International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

2013-07-22
15:17 [Pub][ePrint] Secure Channel Coding Schemes based on Polar Codes, by Behnam Mafakheri, Taraneh Eghlidos, Hossein Pilaram

  In this paper, we propose two new frameworks for joint encryption encoding schemes based on polar codes, namely efficient and secure joint secret/public key encryption channel coding schemes. The issue of using new coding structure, i.e. polar codes in McEliece-like and RN-like schemes is addressed. Cryptanalysis methods show that the proposed schemes have an acceptable level of security with a relatively smaller key size in comparison with the previous works. The results indicate that both schemes provide an efficient error performance and benefit from the higher code rate which can approach to the channel capacity for large enough polar codes. The resulted characteristics of the proposed schemes make them suitable for high-speed communications, such as deep space communication systems.



15:17 [Pub][ePrint] Secret Disclosure attack on Kazahaya, a Yoking-Proof For Low-Cost RFID Tags, by Nasour Bagheri, Masoumeh Safkhani

  Peris-Lopez et al. recently provides some guidelines that should be followed to

design a secure yoking-proof protocol. In addition, conforming to those guidelines and

EPC C1 G2, they presented a yoking-proof for low-cost RFID tags, named Kazahaya. However,

in this letter, we scrutinize its security showing how an passive adversary can retrieve secret

parameters of patient\'s tag in cost of O(216) o-line PRNG evaluations. Given the tag\'s secret

parameters, any security claims are ruined. Nevertheless, to show other weaknesses of the

protocol and rule out any possible improvement by increasing the length of the used PRNG,

we presented a forgery attack that shows that a proof generated at time tn can be used to

forge a valid proof for any desired time tj . The success probability of this attack is `1\' and the

complexity is negligible.



14:28 [Job][New] Post-doc in e-voting and related research topics, Newcastle University, UK

  We are looking for a post-doc researcher to join a vibrant and growing team of security researchers at the Centre for Cybercrime and Computer Security (CCCS) at Newcastle University, UK. Newcastle University is recognized by EPSRC/GCHQ as one of the 11 Academic Centres of Excellence in Cyber Security Research in the country.

The post is supported by a five-year ERC Starting Grant on \\\"Self-enforcing Electronic Voting: Trustworthy Elections in the Presence of Corrupt Authorities\\\". The candidate should have a PhD in Computer Science, engineering or a related discipline, with a solid background in security. Previous research experience on e-voting is desirable but not required.

An ideal candidate would be the one who 1) has good understanding of theory; 2) has good practical skills; 3) has a keen interest to tackle real-world problems.



08:48 [Event][New] FSE'14: Fast Software Encryption 2014

  Submission: 12 November 2013
Notification: 18 January 2014
From March 3 to March 5
Location: London, United Kingdom
More Information: http://fse2014.isg.rhul.ac.uk




2013-07-19
00:17 [Pub][ePrint] On Fair Exchange, Fair Coins and Fair Sampling, by Shashank Agrawal and Manoj Prabhakaran

  We study various classical secure computation problems in the context of fairness, and relate them with each other. We also systematically study fair sampling problems (i.e., inputless functionalities) and discover three levels of complexity for them.

Our results include the following:

-Fair exchange cannot be securely reduced to the problem of fair coin-tossing by an r-round protocol, except with an error that is $\\Omega(1/r)$.

-Finite fair {\\em sampling} problems with rational probabilities can all be reduced to fair coin-tossing and unfair 2-party computation (or equivalently, under computational assumptions). Thus, for this class of functionalities, fair coin-tossing is complete.

-Only sampling problems which have fair protocols without any fair setup are the trivial ones in which the two parties can sample their outputs independently. Others all have an $\\Omega(1/r)$ error, roughly matching an upper bound for fair sampling from Moran et al.(TCC 2009).

-We study communication-less protocols for sampling, given another sampling problem as setup, since such protocols are inherently fair. We use spectral graph theoretic tools to show that it is impossible to reduce a sampling problem with {\\em common information} (like fair coin-tossing) to a sampling problem without (like \'noisy\' coin-tossing, which has a small probability of disagreement).

The last result above is a slightly sharper version of a classical result by Witsenhausen from 1975. Our proof reveals the connection between the tool used by Witsenhausen, namely \'maximal correlation\', and spectral graph theoretic tools like Cheeger inequality.



00:17 [Pub][ePrint] Optimally Anonymous and Transferable Conditional E-cash, by Jiangxiao Zhang. Hua Guo. Zhoujun Li. Chang Xu

  Transferable conditional electronic-cash (e-cash) allows a payer to spend an e-cash based on the outcome not known in advance. It also allows a payee to spend the e-cash to others, or deposit the e-cash to a bank based on the future outcome. Among security properties, the anonymity of the payer has been widely studied. However, the payer is linkable in the existing conditional e-cash schemes. This paper presents the first optimally anonymous and transferable conditional electronic-cash (e-cash) system based on two recent cryptographic primitives, i.e., the Groth-Sahai(GS) proof system

and the commuting signatures, to obtain the user\'s unlinkability and optimal anonymity. A publisher is introduced to publish the conditions, and is firstly formalized. By dividing the deposit protocol into two parts, the anonymity of the user is obtained in the deposit protocol. Compared with the existing conditional e-cash schemes, this scheme has the constant size for the computation and communication. Finally, we give the security proof in the standard model.





2013-07-18
21:17 [Pub][ePrint] Clustering Algorithms for Non-Profiled Single-Execution Attacks on Exponentiations, by Johann Heyszl and Andreas Ibing and Stefan Mangard and Fabrizio De Santis and Georg Sigl

  Most implementations of public key cryptography employ exponentiation algorithms. Side-channel attacks on secret exponents are typically bound to the leakage of single executions because of cryptographic protocols or side-channel countermeasures such as blinding. We propose a new class of algorithms, i.e. unsupervised cluster classification algorithms, to attack cryptographic exponentiations and recover secret exponents without any prior profiling or heuristic leakage models. Not requiring profiling is a significant advantage to attackers. In fact, the proposed non-profiled single-execution attack is able to exploit any available single-execution leakage and provides a straight-forward option to combine simultaneous measurements to improve the signal-to-noise ratio of available leakage. We present empirical results from attacking an elliptic curve scalar multiplication and exploit location-based leakage from high-resolution electromagnetic field measurements without prior profiling. Individual measurements lead to a sufficiently low remaining brute-force complexity of the secret exponent. An errorless recovery of the exponent is achieved after a combination of few measurements.



21:17 [Pub][ePrint] Pushing the Limits of SHA-3 Hardware Implementations to Fit on RFID, by Peter Pessl and Michael Hutter

  There exists a broad range of RFID protocols in literature that propose hash functions as cryptographic primitives. Since Keccak has been selected as the winner of the NIST SHA-3 competition in 2012, there is the question of how far we can push the limits of Keccak to fulfill the stringent requirements of passive low-cost RFID. In this paper, we address this question by presenting a hardware implementation of Keccak that aims for lowest power and lowest area. Our smallest (full-state) design requires only 2\\,927 GEs (for designs with external memory available) and 5\\,522 GEs (total size including memory). It has a power consumption of $12.5\\,\\mu$W at 1\\,MHz on a low leakage 130\\,nm CMOS process technology. As a result, we provide a design that needs 40\\,\\% less resources than related work. Our design is even smaller than the smallest SHA-1 and SHA-2 implementations.



21:17 [Pub][ePrint] Information Theoretic Security for Encryption Based on Conditional Renyi Entropies, by Mitsugu Iwamoto and Junji Shikata

  In this paper, information theoretic cryptography is discussed based on conditional Renyi entropies. Our discussion focuses not only on cryptography but also on the denitions of conditional Renyi entropies and the related information theoretic inequalities. First, we revisit conditional Renyi entropies, and clarify what kind of properties are required and actually satised. Then, we propose security criteria based on Renyi entropies, which suggests us deep relations between (conditional) Renyi entropies and error probabilities by using several guessing strategies. Based on these results, unied proof of impossibility, namely, the lower bounds of key sizes is derived based on conditional Renyi entropies. Our model and lower bounds include the Shannon\'s perfect secrecy, and the min-entropy based encryption presented by Dodis, and Alimomeni and Safavi-Naini. Finally, new optimal symmetric key cryptography and almost optimal secret sharing schemes are proposed which achieve our lower bounds.



21:17 [Pub][ePrint] On Stochastic Security of Java Crypto and NIST DRBG Pseudorandom Sequences, by Yongge Wang

  Cryptographic primitives such as secure hash functions

(e.g., SHA1, SHA2, and SHA3) and symmetric

key block ciphers (e.g., AES and TDES) have been commonly used

to design pseudorandom generators with counter modes

(e.g., in Java Crypto Library and in NIST SP800-90A standards).

It is assumed that if these primitives

are secure then the pseudorandom generators

based on these primitives are also secure. However,

no systematic research and analysis have been done

to support this assumption.

Based on complexity theoretic results for pseudorandom sequences,

this paper analyzes stochastic properties of long sequences

produced by hash function based pseudorandom generators DRBG from

NIST SP800-90A and SHA1PRNG from Java Crypto Library.

Our results show that none of these sequences satisfy the

law of the iterated logarithm (LIL) which holds

for polynomial time pseudorandom sequences. Our results also

show that if the seeds and counters for pseudorandom generators

are not appropriately chosen, then the generated sequences

have strongly biased values for LIL-tests

and could be distinguished from uniformly chosen sequences

with a high probability.

Based on these results, appropriate seeding and counter

methods are proposed for pseudorandom generator designs.

The results in this paper reveal some ``non-random\'\' behavior of

SHA1, SHA2, and of the recently announced SHA3.





2013-07-17
15:17 [Pub][ePrint] Fast Exhaustive Search for Quadratic Systems in $\\mathbb{F}_2$ on FPGAs --- Extended Version, by Charles Bouillaguet and Chen-Mou Cheng and Tung Chou and Ruben Niederhagen and Bo-Yin Yang

  In 2010, Bouillaguet et al. proposed an efficient solver for polynomial systems over $\\mathbb{F}_2$ that trades memory for speed. As a result, 48 quadratic equations in 48 variables can be solved on a graphics card (GPU) in 21 minutes. The research question that we would like to answer in this paper is how specifically designed hardware performs on this task. We approach the answer by solving multivariate quadratic systems on reconfigurable hardware, namely Field-Programmable Gate Arrays (FPGAs). We show that, although the algorithm proposed by Bouillaguet et al. has a better asymptotic time complexity than traditional enumeration algorithms, it does not have a better asymptotic complexity in terms of silicon area. Nevertheless, our FPGA implementation consumes 25 times less energy than their GPU implementation. This is a significant improvement, not to mention that the monetary cost per unit of computational power for FPGAs is generally much cheaper than that of GPUs.