International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

00:17 [Pub][ePrint] Impossible differential cryptanalysis of LBlock with concrete investigation of key scheduling algorithm, by Jiageng Chen, Yuichi Futa, Atsuko Miyaji, Chunhua Su

  Impossible differential cryptanalysis has been proved to be one of the most powerful techniques to attack block ciphers. Based on the impossible differential paths, we can usually add several rounds before or after to launch the key recovery attack. Impossible differential cryptanalysis is powerful not only because the number of rounds it can break is very competitive compared to other attacks, but also unlike differential attacks which are statistical attacks in the essential, impossible differential analysis does not require many statistical assumptions. In this paper, we investigate the key recovery attack part of the impossible differential cryptanalysis. We point out that when taking the (non-linear) key scheduling algorithm into consideration, we can further derive the redundancy among the subkeys, and thus can filter the wrong key at a rather early stage. This can help us control the time complexity and increase the number of rounds we can attack. As an application, we analyze recently proposed lightweight block cipher LBlock, and as a result, we can break 23 rounds with complexity $2^{77.4}$ encryptions without using the whole code block, which is by far the best attack against this cipher.

00:17 [Pub][ePrint] Witness Encryption from Instance Independent Assumptions, by Craig Gentry and Allison Bishop Lewko and Brent Waters

  Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as

a means to encrypt to an instance, x, of an NP language and produce

a ciphertext. In such a system, any decryptor that knows of a witness w that

x is in the language can decrypt the ciphertext and learn the

message. In addition to proposing the concept, their work provided a candidate for a witness encryption scheme built using multilinear encodings. However, one

significant limitation of the work is that the candidate had no proof

of security (other than essentially assuming the scheme secure).

In this work we provide a proof framework for proving witness

encryption schemes secure under instance independent assumptions. At the

highest level we introduce the abstraction of positional witness

encryption which allows a proof reduction of a witness encryption

scheme via a sequence of 2^n hybrid experiments where n is the

witness length of the NP-statement. Each hybrid step proceeds by

looking at a single witness candidate and using the fact that it does not

satisfy the NP-relation to move the proof forward.

We show that this isolation strategy enables one to create a

witness encryption system that is provably secure from assumptions that

are (maximally) independent of any particular encryption instance.

We demonstrate the viability of our approach by implementing this strategy using

level n-linear encodings where n is the witness length. Our

complexity assumption has approximately n group elements,

but does not otherwise depend on the NP-instance x.

00:17 [Pub][ePrint] Weak instances of composite order protocols, by Sorina Ionica and Malika Izabachène

  In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number N. Boneh et al. proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order N. Displaying such a curve as a public parameter implies revealing a square root of the complex multiplication discriminant -D modulo N. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, by computing a square root \\lambda of -D modulo one of its factors. Our attack is based on a generic discrete logarithm algorithm. We recommend that \\lambda should be chosen as a high entropy input parameter when running the Cocks-Pinch algorithm, in order to ensure protection from our attack.

00:17 [Pub][ePrint] Identity-based encryption and digital signature schemes using extended chaotic maps, by SK Hafizul Islam

  This paper designed a new extended chaotic map-based Identity-based encryption (ECM-IBE) scheme and Identity-based digital signature (ECM-IDS) scheme using extended chaotic maps. The security of the ECM-IBE scheme is based on the hardness assumption of chaotic maps-based decisional Diffie-Hellman (CDDH) problem, whereas the ECM-IDS scheme is secure based on the difficulties of chaotic maps-based discrete logarithm (CDL) problem.

00:17 [Pub][ePrint] Design of identity-based digital signature schemes using extended chaotic maps, by SK Hafizul Islam

  Inspired from the Identity-based cryptosystem proposed by Adi Shamir, and Boneh and Franklin, this paper designed a new Identity-based digital signature (ECM-IDS) scheme using extended chaotic maps. The ECM-IDS scheme is secure based on the difficulties of integer factorization problem.

00:17 [Pub][ePrint] New Treatment of the BSW Sampling and Its Applications to Stream Ciphers, by Lin Ding and Chenhui Jin and Jie Guan and Chuanda Qi

  By combining the time-memory-data tradeoff (TMDTO) attack independently proposed by Babbage and Goli\\\'{c} (BG) with the BSW sampling technique, this paper explores to mount a new TMDTO attack on stream ciphers. The new attack gives a wider variety of trade-offs, compared with original BG-TMDTO attack. It is efficient when multiple data is allowed for the attacker from the same key with different IVs, even though the internal state size is twice the key size. We apply the new attack to MICKEY and Grain stream ciphers, and improves the existing TMDTO attacks on them. Our attacks on Grain v1 and Grain-128 stream ciphers are rather attractive in the respect that the online time, offline time and memory complexities are all better than an exhaustive key search, and the amount of keystream needed are completely valid. Finally, we generalize the new attack to a Guess and Determine-TMDTO attack on stream ciphers, and mount a Guess and Determine-TMDTO attack on SOSEMANUK stream cipher with the online time and offline time complexities both equal to $2^{128}$, which achieves the best time complexity level compared with all existing attacks on SOSEMANUK so far.

21:17 [Pub][ePrint] Differential Fault Analysis on SIMON and SPECK ciphers, by Harshal Tupsamudre and Shikha Bisht and Debdeep Mukhopadhyay

  In 2013, the US National Security Agency proposed two new families of lightweight block ciphers: SIMON and SPECK. However, no security analysis was provided for these ciphers. Currently, linear and differential cryptanalytic results for SIMON ciphers are available in the literature, but no fault attacks on these two cipher families have been reported so far. In this paper, we present the first fault attack on SIMON and SPECK families. The attack assumes a fault model that can flip only one bit of the intermediate result. Using this attack the n-bit secret key used in SIMON cipher can be recovered using (n/2) bit faults on an average while the n-bit secret key of SPECK cipher can be recovered using (n/3) bit faults. Furthermore, we demonstrate a more practical attack on SIMON that employs a random byte fault model. This attack retrieves multiple bits of the key depending upon the Hamming weight of the byte fault. The average number of byte faults required to retrieve all n bits of the last round key is (n/8).

21:17 [Pub][ePrint] A low complexity bit-parallel Montgomery multiplier based on squaring for trinomials , by Yin Li and Yiyang Chen

  In this paper, we present a new bit-parallel Montgomery multiplier for $GF(2^m)$ generated with irreducible trinomials. A newly proposed divide-and-conquer approach is applied to simplify the polynomial multiplication while the Montgomery squaring is induced to simplify the modular reduction. Meanwhile, this design effectively exploits the overlapped elements in squaring and reduction operation to reduce the space complexity. As a result, the proposed multiplier has about 25\\% reduced space complexity compared with previous multipliers, with a slight increase of time complexity. Among five binary fields recommended by NIST for the ECDSA (Elliptic Curve Digital Signature Algorithm), there exist two fields, i.e., $GF(2^{409})$, $GF(2^{233})$,

defined by trinomials. For these two fields, we show that our proposal outperforms the previous best known results if the space and time complexities are both considered.

21:17 [Pub][ePrint] Chosen Ciphertext Security via Point Obfuscation, by Takahiro Matsuda and Goichiro Hanaoka

  In this paper, we show two new constructions of chosen ciphertext secure (CCA secure) public key encryption (PKE) from general assumptions. The key ingredient in our constructions is an obfuscator for point functions with multi-bit output (MBPF obfuscators, for short), that satisfies some (average-case) indistinguishability-based security, which we call AIND security, in the presence of hard-to-invert auxiliary input. Specifically, our first construction is based on a chosen plaintext secure PKE scheme and an MBPF obfuscator satisfying the AIND security in the presence of computationally hard-to-invert auxiliary input. Our second construction is based on a lossy encryption scheme and an MBPF obfuscator satisfying the AIND security in the presence of statistically hard-to-invert auxiliary input. To clarify the relative strength of AIND security, we show the relations among security notions for MBPF obfuscators, and show that AIND security with computationally (resp. statistically) hard-to-invert auxiliary input is implied by the average-case virtual black-box (resp. virtual grey-box) property with the same type of auxiliary input. Finally, we show that a lossy encryption scheme can be constructed from an obfuscator for point functions (point obfuscator) that satisfies re-randomizability and a weak form of composability in the worst-case virtual grey-box sense. This result, combined with our second generic construction and several previous results on point obfuscators and MBPF obfuscators, yields a CCA secure PKE scheme that is constructed \\emph{solely} from a re-randomizable and composable point obfuscator. We believe that our results make an interesting bridge that connects CCA secure PKE and program obfuscators, two seemingly isolated but important cryptographic primitives in the area of cryptography.

21:17 [Pub][ePrint] Faster Maliciously Secure Two-Party Computation Using the GPU, by Tore Kasper Frederiksen and Thomas P. Jakobsen and Jesper Buus Nielsen

  We present a new protocol for maliciously secure two-partycomputation based on cut-and-choose of garbled circuits using the recent idea of ``forge-and-loose\'\' which eliminates around a factor 3 of garbled circuits that needs to be constructed and evaluated. Our protocol introduces a new way to realize the \"forge-and-loose\" approach which avoids an auxiliary secure two-party computation protocol, does not rely on any number theoretic assumptions and parallelizes well in a same instruction, multiple data (SIMD) framework.

With this approach we prove our protocol universally composable-secure against a malicious adversary assuming access to oblivious transfer, commitment and coin-tossing functionalities in the random oracle model.

Finally, we construct, and benchmark, a SIMD implementation of this protocol using a GPU as a massive SIMD device. The findings compare favorably with all previous implementations of maliciously secure, two-party computation.

21:17 [Pub][ePrint] STRIBOB: Authenticated Encryption from GOST R 34.11-2012 LPS Permutation, by Markku-Juhani O. Saarinen

  Authenticated encryption algorithms protect both the confidentiality and integrity of messages with a single processing pass. We show how to utilize the $L \\circ P \\circ S$ transform of the Russian GOST R 34.11-2012 standard hash ``Streebog\'\' to build an efficient, lightweight algorithm for Authenticated Encryption with Associated Data (AEAD) via the Sponge construction. The proposed algorithm ``StriBob\'\' has attractive security properties, is faster than the Streebog hash alone, twice as fast as the GOST 28147-89 encryption algorithm, and requires only a modest amount of running-time memory. StriBob is a Round 1 candidate in the CAESAR competition.