International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

06:17 [Pub][ePrint] Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal, by Cas Cremers and Michèle Feltz

  We show that it is possible to achieve perfect forward secrecy in two-message or one-round key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk (eCK) security model. In particular, we consider perfect forward secrecy in the presence of adversaries that can reveal ephemeral secret keys and the long-term secret keys of the actor of a session (similar to Key Compromise Impersonation).

We propose two new game-based security models for KE protocols. First, we formalize a slightly stronger variant of the eCK security model that we call eCKw. Second, we integrate perfect forward secrecy into eCKw, which gives rise to the even stronger eCK-PFS model. We propose a security-strengthening transformation (i.e., a compiler) between our new models. Given a two-message Diffie-Hellman type protocol secure in eCKw, our transformation yields a two-message protocol that is secure in eCK-PFS. As an example, we show how our transformation can be applied to the NAXOS protocol.

06:17 [Pub][ePrint] Efficient Padding Oracle Attacks on Cryptographic Hardware, by Romain Bardou and Riccardo Focardi and Yusuke Kawamoto and Lorenzo Simionato and Graham Steel and Joe-Kai Tsay

  We show how to exploit the encrypted key import functions of a

variety of different cryptographic devices to reveal the imported

key. The attacks are padding oracle attacks, where error messages

resulting from incorrectly padded plaintexts are used as a side

channel. In the asymmetric encryption case, we modify and improve

Bleichenbacher\'s attack on RSA PKCS#1v1.5 padding, giving new

cryptanalysis that allows us to carry out the `million message

attack\' in a mean of 49 000 and median of 14 500 oracle calls in the

case of cracking an unknown valid ciphertext under a 1024 bit key

(the original algorithm takes a mean of 215 000 and a median of 163

000 in the same case). We show how implementation details of certain

devices admit an attack that requires only 9 400 operations on

average (3 800 median). For the symmetric case, we adapt Vaudenay\'s

CBC attack, which is already highly efficient. We demonstrate the

vulnerabilities on a number of commercially available cryptographic

devices, including security tokens, smartcards

and the Estonian electronic ID card. The attacks are

efficient enough to be practical: we give timing details for all

the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack.

We give mathematical analysis of the effectiveness of the attacks,

extensive empirical results, and a discussion of countermeasures and manufacturer reaction.

06:17 [Pub][ePrint] Weaknesses of an Improvement Authentication Scheme using , by Rafael Martínez-Peláez and Francisco Rico-Novella

  Recently, Sood-Sarje-Singh proposed an improvement to Liou et al.\'s dynamic ID-based remote user authentication scheme using smart cards to prevent impersonation attack, malicious user attack, off-line password guessing attack, and man-in-the-middle attack. However, we demonstrate that Sood et al.\'s scheme is still vulnerable to malicious user attack, impersonation attack and steal information from a database attack.

06:17 [Pub][ePrint] DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems, by Kan Yang and Xiaohua Jia and Kui Ren

  Data access control is an effective way to ensure the data security in the cloud. However, due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems. Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server.

Ciphertext-Policy Attribute-based Encryption (CP-ABE) is a promising technique for access control of encrypted data. It requires a trusted authority manages all the attributes and distributes keys in the system. In cloud storage systems, there are multiple authorities co-exist and each authority is able to issue attributes independently.

However, existing CP-ABE schemes cannot be directly applied to the access control for multi-authority cloud storage systems, due to the inefficiency of decryption and revocation. In this paper, we propose DAC-MACS (Data Access Control for Multi-Authority Cloud Storage), an effective and secure data access control scheme with efficient decryption and revocation. Specifically, we construct a new multi-authority CP-ABE scheme with efficient decryption and also design an efficient attribute revocation method that can achieve both forward security and backward security. The analysis and the simulation results show that our DAC-MACS is highly efficient and provably secure under the security model.

16:31 [Event][New] FC13: Financial Crypto

  Submission: 13 October 2012
Notification: 17 December 2012
From April 1 to April 5
Location: Okinawa, Japan
More Information:

06:17 [Pub][JoC] A Comparison of Cryptanalytic Tradeoff Algorithms


Abstract  Three time-memory tradeoff algorithms are compared in this paper. Specifically, the classical tradeoff algorithm by Hellman, the distinguished point tradeoff method, and the rainbow table method, in their non-perfect table versions, are treated. We show that, under parameters and assumptions that are typically considered in theoretic discussions of the tradeoff algorithms, the Hellman and distinguished point tradeoffs perform very close to each other and the rainbow table method performs somewhat better than the other two algorithms. Our method of comparison can easily be applied to other situations, where the conclusions could be different. The analysis of tradeoff efficiency presented in this paper does not ignore the effects of false alarms and also covers techniques for reducing storage, such as ending point truncations and index tables. Our comparison of algorithms fully takes into account success probabilities and precomputation efforts.

  • Content Type Journal Article
  • Pages 1-79
  • DOI 10.1007/s00145-012-9128-3
  • Authors

    • Jin Hong, Department of Mathematical Sciences and ISaC, Seoul National University, Seoul, 151-747 Korea
    • Sunghwan Moon, Department of Mathematics, Texas A&M University, College Station, TX 77843-3368, USA

    • Journal Journal of Cryptology
    • Online ISSN 1432-1378
    • Print ISSN 0933-2790

From: Wed, 25 Jul 2012 14:55:57 GMT

07:33 [Job][New] Security Expert for Smart Card and Embedded Devices, Samsung Electronics, Republic of Korea (South Korea)

  Samsung is opening the job position for the smart card security expert. The detailed job description is as follows:

- Participate to the specification of the next generation security devices in collaboration with the design team, propose new security features

- Customer support for security and security promotion

- Support CC/EMV certification

- Attend & follow-up the smart card security related standard & organization (JHAS...)

- Survey and study the up-to-date attack/countermeasure techniques and the relevant result from crypto/security research communities

The successful candidates are expected to have expertise in one or more of the following areas:

- strong experience in smart card security and more generally embedded device security (SW or HW)

- security architecture specification

- security evaluation and the attack technologies including various side channel analysis attacks

- firmware design

- EMVco / Common Criteria certifications.

The candidates are preferred to work in South Korea but it is negotiable.

The application should include the current curriculum vitae.

14:30 [Job][New] Research and PhD positions, Information Security Group, Royal Holloway, University of London, United Kingdom

  We have several doctoral and research associate positions within ASECOLAB, Adaptive Security and Economics Lab, founded at Royal Holloway, University of London by Prof Dusko Pavlovic. Some of the research directions of the Lab are indicated in the article \\\"Gaming security by obscurity\\\", NSPW 2011. Candidates with interests in the broad area of mathematical and economic models of security processes are encouraged to apply. Salaries will be competitive. The positions are for fixed term, under the standard academic conditions.

Royal Holloway is located in Egham, in the convenient and attractive area between London Heathrow and Windsor Great Park.

Please apply at The screening of the candidates will begin on August 20th, and will continue until the positions are filled. Please email Dusko.Pavlovic (at) for informal discussions about the posts. For inquiries about the application process please contact Claire.Hudson (at)

21:17 [Pub][ePrint] MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes, by Rafael Misoczki and Jean-Pierre Tillich and Nicolas Sendrier and Paulo S. L. M. Barreto

  Recently, several variants of the McEliece cryptosystem based on low-density parity-check (LDPC) codes have been proposed. When combined with quasi-cyclic structure, these proposals provide much smaller key sizes than the original McEliece cryptosystem. LDPC codes are characterized by the existence of low weight dual codewords, used to perform an efficient iterative decoding. In order to avoid attacks aimed at recovering such codewords, these last proposals suggested to replace the permutation matrix used by McEliece by a matrix of small constant row and column weight, in order to increase the dual codeword weight. In this paper, we introduce the moderate density parity-check codes (MPDC, for short), which provide a better decoding process than the aforementioned LDPC variants. It also recovers the possibility to use permutation equivalent private and public codes. As a result, we present two new McEliece variants (one using quasi-cyclic MDPC codes and other employing generic MDPC codes). One of the main benefits of our variants is that both key-recovery and message decoding attacks boil down to the same coding-theory problem: low weight codeword finding. Therefore we present a security reduction much closer to the general decoding problem than any other code-based encryption scheme. Regarding each variant separately, while the QC-MDPC variant is mainly focused on allowing smaller public keys (e.g., for 80-bits of security, only 4800 bits), the MDPC variant further reduces the ways for structural attacks. Finally, we evaluate several kind of attacks, resulting in practical parameters quite competitive to conventional cryptography.

21:17 [Pub][ePrint] Cryptanalysis of an Identity-Based Multiple Key Agreement Scheme, by Qingfeng Cheng

  Multiple key agreement (MKA) protocols allow two parties to generate two or more session keys in one session, which will be used for future secure communications in public network. In recent years, many MKA protocols have been proposed. However, most of them do not

consider ephemeral key compromise resilience, and some of them still exists security flaws. In this paper, we analyze the scheme proposed by Dehkordi and Alimoradi in 2011, which is announced with stronger security. We will present ephemeral key compromise attack and impersonation attack against Dehkordi and Alimoradi\'s protocol. For overcoming these security flaws, we also propose an improvement of Dehkordi and Alimoradi\'s protocol.

21:17 [Pub][ePrint] Infinite Secret Sharing -- Examples, by Alexander Dibert and Laszlo Csirmaz

  The motivation for extending secret sharing schemes to cases when either the

set of players is infinite or the domain from which the secret and/or the

shares are drawn is infinite or both, is similar to the case when switching

to abstract probability spaces from classical combinatorial probability. It

might shed new light on old problems, could connect seemingly unrelated

problems, and unify diverse phenomena.

Definitions equivalent in the finitary case could be very much different

when switching to infinity, signifying their difference. The standard

requirement that qualified subsets should be able to determine the secret

has different interpretations in spite of the fact that, by assumption, all

participants have infinite computing power. The requirement that unqualified

subsets should have no, or limited information on the secret suggests that

we also need some probability distribution. In the infinite case events with

zero probability are not necessarily impossible, and we should decide

whether bad events with zero probability are allowed or not.

In this paper, rather than giving precise definitions, we enlist an abundance

of hopefully interesting infinite secret sharing schemes. These

schemes touch quite diverse areas of mathematics such as projective

geometry, stochastic processes and Hilbert spaces. Nevertheless our main

tools are from probability theory. The examples discussed here serve as

foundation and illustration to the more theory oriented companion paper ``Probabilistic Infinite Secret Sharing.\'\'