International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:17 [Pub][ePrint] Preimage attacks on Reduced-round Stribog, by Riham AlTawy and Amr M. Youssef

  In August 2012, the Stribog hash function was selected as the new Russian cryptographic hash standard (GOST R 34.11-2012). Stribog employs twelve rounds of an AES-based compression function operating in Miyaguchi-Preneel mode. In this paper, we investigate the preimage resistance of the Stribog hash function. Specifically, we apply a meet in the middle preimage attack on the compression function which allows us to obtain a 5-round pseudo preimage for a given compression function output with time complexity of $2^{448}$ and memory complexity of $2^{64}$. Additionally, we adopt a guess and determine approach to obtain a 6-round chunk separation that balances the available degrees of freedom and the guess size. The proposed chunk separation allows us to attack 6 out of 12 rounds with time and memory complexities of $2^{496}$ and $2^{112}$, respectively. Finally, employing $2^t$ multicollision, we show that preimages of the 5 and 6-round reduced hash function can be generated with time complexity of $2^{481}$ and $2^{505}$, respectively. The two preimage attacks have equal memory complexity of $2^{256}$.

12:17 [Pub][ePrint] Improved Differential Cryptanalysis of Round-Reduced Speck, by Itai Dinur

  Simon and Speck are families of lightweight block ciphers designed by the U.S. National Security Agency and published in 2013. Each of the families contains 10 variants, supporting a wide range of block and key sizes. Since the publication of Simon and Speck, several research papers analyzed their security using various cryptanalytic techniques. The best previously published attacks on all the 20 round-reduced ciphers are differential attacks, and are described in two papers (presented at FSE 2014) by Abed et al. and Biryukov et al.

In this paper, we focus on the software-optimized block cipher family Speck, and describe significantly improved attacks on all of its 10 variants. In particular, we increase the number of rounds which can be attacked by 1, 2, or 3, for 9 out of 10 round-reduced members of the family, while significantly improving the complexity of the previous best attack on the remaining round-reduced member. Our attacks use an untraditional key recovery technique for differential attacks, which resembles techniques typically used in attacks based on self-similarity.

Despite our significantly improved attacks, they do not seem to threaten the security of any member of Speck.

12:17 [Pub][ePrint] Efficient Quantum-Immune Keyless Signatures with Identity, by Ahto Buldas and Risto Laanoja and Ahto Truu

  We show how to extend hash-tree based data signatures to server-assisted personal digital signature schemes. The new signature scheme does not use trapdoor functions and is based solely on cryptographic hash functions and is thereby, considering the current state of knowledge, resistant to quantum computational attacks. In the new scheme, we combine hash-tree data signature (time- stamping) solutions with hash sequence authentication mechanisms. We show how to implement such a scheme in practice.

06:40 [Event][New] EC'15: Eurocrypt 2015

  From March 26 to April 30
Location: Sofia, Bulgaria
More Information:

05:00 [Job][New] Ph. D student, CEA SAS (Secure Architectures & Systems) Lab, France

  Pairing Based Cryptography (PBC) has recently been studied and developed to satisfy emerging industrial and societal needs such as user privacy, identity based encryption or efficient key establishment protocols. Research on PBC has mainly been focusing on the mathematical robustness of the proposed algorithms or on the latter\\\'s calculation times. Latest published results have shown that PBC is also vulnerable to physical attacks: research work carried by the Secure Architectures & Systems (SAS) lab of the CEA has shown that all the parts of a Pairing algorithm can be attacked using fault injections. The first objective of this thesis is to study, in the same way as the work done using fault attacks, the vulnerability of PBC to side channel analysis. Then efficient countermeasures shall be studied and tested in order to make PBC implementations immune against physical attacks (fault injections and side channel analysis).

12:17 [Pub][ePrint] Statistical weaknesses in 20 RC4-like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R, by Bartosz Zoltak

  We find statistical weaknesses in 20 RC4-like algorithms including the original RC4, RC4A, PC-RC4 and others.

This is achieved using a simple statistical test.

We found only one algorithm which was able to pass the test - VMPC-R.

This algorithm, being approximately three times more complex then RC4,

is probably the simplest RC4-like cipher capable of producing pseudo-random output.

18:17 [Pub][ePrint] Improved Leakage Model Based on Genetic Algorithm, by Zhenbin Zhang and Liji Wu

  The classical leakage model usually exploits the power of one single S-box, which is called divide and conquer. Taking DES algorithm for example, the attack on each S-box needs to search the key space of 2^6 in a brute force way. Besides, 48-bit round key is limited to the result correctness of each single S-box. In this paper, we put forward a new leakage model based on the power consumption of multi S-box. The implementation of this method is combined with genetic algorithm. In DES algorithm, we can establish leakage model based on the Hamming distance of summing up 8 S-boxes. The genetic algorithm can search the key space of 2^48 to complete the attack of 8 S-boxes at the same time intelligently. And we also experimentally validate the fact that the leakage model of 8 S-boxes can decrease about 60% number of traces which is needed in the classical based on one single S-box in time domain and it also decreases about 33% number of traces in frequency domain. The IC card which is used in experiment is the training card 8 provided by Riscure Company.

18:17 [Pub][ePrint] Statistical weaknesses in 20 RC-4 like algorithms and (probably) the simplest algorithm free from these weaknesses - VMPC-R, by Bartosz Zoltak

  We find statistical weaknesses in 20 RC-4 like algorithms including the original RC4, RC4A, PC-RC4 and others.

This is achieved using a simple statistical test.

We found only one algorithm which was able to pass the test - VMPC-R.

This algorithm, being approximately three times more complex then RC4,

is probably the simplest RC4-like cipher capable of producing pseudo-random output.

18:17 [Pub][ePrint] On the Complexity of Finding Low-Level Solutions, by Bjoern Grohmann

  In this article the complexity of finding low-level solutions is investigated.

18:17 [Pub][ePrint] Structure-Preserving Signatures from Type II Pairings, by Masayuki Abe and Jens Groth and Miyako Ohkubo and Mehdi Tibouchi

  We investigate structure-preserving signatures in asymmetric bilinear groups with an efficiently computable homomorphism from one source group to the other, i.e., the Type II setting. It has been shown that in the Type I and Type III settings (with maximal symmetry and maximal asymmetry respectively), structure-preserving signatures need at least 2 verification equations and 3 group elements. It is therefore natural to conjecture that this would also be required in the intermediate Type II setting, but surprisingly this turns out not to be the case. We construct structure-preserving signatures in the Type II setting that only require a single verification equation and consist of only 2 group elements. This shows that the Type II setting with partial asymmetry is different from the other two settings in a way that permits the construction of cryptographic schemes with unique properties.

We also investigate lower bounds on the size of the public verification key in the Type II setting. Previous work in structure-preserving signatures has explored lower bounds on the number of verification equations and the number of group elements in a signature but the size of the verification key has not been investigated before. We show that in the Type II setting it is necessary to have at least 2 group elements in the public verification key in a signature scheme with a single verification equation.

Our constructions match the lower bounds so they are optimal with respect to verification complexity, signature sizes and verification key sizes. In fact, in terms of verification complexity, they are the most efficient structure preserving signature schemes to date. Depending on the context in which a scheme is deployed it is sometimes desirable to have strong existential unforgeability, and in other cases full randomizability. We give two structure-preserving signature schemes with a single verification equation where both the signatures and the public verification keys consist of two group elements each. One signature scheme is strongly existentially unforgeable, the other is fully randomizable. Having such simple and elegant structure-preserving signatures may make the Type II setting the easiest to use when designing new structure-preserving cryptographic schemes, and lead to schemes with the greatest conceptual simplicity.

03:17 [Pub][ePrint] Sakai-Ohgishi-Kasahara Non-Interactive Identity-Based Key Exchange Scheme, Revisited, by Yu Chen and Qiong Huang and Zongyang Zhang

  Identity-based non-interactive key exchange (IB-NIKE) is a powerful but a bit overlooked primitive in identity-based cryptography. While identity-based encryption and signature have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. Currently, there are only few IB-NIKE schemes in the literature. Among them, Sakai-Ohgishi-Kasahara (SOK) scheme is the first efficient and secure IB-NIKE scheme, which has great influence on follow-up works. However, the SOK scheme required its identity mapping function to be modeled as a random oracle to prove security. Moreover, the existing security proof heavily relies on the ability of programming the random oracle. It is unknown whether such reliance is inherent.

In this work, we intensively revisit the SOK IB-NIKE scheme, and present a series of possible and impossible results in the random oracle model and the standard model. In the random oracle model, we first improve previous security analysis for the SOK IB-NIKE scheme by giving a tighter reduction. We then use meta-reduction technique to show that the SOK scheme is unlikely proven to be secure based on the computational bilinear Diffie-Hellman (CBDH) assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function from admissible hash functions (AHFs) and indistinguishability obfuscation.

The resulting scheme is fully adaptive-secure based on the decisional bilinear Diffie-Hellman inversion (DBDHI) assumption. To the best of our knowledge, this is first fully adaptive-secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or use multilinear maps as a key ingredient. Of particular interest, we generalize the definition of AHFs, and propose a generic construction which enables AHFs with previously unachieved parameters.