International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Improved Analysis of Zorro-Like Ciphers, by Achiya Bar-Or and Itai Dinur and Orr Dunkelman and Virginie Lallemand and Mar\\\'{\\i}a Naya-Plasencia and Boaz Tsaban

  Zorro is a 128-bit lightweight block cipher supporting 128-bit keys, presented at CHES~2013 by G\\\'erard et al. One of the main design goals of the cipher was to allow efficient masking according to the Rivain and Prouff Scheme, which lead to a very unconventional design, using partial non-linear layers. Despite the security claims of the designers, the cipher was recently broken by differential and linear attacks due to Wang et al., recovering its 128-bit key with complexity of about $2^{108}$. These attacks are based on high-probability iterative characteristics that are made possible due a special property of the linear layer of Zorro, which is shown to be devastating in combination with its partial non-linear layer.

In this paper, we analyze the security of Zorro-like ciphers with partial non-linear layers by devising differential and linear characteristic search algorithms and key recovery algorithms. These algorithms exploit in a generic way the small number of Sboxes in a Zorro-like round, and are independent of any specific property of its linear layer (such as the one exploited by Wang et al.), or its Sbox implementation. When applied to the Zorro block cipher itself, we were able to find \\emph{the highest} probability characteristics for the full cipher and devise significantly improved attacks. Our differential attack has a time complexity of about $2^{45}$, requiring about $2^{44}$ chosen plaintexts, and our linear attack has a time complexity of about $2^{45}$, requiring about $2^{45}$ known plaintexts.

Independently of our results, the recently published paper by Rasoolzadeh et al. found similar iterative characteristics for Zorro by exploiting in a different way the devastating property of its linear layer, described by Wang et al. However, our improved key recovery techniques result in differential and linear attacks which are at least $2^{11}$ times faster. More significantly, the surprisingly large number of Zorro-like rounds analyzed by some of our generic techniques raises questions over the general design strategy of Zorro, namely, the use of partial non-linear layers.

15:17 [Pub][ePrint] Weak-Key Analysis of POET, by Mohamed Ahmed Abdelraheem and Andrey Bogdanov and Elmar Tischhauser

  We evaluate the security of the recently proposed authenticated encryption scheme POET with regard to weak keys when its universal hash functions are instantiated with finite field multiplications. We give explicit constructions for weak key classes not covered by POET\'s

weak key testing strategy, and demonstrate how to leverage them to obtain universal forgeries.

00:17 [Pub][ePrint] Adaptively Secure Functional Encryption for Finitite Languages from DLIN Assumption, by Tapas Pandit and Rana Barua

  In this paper, we present Functional Encryption (FE) schemes for finite languages from standard static assumption, viz., \\textit{Decisional Linear} (DLIN) assumption. These finite languages are described by Deterministic Finite Automatas (DFAs). Our first scheme is ciphertext-policy functional encryption (CP-FE), where a key $\\sk_w$ is labeled with a string $w$ over a fixed alphabet $\\Sigma$ and a ciphertext $\\cipher_\\amn$ is associated with a DFA $\\amn$ over the same alphabet $\\Sigma$. The key $\\sk_w$ can extract the message from the ciphertext $\\cipher_\\amn$ if the DFA $\\amn$ accepts the string $w$. This CP-FE scheme is constructed based on attribute-based encryption (ABE) structure of Okamoto-Takashima in Asiacrypt, 2012. To achieve the adaptive security, we put bounds on number of occurrences of any symbol in a string and in the set of transition tuples of a DFA. Due to this restriction, the size of key space (where the keys are indexed with strings) is reduced to finite. Hence, the functional scope of any DFA in our system can capture only finite language. Similarly, we obtain our second adaptively secure FE scheme in key-policy flavor from DLIN assumption. Both the schemes are shown to be secure in the standard model.

09:17 [Pub][ePrint] Collision Spectrum, Entropy Loss, T-Sponges, and Cryptanalysis of GLUON-64, by Léo Perrin and Dmitry Khovratovich

  In this paper, we investigate the properties of iterative non-injective functions and the security of primitives where they are used. First, we introduce the Collision Probability Spectrum (CPS) parameter to quantify how far from a permutation a function is. In particular, we show that the output size decreases linearly with the number of iterations whereas the collision trees grow quadratically.

Secondly, we investigate the T-sponge construction and show how certain CPS and rate values lead to an improved preimage attack on long messages. As an example, we find collisions for the GLUON-64 internal function, approximate its CPS, and show an attack that violates the security claims. For instance, if a message ends with a sequence of 1~Mb (respectively 1~Gb) of zeros, then our preimage search takes time $2^{115.3}$ (respectively $2^{105.3}$) instead of $2^{128}$.

09:17 [Pub][ePrint] Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices, by Henry Carter and Charles Lever and Patrick Traynor

  Garbled circuits offer a powerful primitive for computation on a user\'s personal data while keeping that data private. Despite recent improvements, constructing and evaluating circuits of any useful size remains expensive on the limited hardware resources of a smartphone, the primary computational device available to most users around the world. In this work, we develop a new technique for securely outsourcing the generation of garbled circuits to a Cloud provider. By outsourcing the circuit generation, we are able to eliminate the most costly operations from the mobile device, including oblivious transfers. After proving the security of our techniques in the malicious model, we experimentally demonstrate that our new protocol, built on this role reversal, decreases execution time by 98% and reduces network costs by as much as 92% compared to previous outsourcing protocols. In so doing, we demonstrate that the use of garbled circuits on mobile devices can be made nearly as practical as it is becoming for server-class machines.

05:52 [Job][New] Summer Intern – Master\\\'s / Ph.D. student in Computer Science, Computer Engineering, or Applied Math, IBM Research – Almaden, 650 Harry Road, San Jose, CA 95120-6099, USA

  Design and develop security solutions utilizing vetted cryptographic primitives. Application areas include Internet of Things (IoT), sensors, cyber-physical systems, and cloud and cognitive computing. Architectures must meet security and privacy requirements that involve, in particular, device and/or user authentication/authorization under various constraints on connectivity, communications bandwidth, processing complexity, and power consumption.

An important aspect of this position entails porting [our] existing algorithms and code into ARM TrustZone and/or hardware so as to conform to design principles of conventional standardized APIs. 3+ years of coding experience in C/C++ is required. Proficiency in programming FPGAs is a definite plus, as is experience in JNI.

This is a 3-month position with flexible start/end dates during May - September 2014 time frame.

15:17 [Pub][ePrint] Dynamic Searchable Encryption via Blind Storage, by Muhammad Naveed and Manoj Prabhakaran and Carl A. Gunter

  Dynamic Searchable Symmetric Encryption allows a client to store a dynamic collection of encrypted documents with a server, and later quickly carry out keyword searches on these encrypted documents, while revealing minimal information to the server. In this paper we present a new dynamic SSE scheme that is simpler and more efficient than existing schemes while revealing less information to the server than prior schemes, achieving fully adaptive security against honest-but-curious servers.

We implemented a prototype of our scheme and demonstrated its efficiency on datasets from prior work. Apart from its concrete efficiency, our scheme is also simpler: in particular, it does not require the server to support any operation other than upload and download of data. Thus the server in our scheme can be based solely on a cloud storage service, rather than a cloud computation service as well, as in prior work.

In building our dynamic SSE scheme, we introduce a new primitive called Blind Storage, which allows a client to store a set of files on a remote server in such a way that the server does not learn how many files are stored, or the lengths of the individual files; as each file is retrieved, the server learns about its existence (and can notice the same file being downloaded subsequently), but the file\'s name and contents are not revealed. This is a primitive with several applications other than SSE, and is of independent interest.

15:17 [Pub][ePrint] Total Break of Zorro using Linear and Differential Attacks, by Shahram Rasoolzadeh and Zahra Ahmadian and Mahmood Salmasizadeh and Mohammad Reza Aref

  An AES-like lightweight block cipher, namely Zorro, was proposed in CHES 2013. While it has a 16-byte state, it uses only 4 S-Box per round. Its weak nonlinearity was widely criticized and caused serious vulnerabilities, insofar as it has been directly exploited in all the attacks reported by now, including the weak key, reduced round, and even full round attacks.

In this paper, based on some observations discovered by Wang et. al., we present new differential and linear attacks on Zorro, both of which recover the full secret key with practical complexity. These attacks are based on very efficient distinguishers that have only two active sboxes per four rounds. The time complexity of our differential and linear attacks are $2^{52.74}$ and $2^{57.85}$ and the data complexity are $2^{55.15}$ chosen plaintexts and $2^{45.44}$ known plaintexts, respectively. The results clearly show that the block cipher Zorro does not have enough security against differential and linear cryptanalysis.

15:17 [Pub][ePrint] Hybrid Model of Fixed and Floating Point Numbers in Secure Multiparty Computations, by Toomas Krips and Jan Willemson

  This paper develops a new hybrid model of floating point numbers suitable for operations in secure multi-party computations. The basic idea is to consider the significand of the floating point number as a fixed point number and implement elementary function applications separately of the significand. This gives the greatest performance gain for the power functions (e.g. inverse and square root), with computation speeds improving up to 18 times in certain configurations. Also other functions (like exponent and Gaussian error function) allow for the corresponding optimisation.

We have proposed new polynomials for approximation, and implemented and benchmarked all our algorithms on the Sharemind secure multi-party computation framework.

15:17 [Pub][ePrint] Optimizing Obfuscation: Avoiding Barrington\'s Theorem, by Prabhanjan Ananth and Divya Gupta and Yuval Ishai and Amit Sahai

  In this work, we seek to optimize the efficiency of secure general-purpose obfuscation schemes. We focus on the problem of optimizing the obfuscation of general Boolean formulas -- this corresponds to optimizing the \"core obfuscator\'\' from the work of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013), and all subsequent works constructing general-purpose obfuscators. This core obfuscator builds upon approximate multilinear

maps, where efficiency in proposed instantiations is closely tied to the maximum number of ``levels\'\' of multilinearity required. The most efficient previous construction of a core obfuscator, due to Barak, Garg, Kalai, Paneth, and Sahai (Eurocrypt 2014) required the maximum number of levels of multilinearity to be $\\Theta(\\ell s^{6.82})$, where $s$ is the size of the Boolean formula to be obfuscated, and $\\ell$ is the number of input bits to the formula. In contrast, our construction only requires the maximum number of levels of multilinearity to be $\\Theta(\\ell s)$. This results in significant improvements in both the total size of the obfuscation, as well as the running time of evaluating an obfuscated formula.

18:08 [Event][New] SECRYPT 2014: 11th International Conference on Security and Cryptography

  Submission: 15 April 2014
From September 2 to September 4
Location: Vienna, Austria
More Information: