International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

13:17 [Pub][ePrint] Weak-Key Leakage Resilient Cryptography, by Zuoxia Yu and Qiuliang Xu and Yongbin Zhou and Chengyu Hu and Rupeng Yang and Guangjun Fan

  In traditional cryptography, the standard way of examining the security of a scheme is to analyze it in a black box manner which does not capture the side channel attacks. Such attacks can exploit various forms of unintended information leakage and threaten the practical security. One way to protect against such attacks is to extend the traditional models to capture them. Early models rely on the assumption that only computation leaks information, and can not capture memory attacks such as cold boot attacks. Thus, Akavia et al. (TCC \'09) formalize the model of key-leakage attacks to cover them. However, as we will mention below, most keyleakage attacks in reality may be weak key-leakage attacks which can be viewed as a non-adaptive version of the key-leakage attacks. And the existing construction of cryptographic schemes in models that can capture adaptive key-leakage attacks has some drawbacks. We mainly consider the models that cover weak key-leakage attacks and the corresponding constructions in them.

In this paper, we extend the transformation paradigm presented by Naor and Segev that can transform from any chosen-plaintext secure public key encryption (PKE) scheme into a chosenplaintext weak key-leakage secure PKE scheme. Our extensions are mainly in two manners. On one hand, we extend the paradigm into chosen-ciphertext attack scenarios and prove that the properties of the paradigm still hold when we consider chosen-ciphertext attacks. We also give an instantiation based on DDH assumption in this setting for concrete. On the other hand, we extend the paradigm to cover more powerful side channel attacks. We do this by relaxing the restrictions on leakage functions. We further consider attacks that require the secret key still has enough min-entropy after leaking and prove the original paradigm is still applicable in this case with chosen-ciphertext attacks. We also consider attacks that require the secret key is computationally infeasible to recover given the leakage information and formalize the informal discusses by Naor and Segev in (Crypto\' 09) on how to adapt the original paradigm in this new models.

08:28 [Job][New] Full Time Lecturer, University of Washington, Tacoma Washington USA

  The Institute of Technology at the University of Washington Tacoma is seeking applications for a full-time lecturer position for the Information Technology and Systems (ITS) program, with emphasis on (Server-Side) Web and Database Systems & Administration, Network and System Administration, or Network and System Security for the 2014-2015 academic year, September 16, 2014 through June 15, 2015. The initial appointment is for one academic year with the possibility for renewal. This position requires an MS or higher or foreign equivalent in Information Technology, Information Systems, Computer Science, or related field at the time of appointment and industry experience in ITS-related areas. The successful candidate will be teaching undergraduate fundamental and advanced courses in areas such as Programming, Server-Side Web Programming, Database Systems Design and Administration, Network Administration, System Administration, Network Security, and System Security at the undergraduate level. Candidates with experience in multi-tier web-based database application design, deployment, and administration are encouraged to apply.

Applicants should include (1) a cover letter describing academic qualifications and professional experiences, and how they specifically relate to the Information Technology and Systems curriculum, and previous activities mentoring minorities and/or advancing minorities, women, or members of other under-represented groups, (2) a description of teaching philosophy (including a list of courses the candidate is qualified to teach, refer to, (3) evidence of teaching effectiveness (4) a curriculum vitae, and (5) contact information for three references. Applications should be submitted electronically to

Screening of applications will begin on March 10, 2014, and will continue until the position is filled. Salary is competitive and will be c

08:27 [Job][New] Cloud Security R&D Engineers, Applied Science and Technology Research Institute (ASTRI), Hong Kong

  We are looking for R&D engineers to work on network and system security. The positions offered are at the Senior Engineer/Engineer level, depending on qualifications and experiences. The candidates should have hands on experiences in implementing systems, network security and cloud computing, and a good knowledge of SeLinux and secure sandboxes. Knowledge of MAC (Mandatory Access Control) policies, honeypots, proxy re-encryption would be an advantage. The candidates are expected to create intellectual properties, develop demo systems and deliver projects.

If interested, please submit your CV to Dr. Aldar Chan (aldarchan (at)

19:17 [Pub][ePrint] Non-Malleable Extractors with Shorter Seeds and Min-Entropy Rate $

  Motivated by the problem of how to communicate over a public channel with an active adversary, Dodis and Wichs [DW09] introduced the notion of a non-malleable extractor, as a much stronger version of a strong extractor. A non-malleable extractor $\\textsf{nmExt}$ takes two inputs, a weakly-random $W$ and a uniformly random seed $S$, and outputs a string which is nearly uniform, given $S$ as well as $\\textsf{nmExt}(W, \\mathcal{A}(S))$, for an arbitrary function $\\mathcal{A}$ with $\\mathcal{A}(S) \\neq S$.

Cohen, Raz and Segev in CCC\'12 presented an explicit construction of a non-malleable extractor with short seeds. For any integers $n$ and $d$ such that $2.01 \\cdot \\log n \\leq d \\leq n$, they proposed an explicit construction of a non-malleable extractor $\\textsf{nmExt}: \\{0, 1\\}^n \\times \\{0, 1\\}^d \\rightarrow \\{0, 1\\}^m$ with error exponentially small in $m$. However, their result suffers from some drawbacks: First, the non-malleable extractor is constructed based on Raz\'s etractor in SOTC\'05, while the error estimation in that construction is too rough. Second, though they aimed to shorten the length of the seed, the lower bound of the seed length is not optimal. Moreover, their construction requires the min-entropy rate to be greater than $\\frac{1}{2}$.

In this paper, we improve the error estimation of Raz\'s extractor, which plays an extremely important role in the constraints of the non-malleable extractor parameters including the seed length. Then we present an improved explicit construction of non-malleable extractors with shorter seed length by using biased variable sequence for linear tests. More precisely, we construct an explicit $(1016, \\frac{1}{2})-1-$non-malleable extractor $\\textsf{nmExt}: \\{0, 1\\}^{2^{10}} \\times \\{0, 1\\}^d \\rightarrow \\{0, 1\\}$ with seed length 19, while it should be no less than $\\frac{46}{63} + 66$ according to Cohen et al. in CCC\'12. Therefore, it beats the condition ``$2.01 \\cdot \\log n \\leq d \\leq n$\", since $d$ is just $1.9 \\cdot \\log n$ in our construction. We also give a general explicit construction of non-malleable extractors and analyze the simplification of the constraints on the parameters.

Furthermore, we show an explicit construction of non-malleable extractors for the min-entropy $k = ( \\frac{1}{2} - \\delta)n$ for some constant $ \\delta > 0$, while the min-entropy should be greater than $ \\frac{1}{2} n$ by Cohen et al. in CCC\'12. We also propose a general construction of non-malleable extractors with min-entropy $k = ( \\frac{1}{2} - \\delta)n$ from any non-malleable extractor with min-entropy $k > \\frac{1}{2} n$ by employing a special encoding technique and the property of statical distance. Compared with Li\'s construction in FOCS\'12 by using inner product function, our construction is more general. Finally, we give their application to privacy amplification.

19:17 [Pub][ePrint] CLOC: Authenticated Encryption for Short Input, by Tetsu Iwata and Kazuhiko Minematsu and Jian Guo and Sumio Morioka

  We define and analyze the security of a blockcipher mode of operation, CLOC, for provably secure authenticated encryption with associated data. The design of CLOC aims at optimizing previous schemes, CCM, EAX, and EAX-prime, in terms of the implementation overhead beyond the blockcipher, the precomputation complexity, and the memory requirement. With these features, CLOC is suitable for handling short input data, say 16 bytes, without needing precomputation nor large memory. This property is especially beneficial to small microprocessors, where the word size is typically 8 bits or 16 bits, and there are significant restrictions in the size and the number of registers. CLOC uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part. We introduce various design techniques in order to achieve the above mentioned design goals. We prove CLOC secure, in a reduction-based provable security paradigm, under the assumption that the blockcipher is a pseudorandom permutation. We also present our preliminary implementation results.

16:17 [Pub][ePrint] Security Analysis of Key-Alternating Feistel Ciphers, by Rodolphe Lampe and Yannick Seurin

  We study the security of \\emph{key-alternating Feistel} ciphers, a class of key-alternating ciphers with a Feistel structure. Alternatively, this may be viewed as the study of Feistel ciphers where the pseudorandom round functions are of the form $F_i(x\\oplus k_i)$, where $k_i$ is the (secret) round key and $F_i$ is a \\emph{public} random function that the adversary is allowed to query in a black-box way. Interestingly, our results can be seen as a generalization of traditional results \\emph{à la} Luby-Rackoff in the sense that we can derive results for this model by simply letting the number of queries of the adversary to the public random functions $F_i$ be zero in our general bounds. We make an extensive use of the coupling technique. In particular (and as a result of independent interest), we improve the analysis of the coupling probability for balanced Feistel schemes previously carried out by Hoang and Rogaway (CRYPTO 2010).

16:17 [Pub][ePrint] A Statistics-based Fundamental Model for Side-channel Attack Analysis, by Yunsi Fei and A. Adam Ding and Jian Lao and Liwei Zhang

  ide-channel attacks (SCAs) exploit leakage from the physical implementation of cryptographic algorithms to recover the otherwise secret information. In the last decade, popular SCAs like differential power analysis (DPA) and correlation power analysis (CPA) have been invented and demonstrated to be realistic threats to many critical embedded systems. However, there is still no sound and provable theoretical model that illustrates precisely what the success of these attacks depends on and how. Based on the maximum likelihood estimation (MLE) theory, this paper proposes a general statistical model for side-channel attack analysis that takes characteristics of both the physical implementation and cryptographic algorithm into consideration. The model establishes analytical relations between the success rate of attacks and the cryptographic system. For power analysis attacks, the side-channel characteristic of the physical implementation is modeled as signal-to-noise ratio (SNR), which is the ratio between the single-bit unit power consumption and the standard deviation of power distribution. The side-channel property of the cryptographic algorithm is extracted by a novel algorithmic confusion analysis. Experimental results of DPA and CPA on both DES and AES verify this model with high accuracy and demonstrate effectiveness of the algorithmic confusion analysis and SNR extraction. We expect the model to be extendable to other SCAs, like timing attacks, and would provide valuable guidelines for truly SCA-resilient system design and implementation.

16:17 [Pub][ePrint] Verifiable Oblivious Storage, by Daniel Apon and Jonathan Katz and Elaine Shi and Aishwarya Thiruvengadam

  We formalize the notion of Verifiable Oblivious Storage (VOS), where a client outsources the storage of data to a server while ensuring data confidentiality, access pattern privacy, and integrity and freshness of data accesses. VOS generalizes the notion of Oblivious RAM (ORAM) in that it allows the server to perform computation, and also explicitly considers data integrity and freshness.

We show that allowing server-side computation enables us to

construct asymptotically more efficient VOS schemes whose bandwidth overhead cannot be matched by any ORAM scheme, due to a known lower bound by Goldreich and Ostrovsky. Specifically, for large block sizes

we can construct a VOS scheme with constant bandwidth per query; further, answering queries requires only poly-logarithmic

server computation. We describe applications of VOS to Dynamic Proofs of Retrievability, and RAM-model secure multi-party computation.

16:17 [Pub][ePrint] Non-Interactive Cryptography in the RAM Model of Computation, by Daniel Apon and Xiong Fan and Jonathan Katz and Feng-Hao Liu and Elaine Shi and Hong-Sheng Zhou

  Using recently developed techniques for program obfuscation, we show several constructions of non-interactive cryptosystems in the random-access machine (RAM) model of computation that are asymptotically more efficient than what would be obtained using generic RAM-to-circuit compilation. In particular, let $T$ denote the running time and $n$ the memory size of a RAM program. We show that using differing-inputs obfuscation, functional encryption for arbitrary RAM programs can be achieved with evaluation time $\\tilde{O}(T+n)$.

Additionally, we provide a number of RAM-model constructions assuming

the stronger notion of virtual black-box (VBB) obfuscation. We view these as initial feasibility results and leave instantiating similar protocols from weaker assumptions for future work. Specifically, using VBB obfuscation we show how to construct RAM-model functional encryption with function privacy, fully homomorphic encryption, and stateful, privacy-preserving verifiable computation in the memory-delegation model.

16:17 [Pub][ePrint] Honey Encryption: Security Beyond the Brute-Force Bound, by Ari Juels and Thomas Ristenpart

  We introduce {\\em honey encryption} (HE), a simple, general approach to encrypting messages using low min-entropy keys such as passwords. HE is designed to produce a ciphertext which, when decrypted with any of a number of {\\em incorrect} keys, yields plausible-looking but bogus plaintexts called {\\em honey messages}. A key benefit of HE is that it provides security in cases where too little entropy is available to withstand brute-force attacks that try every key; in this sense, HE provides security beyond conventional brute-force bounds. HE can also provide a hedge against partial disclosure of high min-entropy keys.

HE significantly improves security in a number of practical settings. To showcase this improvement, we build concrete HE schemes for password-based encryption of RSA secret keys and credit card numbers. The key challenges are development of appropriate instances of a new type of randomized message encoding scheme called a {\\em distribution-transforming encoder} (DTE), and analyses of the expected maximum loading of bins in various kinds of balls-and-bins games.

01:17 [Pub][ePrint] On the Effective Prevention of TLS Man-In-The-Middle Attacks in Web Applications, by Nikolaos Karapanos and Srdjan Capkun

  In this paper we consider TLS MITM attacks in the context of web applications, where the attacker\'s goal is to impersonate the user to the legitimate server, and thus gain access to the user\'s online account. We describe in detail why the recently proposed TLS Channel ID-based client authentication, as well as client web authentication in general, cannot fully prevent such attacks.

We then leverage TLS Channel ID-based authentication and combine it with the concept of sender invariance to create a novel mechanism that we call SISCA: Server Invariance with Strong Client Authentication. SISCA resists user impersonation via TLS MITM attacks even if the attacker has obtained the private key of the legitimate server. We analyze our proposal and show how it can be integrated in today\'s web infrastructure.