International Association for Cryptologic Research

IACR News Central


18:17 [Pub][ePrint] Sieve-in-the-Middle: Improved MITM Attacks (Full Version), by Anne Canteaut and Maria Naya-Plasencia and Bastien Vayssière

  This paper presents a new generic technique, named sieve-in-the-middle, which improves meet-in-the-middle attacks in the sense that it provides an attack on a higher number of rounds. Instead of selecting the key candidates by searching for a collision in an intermediate state which can be computed forwards and backwards, we here look for the existence of valid transitions through some middle S-box. Combining this technique with short bicliques allows one to freely add one or two more rounds with the same time complexity. Moreover, when the key size of the cipher is larger than its block size, we show how to build the bicliques by an improved technique which does not require any additional data (in contrast to previous biclique attacks). These techniques apply to PRESENT, DES, PRINCE and AES, improving the previously known results on these four ciphers. In particular, our attack on PRINCE applies to 8 rounds (out of 12), instead of 6 in the previous cryptanalyses. Some results are also given for theoretically estimating the sieving probability provided by some subsets of the input and output bits of a given S-box.

18:17 [Pub][ePrint] Elligator: Elliptic-curve points indistinguishable from uniform random strings, by Daniel J. Bernstein and Anna Krasnova and Tanja Lange

  Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection.

Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits.

This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings.

18:17 [Pub][ePrint] Key-Versatile Signatures and Applications: RKA, KDM and Joint Enc/Sig, by Mihir Bellare and Sarah Meiklejohn and Susan Thomson

  Given an *arbitrary* one-way function F, is it possible to design a signature scheme where the secret key is an input x to F and the public key is y = F(x)? We show that signatures that are "key-versatile" in this sense, while also meeting stronger-than-usual security conditions we define, enable us to add signature-based integrity that is "for free" in terms of key material, meaning we can sign with keys already in use for another purpose without impacting the security of the original purpose or in turn being impacted by it. We show applications across diverse areas including (1) security against related-key attack (RKA), (2) security for key-dependent messages (KDM), and (3) joint encryption and signing. We show how to build key-versatile signature schemes and then obtain new results in all these application domains in a modular way.

18:17 [Pub][ePrint] A Lightweight Hash Function Resisting Birthday Attack and Meet-in-the-middle Attack, by Shenghui Su and Tao Xie and Shuwang Lu

  In this paper, to match a lightweight digital signing scheme whose modulus length is between 80 and 160 bits, a lightweight hash function is proposed. It is based on the MPP and ASPP intractabilities, and takes a short message or a message digest as input, which is treated as only one block. The lightweight hash function contains two algorithms, an initialization algorithm and a compression algorithm, and converts a string of n bits into another of m bits, where 80

18:17 [Pub][ePrint] A Proof that the ARX Cipher Salsa20 is Secure against Differential Cryptanalysis, by Nicky Mouha and Bart Preneel

  An increasing number of cryptographic primitives are built using the ARX operations: addition modulo $2^n$, bit rotation and XOR. Because of their very fast performance in software, ARX ciphers are becoming increasingly common. However, not a single ARX cipher has yet been proven to be secure against one of the most common attacks in symmetric-key cryptography: differential cryptanalysis. In this paper, we prove that no differential characteristic exists for 15 rounds of Salsa20 with a higher probability than $2^{-130}$. Thereby, we show that the full 20-round Salsa20 with a 128-bit key is secure against differential cryptanalysis, with a security margin of 5 rounds. Our proof holds both in single-key and related-key settings. Furthermore, our proof technique only involves writing out simple equations for every addition, rotation and XOR operation in the cipher, and applying an off-the-shelf SAT solver. To prove that Salsa20 is secure against differential cryptanalysis requires only about 20 hours of computation on a single CPU core.

18:17 [Pub][ePrint] Protocol Variants and Electronic Identification, by Kristian Gjøsteen

  It is important to be able to evaluate information security systems involving humans. We propose an approach in which we consider the system as a cryptographic protocol, and users are modeled as ordinary players. To model the fact that users make mistakes that affect security, we introduce protocol variants that model mistakes or combinations of mistakes. By analysing the base protocol and its variants, and at the same time considering how likely each variant is, we get a reasonable estimate of the real security of the system.

Our work takes the form of a case study of four Norwegian federated identity systems, as well as two proposals for improved systems. The four systems span a good mix of various types of federated identity systems.

18:17 [Pub][ePrint] Trapdoor Privacy in Asymmetric Searchable Encryption Schemes, by Afonso Arriaga and Qiang Tang

  We investigate the open problem of trapdoor privacy in asymmetric searchable encryption (ASE) schemes. We first present two trapdoor privacy definitions (i.e. 2-TRAP-PRIV and poly-TRAP-PRIV) which provide different levels of security guarantee. Motivated by the generic transformation from IBE to ASE, we introduce two key anonymity properties (i.e. 2-KEY-ANO and poly-KEY-ANO) for IBE schemes, so that these properties directly lead to the resulting ASE's 2-TRAP-PRIV and poly-TRAP-PRIV properties respectively at the end of a transformation. We then present a simplified Boyen-Waters scheme and prove that it achieves IBE-IND-CPA, IBE-ANO (anonymity), and 2-KEY-ANO security in the random oracle model. Finally, we extend the simplified Boyen-Waters scheme to be based on pairings over composite-order groups and prove that the extended scheme achieves poly-KEY-ANO security without random oracles.

18:17 [Pub][ePrint] New Constructions and Applications of Trapdoor DDH Groups, by Yannick Seurin

  Trapdoor Decisional Diffie-Hellman (TDDH) groups, introduced by Dent and Galbraith (ANTS 2006), are groups where the DDH problem is hard, unless one is in possession of a secret trapdoor which enables solving it efficiently. Despite their intuitively appealing properties, they have found very few cryptographic applications so far. Moreover, of the two constructions of such groups proposed by Dent and Galbraith, only a single one, based on hidden pairings, remains unbroken.

In this paper, we extend the set of trapdoor DDH groups by giving a construction based on composite residuosity. We also introduce a more restrictive variant of these groups that we name *static* trapdoor DDH groups, where the trapdoor only enables solving the DDH problem with respect to a fixed pair $(G,G^x)$ of group elements. We give two constructions for such groups whose security relies respectively on the RSA and the factoring assumptions. Then, we show that static trapdoor DDH groups yield elementary constructions of convertible undeniable signature schemes allowing delegatable verification. Using our constructions of static trapdoor DDH groups from the RSA or the factoring assumption, we obtain slightly simpler variants of the undeniable signature schemes of respectively Gennaro, Rabin, and Krawczyk (J. Cryptology, 2000) and Galbraith and Mao (CT-RSA 2003). These new schemes are conceptually more satisfying since they can strictly be viewed as instantiations, in an adequate group, of the original undeniable signature scheme of Chaum and van Antwerpen (CRYPTO '89).

17:27 [Job][New] Post-Doc, Radboud University Nijmegen

  For a project on attribute-based credentials / identity management on smart cards that is about to start, we are looking for a postdoc for one year. The postdoc should be a good coder, have some experience with smart card programming, and know about crypto and security. The project is related to the IRMA project, about which more info can be found at the link below.

If you think you qualify, please apply. If you know anyone that fits this description and can start in July, August or September 2013, let us know as well.

Also, feel free to forward this question to anyone you know that may be able to help.

17:27 [News] Turing Award for Shafi Goldwasser and Silvio Micali

  Recently, the Turing award was presented to the IACR members Shafi Goldwasser and Silvio Micali. They were honoured for their fundamental work in theoretical mathematics and cryptology. Congratulations from the IACR!

17:22 [Conf] Report on Africacrypt 2012

Africacrypt 2012, July 10-12, Ifrane, Morocco

Africacrypt 2012 was held on the campus of the Al Akhawayn University in Ifrane, Morocco, on July 10-12. The Program Chair was Serge Vaudenay, the General co-Chairs were Abdelhak Azhari and Tajje-eddine Rachidi, and the Publication Chair was Aikaterini Mitrokotsa. Africacrypt 2012 was organized jointly by Al Akhawayn University in Ifrane and the Moroccan Association for Cryptography. The conference was held in cooperation with IACR (International Association for Cryptologic Research) and in partnership with the Région Meknès Tafilalet, Morocco.

The technical program included 24 regular papers categorized into ten sessions, selected from 56 submissions, 12 of which had at least one co-author from Africa. In addition, three invited talks were presented, by Willi Meier (University of Applied Sciences and Arts Northwestern Switzerland), Craig Gentry (IBM), and Marc Fischlin (The Darmstadt University of Technology, Germany). The conference proceedings were published by Springer's LNCS, and most of the presentation slides for the technical sessions, including the invited talks, are now available on the conference website. Delegates from the Moroccan National Security agencies also attended the conference. The best paper award went to Elena Andreeva, Bart Mennink, Bart Preneel, and Marjan Skrobot for their paper "Security Analysis and Comparison of the SHA-3 Finalists BLAKE, Groestl, JH, Keccak, and Skein."

The social program included a cedar tree planting session, an optional conference banquet, and an excursion to the Imperial city of Fes.