International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also get this service via

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:17 [Pub][ePrint] Detecting Hidden Leakages, by Amir Moradi and Sylvain Guilley and Annelie Heuser

  Reducing the entropy of the mask is a technique which has been proposed to mitigate the high performance overhead of masked software implementations of symmetric block ciphers. Rotating S-box Masking (RSM) is an example of such schemes applied to AES with the purpose of maintaining the security at least against univariate first-order side-channel attacks. This article examines the vulnerability of a realization of such technique using the side-channel measurements publicly available through DPA contest V4. Our analyses which focus on exploiting the first-order leakage of the implementation discover a couple of potential attacks which can recover the secret key. Indeed the leakage we exploit is due to a design mistake as well as the characteristics of the implementation platform, none of which has been considered during the design of the countermeasure (implemented in naive C code).

16:17 [Pub][ePrint] A Study of Goldbach\'s conjecture and Polignac\'s conjecture equivalence issues, by Jian Ye and Chenglian Liu

  The famous Goldbach\'s conjecture and Polignac\'s conjecture are two of all unsolved problems in the field of number theory today. As well known, the Goldbach\'s conjecture and the Polignac\'s conjecture are equivalent. Most of the literatures does not introduce about internal equivalence in Polignac\'s conjecture. In this paper, we would like to discuss the internal equivalence to the Polignac\'s conjecture, say $T_{2k}(x)$ and $T(x)$ are equivalent. Since $T_{2k}\\sim T(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$, we rewrite and re-express to $T(x)\\sim T_{4}(x)\\sim T_{8}(x)\\sim T_{16}(x)\\sim T_{32}(x)\\sim T_{2^{n}}(x)\\sim 2c\\cdot \\frac{x}{(\\ln x)^{2}}$. And then connected with the Goldbach\'s conjecture. Finally, we will point out the important prime number symmetry role of play in these two conjectures.

16:17 [Pub][ePrint] A generic view on trace-and-revoke broadcast encryption schemes, by Dennis Hofheinz and Christoph Striecks

  At Eurocrypt 2011, Wee presented a generalization of threshold public key encryption, threshold signatures, and revocation schemes arising from threshold extractable hash proof systems. In particular, he gave instances of his generic revocation scheme from the DDH assumption (which led to the Naor-Pinkas revocation scheme), and from the factoring assumption (which led to a new revocation scheme). We expand on Wee\'s work in two directions:

(a) We propose threshold extractable hash proof instantiations from the \"Extended Decisional Diffie-Hellman\" (EDDH) assumption due to Hemenway and Ostrovsky (PKC 2012). This in particular yields EDDH-based variants of threshold public key encryption, threshold signatures, and revocation schemes. In detail, this yields a DCR-based revocation scheme.

(b) We show that our EDDH-based revocation scheme allows for a mild form of traitor tracing (and, thus, yields a new trace-and-revoke scheme). In particular, compared to Wee\'s factoring-based scheme, our DCR-based scheme has the advantage that it allows to trace traitors.

16:17 [Pub][ePrint] How to Keep a Secret: Leakage Deterring Public-key Cryptography, by Aggelos Kiayias and Qiang Tang

  How is it possible to prevent the sharing of cryptographic

functions? This question appears to be fundamentally hard to address

since in this setting the owner of the key {\\em is} the adversary:

she wishes to share a program or device that (potentially only

partly) implements her main cryptographic functionality. Given that

she possesses the cryptographic key, it is impossible for her to be

{\\em prevented} from writing code or building a device that uses

that key. She may though be {\\em deterred} from doing so.

We introduce {\\em leakage-deterring} public-key cryptographic

primitives to address this problem. Such primitives have the feature

of enabling the embedding of owner-specific private data into the

owner\'s public-key so that given access to {\\em any} (even

partially functional) implementation of the primitive, the recovery

of the data can be facilitated. We formalize the notion of

leakage-deterring in the context of encryption, signature, and

identification and we provide efficient generic constructions that

facilitate the recoverability of the hidden data while retaining

privacy as long as no sharing takes place.

16:17 [Pub][ePrint] A new attack on RSA with a composed decryption exponent, by Abderrahmane Nitaj and Mohamed Ould Douh

  In this paper, we consider an RSA modulus $N=pq$, where the prime factors $p$, $q$ are of the same size. We present an attack on RSA when the decryption exponent $d$ is in the form $d=Md_1+d_0$ where $M$ is a given positive integer and $d_1$ and $d_0$ are two suitably small unknown integers. In 1999, Boneh and Durfee~\\cite{BODU} presented an attack on RSA when $d

16:17 [Pub][ePrint] Ultralightweight cryptography for passive RFID system, by Umar Mujahid, M.Najam-ul-islam, Jameel Ahmed

  RFID (Radio Frequency Identification) is one of the most growing technologies among the pervasive systems. Non line of sight capability makes RFID systems much faster than its other contending systems such as barcodes and magnetic taps etc. But there are some allied security apprehensions with RFID systems. RFID security has been acquired a lot of attention in last few years as evinced by the large number of publications (over 2000).

In this paper, a brief survey of eminent ultralightweight authentication protocols has been presented & then a four-layer security model, which comprises of various passive and active attacks, has been proposed. Cryptanalysis of these protocols has also been performed under the implications of the proposed security model

16:17 [Pub][ePrint] Weakness of Several Identity-based Tripartite Authenticated Key Agreement Protocols, by Xi-Jun Lin and Lin Sun

  Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In recent years, several identity-based authenticated key agreement protocols have been proposed. In this study, we analyze three identity-based tripartite authenticated key agreement protocols.

After the analysis, we found that these protocols do not possess the desirable security attributes.

16:17 [Pub][ePrint] Pushing the Limit of Non-Profiling DPA using Multivariate Leakage Model, by Suvadeep Hajra and Debdeep Mukhopadhyay

  Profiling power attacks like Template attack and Stochastic attack optimize their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling Differential Power Analysis (DPA) attacks, since integration of the leakage of a higher SNR sample point with the leakage of lower SNR sample point might result in a decrease in the overall performance. One of the few successful multivariate approaches is the application of Principal Component Analysis (PCA) for non-profiling DPA. However, PCA also performs sub-optimally in the presence of high noise. In this paper, a multivariate model for an FPGA platform is introduced for improving the performances of non-profiling DPA attacks. The introduction of the proposed model

greatly increases the success rate of DPA attacks in the presence of high noise. The experimental results on both simulated power traces and real power traces are also provided as an evidence.

16:17 [Pub][ePrint] Secure Floating-Point Arithmetic and Private Satellite Collision Analysis, by Liina Kamm and Jan Willemson

  In this paper we show that it is possible and, indeed, feasible to use secure multiparty computation for calculating the probability of a collision between two satellites. For this purpose, we first describe basic floating-point arithmetic operators (addition and multiplication) for multiparty computations. The operators are implemented on the SHAREMIND secure multiparty computation engine. We discuss the implementation details, provide methods for evaluating example elementary functions (inverse, square root, exponentiation of e, error function). Using these primitives, we implement a satellite conjunction analysis algorithm and give benchmark results for the primitives as well as the conjunction analysis itself.

16:17 [Pub][ePrint] Power and Timing Side Channels for PUFs and their Efficient Exploitation, by Ulrich Rührmair and Xiaolin Xu and Jan Sölter and Ahmed Mahmoud and Farinaz Koushanfar and Wayne Burleson

  This paper discusses combined modeling and side

channel attacks on Strong Physical Unclonable Functions (Strong

PUFs). We illustrate our method by the example of the two

currently most secure (CCS 2010, IEEE T-IFS 2013) electrical

Strong PUFs, so-called XOR Arbiter PUFs and Lightweight

PUFs, and successfully attack them at sizes and complexities

far beyond the reach of pure modeling techniques (CCS 2010,

IEEE T-IFS 2013).

Our approach makes use of the first power and timing

side channels on PUFs reported in the literature. Both provide

information on the single outputs of the many parallel Arbiter

PUFs inside an XOR Arbiter PUF or Lightweight PUF, and

indicate how many of these single outputs (in sum) were equal

to one (and how many were equal to zero) before they entered

the final XOR gate. Taken for itself, this side channel information

is of little value. But if combined with suitably adapted machine

learning techniques, it substantially changes attack performance:

It reduces the empirically estimated complexities for modeling the

above two PUFs from exponential (CCS 2010, IEEE T-IFS) to

low degree polynomial.

The practical viability of our attacks is firstly demonstrated

by SPICE simulations, and by subsequent ML experiments on

numerically simulated CRPs. We thereby confirm attacks on the

two above PUFs for up to 16 XORs and challenge bitlengths

of up to 512. Secondly, we execute a full experimental proof-ofconcept

for our timing side channel, successfully attacking FPGA implementations of the two above PUF types for 8, 12, and 16

XORs, and bitlengths 64, 128, 256 and 512. We implement these

sizes for the first time in the literature in silicon, and subsequently attack them successfully by our new methods. We remark that in recent works (CCS 2010, IEEE T-IFS 2013), 8 XOR architectures

with bitlength 512 had been explicitly suggested as secure and

beyond the reach of current attacks.

Finally, we discuss efficient countermeasures against our power

and timing side channels. They could and should be used to secure

future Arbiter PUF generations against the latter.

16:17 [Pub][ePrint] Improved Boomerang Attacks on Round-Reduced SM3 and BLAKE-256, by Dongxia Bai and Hongbo Yu and Gaoli Wang and Xiaoyun Wang

  In this paper we study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by J.-P. Aumasson et al. For SM3, we present boomerang distinguishers for the compression function reduced to 34/35/36/37/38 steps out of 64 steps, with time complexities $2^{31.4}$, $2^{33.6}$, $2^{73.4}$, $2^{93}$ and $2^{192}$ respectively. Then we show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, we launch boomerang attacks on up to 7 and 8 rounds keyed permutation of BLAKE-256 which are the first valid $7$-round and $8$-round boomerangs for BLAKE-256. Especially, since our distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, we are able to obtain boomerang quartets of these attacks. As far as we know, these are the best results against round-reduced SM3 and BLAKE-256.