International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

01:17 [Pub][ePrint] Generalized proper matrices and constructing of $m$-resilient Boolean functions with maximal nonlinearity for expanded range of parameters, by Yuriy Tarannikov

  Nonlinearity and resiliency are well known as some of the most important

cryptographic parameters of Boolean functions, it is actual the problem of

the constructing of functions that have high nonlinearity and resiliency

simultaneously. In 2000 three groups of au\\-thors obtained independently the

upper bound $2^{n-1}-2^{m+1}$ for the nonlinearity of an $m$-resilient

function of $n$ variables. It was shown that if this bound is achieved then

$(n-3)/2\\le m\\le n-2$. Simultaneously in 2000 Tarannikov constructed

functions that achieve this bound for $(2n-7)/3\\le m\\le n-2$. In 2001

Tarannikov constructed such functions for $0.6n-1\\le m$ introducing for this

aim so called proper matrices; later in 2001 Fedorova and Tarannikov

constructed by means of proper matrices the functions that achieve the bound

$2^{n-1}-2^{m+1}$ for $m\\ge cn(1+o(1))$ where

$c=1/\\log_2(\\sqrt{5}+1)=0.5902...$ but proved simultaneously

that by means of proper matrices it is impossible to improve this

result. During the period since 2001 it was not any further progress

in the problem on the achievability of the bound $2^{n-1}-2^{m+1}$ in spite of

this problem was well known and actual except the constructing

in 2006--2007 by three groups of authors by means of a computer search

concrete functions for $n=9$, $m=3$. In this paper we find the new

approach that uses the generalization of the concept of proper

matrices. We formulate com\\-bi\\-na\\-to\\-ri\\-al problems solutions of which

allow to construct generalized proper matrices with parameters impossible

for old proper matrices. As a result we obtain the constructions of

$m$-resilient functions of $n$ variables with maximal nonlinearity for

$m\\ge cn(1+o(1))$ where $c=0.5789...$, and also we demonstrate how further

advance in combinatorial problems follows an additional decrease of the

constant $c$.


  With the fast development of cryptography research and computer technology, the cryptosystems of RSA and Diffe-Hellman are getting more and more unsafe, and Elliptic Curve Cryptosystem is becoming the trend of public cryptography in the future. Scalar Point Multiplication Scalar multiplication is the time consuming operation in elliptic curve based cryptosystem. In this paper, Nicolas Meloni1,2 2012 springer algorithm for addition of points on elliptic curve is used along with multibase concept to improve the speed of the scalar multiplication. Comparative analysis of proposed approach and some previous approaches is also discussed in last.

01:17 [Pub][ePrint] Tuple decoders for traitor tracing schemes, by Jan-Jaap Oosterwijk, Jeroen Doumen, Thijs Laarhoven

  In the field of collusion-resistant traitor tracing, Oosterwijk et al. recently determined the optimal suspicion function for simple decoders. Earlier, Moulin also considered another type of decoder: the generic joint decoder that compares all possible coalitions, and showed that usually the generic joint decoder outperforms the simple decoder. Both Amiri and Tardos, and Meerwald and Furon described constructions that assign suspicion levels to $c$-tuples, where $c$ is the number of colluders. We investigate a novel idea: the tuple decoder, assigning a suspicion level to tuples of a fixed size. In contrast to earlier work, we use this in a novel accusation algorithm to decide for each distinct user whether or not to accuse him. We expect such a scheme to outperform simple decoders while not being as computationally intensive as the generic joint decoder. In this paper we generalize the optimal suspicion functions to tuples, and describe a family of accusation algorithms in this setting that accuses individual users using this tuple-based information.

01:17 [Pub][ePrint] How to Eat Your Entropy and Have it Too -- Optimal Recovery Strategies for Compromised RNGs, by Yevgeniy Dodis and Adi Shamir and Noah Stephens-Davidowitz and Daniel Wichs

  Random number generators (RNGs) play a crucial role in many cryptographic schemes and protocols, but their security proof usually assumes that their internal state is initialized with truly random seeds and remains secret at all times. However, in many practical situations these are unrealistic assumptions: The seed is often gathered after a reset/reboot from low entropy external events such as the timing of manual key presses, and the state can be compromised at unknown points in time via side channels or penetration attacks. The usual remedy (used by all the major operating systems, including Windows, Linux, FreeBSD, MacOS, iOS, etc.) is to periodically replenish the internal state through an auxiliary input with additional randomness harvested from the environment. However, recovering from such attacks in a provably correct and computationally optimal way had remained an unsolved challenge so far.

In this paper we formalize the problem of designing an efficient recovery mechanism from state compromise, by considering it as an online optimization problem. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy {\\em used by the RNG}, since the attacker can use brute force to enumerate all the possible low-entropy states. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma that we face is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery.

After developing our formal definitional framework for RNGs with inputs, we show how to construct a nearly optimal RNG which is secure in our model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.

01:17 [Pub][ePrint] Privacy Failures in Encrypted Messaging Services: Apple iMessage and Beyond, by Scott Coull and Kevin Dyer

  Instant messaging services are quickly becoming the most dominant form of communication among consumers around the world. Apple iMessage, for example, handles over 2 billion message each day, while WhatsApp claims 16 billion messages from 400 million international users. To protect user privacy, these services typically implement end-to-end and transport layer encryption, which are meant to make eavesdropping infeasible even for the service providers themselves. In this paper, however, we show that it is possible for an eavesdropper to learn information about user actions, the language of messages, and even the length of those messages with greater than 96% accuracy despite the use of state-of-the-art encryption technologies simply by observing the sizes of encrypted packet. While our evaluation focuses on Apple iMessage, the attacks are completely generic and we show how they can be applied to many popular messaging services, including WhatsApp, Viber, and Telegram.

13:17 [Pub][ePrint] Point compression for the trace zero subgroup over a small degree extension field, by Elisa Gorla and Maike Massierer

  Using Semaev\'s summation polynomials, we derive a new equation for the $\\mathbb{F}_q$-rational points of the trace zero variety of an elliptic curve defined over $\\mathbb{F}_q$. Using this equation, we produce an optimal-size representation for such points. Our representation is compatible with scalar multiplication. We give a point compression algorithm to compute the representation and a decompression algorithm to recover the original point (up to some small ambiguity). The algorithms are efficient for trace zero varieties coming from small degree extension fields. We give explicit equations and discuss in detail the practically relevant cases of cubic and quintic field extensions.

13:17 [Pub][ePrint] Weak-Key Leakage Resilient Cryptography, by Zuoxia Yu and Qiuliang Xu and Yongbin Zhou and Chengyu Hu and Rupeng Yang and Guangjun Fan

  In traditional cryptography, the standard way of examining the security of a scheme is to analyze it in a black box manner which does not capture the side channel attacks. Such attacks can exploit various forms of unintended information leakage and threaten the practical security. One way to protect against such attacks is to extend the traditional models to capture them. Early models rely on the assumption that only computation leaks information, and can not capture memory attacks such as cold boot attacks. Thus, Akavia et al. (TCC \'09) formalize the model of key-leakage attacks to cover them. However, as we will mention below, most keyleakage attacks in reality may be weak key-leakage attacks which can be viewed as a non-adaptive version of the key-leakage attacks. And the existing construction of cryptographic schemes in models that can capture adaptive key-leakage attacks has some drawbacks. We mainly consider the models that cover weak key-leakage attacks and the corresponding constructions in them.

In this paper, we extend the transformation paradigm presented by Naor and Segev that can transform from any chosen-plaintext secure public key encryption (PKE) scheme into a chosenplaintext weak key-leakage secure PKE scheme. Our extensions are mainly in two manners. On one hand, we extend the paradigm into chosen-ciphertext attack scenarios and prove that the properties of the paradigm still hold when we consider chosen-ciphertext attacks. We also give an instantiation based on DDH assumption in this setting for concrete. On the other hand, we extend the paradigm to cover more powerful side channel attacks. We do this by relaxing the restrictions on leakage functions. We further consider attacks that require the secret key still has enough min-entropy after leaking and prove the original paradigm is still applicable in this case with chosen-ciphertext attacks. We also consider attacks that require the secret key is computationally infeasible to recover given the leakage information and formalize the informal discusses by Naor and Segev in (Crypto\' 09) on how to adapt the original paradigm in this new models.

08:28 [Job][New] Full Time Lecturer, University of Washington, Tacoma Washington USA

  The Institute of Technology at the University of Washington Tacoma is seeking applications for a full-time lecturer position for the Information Technology and Systems (ITS) program, with emphasis on (Server-Side) Web and Database Systems & Administration, Network and System Administration, or Network and System Security for the 2014-2015 academic year, September 16, 2014 through June 15, 2015. The initial appointment is for one academic year with the possibility for renewal. This position requires an MS or higher or foreign equivalent in Information Technology, Information Systems, Computer Science, or related field at the time of appointment and industry experience in ITS-related areas. The successful candidate will be teaching undergraduate fundamental and advanced courses in areas such as Programming, Server-Side Web Programming, Database Systems Design and Administration, Network Administration, System Administration, Network Security, and System Security at the undergraduate level. Candidates with experience in multi-tier web-based database application design, deployment, and administration are encouraged to apply.

Applicants should include (1) a cover letter describing academic qualifications and professional experiences, and how they specifically relate to the Information Technology and Systems curriculum, and previous activities mentoring minorities and/or advancing minorities, women, or members of other under-represented groups, (2) a description of teaching philosophy (including a list of courses the candidate is qualified to teach, refer to, (3) evidence of teaching effectiveness (4) a curriculum vitae, and (5) contact information for three references. Applications should be submitted electronically to

Screening of applications will begin on March 10, 2014, and will continue until the position is filled. Salary is competitive and will be c

08:27 [Job][New] Cloud Security R&D Engineers, Applied Science and Technology Research Institute (ASTRI), Hong Kong

  We are looking for R&D engineers to work on network and system security. The positions offered are at the Senior Engineer/Engineer level, depending on qualifications and experiences. The candidates should have hands on experiences in implementing systems, network security and cloud computing, and a good knowledge of SeLinux and secure sandboxes. Knowledge of MAC (Mandatory Access Control) policies, honeypots, proxy re-encryption would be an advantage. The candidates are expected to create intellectual properties, develop demo systems and deliver projects.

If interested, please submit your CV to Dr. Aldar Chan (aldarchan (at)

19:17 [Pub][ePrint] Non-Malleable Extractors with Shorter Seeds and Min-Entropy Rate $

  Motivated by the problem of how to communicate over a public channel with an active adversary, Dodis and Wichs [DW09] introduced the notion of a non-malleable extractor, as a much stronger version of a strong extractor. A non-malleable extractor $\\textsf{nmExt}$ takes two inputs, a weakly-random $W$ and a uniformly random seed $S$, and outputs a string which is nearly uniform, given $S$ as well as $\\textsf{nmExt}(W, \\mathcal{A}(S))$, for an arbitrary function $\\mathcal{A}$ with $\\mathcal{A}(S) \\neq S$.

Cohen, Raz and Segev in CCC\'12 presented an explicit construction of a non-malleable extractor with short seeds. For any integers $n$ and $d$ such that $2.01 \\cdot \\log n \\leq d \\leq n$, they proposed an explicit construction of a non-malleable extractor $\\textsf{nmExt}: \\{0, 1\\}^n \\times \\{0, 1\\}^d \\rightarrow \\{0, 1\\}^m$ with error exponentially small in $m$. However, their result suffers from some drawbacks: First, the non-malleable extractor is constructed based on Raz\'s etractor in SOTC\'05, while the error estimation in that construction is too rough. Second, though they aimed to shorten the length of the seed, the lower bound of the seed length is not optimal. Moreover, their construction requires the min-entropy rate to be greater than $\\frac{1}{2}$.

In this paper, we improve the error estimation of Raz\'s extractor, which plays an extremely important role in the constraints of the non-malleable extractor parameters including the seed length. Then we present an improved explicit construction of non-malleable extractors with shorter seed length by using biased variable sequence for linear tests. More precisely, we construct an explicit $(1016, \\frac{1}{2})-1-$non-malleable extractor $\\textsf{nmExt}: \\{0, 1\\}^{2^{10}} \\times \\{0, 1\\}^d \\rightarrow \\{0, 1\\}$ with seed length 19, while it should be no less than $\\frac{46}{63} + 66$ according to Cohen et al. in CCC\'12. Therefore, it beats the condition ``$2.01 \\cdot \\log n \\leq d \\leq n$\", since $d$ is just $1.9 \\cdot \\log n$ in our construction. We also give a general explicit construction of non-malleable extractors and analyze the simplification of the constraints on the parameters.

Furthermore, we show an explicit construction of non-malleable extractors for the min-entropy $k = ( \\frac{1}{2} - \\delta)n$ for some constant $ \\delta > 0$, while the min-entropy should be greater than $ \\frac{1}{2} n$ by Cohen et al. in CCC\'12. We also propose a general construction of non-malleable extractors with min-entropy $k = ( \\frac{1}{2} - \\delta)n$ from any non-malleable extractor with min-entropy $k > \\frac{1}{2} n$ by employing a special encoding technique and the property of statical distance. Compared with Li\'s construction in FOCS\'12 by using inner product function, our construction is more general. Finally, we give their application to privacy amplification.

19:17 [Pub][ePrint] CLOC: Authenticated Encryption for Short Input, by Tetsu Iwata and Kazuhiko Minematsu and Jian Guo and Sumio Morioka

  We define and analyze the security of a blockcipher mode of operation, CLOC, for provably secure authenticated encryption with associated data. The design of CLOC aims at optimizing previous schemes, CCM, EAX, and EAX-prime, in terms of the implementation overhead beyond the blockcipher, the precomputation complexity, and the memory requirement. With these features, CLOC is suitable for handling short input data, say 16 bytes, without needing precomputation nor large memory. This property is especially beneficial to small microprocessors, where the word size is typically 8 bits or 16 bits, and there are significant restrictions in the size and the number of registers. CLOC uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part. We introduce various design techniques in order to achieve the above mentioned design goals. We prove CLOC secure, in a reduction-based provable security paradigm, under the assumption that the blockcipher is a pseudorandom permutation. We also present our preliminary implementation results.