International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

04:17 [Pub][ePrint] Fast Software Implementation of Binary Elliptic Curve Cryptography, by Manuel Bluhm and Shay Gueron

  This paper presents an efficient and side channel protected software implementation of point multiplication for the standard NIST and SECG binary elliptic curves. The enhanced performance is achieved by improving the L\\`{o}pez-Dahab/Montgomery method at the algorithmic level, and by leveraging Intel\'s AVX architecture and the pclmulqdq processor instruction at the coding level.

The fast carry-less multiplication is further used to speed up the reduction on the newest Haswell platforms.

For the five NIST curves over $GF(2^m)$ with $m$ $\\in$ $\\{163,233,283,409,571\\}$, the resulting point multiplication implementation is about 6 to 12 times faster than that of OpenSSL-1.0.1e, enhancing the ECDHE and ECDSA algorithms significantly.

04:17 [Pub][ePrint] Dipl.-Math., by Jürgen Müller


\\hspace{0,3 cm}\\=\\hspace{0,7 cm}\\=\\hspace{8 cm}\\=\\kill

Kernel of the symmetric block ciphering methods presented here is the coupling of XOR operations\\\\

and of invertible substitution tables S with all possible 256$^{t}$ byte groups (with t=1, 2, 3, ... bytes,\\\\

fixed at the beginning) being derived from keys:\\\\

\\>\\>\\textbf{K}(block) := S(S(block) $\\otimes$ E$_{o}$) $\\otimes$ E$_{u}$ with\\\\

-\\> E$_{o}$ upper and E$_{u}$ lower triangular (byte-group-)matrix with (byte-block-length/t)$^{2}$ values,\\\\

\\> value 1 at all non-zero positions,\\\\

-\\> $\\oplus$ the byte-group-wise addition without carry (\'xor\'; \'not xor\' is possible too),\\\\

-\\> $\\otimes$ the (vector) multiplication which belongs to $\\oplus$.\\\\

Variable block lengths (v$\\cdot$t or (mod t)$>$0) are possible. This kernel can be applied n-times:\\\\

\\>\\>\\textbf{K}$_{\\textbf{n}}$(block) := K(...K(block)...) with n K-operations, in which n can be variable.\\\\

Because XOR operations and S-tables only operate in a useful manner if \'block\' is not to\\\\

\"{}homogeneous\"{} and for safety, two further components are determined from keys\\\\

\\>\\>- parameters of 2 pseudo random processes,\\>- operation key\\\\

used at beginning and at end to get a ciphered block:\\\\

\\>\\>\\textbf{cblock} := S(ZZ$_{2}$ $\\oplus$ S(Op$_{E}$ $\\oplus$ S(K$_{n}$(Op$_{A}$ $\\oplus$ S(ZZ$_{1}$ $\\oplus$ S(block)))))) with\\\\

-\\> ZZ$_{1}$ and ZZ$_{2}$ are the bytes of the 1. and 2. pseudo random number process in block length,\\\\

-\\> Op$_{A}$ and Op$_{E}$ is the (1./front and 2./back part of the or multiple of the) operation key.


An initial key is first expanded to t$\\cdot$256$^{t}$ bytes (all further keys have this size too) and can be modified so the result key does not statistically differ from a random key.

Using an invertible S-table, the value (modulo n) of only as much consecutive bits of a key as to represent the number n-1 is determined to shift the last n S-table elements cyclically in accordance with this value, n=2 to 256$^{t}$. So all such 256$^{t}$! tables can be generated by the top bits of all possible keys and have length of t$\\cdot$256$^{t}$ bytes.

The byte-group-value +1 at a position of a S-table determines the byte-group in the key from which up 2$\\cdot$7 bytes are used to initialize two floating point numbers (IEEE 754) for a pseudo random process. Floating point numbers are initialized again if a process will be cyclic.\\\\


Idea is, to modify (operation) keys similar to data blocks to generate and use more or less continual new S-tables, new pseudo random processes, and new operation keys during ciphering data.

Inspections show that in spite of knowledge of 2 of the 3 components S-table, pseudo random parameters, and operation key as well as the knowledge of original and ciphered data it can not infer the missing 3. component if component modifications are carried out \"{}some time\"{}.

As well it is shown that by knowledge of the 3 components generated by a key the key itself can not be inferred (because of usage of interim operation keys). That is compromising of data and with that of components does not concern data ciphered before component-changing to the compromised components. By add-on usage of separate components only for the modifications of keys, it will be guaranteed that data sections ciphered after a component-changing started from compromised components are not compromised automatically.

Because of that a safety stream ciphering should be possible as already constructed for t=1,2,3.


04:17 [Pub][ePrint] Privacy Preserving Unique Statistics in a Smart Grid, by Iraklis Leontiadis, Melek Önen, Refik Molva

  Smart meters are widely deployed to provide fine-grained data

that correspond to tenant power consumption. These data are analyzed by suppliers for personalized billing, more accurate statistics and energy consumption predictions.

Indirectly this aggregation of data can reveal personal information of tenants such as number of persons in a house, vacation periods and appliance preferences.

To date, work in the area has focused mainly on privacy preserving aggregate statistical functions as the computation of sum.

In this paper we propose a novel solution for privacy preserving unique data collection per smart meter. We consider the operation of identifying the maximum consumption

of a smart meter as an interesting property for energy suppliers, as it can be employed for energy forecasting to allocate in advance electricity. In our solution we employ an order preserving encryption scheme in which the order of numerical

data is preserved in the ciphertext space. We enhance the accuracy of maximum consumption by utilizing a delta encoding scheme.

04:17 [Pub][ePrint] Function Private Functional Encryption and Property Preserving Encryption : New Definitions and Positive Results, by Shashank Agrawal and Shweta Agrawal and Saikrishna Badrinarayanan and Abishek Kumar

  This work furthers the exploration of meaningful definitions for security of Functional Encryption. We propose new simulation based definitions for function privacy in addition to data privacy and study their achievability. In addition, we improve efficiency/ underlying assumptions/ security achieved by existing inner product Functional Encryption and Property Preserving Encryption schemes, in both the private and public key setting. Our results can be summarized as follows:

o We present a new simulation based definition, which we call Relax-AD-SIM, that lies between simulation based (SIM) and indistinguishability based (IND) definitions for data privacy, and implies the function privacy definition of [BRS13a]. Our definition relaxes the requirements on the simulator to bypass impossibility of SIM in the standard model. We show that the inner product FE scheme of [KSW08] enjoys Relax-AD-SIM security for function hiding and the inner product FE scheme of [LOS+10] enjoys Relax-AD-SIM security for data hiding.

o We study whether known impossibilities for achieving strong SIM based security imply actual real world attacks. For this, we present a new UC-style SIM based definition of security that captures both data and function hiding, both public key and symmetric key settings and represents the \"dream\" security of FE. While known impossibilities rule out its achievability in the standard model, we show, surprisingly, that it can be achieved in the generic group model for Inner Product FE ([KSW08]). This provides evidence that FE implementations may enjoy extremely strong security against a large class of real world attacks, namely generic attacks. It also implies a program obfuscator for the inner product functionality in the generic group model, which is related to the hyperplane-membership obfuscator of [CRV10].

o We provide several improvements to known constructions of Inner Product FE. In the private key setting, the construction by Shen et al. was based on non-standard assumptions, used composite order groups, and only achieved selective security. We give the first construction of a symmetric key inner product FE which is built using prime order groups, and is fully secure under the standard DLIN assumption. Our scheme is more efficient in the size of key and ciphertext than [SSW09], when the latter is converted to prime-order groups. We also port the public key inner product scheme of [KSW08] to prime order groups.

o We give the first standard model construction of a property preserving encryption (PPE) scheme [PR12] for inner-products. Our scheme is secure under the DLIN assumption and satisfies the strongest definition of security - Left-or-Right security. Note that previously known constructions were only known to be secure in the generic group model.

04:17 [Pub][ePrint] Asynchronous MPC with t< n/2 Using Non-equivocation, by Michael Backes, Fabian Bendun, Ashish Choudhury and Aniket Kate

  Secure Multiparty Computation (MPC) is a fundamental problem in distributed cryptography. Although MPC in the synchronous communication setting has received tremendous attention in security research, recent interest in deploying MPC in real-life systems requires going beyond the synchronous setting and working towards MPC in the weaker asynchronous communication setting. The asynchronous setting, however, does not come without a penalty: asynchronous MPC (AMPC) protocols among n parties can only tolerate up to t < n/3 active corruptions in contrast to the synchronous protocols, which can tolerate up to t

04:17 [Pub][ePrint] Asymptotically Efficient Lattice-Based Digital Signatures, by Vadim Lyubashevsky and Daniele Miccicancio

  We present a general framework that converts certain types of linear collision-resistant hash

functions into one-time signatures. Our generic construction can be instantiated based on both

general and ideal (e.g. cyclic) lattices, and the resulting signature schemes are provably secure

based on the worst-case hardness of approximating the shortest vector (and other standard

lattice problems) in the corresponding class of lattices to within a polynomial factor. When

instantiated with ideal lattices, the time complexity of the signing and verification algorithms,

as well as key and signature size is almost linear (up to poly-logarithmic factors) in the dimension

n of the underlying lattice. Since no sub-exponential (in n) time algorithm is known to solve

lattice problems in the worst case, even when restricted to ideal lattices, our construction gives

a digital signature scheme with an essentially optimal performance/security trade-off.

04:17 [Pub][ePrint] Authenticated Multiple Key Establishment Protocol for Wireless Sensor Networks, by Jayaprakash Kar

  The article proposes a provably secure authenticated multiple key establishment protocol for Wireless Sensor Network. Security of the protocol is based on the computational infeasiblity of solving Elliptic Curve Discrete Logarithm Problem and Computational Diffie-Hellman Problem on Bilinear Pairing. User authentication is a one of the most challenging security requirement in wireless sensor networks

(WSN). It is required to establish the correct session key between two adjacent nodes of WSNs to achieve this security goal. Here we prove that, the proposed protocol is secure against the attack on data integrity and known key security attack on session key. It also provides perfect forward secrecy.

04:17 [Pub][ePrint] Plaintext Recovery Attacks Against WPA/TKIP, by Kenneth G. Paterson and Bertram Poettering and Jacob C.N. Schuldt

  We conduct an analysis of the RC4 algorithm as it is used in the IEEE WPA/TKIP wireless standard. In that standard, RC4 keys are computed on a per-frame basis, with specific key bytes being set to known values that depend on 2 bytes of the WPA frame counter (called the TSC). We observe very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification. These biases permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames (the so-called ``broadcast attack\'\' setting). We assess the practical impact of these attacks on WPA/TKIP.

04:17 [Pub][ePrint] Efficient CCA-secure Threshold Public-Key Encryption Scheme, by Xi-Jun Lin and Lin Sun

  In threshold public-key encryption, the decryption key is divided into n

shares, each one of which is given to a different decryption user in order to avoid single points of failure. In this study, we propose a simple and efficient non-interactive threshold public-key encryption scheme by using the hashed Diffie-Hellman assumption in bilinear groups.

Compared with the other related constructions, the proposed scheme is more efficient.

04:17 [Pub][ePrint] Fully Deniable Mutual Authentication Protocol Based on RSA Signature, by Xi-Jun Lin and Lin Sun

  Deniable authentication protocols allow a sender to authenticate a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. In this study, we construct a fully deniable mutual authentication protocol based on RSA signature, and then a deniable authenticated key exchange protocol is constructed from the proposed protocol.

04:17 [Pub][ePrint] Using Hamiltonian Totems as Passwords, by Herv\\\'e Chabanne and Jean-Michel Cioranesco and Vincent Despiegel and Jean-Christophe Fondeur and David Naccache

  Physical authentication brings extra security to software authentication by adding real-world input to conventional authentication protocols.

Existing solutions such as textual and graphical passwords are subject to brute force and shoulder surfing attacks, while users are reluctant to use biometrics for identification, due to its intrusiveness.

This paper uses Hamiltonian tokens as authentication means. The proposed token structure offers many possible configurations ({\\sl i.e.}, passwords) and is small enough to be carried on a physical keychain.

After presenting our general idea, we describe an efficient algorithm to produce these tokens. Our procedure was validated by running a recognition campaign on a wide batch of synthetic samples, and experimented on prototypes manufactured using a commercial 3D-printer.