International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

09:17 [Pub][ePrint] Revocation in Publicly Verifiable Outsourced Computation, by James Alderman and Carlos Cid and Jason Crampton and Christian Janson

  The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result.

In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value.

We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.

09:17 [Pub][ePrint] The Multiple Number Field Sieve with Conjugation Method, by C├ęcile Pierrot

  In this short paper, we propose a variant of the Number Field Sieve to compute discrete logarithms in medium characteristic finite fields.

We propose an algorithm that combines two recent ideas, namely the Multiple variant of the Number Field Sieve taking advantage of a large number of number fields in the sieving phase and the Conjugation Method giving a new polynomial selection for the classical Number Field Sieve. The asymptotic complexity of our improved algorithm is L_Q (1/3, (8 (9+4 \\sqrt{6})/15)^1/3), where F_Q is the target finite field and (8 (9+4 \\sqrt{6})/15)^1/3) is approximately equal to 2.156. This has to be compared with the complexity of the previous state-of-the-art algorithm for medium characteristic finite fields, the Number Field Sieve with Conjugation Method, that has a complexity of approximately L_Q(1/3, 2.201).

09:17 [Pub][ePrint] Balanced permutations Even-Mansour ciphers, by Shoni Gilboa and Shay Gueron

  The $r$-rounds Even-Mansour block cipher uses $r$ public permutations of $\\{0, 1\\}^n$ and $r+1$ secret keys. An attack on this construction was described in \\cite{DDKS}, for $r = 2, 3$. Although this attack is only marginally better than brute force, it is based on an interesting observation (due to \\cite{NWW}): for a \"typical\" permutation $P$, the distribution of $P(x) \\oplus x$ is not uniform.

To address this, and other potential threats that might stem from this observation in this (or other) context, we introduce the notion of a ``balanced permutation\'\' for which the distribution of $P(x) \\oplus x$ is uniform, and show how to generate families of balanced permutations from the Feistel construction.

This allows us to define a $2n$-bit block cipher from the $2$-rounds Even-Mansour scheme. The cipher uses public balanced permutations of $\\{0, 1\\}^{2n}$, which are based on two public permutations of $\\{0, 1\\}^{n}$.

By construction, this cipher is immune against attacks that rely on the non-uniform behavior of $P(x) \\oplus x$. We prove that this cipher is indistinguishable from a random permutation of $\\{0, 1\\}^{2n}$,

for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o (2^{n/2})$. As a practical example, we discuss the properties and the performance of a $256$-bit block cipher that is based on AES.

09:17 [Pub][ePrint] On the Security of `An Efficient Biometric Authentication Protocol for Wireless Sensor Networks\', by Ashok Kumar Das

  In 2013, Althobaiti et al. proposed an efficient biometric-based user authentication scheme for wireless sensor networks. We analyze their scheme for the security against known attacks. Though their scheme is efficient in computation, in this paper we show that their scheme has some security pitfalls such as (1) it is not resilient against node capture attack, (2) it is insecure against impersonation attack and (3) it is insecure against man-in-the-middle attack. Finally, we give some pointers for improving their scheme so that the designed scheme needs to be secure against various known attacks.

09:17 [Pub][ePrint] Side Channel Attacks: Vulnerability Analysis of \\texttt{PRINCE} and \\texttt{RECTANGLE} using DPA, by Ravikumar Selvam and Dillibabu Shanmugam and Suganya Annadurai

  Over a decade, cryptographers are more attentive on designing lightweight ciphers in focus to compact cryptographic devices. More often, the security of these algorithms are defined in terms of its resistance to mathematical cryptanalysis methods. Nevertheless, designers are well aware of implementation attacks and concentrating on new design strategies to improve the defence quality against implementation attack. \\texttt{PRINCE}~\\cite{Julia2012} and \\texttt{RECTANGLE}~\\cite{cryptoeprint:2014:084} lightweight block ciphers are designed using new design strategies for efficiency and security. In this paper we analyse the security of \\texttt{PRINCE} and \\texttt{RECTANGLE} against a type of implementation attack called Differential Power Analysis (DPA) attack. Our attack reduces key search space from $2^{128}$ to $33008$ for \\texttt{PRINCE} and $2^{80}$ to $288$ for \\texttt{RECTANGLE}. To the best of our knowledge, this is the first DPA attack on \\texttt{PRINCE} and \\texttt{RECTANGLE}.

09:17 [Pub][ePrint] Graded Multilinear Maps from Lattices, by Craig Gentry and Sergey Gorbunov and Shai Halevi

  Graded multilinear encodings have found extensive applications in cryptography ranging from

non-interactive key exchange protocols, to broadcast and attribute-based encryption, and even to software obfuscation.

Despite seemingly unlimited applicability, essentially only two candidate constructions are known (GGH and CLT). In this work, we describe a new graded multilinear encoding scheme from lattices.

Our construction encodes Learning With Errors (LWE) samples

in short square matrices of higher dimensions. Addition and multiplication of the encodings corresponds naturally to addition and multiplication

of the LWE secrets. Comparisons of any two encodings

can be performed publicly at any level.

The security of our scheme relies on a hardness of a natural problem which can be thought of as analogous to standard LWE problem.

09:17 [Pub][ePrint] High-speed Polynomial Multiplication Architecture for Ring-LWE and SHE Cryptosystems, by Donald Donglong Chen and Nele Mentens and Frederik Vercauteren and Sujoy Sinha Roy and Ray C.C. Cheung and Dere

  Polynomial multiplication is the basic and most computationally intensive operation in ring-Learning With Errors (ring-LWE) encryption and ``Somewhat\" Homomorphic Encryption (SHE) cryptosystems. In this paper, the Fast Fourier Transform (FFT) with a linearithmic complexity of $O(n\\log n)$, is exploited in the design of a high-speed polynomial multiplier. A constant geometry FFT datapath is used in the computation to simplify the control of the architecture. The contribution of this work is three-fold. First, parameter sets which support both an efficient modular reduction design and the security requirements for ring-LWE encryption and SHE are provided. Second, a versatile pipelined architecture accompanied with an improved dataflow are proposed to obtain a high-speed polynomial multiplier. Third, the proposed architecture supports polynomial multiplications for different lengths $n$ and moduli $p$. The experimental results on a Spartan-6 FPGA show that the proposed design results in a speedup of 3.5 times on average when compared with the state of the art. It performs a polynomial multiplication in the ring-LWE scheme ($n = 256, p = 1049089$) and the SHE scheme ($n = 1024, p = 536903681$) in only 6.3$\\mu$s and 33.1$\\mu$s, respectively.

09:17 [Pub][ePrint] Universally Composable Secure Group Communication, by TIAN Youliang, PENG Changgen

  This paper analyzes group communication within the universally

composable framework. We first propose the group communication

model, identity-based signcrytion model and group key distribution model in the UC framework by

designing the ideal functionality $\\mathcal {F}_{SAGCOM}$, $\\mathcal

{F}_{IDSC}$ and $\\mathcal {F}_{GKD}$, respectively. Then, we construct

a UC secure identity-based signcryption protocol $\\pi_{IDSC}$. Moreover,

we shows that the identity-based signcryption $\\pi_{IDSC}$ securely realizes the ideal functionality $\\mathcal {F}_{IDSC}$ if

and only if the corresponding protocol IDSC is secure. Finally, based on the identity-based protocol, we propose a group communication scheme

$\\pi_{SAGCOM}$, which can securely realizes the ideal functionality

$\\mathcal {F}_{SAGCOM}$ in the $(\\mathcal {F}_{IDSC},\\mathcal

{F}_{GKD})$-hybrid model.

09:17 [Pub][ePrint] An Equivalent Condition on the Switching Construction of Differentially 4-uniform Permutations on $\\gf_{2^{2k}}$ from the Inverse Function, by Xi Chen, Yazhi Deng, Min Zhu and Longjiang Qu

  Differentially 4-uniform permutations on $\\gf_{2^{2k}}$ with high nonlinearity are often chosen as Substitution boxes in block ciphers. Recently, Qu et al. used the powerful switching method to construct such permutations from the inverse function [9],[10]. More precisely, they studied the functions of the form G(x)=1/x+f(1/x),

where f is a Boolean function. They proved that if f is a preferred Boolean function (PBF), then G is a permutation polynomial over $\\gf_{2^n}$ whose differential uniformity is at most 4. However, as pointed out in [9],f is a PBF is a sufficient but not necessary condition. In this paper, a sufficient and necessary condition for G to be a differentially 4-uniform permutation is presented. We also show that G can not be an almost perfect nonlinear (APN) function. As an application, a new class of differentially 4-uniform permutations where f are not PBFs are constructed. By comparing this family with previous constructions, the number of permutations here is much bigger. The obtained functions in this paper may provide more choices for the design of Substitution boxes.

09:17 [Pub][ePrint] FPGA Trojans through Detecting and Weakening of Cryptographic Primitives, by Pawel Swierczynski and Marc Fyrbiak and Philipp Koppe and Christof Paar

  This paper investigates a novel attack vector against

cryptography realized on FPGAs, which can pose a serious threat

to real-world implementations. We demonstrate how a simple

bitstream modification can seriously weaken crypto algorithms,

which we show by example of the AES and 3DES. The attack is

performed by modifying the FPGA bitstream that configures the

hardware elements during initialization. It has been known for a

long time that cloning of FPGA designs, even if the bitstream

is encrypted, is a relatively easy task. However, due to the

proprietary format of the bitstream, a meaningful modification

of an unknown FPGA bitstream is very challenging. While

some previous work had addressed bitstream reverse-engineering,

so far it has not been evaluated how difficult it is to detect

and modify cryptographic elements. We outline two possible

practical attacks that can lead to serious security implications.

We target the non-linear S-boxes of crypto algorithms of a

synthesized FPGA design that can be either implemented as

Boolean equations in look-up tables, or as precomputed set

of values that are stored in the memory of the FPGA. We

demonstrate that it is possible to detect and apply meaningful

changes to cryptographic elements inside an unknown propriety

and undocumented bitstream. Furthermore, we also show how

an AES key can be revealed within seconds by modifying the

bitstream. Finally, we propose countermeasures that can raise

the bar for an adversary to successfully perform an attack.

09:17 [Pub][ePrint] Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model, by Stanislaw Jarecki and Aggelos Kiayias and Hugo Krawczyk

  In a Password-Protected Secret Sharing (PPSS) scheme with parameters (t,n) (formalized by Bagherzandi et al), a user Alice stores secret information s among n servers so that she can later recover the information solely on the basis of her password. The security requirement is similar to a (t,n)-threshold secret sharing, i.e., Alice can recover her secret as long as she can communicate with t + 1 honest servers but an attacker gaining access to t servers cannot learn information about the secret. In particular, the system is secure against o-line attacks by an attacker controlling up to t servers. On the other hand, accounting for inevitable on-line attacks one allows the attacker an advantage proportional to the fraction of dictionary passwords tested in on-line interactions with the user and servers.

We present the first round-optimal PPSS scheme, requiring just one message from user to server, and from server to user, and that works in the password-only setting where users do not have access to an authenticated public key. The scheme uses an Oblivious PRF whose security we define using a UC-style ideal functionality and denote as V-OPRF due to its verifiability, and for which we show concrete, very practical realizations in the random oracle model, as well as standard-model instantiations. As an important application we use this scheme to build the first single-round password-only Threshold-PAKE protocol in the CRS and ROM models for arbitrary (t,n) parameters with no PKI requirements for any party (clients or servers) and no inter-server communication. Our T-PAKE protocols are built by combining suitable key exchange protocols on top of our V-OPRF-based PPSS schemes. We prove T-PAKE security via a generic composition theorem showing the security of any such composed protocol.