Stream Ciphers, by Ayesha Khalid and Deblin Bagchi and Goutam Paul and Anupam Chattopadhyay

  The ease of programming offered by the CUDA programming model attracted a lot of programmers to try the platform for acceleration of many non-graphics applications. Cryptography, being no exception, also found its share of exploration efforts, especially block ciphers. In this contribution we present a detailed walk-through of effective mapping of HC-128 and HC-256 stream ciphers on GPUs. Due to inherent inter-S-Box dependencies, intra-S-Box dependencies and a high number of memory accesses per keystream word generation, parallelization of HC series of stream ciphers remains challenging. For the first time, we present various optimization strategies for HC-128 and HC-256 speedup in tune with CUDA device architecture. The peak performance achieved with a single data-stream for HC-128 and HC-256 is 0.95 Gbps and 0.41 Gbps respectively. Although these throughput figures do not beat the CPU performance (10.9 Gbps for HC-128 and 7.5 Gbps for HC-256), our multiple parallel data-stream implementation is benchmarked to reach approximately 31 Gbps for HC-128 and 14 Gbps for HC-256 (with 32768 parallel data-streams). To the best of our knowledge, this is the first reported effort of mapping HC-Series of stream ciphers on GPUs.

19:17 [Pub][ePrint] On FHE without bootstrapping, by Aayush Jain

  In this work we come up with two fully homomorphic schemes.

First, we propose an IND-CPA secure symmetric key homomorphic encryption scheme using a multivariate polynomial ring over finite fields. This scheme gives a method of constructing a CPA secure homomorphic encryption scheme from another symmetric deterministic CPA secure scheme. We base the security of the scheme on information-theoretic arguments and prove the scheme to be IND-CPA secure, rather than basing security on hard problems like Ideal Membership and Gröbner basis as seen in most Polly Cracker based schemes, which also use multivariate polynomial rings. This scheme is not compact but has many interesting properties. Second, we also describe another similar symmetric key scheme which is compact, fully homomorphic and doesn't require bootstrapping. The scheme is along the lines of the work of Albrecht (Asiacrypt 2011) and is proven to be bounded CPA secure. The proof is based on the Ideal Membership / Ideal Remainder / Gröbner basis problem.

19:17 [Pub][ePrint] On the Indifferentiability of Key-Alternating Ciphers, by Elena Andreeva and Andrey Bogdanov and Yevgeniy Dodis and Bart Mennink and John P. Steinberger

  The Advanced Encryption Standard (AES) is the most widely used block cipher. The high level structure of AES can be viewed as a (10-round) key-alternating cipher, where a t-round key-alternating cipher KA_t consists of a small number $t$ of fixed permutations P_i on n bits, separated by key addition:

KA_t(K,m)= k_t + P_t(... k_2 + P_2(k_1 + P_1(k_0 + m))...),

where (k_0,...,k_t) are obtained from the master key K using some key derivation function.

For t=1, KA_1 collapses to the well-known Even-Mansour cipher, which is known to be indistinguishable from a (secret) random permutation, if P_1 is modeled as a (public) random permutation. In this work we seek stronger security of key-alternating ciphers --- indifferentiability from an ideal cipher --- and ask the question: under which conditions on the key derivation function, and for how many rounds t, is the key-alternating cipher KA_t indifferentiable from the ideal cipher, assuming P_1,...,P_t are (public) random permutations?

As our main result, we give an affirmative answer for t=5, showing that the 5-round key-alternating cipher KA_5 is indifferentiable from an ideal cipher, assuming P_1,...,P_5 are five independent random permutations, and the key derivation function sets all round keys k_i=f(K), where 0
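The KA_t construction from the abstract above, as an added toy example that is not part of the paper or the news item: the public permutations P_i are constructed seeded lookup tables on an 8-bit block (an assumption; the paper's model treats them as ideal random permutations on n bits), "+" is XOR, and the key derivation f is assumed to be the identity, since the condition the abstract places on f is cut off on the page. The t=1 case is checked against the Even-Mansour formula k_1 + P_1(k_0 + m).

```python
import random

N_BITS = 8  # toy block size n; the paper's setting is a generic n (AES: n = 128)


def random_permutation(n_bits, rng):
    """Constructed stand-in for a public random permutation P_i on n-bit values:
    a shuffled lookup table plus its inverse (needed for decryption)."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def build_ka(t, seed=2013):
    """t independent constructed permutations P_1..P_t from one seeded generator."""
    rng = random.Random(seed)
    perms, inverses = zip(*(random_permutation(N_BITS, rng) for _ in range(t)))
    return list(perms), list(inverses)


def derive_round_keys(master_key, t, f=lambda K: K):
    """Key derivation of the abstract's main result: every round key k_i = f(K),
    i = 0..t. The choice f = identity is an assumption made for this example."""
    return [f(master_key) for _ in range(t + 1)]


def ka_encrypt(perms, round_keys, m):
    """KA_t(K,m) = k_t + P_t(... k_2 + P_2(k_1 + P_1(k_0 + m)) ...), with + as XOR."""
    x = m ^ round_keys[0]
    for P, k in zip(perms, round_keys[1:]):
        x = P[x] ^ k
    return x


def ka_decrypt(inverses, round_keys, c):
    """Undo the rounds in reverse order with the inverse permutations."""
    x = c
    for P_inv, k in zip(reversed(inverses), reversed(round_keys[1:])):
        x = P_inv[x ^ k]
    return x ^ round_keys[0]


def even_mansour(P, k0, k1, m):
    """The t = 1 case named in the abstract: c = k_1 + P_1(k_0 + m)."""
    return P[m ^ k0] ^ k1
```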

16:53 [Job][New] PhD Positions, Vernam Lab at WPI, Worcester, MA

  PhD Positions in Applied Cryptology

The Vernam Lab at WPI in Worcester, MA has open PhD positions in applied cryptology. In particular, there are two openings in side channel analysis and countermeasure design and implementation.

Candidates should have a Master’s degree in electronics, computer science or applied mathematics, with strong interest in algorithms and signal processing. Prior experience in side channel analysis and embedded software or hardware design is an asset.

We offer a competitive salary and an international cutting-edge research program in an attractive working environment in the greater Boston area. WPI is one of the highest-ranked technical colleges in the US.

16:17 [Pub][ePrint] Cryptanalysis and Improvement of Akleylek et al.'s cryptosystem, by Roohallah Rastaghi

  Akleylek et al. [S. Akleylek, L. Emmungil and U. Nuriyev, Algorithm for peer-to-peer security, Journal of Appl. Comput. Math., Vol. 6(2), pp. 258-264, 2007] introduced a modified algorithm with a steganographic approach for security in peer-to-peer (P2P) networks. In this cryptosystem, Akleylek et al. attempt to increase the security of the P2P network by connecting the ElGamal cryptosystem with the knapsack problem. We show that this combination leaks security and makes the hybrid cryptosystem vulnerable to a "ciphertext only attack". Thus, in the network, an attacker can apply this attack and simply recover the original message (plaintext) from any challenge ciphertext. Moreover, we show that the receiver cannot decrypt the ciphertext in polynomial time, and so the proposed cryptosystem is completely impractical. We modify this cryptosystem to increase security and efficiency.