International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:17 [Pub][ePrint] Optimal Suspicion Functions for Tardos Traitor Tracing Schemes, by Jan-Jaap Oosterwijk and Boris Skoric and Jeroen Doumen

  We investigate alternative suspicion functions for Tardos traitor tracing schemes. In the simple decoder approach (computation of a score for every user independently) we derive suspicion functions that optimize a performance indicator related to the sufficient code length $\\ell$ in the limit of large coalition size $c$. Our results hold for the Restricted-Digit Model as well as the Combined-Digit Model. The scores depend on information that is usually not available

to the tracer -- the attack strategy or the tallies of the symbols received by the colluders. We discuss how such results can be used in realistic contexts.

We study several combinations of coalition attack strategy vs. suspicion function optimized against some attack (another attack or the same). In many of these combinations the usual scaling $\\ell \\propto c^2$ is replaced by a lower power of $c$, e.g. $c^{3/2}$. We find that the interleaving strategy is an especially

powerful attack, and the suspicion function tailored against interleaving is effective against all considered attacks.

06:17 [Pub][ePrint] MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions, by Tore Kasper Frederiksen and Thomas Pelle Jakobsen and Jesper Buus Nielsen and Peter Sebastian Nordholt and Claudio Orlandi

  One of the main tools to construct secure two-party computation protocols are Yao garbled circuits. Using the cut-and-choose technique, one can get reasonably efficient Yao-based protocols with security against malicious adversaries. At TCC 2009, Nielsen and Orlandi suggested to apply cut-and-choose at the gate level, while previously cut-and-choose was applied on the circuit as a whole. This appealing idea allows for a speed up with practical significance (in the order of the logarithm of the size of the circuit) and has become known as the ``LEGO\'\' construction. Unfortunately the construction by Nielsen and Orlandi is based on a specific number-theoretic assumption and requires public-key operations per gate of the circuit.

The main technical contribution of this work is a new XOR-homomorphic commitment scheme based on oblivious transfer, that we use to cope with the problem of connecting the gates in the LEGO construction. Our new protocol has the following advantages:



It maintains the efficiency of the LEGO cut-and-choose.


After a number of seed oblivious transfers linear in the security parameter, the construction uses only primitives from Minicrypt (i.e., private-key cryptography) per gate in the circuit (hence the name MiniLEGO).


On the contrary of original LEGO, MiniLEGO is compatible with all known optimization for Yao garbled gates (row reduction, free-XORs, point-and-permute).


03:17 [Pub][ePrint] High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition, by Joppe W. Bos and Craig Costello and Huseyin Hisil and Kristin Lauter

  This paper explores the potential for using genus~2 curves over quadratic extension fields in cryptography, motivated by the fact that they allow for an 8-dimensional scalar decomposition when using a combination of the GLV/GLS algorithms. Besides lowering the number of doublings required in a scalar multiplication, this approach has the advantage of performing arithmetic operations in a 64-bit ground field, making it an attractive candidate for embedded devices. We found cryptographically secure genus 2 curves which, although susceptible to index calculus attacks, aim for the standardized 112-bit security level. Our implementation results on both high-end architectures (Ivy Bridge) and low-end ARM platforms (Cortex-A8) highlight the practical benefits of this approach.

11:24 [Job][New] Ph.D. studentships, Royal Holloway, University of London, UK


The Information Security Group (ISG) at Royal Holloway, University of London is looking for outstanding young graduates to fill 10 well-funded doctoral studentships in Cyber Security starting in October 2013.

The ISG is one of the largest and longest-established academic research groups working in cyber security, with a community of 15 academic staff, 10 postdocs and 40 PhD students. The ISG has a wide range of research interests related to cyber security, including the basic components of security services, such as cryptographic algorithms and trusted hardware; management of cryptographic keys; the correctness of the design and implementation of security protocols; the design of security services for embedded systems, business information systems, telecommunications networks and critical infrastructure; the detection and analysis of malware; and the study of economics, psychology, organizational theory, design theory and sociology in the context of information and cyber security.

We will consider applications from candidates with undergraduate and master\\\'s qualifications in a wide range of disciplines, including, but not limited to, mathematics, computer science, and electrical and electronic engineering. Funding is provided by the EPSRC (the UK Engineering and Physical Sciences Research Council), so full studentships are available to UK residents only (see for further details).

Further details of the research interests of the ISG can be found at Informal enquiries about the studentships can be made to Dr Carlos Cid, Prof. Jason Crampton, Prof. Keith Martin or Prof. Kenny Paterson ({carlos.cid,jason.crampton,keith.martin,kenny.paterson} Further information about applying for the PhD programme at Royal Holloway is available at


  In this paper we present a new method of choosing primitive elements for Brezing-Weng families of pairing friendly elliptic curves with small rho-value, and we improve on previously-known best rho-values of families for the cases k=16, 22, 28 and 46. Our construction uses fixed discriminants.

06:17 [Pub][ePrint] An architecture for practical actively secure MPC with dishonest majority, by Marcel Keller and Peter Scholl and Nigel P. Smart

  We present a runtime environment for executing secure programs via a multi-party computation protocol in the preprocessing model. The runtime environment is general and allows arbitrary reactive computations to be performed. A particularly novel aspect is that it automatically determines the minimum number of rounds needed for a computation, and uses this to minimize the overall cost of the computation. Various experiments are reported on, on various non-trivial functionalities. We show how, by utilizing the ability of modern processors to execute multiple threads at a time, one can obtain various tradeoffs between latency and throughput.

06:17 [Pub][ePrint] On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes, by Gordon Procter and Carlos Cid

  Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega\'s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen\'s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the eld in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.

06:17 [Pub][ePrint] Key Wrapping with a Fixed Permutation, by Dmitry Khovratovich

  We present an efficient key wrapping scheme that uses a single wide permutation and does not rely on block ciphers. The scheme is capable of wrapping keys up to 1400 bits long and processing arbitrarily long headers. Our scheme easily delivers the security level of 128 bits or higher with the master key of the same length. The permutation can be taken from the sponge hash functions such as SHA-3 (Keccak), Quark, Photon, Spongent.

We also present a simple proof of security within the concept of Deterministic Authenticated Encryption (DAE) introduced by Rogaway and

Shrimpton. We extend the setting by allowing the adversary to query the permutation and following the indifferentiability setting in the security proof of the sponge construction.

00:17 [Pub][ePrint] Rethinking Definitions of Security for Session Key Agreement, by Wesley George and Charles Rackoff

  We consider session key agreement (SKA) protocols operating in a public key infrastructure, with pre-specified peers, that take no session ID as input, and output only a session key. Despite much work on SKA, we argue that there is no good definition of security for this (very natural) protocol syntax. The difficulty is that in this setting the adversary may not be able to tell which processes share a key, and thus which session keys may be revealed without trivializing the security condition.

We consider security against adversaries that control all network traffic, can register arbitrary public keys, and can retrieve session keys. We do not attempt to mitigate damage from hardware failures, such as session-state compromise, as we aim to improve our understanding of this simpler setting. We give two natural but substantially different game based definitions of security and prove that they are equivalent. Such proofs are rare for SKA. The bulk of this proof consists of showing that, for secure protocols, only compatible processes can be made to share a key. This property is very natural but surprisingly subtle. For comparison, we give a version of our definition in which processes output session IDs and we give strong theorems relating these two types of definitions.

00:17 [Pub][ePrint] Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures, by Marc Fischlin and Nils Fleischhacker

  We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Pailler and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, we call *single-instance* reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions.

Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a ``meta-meta-reduction\'\' against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.

00:17 [Pub][ePrint] Non-isomorphic Biclique Cryptanalysis and Its Application to Full-Round mCrypton, by M. Shakiba and M. Dakhilalian and H. Mala

  Biclique attack, is a new cryptanalytic technique which brings new tools from the area of hash functions to the area of block cipher cryptanalysis. Till now, this technique is the only one able to analyze the full-round AES cipher in a single key scenario. In this paper, we introduce non-isomorphic biclique attack, a modified version of the original biclique attack. In this attack we obtain isomorphic groups of bicliques, each group contains several non-isomorphic bicliques of different dimensions. Actually, these bicliques are the results of an asymmetric key partitioning which is done according to two sets of key differences. Using this technique it is possible to get a chance to expand the length of bicliques or mount an attack with less data complexity. We found out the lightweight block cipher mCrypton is an appropriate candidate to be analyzed with this technique and bicliques up to five rounds can be constructed for this block cipher. Furthermore, we use two additional minor techniques, including pre-computation/re-computation in the bicliques construction and early abort technique in the matching stage, as well as a property observed in the diffusion layer of mCrypton to obtain more improvements for the complexity of our attacks on full-round mCrypton-96 and mCrypton-128.