International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Machine Learning Classification over Encrypted Data, by Raphael Bost and Raluca Ada Popa and Stephen Tu and Shafi Goldwasser

  Machine learning classification is used in numerous settings nowadays, such as medical or genomics predictions, spam detection, face recognition, and financial predictions. Due to privacy concerns in some of these applications, it is important that the data and the classifier remain confidential.

In this work, we construct three major classification protocols that satisfy this privacy constraint: hyperplane decision, Na\\\"ive Bayes, and decision trees. These protocols may also be combined with AdaBoost. They rely on a library of building blocks for constructing classifiers securely, and we demonstrate the versatility of this library by constructing a face detection classifier.

Our protocols are efficient, taking milliseconds to a few seconds to perform a classification when running on real medical datasets.

09:17 [Pub][ePrint] Using More Points in One Clock Cycle to Achieve Better Performance of Template Attacks, by Guangjun Fan, Yongbin Zhou, Hailong Zhang, and Dengguo Feng

  Template Attacks are widely accepted to be the most powerful side-channel attacks from an information theoretic point of view. For classical Template Attacks, several papers suggested that one should not choose more than one point as the interesting point per clock cycle when he conducts Template Attacks. Disobeying this constraint leads to poorer classification performance even if a higher number of interesting points is chosen. A more systematic approach, which relies on the data variability, is to choose the interesting points based on principal component analysis (PCA). In this paper, we present a new way of conducting Template Attacks when one uses more than one point as the interesting point per clock cycle. This new way has better classification performance compared with classical Template Attacks and PCA-based Template Attacks. Moreover, the computational price of the new way is low and practical. Therefore, we suggest that one should use this new way to better understand practical threats of Template Attacks when one want to use more than one point as the interesting point per clock cycle.

09:17 [Pub][ePrint] An optimal representation for the trace zero subgroup, by Elisa Gorla and Maike Massierer

  We give an optimal-size representation for the elements of the trace zero subgroup of the Picard group of an elliptic or hyperelliptic curve of any genus, with respect to a field extension of any prime degree. The representation is via the coefficients of a rational function, and it is compatible with scalar multiplication of points. We provide efficient compression and decompression algorithms, and complement them with implementation results. We discuss in detail the practically relevant cases of small genus and extension degree, and compare with the other known compression methods.

06:17 [Pub][ePrint] FeW: A Lightweight Block Cipher, by Manoj Kumar and Saibal K Pal and Anupama Panigrahi

  In this paper, we propose a new lightweight block cipher called FeW which encrypts 64-bit plaintext using key size 80/128 bits and produces 64-bit ciphertext. FeW is a software oriented design with the aim of achieving high efficiency in software based environments. We use a mix of Feistel and generalised Feistel structures (referred as Feistel-M structure hereinafter) to enhance the security of our design against basic cryptanalytic attacks like differential, linear, impossible differential and zero correlation attacks. Security analysis of this scheme proves its strength against present day cryptanalytic attacks.

09:17 [Pub][ePrint] From Single-Bit to Multi-Bit Public-Key Encryption via Non-Malleable Codes, by Sandro Coretti and Ueli Maurer Björn Tackmann and Daniele Venturi}

  One approach towards basing public-key encryption schemes on weak and credible assumptions is to build ``stronger\'\' or more general schemes generically from ``weaker\'\' or more restricted schemes. One particular line of work in this context, which has been initiated by Myers and Shelat (FOCS \'09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt \'12), is to build a multi-bit chosen-ciphertext (CCA) secure public-key encryption scheme from a single-bit CCA-secure one. While their approaches achieve the desired goal, it is fair to say that the employed techniques are complicated and that the resulting ciphertext lengths are impractical.

We propose a completely different and surprisingly simple approach to solving this problem. While it is well-known that encrypting each bit of a plaintext string independently is insecure---the resulting scheme is malleable---we show that applying a suitable non-malleable code (Dziembowski et al., ICS \'10) to the plaintext and subsequently encrypting the resulting codeword bit-by-bit results in a secure scheme. To the best of our knowledge, our result is the first application of non-malleable codes in a context other than memory tampering.

The original notion of non-malleability is, however, not sufficient. We therefore prove that (a simplified version of) the code of Dziembowski et al.\\ is actually continuously non-malleable (Faust et al., TCC \'14). Then, we show that this notion is sufficient for our application. Since continuously non-malleable codes require to keep a single bit of (not necessarily secret) state in the decoding, the decryption of our scheme also has to keep this state. This slight generalization of the traditional formalization of public-key encryption schemes seems appropriate for applications. Compared to the previous approaches, our technique leads to conceptually simpler and more efficient schemes.

09:17 [Pub][ePrint] A practical forgery and state recovery attack on the authenticated cipher PANDA-s, by Xiutao FENG, Fan ZHANG and Hui WANG

  PANDA is a family of authenticated ciphers submitted to CARSAR, which consists of two ciphers: PANDA-s and PANDA-b. In this work we present a

state recovery attack against PANDA-s with time complexity about $2^{41}$ under the known-plaintext-attack model, which needs 137 pairs of known plaintext/ciphertext and about 2GB memories. Our attack is practical in a small workstation. Based on the above attack, we further deduce a forgery attack against PANDA-s, which can forge a legal ciphertext $(C,T)$ of an arbitrary plaintext $P$. The results show that PANDA-s is insecure.

09:17 [Pub][ePrint] Some Remarks on Honeyword Based Password-Cracking Detection, by Imran Erguler

  Recently, Juels and Rivest proposed honeywords (decoy pass-

words) to detect attacks against hashed password databases. For each

user account, the legitimate password is stored with several honeywords in order to sense impersonation. If honeywords are selected properly, an adversary who steals a file of hashed passwords cannot be sure if it is the real password or a honeyword for any account. Moreover, entering with a honeyword to login will trigger an alarm notifying the administrator about a password file breach. At the expense of increasing storage requirement by 20 times, the authors introduce a simple and effective solution to detection of password file disclosure events. In this study, we scrutinize the honeyword system and present some remarks to highlight possible weak points. Also, we suggest an alternative approach that selects honeywords from existing user passwords in the system to provide

realistic honeywords - a perfectly flat honeyword generation method - and also to reduce storage cost of the honeyword scheme.

18:21 [News] Volunteers wanted for IACR online services


The IACR Board of Directors is searching for volunteers to help with the website, the Cryptology ePrint Archive, and other IACR online services. Maintenance and future expansion of the online services of the IACR are crucial part for the interaction among cryptographers. We are interested in motivated cryptographers who would like to exploit their systems skills in a LAMP environment.

If you are interested in serving the community in this way, please contact the President of the IACR at

09:17 [Pub][ePrint] Coding Theoretic Construction of Quantum Ramp Secret Sharing, by Ryutaroh Matsumoto

  We show a construction of a quantum ramp secret sharing scheme from a nested pair of linear codes. Necessary and sufficient conditions for qualified sets and forbidden sets are given in terms of combinatorial properties of nested linear codes. An algebraic geometric construction for quantum secret sharing is also given.

12:17 [Pub][ePrint] Explicit Non-Malleable Codes Resistant to Permutations, by Shashank Agrawal and Divya Gupta and Hemanta K. Maji and Omkant Pandey and Manoj Prabhakaran

  The notion of non-malleable codes was introduced as a relaxation of standard error-correction and error-detection. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value.

In the information theoretic setting, although existence of such codes for various rich classes of tampering functions is known, explicit constructions exist only for highly structured family of tampering functions. Prior explicit constructions of non-malleable codes rely on the ``compartmentalized\'\' structure of the tampering function, i.e. the codeword is partitioned into {\\em a priori fixed} blocks and each block can {\\em only} be tampered independently. The prominent examples of this model are the family of bit-wise independent tampering functions and the split-state


We consider an infinitely large natural class of non-compartmentalized tampering functions. In our model, the tampering function can permute the bits of the encoding and (optionally) perturb them. In the information theoretic setting, we provide an {\\em explicit} and {\\em efficient}, {\\em rate-1} non-malleable code for {\\em multi-bit messages}.

Lack of explicit constructions of non-malleable codes for non-compartmentalized tampering functions severely inhibits their utility in cryptographic protocols. As a motivation for our construction, we show an application of non-malleable codes to cryptographic protocols. In an idealized setting, we show how string commitments can be based on one-bit commitments, if non-malleable codes exist. Further, as an example of a non-trivial use of non-malleable codes in standard cryptographic protocols (not in an idealized model), we show that if explicit non-malleable codes are obtained for a slightly larger class of tampering functions than we currently handle, one can obtain a very simple non-malleable commitment scheme, under somewhat strong assumptions.

12:17 [Pub][ePrint] Analysis of NORX, by Philipp Jovanovic and Samuel Neves and Jean-Philippe Aumasson

  This paper presents a thorough security analysis of the AEAD scheme NORX,

focussing on differential and rotational properties of the core permutation.

To examine its differential properties, we first introduce mathematical models

that describe differential propagation with respect to the non-linear operation

of NORX. Then we adapt the framework previously proposed for ARX designs,

which allows us to automatise the search for differentials and differential

characteristics. We give upper bounds on the differential probability of a

small number of steps of the NORX core permutation, and show how we found the

best characteristics for four rounds, which have probabilities of $2^{-584}$

($32$-bit) and $2^{-836}$ ($64$-bit), respectively. Finally, we discuss some

rotational properties of the core permutation which can be used as a basis for

future studies.