International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

15:17 [Pub][ePrint]


12:17 [Forum] [IACR Publication Reform] Testable change by amitsahai

  The problem with radical redesign is that it is hard to understand what change has caused which effect. I suggest that we as a community focus on one problem at a time. If we want to focus on multiple problems, maybe each conference should attack one at a time, so at least each variable can be tested separately. Let\'s start with the problem of low quality reviews. Here is a modest initial proposal based on an economic model: Each review should have two components: (1) technical summary and feedback, and (2) subjective evaluation wholly supported by technical evaluation in (1) The technical summary should be presented to the authors before decisions are made, and the authors will rate reviews based on understanding. So will other PC members (anonymously). The results will be used to rate PC members and reviewers and provide them with tokens. PC members and reviewers will need to spend these tokens to get their papers published at top conferences in the future. The monetary system will need to be worked out, but we can let junior researchers borrow tokens from the central bank at the start of their careers so as not to harm their initial careers. But eventually everyone has to pay in quality reviews for papers that they want to publish. These are initial thoughts and the proposal should certainly be refined to address potential abuses. For example, technical parts of the review should be devoid of all subjective opinions and hidden praise, so that the temptation to flatter the authors for earning tokens can be avoided. Also, probably feedback from authors of papers in the bottom 33% should not be counted towards awarding tokens. Amit From: 2013-18-06 09:28:41 (UTC)

12:17 [Pub][ePrint] Practical Secure Logging: Seekable Sequential Key Generators, by Giorgia Azzurra Marson and Bertram Poettering

  In computer forensics, log files are indispensable resources that support auditors in identifying and understanding system threats and security breaches. If such logs are recorded locally, i.e., stored on the monitored machine itself, the problem of log authentication arises: if a system intrusion takes place, the intruder might be able to manipulate the log entries and cover her traces. Mechanisms that cryptographically protect collected log messages from manipulation should ideally have two properties: they should be *forward-secure* (the adversary gets no advantage from learning current keys when aiming at forging past log entries), and they should be *seekable* (the auditor can verify the integrity of log entries in any order or access pattern, at virtually no computational cost).

We propose a new cryptographic primitive, a *seekable sequential key generator* (SSKG), that combines these two properties and has direct application in secure logging. We rigorously formalize the required security properties and give a provably-secure construction based on the integer factorization problem. We further optimize the scheme in various ways, preparing it for real-world deployment. As a byproduct, we develop the notion of a *shortcut one-way permutation* (SCP), which might be of independent interest.

Our work is highly relevant in practice. Indeed, our SSKG implementation has become part of the logging service of the systemd system manager, a core component of many modern commercial Linux-based operating systems.

12:17 [Pub][ePrint] ASICS: Authenticated Key Exchange Security Incorporating Certification Systems, by Colin Boyd and Cas Cremers and Michèle Feltz and Kenneth G. Paterson and Bertram Poettering and Douglas Stebila

  Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority (CA) and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems (ASICS). We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.

09:43 [Event][New] EBW 2014: The 2nd International Conference on E-Technologies and Business on the Web

  Submission: 20 January 2014
Notification: 15 February 2014
From March 18 to March 20
Location: Kuala Lumpur, Malaysia
More Information:

09:43 [Event][New] RWC 2014: Real World Cryptography Workshop 2014

  From January 13 to January 15
Location: New York, United States of America
More Information:

09:17 [Forum] [IACR Publication Reform] Re: The speed of science: two case studies by hoerder

  Hi, Christopher, if a paper does not get resubmitted to an IACR venue it doesn\'t imply that it\'s not going to be resubmitted at other venues where IACR members are on the program committee and have to spend time reviewing the re-submission. Depending on how it is crafted, the resubmission policy might just end up shifting the workloads around. Also, Dan raises a valid question: What exactly is a resubmission? How much does a rejected paper have to change to be a new submission? From the CHES community I heard rumors that they\'re considering an journal of their own but instead of papers people have to submit extended abstracts and reviewers act more or less as shepherds. I\'m not sure whether this makes more sense or not, just wanted to point out that there are more possibilities. And that both halfs of IACR are leading very similar discussion in parallel (as far as I can see it). A friend of mine who is doing solid state physics was just complaining about stupid reviewers a week ago and the way he described their model, it sounded quite like the proposed proceedings of the IACR. I reckon that there will never be a perfect system and that quite a lot depends on the little details for each system and the degree of flexibility they offer. What I\'d truly like to see is a more scientific debate about it. Right now, we have suggestions, examples and hypotheses but no hard data, not even a detailed comparison of two or three submission models that are currently used by other disciplines (of similar size) who are reasonably happy with their system. Please don\'t get me wrong, I see the need to "grow up" and the suggestions, examples and hypotheses that I\'ve seen so far all make valid points but all that I see emerging from it is that it\'s not simple. Maybe it would be useful to get outside support from people who do metascience. (I\'m sure that someone\'s doing just that. What else do we have social scientists for?) Cheers, Simon Hoerder From: 2013-18-06 08:52:59 (UTC)

09:17 [Pub][ePrint] Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption, by Keita Emura and Goichiro Hanaoka and Koji Nuida and Go Ohtake and Takahiro Matsuda and Shota Yamada

  In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can \\lq\\lq freely\'\' perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously.

In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call \\emph{keyed-homomorphic public-key encryption} (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, a \\emph{homomorphic transitional universal hash family}, and present a number of KH-PKE schemes through hash proof systems. We also present a practical construction of KH-PKE from the DDH assumption. For $\\ell$-bit security, our DDH-based scheme yields only $\\ell$-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme.

09:17 [Pub][ePrint] Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full $\\mbox{AES}^{2}$, by Itai Dinur and Orr Dunkelman and Nathan Keller and Adi Shamir

  The Even-Mansour (EM) encryption scheme received a lot of attention in the last couple of years due to its exceptional simplicity and tight security proofs.

The original $1$-round construction was naturally generalized into $r$-round structures with one key, two alternating keys, and completely independent keys.

In this paper we describe the first key recovery attack on the one-key 3-round version of EM which is asymptotically faster than exhaustive search

(in the sense that its running time is $o(2^n)$ rather than $O(2^n)$ for an $n$-bit key).

We then use the new cryptanalytic techniques in order to improve the best known

attacks on several concrete EM-like schemes. In the case of LED-128, the best previously known attack could only be applied to 6 of its 12 steps. In this paper we develop a new attack which increases the number of attacked steps to 8, is slightly faster than the previous attack on 6 steps, and uses about a thousand times less data.

Finally, we describe the first attack on the full $\\mbox{AES}^{2}$ (which uses two complete AES-128 encryptions and three independent $128$-bit keys, and looks exceptionally strong) which is about 7 times faster than a standard meet-in-the-middle attack, thus violating its security claim.

09:17 [Pub][ePrint] Efficient Simultaneous Privately and Publicly Verifiable Robust Provable Data Possession from Elliptic Curves, by Christian Hanser and Daniel Slamanig

  When outsourcing large sets of data to the cloud, it is desirable for clients to efficiently check, whether all outsourced data is still retrievable at any later point in time without requiring to download all of it. Provable data possession (PDP)/proofs of retrievability (PoR), for which various constructions exist, are concepts to solve this issue. Interestingly, by now, no PDP/PoR scheme leading to an efficient construction supporting both private and public verifiability simultaneously is known. In particular, this means that up to now all PDP/PoR schemes either allow public or private verifiability exclusively, since different setup procedures and metadata sets are required. However, supporting both variants simultaneously seems interesting, as publicly verifiable schemes are far less efficient than privately verifiable ones. In this paper, we propose the first simultaneous privately and publicly verifiable (robust) PDP protocol, which allows the data owner to use the more efficient private verification and anyone else to run the public verification algorithm. Our construction, which is based on elliptic curves, achieves this, as it uses the same setup procedure and the same metadata set for private and public verifiability. We provide a rigorous security analysis and prove our construction secure in the random oracle model under the assumption that the elliptic curve discrete logarithm problem is intractable. We give detailed comparisons with the most efficient existing approaches for either private or public verifiability with our proposed scheme in terms of storage and communication overhead, as well as computational effort for the client and the server. Our analysis shows that for choices of parameters, which are relevant for practical applications, our construction outperforms all existing privately and publicly verifiable schemes significantly. This means, that even when our construction is used for either private or public verifiability alone, it still outperforms the most efficient constructions known, which is particularly appealing in the public verifiability setting.

09:17 [Pub][ePrint] Strongly Secure One-round Group Authenticated Key Exchange in the Standard Model, by Yong Li and Zheng Yang

  One-round group authenticated key exchange (GAKE) protocols typically provide implicit authentication and appealing bind-width efficiency. As a special case of GAKE -- the pairing-based one-round tripartite authenticated key exchange (3AKE), recently gains much attention of research community due to its strong security. Several pairing-based one-round 3AKE protocols have recently been proposed to achieve provable security in the g-eCK model. In contrast to earlier GAKE models, the g-eCK model particularly formulates the security properties regarding resilience to the leakage of various combinations of long-term key and ephemeral session state, and provision of weak perfect forward secrecy in a single model. However, the g-eCK security proofs of previous protocols are only given under the random oracle model. In this work, we give a new construction for pairing-based one-round 3AKE protocol which is provably secure in the g-eCK model without random oracles. Security of proposed protocol is reduced to the hardness of Cube Bilinear Decisional Diffie-Hellman (CBDDH) problem for symmetric pairing. We also extend the proposed 3AKE scheme to a GAKE scheme with more than three group members, based on multilinear maps. We prove g-eCK security of our GAKE scheme in the standard model under the natural multilinear generalization of the CBDDH assumption.