International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Sequential message authentication code without random oracles, by Bin Wang and Xiaojing Hong

  Katz et al. provided a generic transform to construct aggregate message authentication codes and imposed a lower bound on the length of one aggregate MAC tag. The lower bound shows that the required tag length is at least linear with the number of messages when fast verification such as constant or logarithmic computation overhead is required. Aggregate message authentication codes are useful in settings such as mobile ad-hoc networks where devices are resource-constrained and energy cost is at a premium. In this paper, we introduce the notion of sequential aggregate message authentication code (SAMAC). We present a security model for this notion under unforgeability against chosen message and verification query attack and construct an efficient SAMAC scheme by extending a number-theoretic MAC construction due to Dodis et al. We prove the security of our SAMAC scheme under the CDH assumption in the standard model. Our SAMAC scheme improves the lower bound with the help of the underlying algebraic structure. Performance analysis shows that our SAMAC scheme yields constant computation for the verifier as well as fixed length for one aggregate.

15:17 [Pub][ePrint] Implementing Lightweight Block Ciphers on x86 Architectures, by Ryad Benadjila and Jian Guo and Victor Lomné and Thomas Peyrin

  Lightweight block ciphers are designed so as to fit into very constrained environments, but usually not really with software performance in mind. For classical lightweight applications where many constrained devices communicate with a server, it is also crucial that the cipher has good software performance on the server side. Recent work has shown that bitslice implementations applied to Piccolo and PRESENT led to very good software speeds, thus making lightweight ciphers interesting for cloud applications. However, we remark that bitslice implementations might not be interesting for some situations, where the amount of data to be enciphered at a time is usually small, and very little work has been done on non-bitslice implementations.

In this article, we explore general software implementations of lightweight ciphers on x86 architectures, with a special focus on LED, Piccolo and PRESENT. First, we analyze table-based implementations, and we provide a theoretical model to predict the behavior of various possible trade-offs depending on the processor cache latency profile. We obtain the fastest table-based implementations for our lightweight ciphers, which is of interest for legacy processors. Secondly, we apply to our portfolio of primitives the vperm implementation trick for 4-bit Sboxes, which gives good performance, extra side-channels protection, and is quite fit for many lightweight primitives. Finally, we investigate bitslice implementations, analyzing various costs which are usually neglected (bitsliced form (un)packing, key schedule, etc.), but that must be taken in account for many lightweight applications. We finally discuss which type of implementation seems to be the best suited depending on the applications profile.

15:17 [Pub][ePrint] Weakness of $\\mbox{${\\mathbb F}$}_{3^{6 \\cdot 509}}$ for Discrete Logarithm Cryptography, by Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodr\\\'iguez-Henr\\\'iquez

  In 2013, Joux, and then Barbulescu, Gaudry, Joux and Thom\\\'{e},

presented new algorithms for computing discrete logarithms in finite

fields of small and medium characteristic. We show that these new

algorithms render the finite field $\\Fmain = \\FF_{3^{3054}}$ weak for

discrete logarithm cryptography in the sense that discrete logarithms

in this field can be computed significantly faster than with the

previous fastest algorithms. Our concrete analysis shows that the

supersingular elliptic curve over $\\FF_{3^{509}}$ with embedding degree

6 that had been considered for implementing pairing-based cryptosystems

at the 128-bit security level in fact provides only a significantly

lower level of security.

15:17 [Pub][ePrint] Dynamic Runtime Methods to Enhance Private Key Blinding, by Karine Gandolfi-Villegas and Nabil Hamzi

  In this paper we propose new methods to blind exponents

used in RSA and in elliptic curves based algorithms. Due to classical

differential power analysis (DPA and CPA), a lot of countermeasures to

protect exponents have been proposed since 1999 Kocher [20] and by

Coron [13]. However, these blinding methods present some drawbacks

regarding execution time and memory cost. It also got some weaknesses.

Indeed they could also be targeted by some attacks such as The Carry

Leakage on the Randomized Exponent proposed by P.A. Fouque et al.

in [23] or inefficient against some others analysis such as Single Power

Analysis. In this article, we explain how the most used method could

be exploited when an attacker can access test samples. We target here

new dynamic blinding methods in order to prevent from any learning

phase and also to improve the resistance against the latest side channel

analyses published.

15:17 [Pub][ePrint] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack, by Yuval Yarom and Katrina Falkner

  Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs executing in a different VM.

15:17 [Pub][ePrint] A Note On the Storage Requirement for AKS Primality Testing Algorithm, by Zhengjun Cao

  We remark that AKS primality testing algorithm needs about 1,000,000,000 G (gigabyte) storage space for a number of 1024 bits. Such storage requirement is hard to meet in practice. To the best of our knowledge, it is impossible for current operating systems to write and read data in so huge storage space. Thus, the running time for AKS algorithm shuould not be simply estimated as usual in terms of the amount of arithmetic operations.

15:17 [Pub][ePrint] Revisiting the BGE Attack on a White-Box AES Implementation, by Yoni De Mulder and Peter Roelse and Bart Preneel

  White-box cryptography aims to protect the secret key of a cipher in an environment in which an adversary has full access to the implementation of the cipher and its execution environment. In 2002, Chow, Eisen, Johnson and van Oorschot proposed a white-box implementation of AES. In 2004, Billet, Gilbert and Ech-Chatbi presented an efficient attack (referred to as the BGE attack) on this implementation, extracting its embedded AES key with a work factor of $2^{30}$. In 2012, Tolhuizen presented an improvement of the most time-consuming phase of the BGE attack. This paper presents several improvements to the other phases of the BGE attack. The paper shows that the overall work factor of the BGE attack is reduced to $2^{22}$ when all improvements are implemented. In 2010, Karroumi presented a white-box AES implementation that is designed to withstand the BGE attack. This paper shows that the implementations of Karroumi and Chow \\emph{et al.} are the same. As a result, Karroumi\'s white-box AES implementation is vulnerable to the attack it was designed to resist.

15:17 [Pub][ePrint] Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits, by Sanjam Garg and Craig Gentry and Shai Halevi and Mariana Raykova and Amit Sahai and Brent Waters

  In this work, we study indistinguishability obfuscation and functional encryption for general circuits:

Indistinguishability obfuscation requires that given any two equivalent circuits C_0 and C_1 of similar size, the obfuscations of C_0 and C_1 should be computationally indistinguishable.

In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SK_C to decrypt a ciphertext CT_x = Enc(x), yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually.

We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps:

- We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.

- We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits.

- Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The functional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications.

15:17 [Pub][ePrint] Secure Channel Coding Schemes based on Polar Codes, by Behnam Mafakheri, Taraneh Eghlidos, Hossein Pilaram

  In this paper, we propose two new frameworks for joint encryption encoding schemes based on polar codes, namely efficient and secure joint secret/public key encryption channel coding schemes. The issue of using new coding structure, i.e. polar codes in McEliece-like and RN-like schemes is addressed. Cryptanalysis methods show that the proposed schemes have an acceptable level of security with a relatively smaller key size in comparison with the previous works. The results indicate that both schemes provide an efficient error performance and benefit from the higher code rate which can approach to the channel capacity for large enough polar codes. The resulted characteristics of the proposed schemes make them suitable for high-speed communications, such as deep space communication systems.

15:17 [Pub][ePrint] Secret Disclosure attack on Kazahaya, a Yoking-Proof For Low-Cost RFID Tags, by Nasour Bagheri, Masoumeh Safkhani

  Peris-Lopez et al. recently provides some guidelines that should be followed to

design a secure yoking-proof protocol. In addition, conforming to those guidelines and

EPC C1 G2, they presented a yoking-proof for low-cost RFID tags, named Kazahaya. However,

in this letter, we scrutinize its security showing how an passive adversary can retrieve secret

parameters of patient\'s tag in cost of O(216) o-line PRNG evaluations. Given the tag\'s secret

parameters, any security claims are ruined. Nevertheless, to show other weaknesses of the

protocol and rule out any possible improvement by increasing the length of the used PRNG,

we presented a forgery attack that shows that a proof generated at time tn can be used to

forge a valid proof for any desired time tj . The success probability of this attack is `1\' and the

complexity is negligible.

14:28 [Job][New] Post-doc in e-voting and related research topics, Newcastle University, UK

  We are looking for a post-doc researcher to join a vibrant and growing team of security researchers at the Centre for Cybercrime and Computer Security (CCCS) at Newcastle University, UK. Newcastle University is recognized by EPSRC/GCHQ as one of the 11 Academic Centres of Excellence in Cyber Security Research in the country.

The post is supported by a five-year ERC Starting Grant on \\\"Self-enforcing Electronic Voting: Trustworthy Elections in the Presence of Corrupt Authorities\\\". The candidate should have a PhD in Computer Science, engineering or a related discipline, with a solid background in security. Previous research experience on e-voting is desirable but not required.

An ideal candidate would be the one who 1) has good understanding of theory; 2) has good practical skills; 3) has a keen interest to tackle real-world problems.