International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups, by Goichiro Hanaoka and Takahiro Matsuda and Jacob C.N. Schuldt

  In this paper, we focus on the problem of minimizing ciphertext overhead, and discuss the (im)possibility of constructing key encapsulation mechanisms (KEMs) with low ciphertext overhead. More specifically, we rule out the existence of algebraic black-box reductions from the (bounded) CCA security of a natural class of KEMs to any non-interactive problem. The class of KEMs captures the structure of the currently most efficient KEMs defined in standard prime order groups, but restricts an encapsulation to consist of a single group element and a string. This result suggests that we cannot rely on existing techniques to construct a CCA secure KEM in standard prime order groups with a ciphertext overhead lower than two group elements. Furthermore, we show how the properties of an (algebraic) programmable hash function can be exploited to construct a simple, efficient and CCA secure KEM based on the hardness of the decisional Diffie-Hellman problem with the ciphertext overhead of just a single group element. Since this KEM construction is covered by the above mentioned impossibility result, this enables us to derive a lower bound on the hash key size of an algebraic programmable hash function, and rule out the existence of algebraic $({\\sf poly},n)$-programmable hash functions in prime order groups for any integer $n$. The latter result answers an open question posed by Hofheinz and Kiltz (CRYPTO\'08) in the case of algebraic programmable hash functions in prime order groups.

21:17 [Pub][ePrint] Long Term Confidentiality: a Survey, by Johannes Braun, Johannes Buchmann, Ciaran Mullan, and Alex Wiesmaier

  Sensitive electronic data may be required to remain confidential for long periods of time. Yet encryption under a computationally secure cryptosystem cannot provide a guarantee of long term confidentiality, due to potential advances in computing power or cryptanalysis. Long term confidentiality is ensured by information theoretically secure ciphers, but at the expense of impractical key agreement and key management.

We overview known methods to alleviate these problems, whilst retaining some form of information theoretic security relevant for long term confidentiality.

21:17 [Pub][ePrint] Tweakable Blockciphers with Beyond Birthday-Bound Security, by Will Landecker and Thomas Shrimpton and R. Seth Terashima

  Liskov, Rivest and Wagner formalized the tweakable blockcipher (TBC) primitive at CRYPTO\'02. The typical recipe for instantiating a TBC is to start with a blockcipher, and then build up a construction that admits a tweak. Almost all such constructions enjoy provable security only to the birthday bound, and the one that does achieve security beyond the birthday bound (due to Minematsu) severely restricts the tweak size and requires per-invocation blockcipher rekeying.

This paper gives the first TBC construction that simultaneously allows for arbitrarily \"wide\" tweaks, does not rekey, and delivers provable security beyond the birthday bound. Our construction is built from a blockcipher and an $\\eAXU$ hash function.

As an application of the TBC primitive, LRW suggest the TBC-MAC construction (similar to CBC-MAC but chaining through the tweak), but leave open the question of its security. We close this question, both for TBC-MAC as a PRF and a MAC. Along the way, we find a nonce-based variant of TBC-MAC that has a tight reduction to the security of the underlying TBC, and also displays graceful security degradation when nonces are misused. This result is interesting on its own, but it also serves as an application of our new TBC construction, ultimately giving a variable input-length PRF with beyond birthday-bound security.

07:14 [Conf][CHES] invited speakers announced

  CHES 2012 will feature 2 invited talks

Steven Murdoch
University of Cambridge, UK
Title: "Banking Security: Attacks and Defences"

Christof Tarnovsky
Flylogic Engineering
Title: TBD

15:17 [Pub][ePrint] Improved CRT Algorithm for Class Polynomials in Genus 2, by Kristin Lauter and Damien Robert

  We present a generalization to genus 2 of the probabilistic

algorithm in Sutherland~\\cite{Sutherland} for computing Hilbert class polynomial˻s. The improvement over the algorithm presented

in~\\cite{BGL} for the genus 2 case, is that we do not need to find a

curve in the isogeny class with endomorphism ring which is the maximal

order: rather we present a probabilistic algorithm for ``going up\'\' to a {\\it

maximal} curve (a curve with maximal endomorphism ring), once we find {\\it

any} curve in the right isogeny class. Then we use the structure of the

Shimura class group and the computation of $(\\ell,\\ell)$-isogenies to

compute all isogenous maximal curves from an initial one.

15:17 [Pub][ePrint] Factorization of a 1061-bit number by the Special Number Field Sieve, by Greg Childers

  I provide the details of the factorization of the Mersenne number $2^{1061}-1$ by the Special Number Field Sieve. Although this factorization is easier than the completed factorization of RSA-768, it represents a new milestone for factorization using publicly available software.

15:17 [Pub][ePrint] A note on \'An efficient certificateless aggregate signature with constant pairing computations\', by Debiao He, Miaomiao Tian

  Recently, Xiong et al. [H. Xiong, Z. Guan, Z. Chen, F. Li, An Efficient certificateless aggregate signature with constant pairing computations, Information Science, doi: 10.1016/j.ins.2012.07.004, 2012] proposed a certificateless signature (CLS) scheme and used it to construct a certificateless aggregate signature (CLAS) scheme with constant pairing computations. They also demonstrated that both of their schemes are provably secure in the random oracle model under the computational Diffie-Hellman assumption. Unfortunately, by giving concrete attacks, we point out that Xiong et al. schemes are not secure in their security model.

15:17 [Pub][ePrint] Differential Fault Analysis of AES: Towards Reaching its Limits, by Sk Subidh Ali , Debdeep Mukhopadhyay, and Michael Tunstall

  In this paper we present a theoretical analysis of the limits

of the Differential Fault Analysis (DFA) of AES by developing an inter

relationship between conventional cryptanalysis of AES and DFAs. We

show that the existing attacks have not reached these limits and present techniques to reach these. More specifically, we propose optimal DFA on states of AES-128 and AES-256. We also propose attacks on the key schedule of the three versions of AES, and demonstrate that these are some of the most efficient attacks on AES to date. Our attack on AES-128 key schedule is optimal, and the attacks on AES-192 and AES-256 key schedule are very close to optimal. Detailed experimental results have been provided for the developed attacks. The work has been compared to other works and also the optimal limits of Differential Fault Analysis of AES.

15:17 [Pub][ePrint] Multi-receiver Homomorphic Authentication Codes for Network Coding, by Zhaohui Tang, and Hoon Wei Lim

  We investigate a new class of authenticate codes (A-codes) that support verification

by a group of message recipients in the network coding setting. That is, a sender generates an

A-code over a message such that any intermediate node or recipient can check the authenticity

of the message, typically to detect pollution attacks. We call such an A-code as multi-receiver

homomorphic A-code (MRHA-code). In this paper, we first formally define an MRHA-code.

We then derive some lower bounds on the security parameters and key sizes associated with our

MRHA-codes. Moreover, we give efficient constructions of MRHA-code schemes that can be used

to mitigate pollution attacks on network codes. Unlike prior works on computationally secure

homomorphic signatures and MACs for network coding, our MRHA-codes achieve unconditional


05:51 [Conf][CHES] Early registration deadline Aug. 5

  CHES 2012 early registration deadline Aug. 5.

18:38 [News] Wanted: Volunteers for Crypto (GC) and Websystem

  The IACR Board is seeking volunteers to assist with the maintenance of the IACR website and to serve as general chair for a future Crypto. If you are interested in these tasks, send a message to