Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) iacr.org. You can also receive updates via:
To receive your credentials via mail again, please click here.
You can also access the full news archive.
In this paper, we attempt at proving the new, unproved or partially proved biases amongst the above-mentioned ones. The theoretical proofs of these biases not only assert a scientific justification, but also discover intricate patterns and operations of the cipher associated with these biases. For example, while attempting the proof of a bias of the first output byte towards 129, we observe that this bias occurs prominently only for certain lengths of the secret key of RC4. In addition, our findings reveal that this bias may be related to the old and unsolved problem of ``anomalies\'\' in the distribution of the state array after the Key Scheduling Algorithm. In this connection, we prove the anomaly in $S_0 = 127$, a problem open for more than a decade.
Other than proving the new biases, we also complete the proof for the extended keylength dependent biases in RC4, a problem attempted and partially solved by Isobe, Ohigashi, Watanabe and Morii in FSE 2013. Our new proofs and observations in this paper, along with the connection to the older results, provide a comprehensive view on the state-of-the-art literature in RC4 cryptanalysis.
text, a session key is produced, which is required to be indistinguishable from random. Such a scheme can
provide public encryption functionality in combination with a symmetric encryption through the hybrid en-
cryption paradigm. The Boneh-Gentry-Waters scheme of 2005 proposed a broadcast scheme with constant-size
ciphertext. It is one of the most efficient broadcast encryption schemes regarding overhead size. In this work we
consider the improved scheme of Phan-Pointcheval-Shahandashi-Ste
er [PPSS12] which provides an adaptive
CCA broadcast encryption scheme. These two schemes may be tweaked to use bilinear pairings[DGS].
This document details our choices for the implementation of the PPSS scheme. We provide a complete golden sequence
of the protocol with efficient pairings (Tate, Ate and Optimal Ate). We target a 128-bit security
level, hence we use a BN-curve [BN06]. The aim of this work is to contribute to the use and the standardization of
PPSS scheme and pairings in concrete systems.
Dealing with these challenges, the contribution of this article is two-fold. Firstly, together with emergency practioners, we follow a participatory design approach. We define security requirements, patterns for efficient communication and derive a design proposal. Secondly, we devise a novel approach to multilaterally end-to-end secure, user-friendly attribute-based messaging for one-to-many communication. It builds on a hybrid encryption technique, which efficiently combines ciphertext-policy attribute-based encryption, location-based encryption and symmetric encryption. The hybrid encryption approach supports dynamic location attributes as user-friendly selectors for targeted messaging with dynamic groups of mobile and anonymous receivers. The achieved security of the approach and concrete application scenarios are discussed.
a technique for remote authentication of objects. The security
is based on basic quantum information theoretic principles
and the assumption that the adversary cannot efficiently implement arbitrary unitary transformations.
We analyze the security of QR-PUF schemes in the case where
each challenge consists of precisely $n$ quanta and the dimension $K$ of the Hilbert space is larger than $n^2$.
We consider a class of attacks where the adversary first tries to learn as much as possible about the challenge and then bases his response on his estimate of the challenge.
For this class of attacks we derive an upper bound on the adversary\'s success probability as a function of $K$ and~$n$.
1. Design a protocol for a small number of parties (say, 3 or 4)
which achieves security against a single corrupted party. Such
protocols are typically easy to construct as they may employ
techniques that do not scale well with the number of corrupted
2. Recursively compose with itself to obtain an efficient n-party
protocol which achieves security against a constant fraction of
The second step of our approach combines the player emulation
technique of Hirt and Maurer (J. Cryptology, 2000) with
constructions of logarithmic-depth formulae which compute
threshold functions using only constant fan-in threshold gates.
Using this approach, we simplify and improve on previous results
in cryptography and distributed computing. In particular:
- We provide conceptually simple constructions of efficient
protocols for Secure Multiparty Computation (MPC) in the
presence of an honest majority, as well as broadcast protocols
from point-to-point channels and a 2-cast primitive.
- We obtain new results on MPC over blackbox groups and other
The above results rely on the following complexity-theoretic
contributions, which may be of independent interest:
- We show that for every integers j,k such that m = (k-1)/(j-1)
is an integer, there is an explicit (poly(n)-time) construction
of a logarithmic-depth formula which computes a good
approximation of an (n/m)-out-of-n threshold function using only
j-out-of-k threshold gates and no constants.
- For the special case of n-bit majority from 3-bit majority
gates, a non-explicit construction follows from the work of
Valiant (J. Algorithms, 1984). For this special case, we provide
an explicit construction with a better approximation than for the
general threshold case, and also an exact explicit construction
based on standard complexity-theoretic or cryptographic
In this paper, we aim to bridge this fundamental gap. Our main result is a quantitative connection between a bound on the EDP of differential characteristics and the highest
number of input pairs that actually satisfy a characteristic for a fixed key. This is particularly important for the design of permutation-based hash functions such as sponge functions, where the EDP value itself is not informative for the absence of rekeying. We apply our theoretical result to revisit the security arguments of some prominent recent block ciphers and hash functions. For most of those, we have good news: a characteristic is followed by a small number of pairs only. For Keccak, though, currently much more rounds would be needed for our technique to guarantee any reasonable maximum number of pairs.
Thus, our work --- for the first time --- sheds light on the fixed-key differential behaviour of block ciphers in general and substitution-permutation networks in particular which has been a long-standing fundamental problem in symmetric-key cryptography.