International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

22:17 [Pub][ePrint] Construction of Multiplicative Monotone Span Program, by Yuenai Chen and Chunming Tang

  Multiplicative monotone span program is one of the important tools to realize secure multiparty computation. It is essential to construct multiplicative monotone span programs for secure multiparty computations. For any access structure, Cramer et al. gave a method to construct multiplicative monotone span programs, but its row size became double, and the column size also increased. In this paper, we propose a new construction which can get a multiplicative monotone span program with the row size less than double without changing the column size.

22:17 [Pub][ePrint] Multi-Stage Fault Attacks on Block Ciphers, by Philipp Jovanovic and Martin Kreuzer and Ilia Polian

  This paper introduces Multi-Stage Fault Attacks, which allow Differential Fault Analysis of block ciphers having independent subkeys. Besides the specification of an algorithm implementing the technique, we show concrete applications to LED-128 and PRINCE and demonstrate that in both cases approximately 3 to 4 fault-injections are enough to reconstruct the full 128-bit key.

22:17 [Pub][ePrint] Distributed Group Authentication for RFID Supply Management, by Mike Burmester and Jorge Munilla

  We investigate an application of Radio Frequency Identification (RFID) referred to in the literature as group scanning, in which an RFID reader device interrogates several RFID tags to establish \"simultaneous\" presence of a group of tags. Our goal is to study the group scanning problem in strong adversarial settings and show how group scanning can be used in distributed applications for supply chain management.

We present a security framework for group scanning and give a formal description of the attending security requirements. Our model is based on the Universal Composability framework and supports re-usability

(through modularity of security guarantees). We propose two novel protocols that realize group scanning in this security model, based on off-the-shelf components such as low-cost (highly optimized) pseudorandom functions, and show how these can be integrated into RFID supply-chain management systems

22:17 [Pub][ePrint] A Distinguish attack on Rabbit Stream Cipher Based on Multiple Cube Tester, by Nasser Ramazani Darmian

  Rabbit stream cipher is one of the finalists of eSTREAM

project which uses 128-bit secret keys. Prior to us, the attacks on Rabbit

has been all focused on the bias analysis and the best result showed the

distinguishing attack with complexity 2136. Our analysis in this paper,

is based on chosen IV analysis on reduced N-S round of Rabbit though

using multi cube tester. For this purpose we show for a mature cube

we could easily identify weak subcubes which increase the probability of

distinguishing for an unknown secret key. We also represent with 225

complexity, using one iteration of next state function the keystream is

completely distinguishable from random.

22:17 [Pub][ePrint] Obfuscation from Semantically-Secure Multi-linear Encodings, by Rafael Pass and Sidharth Telang and Karn Seth

  We define a notion of semantic security of multi-linear

(a.k.a. graded) encoding schemes: roughly speaking, we require that if

an algebraic attacker (obeying the multi-linear restrictions) cannot tell

apart two constant-length sequences $\\vec{m}_0$, $\\vec{m}_1$ in the

presence of some other elements $\\vec{z}$, then

encodings of these sequences should be indistinguishable.

Assuming the existence of semantically secure multi-linear encodings

and the LWE assumption, we demonstrate the existence of

indistinguishability obfuscators for all polynomial-size circuits.

Additionally, if we assume an strengthening of

semantic security, our construction yields extractatability

obfuscators for all polynomial-size circuits.

We rely on the beautiful candidate obfuscation constructions

of Garg et al (FOCS\'13), Brakerski and Rothblum (TCC\'14) and Barak et

al (ePrint\'13) that were proven secure only in idealized generic

multilinear encoding models,

and develop new techniques for demonstrating security in the standard model, based only on

semantical security of multi-linear encoding (which trivially holds in

the generic multilinear encoding model).

22:17 [Pub][ePrint] How Did Dread Pirate Roberts Acquire and Protect His Bitcoin Wealth?, by Dorit Ron and Adi Shamir

  The Bitcoin scheme is one of the most popular and talked about alternative payment schemes. It was conceived in 2008 by the mysterious Satoshi Nakamoto, whose real identity remains unknown even

though his bitcoin holdings are believed to be worth several hundred

million dollars. One of the most active parts of the Bitcoin ecosystem was the Silk Road marketplace, in which highly illegal substances and services were traded. It was run by another mysterious person who called himself Dread Pirate Roberts (DPR), whose bitcoin holdings are also estimated to be worth hundreds of millions of dollars at today\'s exchange rate. On October 1-st 2013, the FBI arrested a 29 year old person named Ross William Ulbricht, claiming that he is DPR, and seizing a small fraction of his bitcoin wealth. In this paper we use the publicly available record to trace the evolution of his holdings in order to find how he acquired and how he tried to hide them from the authorities. For example, we show that all his income from the months of May, June and September 2013, along with numerous other amounts, were not seized by the FBI. One of the most surprising discoveries we made during our analysis was the existence of a recent substantial transfer (which was worth more than 60,000 dollars when made on March 20-th 2013, and close to a million dollars at today\'s exchange rate) which may link these two mysterious figures.

19:17 [Pub][ePrint] RankSign : an efficient signature algorithm based on the rank metric, by P. Gaborit and O. Ruatta and J. Schrek and G. Zémor

  In this paper we propose a new approach to code-based signatures that

makes use in particular of rank metric codes. When the classical approach consists in finding the unique

preimage of a syndrome through a decoding algorithm, we propose to introduce the notion

of mixed decoding of erasures and errors for building signature schemes.

In that case the difficult problem becomes, as is the case in lattice-based cryptography,

finding a preimage of weight above the Gilbert-Varshamov bound (case where

many solutions occur) rather than finding a unique preimage of weight below

the Gilbert-Varshamov bound. The paper describes RankSign: a

new signature algorithm for the rank metric

based on a new mixed algorithm for decoding erasures and errors for

the recently introduced Low Rank Parity Check (LRPC) codes.

We explain how it is possible (depending on choices

of parameters) to obtain a full decoding algorithm which is able

to find a preimage of reasonable rank weight for any random syndrome

with a very strong probability. We study the semantic security

of our signature algorithm and show how it is possible to reduce

the unforgeability to direct attacks on the public matrix, so that

no information leaks through signatures. Finally, we give several examples of parameters

for our scheme, some of which with public key of size $5760$ bits and signature of size $1728$ bits.

Moreover the scheme can be very fast for small base fields.

05:40 [Event][New] Cryptology2014: 4th International Cryptology and Information Security Conference 2014

  Submission: 15 March 2014
Notification: 15 April 2014
From June 24 to June 26
Location: Putrajaya, Malaysia
More Information:

22:17 [Pub][ePrint] Dynamic Countermeasure Against the Zero Power Analysis, by Jean-Luc Danger and Sylvain Guilley and Philippe Hoogvorst and Cédric Murdica and David Naccache

  Elliptic Curve Cryptography can be vulnerable to Side-Channel Attacks, such as the Zero Power Analysis (ZPA).

This attack takes advantage of the occurrence of special points that bring a zero-value when computing a doubling or an addition of points.

This paper consists in analysing this attack.

Some properties of the said special points are explicited.

A novel dynamic countermeasure is described.

The elliptic curve formul\\ae{} are updated depending on the elliptic curve and the provided base point.

22:17 [Pub][ePrint] Kurosawa-Desmedt Key Encapsulation Mechanism, Revisited, by Kaoru Kurosawa and Le Trieu Phong

  While the hybrid public key encryption scheme of Kurosawa and Desmedt (CRYPTO 2004) is provably secure against chosen ciphertext attacks (namely, IND-CCA-secure), its associated key encapsulation mechanism (KEM) is not IND-CCA-secure (Herranz et al. 2006, Choi et al. 2009). In this paper, we show a simple twist, yet neglected in the literature, on the Kurosawa-Desmedt KEM turning it into a scheme with IND-CCA security under the decisional Diffie-Hellman assumption. Our KEM beats the standardized version of Cramer-Shoup KEM in ISO/IEC 18033-2 by margins of around 30% in encapsulation speed, and 20% ~ 60% in decapsulation speed. Moreover, the public and secret key sizes in our schemes are at least 160-bit smaller than those of the Cramer-Shoup KEM. We then generalize the technique into hash proof systems, proposing several KEM schemes with IND-CCA security under decision linear and decisional composite residuosity assumptions respectively. All the KEMs are in the standard model, and use standard, computationally secure symmetric building blocks.

19:17 [Pub][ePrint] Vectorization of ChaCha Stream Cipher, by Martin Goll and Shay Gueron

  This paper describes software optimization for the stream Cipher ChaCha. We leverage the wide vectorization capabilities of the new AVX2 architecture, to speed up ChaCha encryption (and decryption) on the latest x86_64 processors. In addition, we show how to apply vectorization for the future AVX512 architecture, and get further speedup. This leads to significant performance gains. For example, on the latest Intel Haswell microarchitecture, our AVX2 implementation performs at 1.43 cycles per byte (on a 4KB message), which is ~2x faster than the current implementation in the Chromium project.