International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Improved Indifferentiability Security Bound for the JH Mode, by Dustin Moody and Souradyuti Paul and Daniel Smith-Tone

  Indifferentiability security of a hash mode of operation guarantees the mode\'s resistance against \\emph{all} generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function is one of the five finalists in the ongoing NIST SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode (with $n$-bit digest and $2n$-bit permutation) has remained remarkably low, only at n/3 bits (FSE 2010), while the other four finalist modes -- with comparable parameter values -- offer a security guarantee of n/2 bits. In this paper, we improve the indifferentiability security bound for the JH mode to n/2 bits (from 171 to 256 bits when n=512). To put this into perspective, our result guarantees the absence of attacks on both JH-256 and JH-512 hash functions with time less than approximately 2^256 computations of the underlying 1024-bit permutation, under the assumption that the basic permutation is structurally strong. Our bounds are optimal for JH-256, and the best, so far, for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and the bad events. Our experimental data strongly supports the theoretically obtained results.

21:17 [Pub][ePrint] Concurrent Zero Knowledge in the Bounded Player Model, by Abhishek Jain, Rafail Ostrovsky, Silas Richelson, Ivan Visconti

  In this paper we put forward the Bounded Player Model for secure computation. In this new model, the number of players that will ever be involved in secure computations is bounded, but the number of computations has no a-priori bound. Indeed, while the number of devices and people on this planet can be realistically estimated and bounded, the number of computations these devices will run can not be realistically bounded.

We stress that in the Bounded Player model, in addition to no apriori bound on the number of sessions, there is no synchronization barrier, no trusted party, and simulation must be performed in polynomial time.

In this setting, we achieve concurrent Zero Knowledge (cZK) with sub-logarithmic round complexity.

Our security proof is (necessarily) non-black-box, our simulator is straight-line and works as long as the number of rounds is $\\omega(1)$.

We further show that unlike previously studied relaxations of the standard model (e.g., timing assumptions, super-polynomial simulation), concurrent-secure computation is impossible to achieve in the Bounded Player model. This gives evidence that our model is closer to the standard model than previously studied models, and we believe might have additional applications.

21:17 [Pub][ePrint] Improved ``Partial Sums\"-based Square Attack on AES, by Michael Tunstall

  The Square attack as a means of attacking reduced round variants of AES was described in the initial description of the Rijndael block cipher. This attack can be applied to AES, with a relatively small number of chosen plaintext-ciphertext pairs, reduced to less than six rounds in the case of AES-128 and seven rounds otherwise and several extensions to this attack have been described in the literature. In this paper we describe new variants of these attacks that have a smaller time complexity than those present in the literature. Specifically, we demonstrate that the quantity of chosen plaintext-ciphertext pairs can be halved producing the same reduction in the time complexity. We also demonstrate that the time complexity can be halved again for attacks applied to AES-128 and reduced by a smaller factor for attacks applied to AES-192. This is achieved by eliminating hypotheses on-the-fly when bytes in consecutive subkeys are related because of the key schedule.

21:17 [Pub][ePrint] Publicly Verifiable Delegation of Large Polynomials and Matrix Computations, with Applications, by Dario Fiore and Rosario Gennaro

  Outsourced computations (where a client requests a server to perform some computation on its behalf) are becoming increasingly important due to the rise of Cloud Computing and the proliferation of mobile devices.

Since cloud providers may not be trusted, a crucial problem is the verification of the integrity and correctness of such computation, possibly in a {\\em public} way, i.e., the result of a computation can be verified by any third party, and requires no secret key -- akin to a digital signature on a message.

We present new protocols for publicly verifiable secure outsourcing of

{\\em Evaluation of High Degree Polynomials} and {\\em Matrix Multiplication}. Compared to previously

proposed solutions, ours improve in efficiency and offer security in a stronger model.

The paper also discusses several practical applications of our protocols.


  Recently proposed algebraic attack has been shown to be very effective on several stream ciphers. In this paper, we have investigated the resistance of PingPong family of stream ciphers against algebraic attacks. This stream cipher was proposed in 2008 to enhance the security of the improved summation generator against the algebraic attack. In particular, we focus on the PingPong-128 stream cipher\'s resistance against algebraic attack in this paper. In our analysis, it is found that an algebraic attack on PingPong family of stream ciphers require much more operations compare to the exhaustive key search on the internal state of the LFSRs. It will be shown that due to the irregular and mutual clock controlling in PingPong stream cipher the degree of the generated equation tends to grow up with each successive clock which in turn increases the overall complexity of an algebraic attack. Along with the PingPong 128 stream cipher the other instances of PingPong family stream ciphers are also investigated against the algebraic attack. Our analysis shows that, PingPong family stream ciphers are highly resistant against the algebraic attack due to their mutual and irregular clocking function.

21:17 [Pub][ePrint] Some properties of q-ary functions based on spectral analysis, by Deep Singh and Maheshanand Bhaintwal

  In this paper, we generalize some existing results on Boolean

functions to the $q$-ary functions defined over $\\BBZ_q$, where

$q\\geq 2$ is an integer, and obtain some new characterization of

$q$-ary functions based on spectral analysis. We provide a

relationship between Walsh-Hadamard spectra of two $p$-ary functions

$f$ and $g$ (for $p$ a prime) and their derivative $D_{f, g}$. We

provide a relationship between the Walsh-Hadamard spectra and the

decompositions of any two $p$-ary functions. Further, we investigate

a relationship between the Walsh-Hadamard spectra and the

autocorrelation of any two $q$-ary functions.

21:17 [Pub][ePrint] Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages, by Olivier Blazy and CĂ©line Chevalier and David Pointcheval and Damien Vergnaud

  Authenticated Key Exchange (AKE) protocols enable two parties to

establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e. low-entropy) secret keys or credentials. In this paper, we provide a general framework that encompasses several previous AKE primitives such as Password-Authenticated Key Exchange or Secret Handshakes. We call it LAKE for Language-Authenticated Key Exchange.

We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations.

Combined with an efficient commitment scheme, derived from the highly-efficient UC-secure Lindell\'s commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols.

All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.

21:17 [Pub][ePrint] Constant-Size Structure-Preserving Signatures: Generic Constructions and Simple Assumptions, by Masayuki Abe, Melissa Chase, Bernardo David, Markulf Kohlweiss, Ryo Nishimaki, Miyako Ohkubo

  This paper presents efficient structure-preserving signature schemes based on assumptions as simple as Decision-Linear. We first give two general frameworks for constructing fully secure signature schemes from weaker building blocks such as two-tier signatures and random-message secure signatures. They can be seen as refinements of the Even-Goldreich-Micali framework, and preserve many desirable properties of the underlying schemes such as constant signature size and structure preservation. We then instantiate them based on simple (i.e., not q-type) assumptions over symmetric and asymmetric bilinear groups. The resulting schemes are structure-preserving and yield constant-size signatures consisting of 11 to 17 group elements, which compares favorably to existing schemes relying on q-type assumptions for their security.

21:17 [Pub][ePrint] Protecting Last Four Rounds of CLEFIA is Not Enough Against Differential Fault Analysis, by Sk Subidh Ali and Debdeep Mukhopadhyay

  In this paper we propose a new differential fault analysis (DFA) on CLEFIA of 128-bit key. The proposed attack requires to induce byte faults at the fourteenth round of CLEFIA encryption. The attack uses only two pairs of fault-free and faulty ciphertexts and uniquely

determines the 128-bit secret key. The attacker does not need to know

the plaintext. The most efficient reported fault attack on CLEFIA, needs fault induction at the fifteenth round of encryption and can be performed with two pairs of fault-free and faulty ciphertexts and brute-force search of around 20 bits. Therefore, the proposed attack can evade the countermeasures against the existing DFAs which only protect the last four rounds of encryption. Extensive simulation results have been presented to validate the proposed attack. The simulation results show that the attack can retrieve the 128-bit secret key in around one minute of execution time. To the best of authors\' knowledge the proposed attack is the most efficient attack in terms of both the input requirements as well as the complexity.

21:17 [Pub][ePrint] Computationally-Fair Group and Identity-Based Key-Exchange, by Andrew C. Yao and Yunlei Zhao

  In this work, we re-examine some fundamental group key-exchange and identity-based key-exchange protocols, specifically the Burmester-Desmedet group key-exchange protocol [7] (re-ferred to as the BD-protocol) and the Chen-Kudla identity-based key-exchange protocol [9]

(referred to as the CK-protocol). We identify some new attacks on these protocols, showing in particular that these protocols are not computationally fair. Specifically, with our attacks, an

adversary can do the following damages:

(1) It can compute the session-key output with much lesser computational complexity than that of the victim honest player, and can maliciously nullify the contributions from the victim honest players.

(2) It can set the session-key output to be some pre-determined value, which can be efficiently and publicly computed without knowing any secrecy supposed to be held by the attacker.

We remark these attacks are beyond the traditional security models for group key-exchange and identity-based key-exchange.

Then, based on the computationally fair Diffie-Hellman key-

exchange in [21], we present some fixing approaches, and prove that the fixed protocols are computationally fair.

21:17 [Pub][ePrint] Fair Exchange of Short Signatures Without Trusted Third Party, by Philippe Camacho

  We propose a protocol to exchange Boneh-Boyen short signatures in a fair way, without relying on a trusted third party. Our protocol is quite practical and is the first of the sort to the bestof our knowledge.

Our construction uses a new non-interactive zero-knowledge (NIZK) argument to prove that a commitment is the encryption of a bit vector.

We also design a NIZK argument to prove that a commitment to a bit vector $v=(b_1,b_2,...,b_\\secparam)$ is such that $\\sum_{i \\in [\\secparam]}b_i2^{i-1}=\\Blinding$ where $\\Blinding$

is the discrete logarithm of some public value $\\BasicCommitment=g^\\Blinding$.These arguments may be of independent interest.