International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

21:17 [Pub][ePrint] Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers, by Johannes Buchmann and Daniel Cabarcas and Florian Göpfert and Andreas Hülsing and Patrick W

  Several lattice-based cryptosystems require to sample from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.

21:17 [Pub][ePrint] Low Data Complexity Biclique Cryptanalysis of Block Ciphers with Application to Piccolo and HIGHT, by Siavash Ahmadi, Zahra Ahmadian, Javad Mohajeri, and Mohammad Reza Aref

  In this paper, we present a framework for biclique cryptanalysis of block ciphers with an extremely low data complexity. To that end, we enjoy a new representation of biclique attack. Then an algorithm for choosing two dierential characteristics is also presented to simultaneously minimize the data complexity and control the computational complexity.

Then we characterize those block ciphers that are vulnerable to this technique and among them, we apply this attack on lightweight block ciphers Piccolo-80, Piccolo-128 and HIGHT. The data complexities of these attacks are considerably less than the existing results. For full-round Piccolo-80 and 128, the data complexity of the attacks are only 16

plaintext-ciphertext pairs and for full-round HIGHT our attack requires

256 pairs. In all attacks the computational complexity remains the same

as the previous ones or even it is slightly improved.

21:17 [Pub][ePrint] Rounding LLL: Finding Faster Small Roots of Univariate Polynomial Congruences , by Jingguo Bi and Phong Q. Nguyen

  In a seminal work at EUROCRYPT \'96, Coppersmith showed how to find all small roots of a univariate polynomial congruence in polynomial time:

this has found many applications in public-key cryptanalysis and in a few security proofs.

However, the running time of the algorithm is a high-degree polynomial,

which limits experiments:

the bottleneck is an LLL reduction of a high-dimensional matrix with extra-large coefficients.

We present in this paper a polynomial speedup over Coppersmith\'s algorithm.

Our improvement is based on a special property of the matrices used by Coppersmith\'s algorithm,

which allows us to speed up the LLL reduction by rounding.

The exact speedup depends on the LLL algorithm used: for instance, the speedup is quadratic

in the bit-size of the small-root bound if one uses the Nguyen-Stehl\\\'e L^2 algorithm.

09:17 [Pub][ePrint] Adaptively Secure Broadcast Encryption under Standard Assumptions with Better Efficiency, by Kwangsu Lee and Dong Hoon Lee

  In this paper, we present an efficient public-key broadcast encryption (PKBE) scheme with sub-linear size of public keys, private keys, and ciphertexts and prove its adaptive security under standard assumptions. Compared with the currently best scheme that provides adaptive security under standard assumptions and sub-linear size of various parameters, the ciphertext size of our scheme is $94\\%$ shorter and the encryption algorithm of our scheme is also $2.8$ times faster than those of the currently best scheme.

To achieve our scheme, we adapt the dual system encryption technique of Waters. However, there is a challenging problem to use this technique for the construction of PKBE with sub-linear size of ciphertexts such as a tag compression problem. To overcome this problem, we first devise a novel tag update technique for broadcast encryption. Using this technique, we build an efficient PKBE scheme in symmetric bilinear groups, and prove its adaptive security under standard assumptions. After that, we build another PKBE scheme in asymmetric bilinear groups and also prove its adaptive security under simple assumptions.

09:17 [Pub][ePrint] An Efficient Scheme for Centralized Group Key Management in Collaborative Environments, by Constantinos Patsakis and Agusti Solanas

  The increasing demand for on-line collaborative applications has sparked the interest for multicast services, which in many cases have to guarantee properties such as authentication or confidentiality within groups of users.To do so, cryptographic protocols are generally used and the cryptographic keys, in which they rely, have to be managed (e.g. created, updated, distributed). The procedures to perform these operations are determined by the so-called Group Key Management Schemes. Many schemes have been proposed and some

of them have been proven to be vulnerable. This is the case of the Piao et al. scheme, whose scalability/efficiency is very good but it is vulnerable to many attacks because its security is based on a ``weak\'\' mathematical problem, so it can be broken in polynomial time.

Inspired by the concepts proposed in the Piao et al. scheme we have re-designed the protocol and we have founded it on a hard mathematical problem and tweaked some of the procedures. This way, we propose a new scheme that is efficient, collusion free, and provides backward and forward secrecy.

09:17 [Pub][ePrint] For an EPC-C1 G2 RFID compliant Protocol, CRC with Concatenation : No; PRNG with Concatenation : Yes, by Masoumeh Safkhani, Nasour Bagheri

  In this paper we present new constraints to EPCglobal Class 1 Generation 2 (EPC-C1 G2) standard which if they have been considered in the design of EPC-C1 G2 complaint authentication protocols, lead to prevent predecessor\'s protocols\' weaknesses and also present the secure ones. Also in this paper as an example, we use Pang \\textit{et al.} EPC-C1 G2-friendly protocol which has been recently proposed, to show our proposed constraints in EPC-C1 G2 standard. Pang \\textit{et al.}\'s protocol security analysis show how its security claim based on untraceability and resistance against de-synchronization attacks is ruined. More precisely, we present very efficient de-synchronization attack and traceability attack against the protocol. Finally, take Pang \\textit{et al.} protocol\'s vulnerability points, we present new conditions to design EPC-C1 G2 complaint protocols and based on it we propose a secure (EPC-C1 G2) RFID authentication scheme which is a good sample to EPC-C1 G2 complaint protocols.

09:17 [Pub][ePrint] Improved OT Extension for Transferring Short Secrets, by Vladimir Kolesnikov and Ranjit Kumaresan

  We propose an optimization and generalization of OT extension of Ishai et al. of Crypto 2003. For computational security parameter k, our OT extension for short secrets offers O(log k) factor performance improvement in communication and computation, compared to prior work. In concrete terms, for today\'s security parameters, this means approx. factor 2-3 improvement.

This results in corresponding improvements in applications relying on

such OT. In particular, for two-party semi-honest SFE, this results in O(log k) factor improvement in communication over state of the art Yao Garbled Circuit, and has the same asymptotic complexity as the recent multi-round construction of Kolesnikov and Kumaresan of SCN 2012. For multi-party semi-honest SFE, where their construction is inapplicable, our construction implies O(log k) factor communication and computation improvement over best previous constructions. As with our OT extension, for today\'s security parameters, this means approximately factor 2 improvement in semi-honest multi-party SFE.

Our building block of independent interest is a novel IKNP-based framework for 1-out-of-n OT extension, which offers O(log n) factor performance improvement over previous work (for n

09:17 [Pub][ePrint] Cryptographically Enforced RBAC, by Anna Lisa Ferrara and George Fuchsbauer and Bogdan Warinschi

  Cryptographic access control promises to offer easily distributed trust and broader applicability, while reducing reliance on low-level online monitors. Traditional implementations of cryptographic access control rely on simple cryptographic primitives whereas recent endeavors employ primitives with richer functionality and security guarantees. Worryingly, few of the existing cryptographic access-control schemes come with precise guarantees, the gap between the policy specication and the implementation being analyzed only informally, if at all.

In this paper we begin addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification, we look at the well-established Role-Based Access Control (RBAC) model, as used in a

typical file system. In short, we provide a precise syntax for a computational version of RBAC, offer rigorous denitions for cryptographic policy enforcement of a large class of RBAC security policies, and demonstrate that an implementation based on attribute-based encryption meets our security notions.

We view our main contribution as being at the conceptual level. Although we work with RBAC for concreteness, our general methodology could guide future research for uses of cryptography in other

access-control models.

09:17 [Pub][ePrint] A new class of semi-bent quadratic Boolean functions, by Chunming Tang and Yanfeng Qi

  In this paper, we present a new class of semi-bent quadratic Boolean functions of the form $f(x)=\\sum_{i=1}^{\\lfloor\\frac{m-1}{2}\\rfloor}Tr^n_1(c_ix^{1+4^{i}})$ $~(c_i\\in \\mathbb{F}_4$,$n=2m)$. We first characterize the semi-bentness of these quadratic Boolean functions. There exists semi-bent functions only when $m$ is odd. For the case: $m=p^r$, where $p$ is an odd prime with some conditions, we enumerate the semi-bent functions. Further, we give a simple characterization of semi-bentness for these functions with linear properties of $c_i$. In particular, for

a special case of $p$, any quadratic Boolean function $f(x)=\\sum_{i=1}^{\\frac{p-1}{2}}Tr^{2p}_1(c_ix^{1+4^{i}})$ over $\\mathbb{F}_{2^{2p}}$ is a semi-bent function.

09:17 [Pub][ePrint] Differential Fault Attack against Grain family with very few faults and minimal assumptions, by Santanu Sarkar and Subhadeep Banik and Subhamoy Maitra

  The series of published works, related to Differential Fault Attack

(DFA) against the Grain family, require (i) quite a large number (hundreds) of faults (around $n \\ln n$, where $n = 80$ for Grain v1 and $n = 128$ for Grain-128, Grain-128a) and also (ii) several assumptions on location and timing of the fault injected. In this paper we present a significantly improved scenario from the adversarial point of view for DFA against the Grain family of stream ciphers. Our model is the most realistic one so far as it considers that the cipher to be re-keyed a very few times and fault can be injected at any random location and at any random point of time, i.e., no precise control is needed over the location and timing

of fault injections. We construct equations based on the algebraic description of the cipher by introducing new variables so that the degrees of the equations do not increase. In line of algebraic cryptanalysis, we accumulate such equations based on the fault-free and faulty key-stream bits and solve them using the SAT Solver

Cryptominisat-2.9.5 installed with SAGE 5.7. In a few minutes we can recover the state of Grain v1, Grain-128 and Grain-128a with as little as 10, 4 and 10 faults respectively (and may be improved further with more computational efforts).

09:17 [Pub][ePrint] Revocable IBE Systems with Almost Constant-size Key Update, by Le Su and Hoon Wei Lim and San Ling and Huaxiong Wang

  Identity-based encryption (IBE) has been regarded as an attractive alternative to more conventional certificate-based public key systems.

It has recently attracted not only considerable research from the academic community, but also interest from the industry and standardization bodies. However, while key revocation is a fundamental requirement to any public key systems, not much work has been done in the identity-based setting. In this paper, we continue the study of revocable IBE (RIBE) initiated by Boldyreva, Goyal, and Kumar. Their proposal of a selective secure RIBE scheme, and a subsequent construction by Libert and Vergnaud in a stronger adaptive security model are based on a binary tree approach, such that their key update size is logarithmic in the number of users. We ask the question of whether or not the key update size could be further reduced by using a cryptographic accumulator. We show that, indeed, the key update material can be made constant with some small amount of auxiliary information, through a novel combination of the Lewko and Waters IBE scheme and the Camenisch, Kohlweiss, and Soriente pairing-based dynamic accumulator.