International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

08:12 [Event][New] TAEECE2013: Intl Con: Technological Advances in Electrical, Electronics & Computer Eng.

  Submission: 20 March 2013
Notification: 20 April 2013
From May 9 to May 10
Location: Konya, Turkey
More Information:

19:17 [Pub][ePrint] Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?, by Alexander Rostovtsev

  In [] method of virtual isomorphisms of ciphers was proposed for cryptanalysis. Cipher is vulnerable to an attack iff isomorphic cipher is vulnerable to this attack. That method is based on conjugation, and it is not practical because all round operations except one become nonlinear. New isomorphism of AES is proposed, its image IAES has only one nonlinear operation IXOR - isomorphic image of XOR of 5 bytes. Maximal probabilities of byte differentials are increased about 10-11 times, maximal biases of linear sums are increased about 3.6 times comparatively to original AES. IAES possesses computable family of differentials of IXOR with two active input bytes, zero output difference and probability 1. Zero output difference decreases the rate of multiplication of active nonlinearities in differential characteristic of IAES.

19:17 [Pub][ePrint] PRE- Stronger Security Notion and Efficient Construction with New Property, by Jiang Zhang \\and Zhenfeng Zhang \\and Yu Chen

  In a proxy re-encryption (PRE) scheme, a proxy is given a re-encryption key and has the ability to translate a ciphertext under one key into a ciphertext of the same message under a different key, without learning anything about the message encrypted under either key. PREs have been widely used in many exciting applications, such as email forwarding and law enforcement. Based on a good observation on the applications of PREs, we find that a PRE receiver needs an ability, just like what is provided by public-key encryption with non-interactive opening, to non-interactively and efficiently convince third parties of what he obtains from a particular (transformed) ciphertext, while still keeping the security of his secret key and other ciphertexts.

To meet such a practical requirement, we first introduce proxy re-encryption with non-interactive opening (PRENO), and formally

define the notions of security against \\textit{chosen ciphertext

attacks} (CCA) and \\textit{proof soundness}. Our security model is natural and strong since we allow the CCA adversary to adaptively choose public keys for malicious users (i.e., a chosen key model), and a scheme secure in previous models (i.e., knowledge of secret key models) is not necessarily secure in our model. Then, we present an efficient PRENO scheme which satisfies our security notions based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model. Compared with two previous PRE schemes, our scheme is competitive in several aspects. First, its CCA security is proved in a strong security model under a well-studied assumption in the standard model. Second, it has a good overall performance in terms of ciphertext length and computational cost. Third, it first provides non-interactive opening for PRE schemes.

19:17 [Pub][ePrint] Uniform Compression Functions Can Fail to Preserve \"Full\" Entropy, by Daniel R. L. Brown

  To have \"full\" entropy has been defined in a draft NIST standard to be to have min-entropy very close, proportionally, to the min-entropy of a uniform distribution. A function is uniform if all its preimages have the same size. This report proves that the output of any uniform compression function can fail to have full entropy, even when the input has full entropy.

19:17 [Pub][ePrint] Estimating the $\\phi(n)$ of Upper/Lower Bound in its RSA Cryptosystem, by Rock C. Liu and Zhiwi Yeh

  The RSA-768 (270 decimal digits) was factored by Kleinjung et al. on December 12 2009, and the RSA-704 (212 decimal digits) was factored by Bai et al. on July 2, 2012. And the RSA-200 (663 bits) was factored by Bahr et al. on May 9, 2005. Until right now, there is no body successful to break the RSA-210 (696 bits) currently. In this paper, we would discuss an estimation method to approach lower/upper bound of $\\phi(n)$ in the RSA parameters. Our contribution may help researchers lock the $\\phi(n)$ and the challenge RSA shortly.

19:17 [Pub][ePrint] False Negative probabilities in Tardos codes, by Antonino Simone and Boris Skoric

  Forensic watermarking is the application of digital watermarks

for the purpose of tracing unauthorized redistribution of content.

The most powerful type of attack on watermarks is the

collusion attack, in which multiple users compare their differently

watermarked versions of the same content.

Collusion-resistant codes have been developed against these attacks.

One of the most famous such codes is the Tardos code.

It has the asymptotically optimal property that it can resist c

attackers with a code of length proportional to c^2.

Determining error rates for the Tardos code and its various

extensions and generalizations turns out to be a nontrivial problem.

In recent work we developed an approach called the

Convolution and Series Expansion (CSE) method to accurately compute

false positive accusation probabilities.

In this paper we extend the CSE method in order to make it possible

to compute false negative accusation probabilities as well.

19:17 [Pub][ePrint] Construction of Differential Characteristics in ARX Designs -- Application to Skein, by Gaetan Leurent

  In this paper, we study differential attacks against ARX schemes. We

build upon the generalized characteristics of de Cannière and Rechberger

and the multi-bit constraints of Leurent. We describe a more efficient

way to propagate multi-bit constraints, that allows us to use the

complete set of 2^32 2.5-bit constraints, instead of the reduced sets

used by Leurent.

As a result, we are able to build complex non-linear differential

characteristics for reduced versions of the hash function Skein. We

present several characteristics for use in various attack scenarios;

this results in attacks with a relatively low complexity, in relatively

strong settings. In particular, we show practical free-start and

semi-free-start collision attacks for 20 rounds and 12 rounds of

Skein-256, respectively.

To the best of our knowledge, these are the first examples of complex

differential trails are build for pure ARX designs. We believe this is

an important work to assess the security of ARX designs against

differential cryptanalysis. Our improved tools will be publicly available

with the final version of this paper.

19:17 [Pub][ePrint] Expressive Black-box Traceable Ciphertext-Policy Attribute-Based Encryption, by Zhen Liu and Zhenfu Cao and Duncan S. Wong

  In a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) system, decryption privileges are defined over attributes that could be shared by multiple users. If some of the users leak their decryption privileges to the public or to some third party, say for profit gain, a conventional CP-ABE has no tracing mechanism for finding these malicious users out. There are two levels of traceability for tackling this problem: (1) given a well-formed decryption key, a \\emph{White-Box} tracing algorithm can find out the original key owner; and (2) given a decryption-device while the underlying decryption algorithm or key may not be given, a \\emph{Black-Box} tracing algorithm, which treats the decryption-device as an oracle, can find out at least one of the malicious users whose keys have been used for constructing the decryption-device.

In this paper we propose the first \\emph{Expressive Black-box Traceable CP-ABE} system which has two main merits: (1) it supports fully collusion-resistant black-box traceability, that is, an adversary is allowed to access an arbitrary number of keys of its own choice when building the decryption-device, and (2) it is highly expressive, that is, the system supports policies expressed in any monotonic access structures. In addition, the traceability of this new system is public, that no secret input is required and no authority needs to be called in, instead, anyone can run the tracing algorithm. We show that the system is secure against adaptive adversaries in the standard model, and is efficient, that when compared with the expressive (non-traceable) CP-ABE due to Lewko et al. in Eurocrypt 2010, our new system \\emph{adds} fully collusion-resistant black-box traceability with the price of adding only $O(\\sqrt{\\cal K})$ elements into the ciphertext and public key, rather than increasing the sizes linearly with ${\\cal K}$, which is the number of users in the system.

19:17 [Pub][ePrint] Two is Greater than One, by Joppe W. Bos and Craig Costello and Huseyin Hisil and Kristin Lauter

  In this paper we highlight the benefits of using genus-2 curves in public-key cryptography. Compared to the standardized genus-1 curves, or elliptic curves, arithmetic on genus-2 curves is typically more involved but allows us to work with moduli of half the size. We give a taxonomy of the best known techniques to realize genus-2 based cryptography, which includes fast formulas on the Kummer surface and efficient 4-dimensional GLV decompositions. By studying different modular arithmetic approaches on these curves, we present a range of genus-2 implementations. Our implementation on the Kummer surface breaks the 120 thousand cycle barrier which sets a new software speed record at the 128-bit security level for side-channel resistant scalar multiplications compared to all previous genus-1 and genus-2 implementations.

19:17 [Pub][ePrint] Fully Secure Unbounded Inner-Product and Attribute-Based Encryption, by Tatsuaki Okamoto and Katsuyuki Takashima

  In this paper, we present the first inner-product encryption (IPE) schemes that are unbounded in the sense that the public parameters do not impose additional limitations on the predicates and attributes used for encryption and decryption keys. All previous IPE schemes were bounded, or have a bound on the size of predicates and

attributes given public parameters fixed at setup. The proposed unbounded IPE schemes are fully (adaptively) secure and fully attribute-hiding in the standard model under a standard assumption, the decisional linear (DLIN) assumption. In our unbounded IPE schemes, the inner-product relation is generalized, where the two vectors of inner-product can be different sizes and it provides a great improvement of efficiency in many applications. We also present the first fully secure unbounded attribute-based encryption (ABE) schemes, and the security is proven under the DLIN assumption in the standard model. To achieve these results, we develop novel techniques, indexing and consistent randomness amplification, on the (extended) dual system encryption technique and the dual pairing vector spaces (DPVS).

19:17 [Pub][ePrint] Self-Differential Cryptanalysis of Up to 5 Rounds of SHA-3, by Itai Dinur and Orr Dunkelman and Adi Shamir

  On October 2-nd 2012 NIST announced its selection of the Keccak scheme as the new SHA-3 hash standard. In this paper

we present the first published collision finding attacks on reduced-round versions of Keccak-384 and Keccak-512,

providing actual collisions for 3-round versions, and describing attacks which are much faster than birthday

attacks for 4-round Keccak-384. For Keccak-256, we increase the number of rounds which can be attacked to 5.

All these results are based on a new type of {\\it self-differential} attack, which makes it possible to map

a large number of Keccak inputs into a relatively small subset of possible outputs with a surprisingly large probability, which

makes it easier to find random collisions in this subset.