International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint] Simple AEAD Hardware Interface (S{\\AE}HI) in a SoC: Implementing an On-Chip Keyak/WhirlBob Coprocessor, by Markku-Juhani O. Saarinen

  Simple AEAD Hardware Interface (S{\\AE}HI) is a hardware cryptographic

interface aimed at CAESAR Authenticated Encryption with Associated

Data (AEAD) algorithms. Cryptographic acceleration is typically

achieved either with a coprocessor or via instruction set

extensions. ISA modifications require re-engineering the CPU core,

making the approach inapplicable outside the realm of open source

processor cores. Our proposed hardware interface is a memory-mapped

cryptographic coprocessor, implementable even on very low end FPGA

evaluation platforms. Algorithms complying to S{\\AE}HI must also

include C language API drivers that directly utilize the

memory mapping in a ``bare metal\'\' fashion. This can also

be accommodated on MMU systems.

Extended battery life and bandwidth resulting from dedicated

cryptographic hardware is vital for currently dominant computing and

communication devices: mobile phones, tablets, and Internet-of-Things

(IoT) applications. We argue that these should be priority hardware

optimization targets for AEAD algorithms with realistic payload


We demonstrate a fully integrated implementation of WhirlBob

and Keyak AEADs on the FPGA fabric of Xilinx Zynq 7010. This low-cost

System-on-Chip (SoC) also houses a dual-core Cortex-A9 CPU, closely

matching the architecture of many embedded devices. The on-chip

coprocessor is accessible from user space with a Linux

kernel driver. An integration path exists all the way to end-user


15:17 [Pub][ePrint] Vernam Two, by Dan P. Milleville

  The Vernam Algorithm has long been unable to be commercially used because it requires the key to be transmitted with the ciphertext, an obvious security hazard. What has been developed with this methodology is to take a fixed key, XOR 4 randomly selected/extracted segments of this key together forming an \'Effective Key Stream\' and XOR\'ing that with the plaintext. With both the sender and receiver possessing the fixed key, using this new methodology circumvents the requirement to send the key along with the ciphertext.

Considering the drastic reduction in computations needed, this algorithm executes at better than four times faster than the AES. With our society becoming more and more digitally oriented, faster security is needed.

15:17 [Pub][ePrint] Reducing Communication Overhead of the Subset Difference Scheme, by Sanjay Bhattacherjee and Palash Sarkar

  In Broadcast Encryption (BE) systems like Pay-TV, AACS, online content sharing and broadcasting, reducing the header length (communication overhead per session) is of practical interest. The Subset Difference (SD) scheme due to Naor-Naor-Lotspiech (NNL) is the most popularly used BE scheme. It assumes an underlying full binary tree to assign keys to subsets of users. In this work, we associate short tree structures of height $a$ to nodes in the binary tree to assign keys to more subsets. This ensures that for any set of revoked users, the header length is in general less and never more than the NNL-SD scheme. Experimental studies show that the average header length is always less than that of the NNL-SD scheme and decreases as $a$ increases. User storage in the new scheme is more than that of the NNL-SD scheme but is not prohibitively expensive. By choosing a suitable value of $a$, it is possible to obtain substantial reduction in the communication overhead at the cost of a tolerable increase in the user storage.

15:17 [Pub][ePrint] The Exact PRF-Security of NMAC and HMAC, by Peter Gazi and Krzysztof Pietrzak and Michal Rybár

  NMAC is a mode of operation which turns a fixed input-length

keyed hash function f into a variable input-length function.

A~practical single-key variant of NMAC called HMAC is a very

popular and widely deployed message authentication code

(MAC). Security proofs and attacks for NMAC can typically

be lifted to HMAC.

NMAC was introduced by Bellare, Canetti and Krawczyk

[Crypto\'96], who proved it to be a secure pseudorandom

function (PRF), and thus also a MAC, assuming that

(1) f is a PRF and

(2) the function we get when cascading f is weakly


Unfortunately, HMAC is typically instantiated with

cryptographic hash functions like MD5 or SHA-1 for which (2)

has been found to be wrong. To restore the provable

guarantees for NMAC, Bellare [Crypto\'06] showed its

security based solely on the assumption that f is a PRF,

albeit via a non-uniform reduction.

Our first contribution is a simpler and uniform proof: If f

is an \\eps-secure PRF (against q queries) and a

\\delta-non-adaptively secure PRF (against q queries), then

NMAC^f is an (\\eps+lq\\delta)-secure PRF against q queries of

length at most l blocks each.

We then show that this \\eps+lq\\delta bound is basically

tight. For the most interesting case where lq\\delta>=\\eps

we prove this by constructing an f for which an attack with

advantage lq\\delta exists. This also violates the bound

O(l\\eps) on the PRF-security of NMAC recently claimed by

Koblitz and Menezes.

Finally, we analyze the PRF-security of a modification of

NMAC called NI [An and Bellare, Crypto\'99] that differs

mainly by using a compression function with an additional

keying input. This avoids the constant rekeying on

multi-block messages in NMAC and allows for a security proof

starting by the standard switch from a PRF to a random

function, followed by an information-theoretic analysis. We

carry out such an analysis, obtaining a tight lq^2/2^c bound

for this step, improving over the trivial bound of

l^2q^2/2^c. The proof borrows combinatorial techniques

originally developed for proving the security of CBC-MAC

[Bellare et al., Crypto\'05]. We also analyze a variant of

NI that does not include the message length in the last call

to the compression function, proving a l^{1+o(1)}q^2/2^c

bound in this case.

00:17 [Pub][ePrint] Fast Lattice Point Enumeration with Minimal Overhead, by Daniele Micciancio and Michael Walter

  Enumeration algorithms are the best currently known methods to solve lattice problems, both in theory (within the class of polynomial space algorithms), and in practice (where they are routinely used to evaluate the concrete security of lattice cryptography). However, there is an uncomfortable gap between our theoretical understanding and practical performance of lattice point enumeration algorithms.

The algorithms typically used in practice have worst-case asymptotic running time $2^{O(n^2)}$, but perform extremely well in practice, at least for all values of the lattice dimension for which experimentation is feasible. At the same time, theoretical algorithms

(Kannan, Mathematics of Operation Research 12(3):415-440, 1987) are asymptotically superior (achieving $2^{O(n \\log n)}$ running time), but they are never used in practice because they incur a substantial overhead that makes them uncompetitive for all reasonable values of the lattice dimension $n$. This gap is especially troublesome when algorithms are run in practice to evaluate the concrete security of a cryptosystem, and then experimental results are extrapolated to much larger dimension where solving lattice problems is computationally infeasible.

We introduce a new class of (polynomial space) lattice enumeration algorithms that simultaneously achieve asymptotic efficiency (meeting the theoretical $n^{O(n)} = 2^{O(n \\log n)}$ time bound) and practicality, matching or surpassing the performance of practical algorithms already in moderately low dimension. Key technical contributions that allow us to achieve this result are a new analysis technique that allows us to greatly reduce the number of recursive calls performed during preprocessing (from super exponential in $n$ to single exponential, or even polynomial in $n$), a new enumeration technique that can be directly applied to projected lattice (basis) vectors, without the need to remove linear dependencies, and a modified block basis reduction method with fast (logarithmic) convergence properties. The last technique is used to obtain a new SVP enumeration procedure with $\\tilde O(n^{n/2e})$ running time, matching (even in the constant in the exponent) the optimal worst-case analysis (Hanrot and Stehl{\\\'e}, CRYPTO 2007)

of Kannan\'s theoretical algorithm, but with far superior performance

in practice.

We complement our theoretical analysis with a comprehensive set of experiments that not only support our practicality claims, but also allow to estimate the cross-over point between different versions of enumeration algorithms, as well as asymptotically faster (but not quite practical) algorithms running in single exponential $2^{O(n)}$ time and space.

09:17 [Pub][ePrint] Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes, by Daniel Augot and Matthieu Finiasz

  MDS matrices allow to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations.

Recursive MDS matrices allow to solve this problem by focusing on MDS

matrices that can be computed as a power of a simple companion matrix,

thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required to perform an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing to efficiently construct such matrices for whatever parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.

09:17 [Pub][ePrint] Attribute-Based Signatures without Pairings by the Fiat-Shamir Transformation, by Hiroaki Anada and Seiko Arita and Kouichi Sakurai

  We propose the first practical attribute-based signature (ABS) scheme with attribute privacy without pairings in the random oracle model. Our strategy is in the Fiat-Shamir paradigm; we first provide a concrete construction of a $\\Sigma$-protocol of \\textit{boolean proof}, which is a generalization of the well-known $\\Sigma$-protocol of OR-proof, so that it can treat any monotone boolean formula instead of a single OR-gate. Then, we apply the Fiat-Shamir transformation to our $\\Sigma$-protocol of boolean proof and obtain a non-interactive witness-indistinguishable proof of knowledge system (NIWIPoK) which has a knowledge extractor in the random oracle model. Finally, by combining our NIWIPoK with a credential bundle scheme of the Fiat-Shamir signature, we obtain an attribute-based signature scheme (ABS) which possesses the property of attribute privacy. The series of constructions are obtained from a given $\\Sigma$-protocol and can be attained without pairings.

09:17 [Pub][ePrint] New Classes of Public Key Cryptosystems over $F_2^8$ Constructed Based on Reed-Solomon Codes, K(XVII)SE(1)PKC and K(XVII)$\\Sigma \\Pi$PKC, by Masao KASAHARA

  In this paper, we present new classes of public key cryptosystem over $F_2^8$ based on Reed-Solomon codes, referred to as K(XVII)SE(1)PKC

and K(XVII)$\\Sigma \\Pi$PKC, a subclass of K(XVII)SE(1)PKC.

We show that K(XVII)SE(1)PKC over $F_2^8$ can be secure against the various attacks.

We also present K(XVII)$\\Sigma \\Pi$PKC over $F_2^8$, a subclass of K(XVII)SE(1)PKC.

We show that any assertion of successfull attack on K(XVII)SE(1)PKC including K(XVII)$\\Sigma \\Pi$PKC whose parameters are properly chosen

is a coding theoretical contradiction.

We thus conclude that K(XVII)SE(1)PKC and K(XVII)$\\Sigma \\Pi$PKC would be secure against the various attacks including LLL attack.

The schemes presented in this paper would yield brand-new techniques in the field of code-based PKC.

01:45 [Event][New] FC '15: Financial Cryptography and Data Security 2015

  Submission: 15 September 2014
Notification: 16 November 2014
From January 26 to January 30
Location: San Juan, Puerto Rico
More Information:

18:17 [Pub][ePrint] Kangaroos in Side-Channel Attacks, by Tanja Lange and Christine van Vredendaal and Marnix Wakker

  Side-channel attacks are a powerful tool to discover the

cryptographic secrets of a chip or other device but only too often do they require too many traces or leave too many possible keys to

explore. In this paper we show that for side channel attacks on

discrete-logarithm-based systems significantly more unknown bits can

be handled by using Pollard\'s kangaroo method: if $b$ bits are

unknown then the attack runs in $2^{b/2}$ instead of $2^b$. If an

attacker has many targets in the same group and thus has reasons to

invest in precomputation, the costs can even be brought down to


Usually the separation between known and unknown keybits is not this clear cut -- they are known with probabilities ranging between 100\\%

and 0\\%. Enumeration and rank estimation of cryptographic keys

based on partial information derived from cryptanalysis have become

important tools for security evaluations. They make the line between

a broken and secure device more clear and thus help security

evaluators determine how high the security of a device is. For

symmetric-key cryptography there has been some recent work on key

enumeration and rank estimation, but for discrete-logarithm-based

systems these algorithms fail because the subkeys are not

independent and the algorithms

cannot take advantage of the above-mentioned faster

attacks. We present $\\epsilon$-enumeration as a new method to

compute the rank of a key by using the probabilities together with

(variations of) Pollard\'s kangaroo algorithm and give experimental evidence.

06:29 [Event][New] NWC: National Workshop on Cryptology

  Submission: 30 July 2014
Notification: 15 August 2014
From September 25 to September 27
Location: Jabalpur, India
More Information: