International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

17:10 [Event][New] Workshop on Security and Privacy for Smart Connected Devices 2014

  Submission: 20 May 2014
Notification: 10 July 2014
From September 10 to September 11
Location: Wroclaw, Poland
More Information:

09:17 [Pub][ePrint] Investigating the Feasibility of LEAP+ in ZigBee Specification, by Mohammad Rezaeirad, Muhammad Aamir Iqbal, Dmitri Perkins, Magdy Bayoumi

  The ZigBee specification is an emerging wireless technology designed to address the specific needs of low-cost, low-power wireless sensor networks and is built upon the physical and medium access control layers defined in IEEE 802.15.4 standard for wireless personal area networks (WPANs). A key component for the wide-spread success and applicability of ZigBee-based networking solutions will be its ability to provide enhanced security mechanisms that can scale to hundreds of nodes. Currently, however, an area of concern is the ZigBee key management scheme, which uses a centralized approach that introduces well-known issues of limited scalability and a single point of vulnerability. Moreover, ZigBee key management uses a public key infrastructure. Due to these limitations, we suggest replacing ZigBee key management with a better candidate scheme that is decentralized, symmetric, and scalable while addressing security requirements. In this work, we investigate the feasibility of implementing Localized Encryption and Authentication Protocol (LEAP+), a distributed symmetric based key management. LEAP+ is designed to support multiple types of keys based on the message type that is being exchanged. In this paper, we first conduct a qualitative security analysis of LEAP+ and the current ZigBee key management scheme. Using the QualNet 5.0.2 simulator, we implement LEAP+ on the ZigBee platform for the very first time. Experimental results show that a distributed key management scheme such as LEAP+ provides improved security and offers good scalability.

09:17 [Pub][ePrint] Isogeny graphs with maximal real multiplication, by Sorina Ionica and Emmanuel Thomé

  An isogeny graph is a graph whose vertices are principally polarized

abelian varieties and whose edges are isogenies between these varieties. In

his thesis, Kohel described the structure of isogeny graphs for elliptic

curves and showed that one may compute the endomorphism ring of an elliptic

curve defined over a finite field by using a depth first search algorithm

in the graph. In dimension 2, the structure of isogeny graphs is less understood and existing algorithms for computing endomorphism rings are very expensive.

Our setting considers genus 2 jacobians with complex multiplication,

with the assumptions that the real multiplication subring is maximal and

has class number one. We fully describe the isogeny graphs in that


Over finite fields, we derive a depth first search algorithm for computing endomorphism rings locally at prime numbers, if the real multiplication is maximal. To the best of our knowledge, this is the first DFS-based algorithm in genus 2.

09:17 [Pub][ePrint] Self-Updatable Encryption with Short Public Parameters and Its Extensions, by Kwangsu Lee

  Cloud storage is very popular since it has many advantages, but there is a new threat to cloud storage that was not considered before. {\\it Self-updatable encryption} that updates a past ciphertext to a future ciphertext by using a public key is a new cryptographic primitive introduced by Lee, Choi, Lee, Park, and Yung (Asiacrypt 2013) to defeat this threat such that an adversary who obtained a past-time private key can still decrypt a (previously unread) past-time ciphertext stored in cloud storage. Additionally, an SUE scheme can be combined with an attribute-based encryption (ABE) scheme to construct a powerful revocable-storage ABE (RS-ABE) scheme introduced by Sahai, Seyalioglu, and Waters (Crypto 2012) that provides the key revocation and ciphertext updating functionality for cloud storage.

In this paper, we propose an efficient SUE scheme and its extended schemes. First, we propose an SUE scheme with short public parameters in prime-order bilinear groups and prove its security under a $q$-type assumption. Next, we extend our SUE scheme to a time-interval SUE (TI-SUE) scheme that supports a time interval in ciphertexts. Our TI-SUE scheme has short public parameters and also secure under the $q$-type assumption. Finally, we propose the first large universe RS-ABE scheme with short public parameters in prime-order bilinear groups and prove its security in the selective revocation list model under a $q$-type assumption.

09:17 [Pub][ePrint] Bandwidth Efficient PIR from NTRU, by Yark{\\i}n Dor\\\"{o}z, Berk Sunar and Ghaith Hammouri

  We present a private information retrieval (PIR) scheme based on a somewhat homomorphic encryption (SWHE). In particular, we customize an NTRU-based SWHE scheme in order to evaluate a specific class of fixed depth circuits relevant for PIR implementation, thus achieving a more practical implementation. In practice, a SWHE that can evaluate a depth 5 circuit is sufficient to construct a PIR capable of retrieving data from a database containing 4 billion rows. We leverage this property in order to produce a more practical PIR scheme. Com- pared to previous results, our implementation achieves a significantly lower bandwidth cost (more than 1000 times smaller). The computational cost of our implementation is higher than previous proposals for databases containing a small number of bits in each row. However, this cost is amortized as database rows become wider.

09:17 [Pub][ePrint] Toward Practical Homomorphic Evaluation of Block Ciphers Using Prince, by Yark{\\i}n Dor\\\"{o}z, Aria Shahverdi, Thomas Eisenbarth, and Berk Sunar

  We present the homomorphic evaluation of the Prince block cipher. Our leveled implementation is based on a generalization of NTRU. We are motivated by the drastic bandwidth savings that may be achieved by scheme conversion. To unlock this advantage we turn to lightweight ciphers such as Prince. These ciphers were designed from scratch to yield fast and compact implementations on resource constrained embedded platforms. We show that some of these ciphers have the potential to enable near practical homomorphic evaluation of block ciphers. Indeed, our analysis shows that Prince can be implemented using only a 24 level deep circuit. Using an NTRU based implementation we achieve an evaluation time of 3.3 seconds per Prince block - one and two orders of magnitude improvement over homomorphic AES implementations achieved using NTRU, and BGV-style homomorphic encryption libraries, respectively.

09:17 [Pub][ePrint] Enhancing Oblivious RAM Performance Using Dynamic Prefetching, by Xiangyao Yu and Ling Ren and Christopher Fletcher and Albert Kwon and Marten van Dijk and Srinivas Devadas

  Oblivious RAM (ORAM) is an established technique to hide the access pattern to an untrusted storage system.

With ORAM, a curious adversary cannot tell what data address the user is accessing when observing the bits moving between the user and the storage system.

All existing ORAM schemes achieve obliviousness by adding redundancy to the storage system, i.e., each access is turned into multiple random accesses.

Such redundancy incurs a large performance overhead.

Though traditional data prefetching techniques successfully hide memory latency in DRAM based systems, it turns out that they do not work well for ORAM.

In this paper, we exploit ORAM locality by taking advantage of the ORAM internal structures.

Though it might seem apparent that obliviousness and locality are two contradictory concepts, we challenge this intuition by exploiting data locality in ORAM without sacrificing provable security.

In particular, we propose an ORAM prefetching technique called dynamic super block scheme and comprehensively explore its design space.

The dynamic super block scheme detects data locality in the program\'s working set at runtime, and exploits the locality in a data-independent way.

% based on the key observation that position map ORAMs have better locality than the data ORAM.

Our simulation results show that with dynamic super block scheme, ORAM performance without super blocks can be significantly improved. After adding timing protection to ORAM, the average performance gain is 25.5\\% (up to 49.4\\%) over the baseline ORAM and 16.6\\% (up to 30.1\\%) over the best ORAM prefetching technique proposed previously.

09:17 [Pub][ePrint] Efficient Fuzzy Search on Encrypted Data, by Alexandra Boldyreva and Nathan Chenette

  We study the problem of efficient (sub-linear) fuzzy search on encrypted outsourced data, in the symmetric-key setting. In particular, a user who stores encrypted data on a remote untrusted server forms queries that enable the server to efficiently locate the records containing the requested keywords, even though the user may misspell keywords or provide noisy data in the query. We define an appropriate primitive for a general \\emph{closeness} function on the message space that we call \\emph{efficiently fuzzy-searchable encryption} (\\emph{EFSE}).

Next we identify an optimal security notion for EFSE. We demonstrate that existing schemes do not meet our security definition and propose a new scheme that we prove secure under basic assumptions. Unfortunately, the scheme requires large ciphertext length, but we show that, in a sense, this space-inefficiency is unavoidable for a general, optimally-secure scheme.

Seeking the right balance between efficiency and security, we then show how to construct schemes that are more efficient and satisfy a weaker security notion that we propose. To illustrate, we present and analyze a more space-efficient scheme for supporting fuzzy search on biometric data that achieves the weaker notion.

07:03 [Event][New] QCRYPT: 4th International Conference on Quantum Cryptography

  Submission: 28 April 2014
Notification: 16 June 2014
From September 1 to September 5
Location: Paris, France
More Information:

07:03 [Event][New] Workshop on Cybersecurity in a Post-Quantum World

  Submission: 15 December 2014
Notification: 1 February 2015
From April 2 to April 3
Location: Gaithersburg, USA
More Information:

00:17 [Pub][ePrint] Improved Analysis of Zorro-Like Ciphers, by Achiya Bar-On and Itai Dinur and Orr Dunkelman and Virginie Lallemand and Mar\\\'{\\i}a Naya-Plasencia and Boaz Tsaban

  Zorro is a 128-bit lightweight block cipher supporting 128-bit keys, presented at CHES~2013 by G\\\'erard et al. One of the main design goals of the cipher was to allow efficient masking according to the Rivain and Prouff Scheme, which lead to a very unconventional design, using partial non-linear layers. Despite the security claims of the designers, the cipher was recently broken by differential and linear attacks due to Wang et al., recovering its 128-bit key with complexity of about $2^{108}$. These attacks are based on high-probability iterative characteristics that are made possible due a special property of the linear layer of Zorro, which is shown to be devastating in combination with its partial non-linear layer.

In this paper, we analyze the security of Zorro-like ciphers with partial non-linear layers by devising differential and linear characteristic search algorithms and key recovery algorithms. These algorithms exploit in a generic way the small number of Sboxes in a Zorro-like round, and are independent of any specific property of its linear layer (such as the one exploited by Wang et al.), or its Sbox implementation. When applied to the Zorro block cipher itself, we were able to find \\emph{the highest} probability characteristics for the full cipher and devise significantly improved attacks. Our differential attack has a time complexity of about $2^{45}$, requiring about $2^{44}$ chosen plaintexts, and our linear attack has a time complexity of about $2^{45}$, requiring about $2^{45}$ known plaintexts.

Independently of our results, the recently published paper by Rasoolzadeh et al. found similar iterative characteristics for Zorro by exploiting in a different way the devastating property of its linear layer, described by Wang et al. However, our improved key recovery techniques result in differential and linear attacks which are at least $2^{11}$ times faster. More significantly, the surprisingly large number of Zorro-like rounds analyzed by some of our generic techniques raises questions over the general design strategy of Zorro, namely, the use of partial non-linear layers.