International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

12:17 [Pub][ePrint] Gossip Latin Square and The Meet-All Gossipers Problem, by Nethanel Gelernter and Amir Herzberg

  Given a network of n = 2^k

gossipers, we want to schedule a cyclic calendar

of meetings between all of them, such that: (1) each gossiper communicates

(gossips) only once a day, with one other gossiper, (2) in every (n 1) consecutive

days, each gossiper meets all other gossipers, and (3) every gossip, initiated by

any gossiper, will reach all gossipers within k = log(n) days.

In this paper we study the above stated meet-all gossipers problem, by den-ing and constructing the Gossip Latin Square (GLS), a combinatorial structure

which solves the problem.

12:17 [Pub][ePrint] Efficient Unobservable Anonymous Reporting against Strong Adversaries, by Nethanel Gelernter and Amir Herzberg

  We present DURP, a decentralized protocol for

unobservable, anonymous reporting to an untrusted destination,

with low latency and overhead. DURP provably ensures strong

anonymity properties, as required for some applications (and not

provided by existing systems and practical designs, e.g., Tor),


Provable unobservability against global eavesdropper and

malicious participants.

Provable source anonymity against a malicious destination.

Probable-innocence against a malicious destination which is

also a global eavesdropper.

DURP design is a modular combination of two modules: a

queuing module, ensuring fixed rates for certain events, together

with an anonymization module, which can use either Onion-Routing (DURP^OR) or Crowds (DURP^Crowds). We present anal-ysis, backed by simulation results, of the network properties and

performance of DURP, and show it has reasonable overhead. We

also use the analysis results to create an optimized version of


12:17 [Pub][ePrint] Accelerating Scalar Conversion for Koblitz Curve Cryptoprocessors on Hardware Platforms, by Sujoy Sinha Roy and Junfeng Fan and Ingrid Verbauwhede

  Koblitz curves are a class of computationally efficient elliptic curves where scalar multiplications can be accelerated using $\\tau$NAF representations of scalars. However conversion from an integer scalar to a short $\\tau$NAF is costly and thus restricts speed. In this paper we present acceleration techniques for the recently proposed scalar conversion hardware based on division by $\\tau^2$. Acceleration is achieved in two steps. First we perform computational optimizations to reduce the number of long subtraction operations during the conversion of scalar. This helps in reducing the number of integer adder/subtracter circuits from the critical paths of the conversion architecture. In the second step, we perform pipelining in the conversion architecture in such a way that the pipeline stages are always utilized. Due to bubble free nature of the pipelining, clock cycle requirement of the conversion architecture remains same, while operating frequency increases drastically.

We present detailed experimental results to support our claims made in this paper.

12:17 [Pub][ePrint] A Three-Level Sieve Algorithm for the Shortest Vector Problem, by Feng Zhang and Yanbin Pan and Gengran Hu

  In AsiaCCS 2011, Wang et al. proposed a two-level heuristic sieve algorithm for the shortest vector problem in lattices, which improves the Nguyen-Vidick sieve algorithm. Inspired by their idea, we present a three-level sieve algorithm in this paper, which is shown to have better time complexity. More precisely, the time complexity of our algorithm is $2^{0.3778n+o(n)}$ polynomial-time operations and the corresponding space complexity is $2^{0.2833n+o(n)}$ polynomially many bits.

12:17 [Pub][ePrint] Inter-FSP Funds Transfer Protocol, by Amir Herzberg and Shay Nachmani

  We present the first decentralized secure funds transfer protocol with multiple participants. The protocol ensures that a participant can only lose money, if a peer it trusted is corrupted. Furthermore, the loss is

bounded by the credit allocated to this partner. The protocol supports expiration times for payment orders, and realistic network queuing delay.We achieve this using model and techniques from the Quality of Service area to guarantee delays and avoid payment order expiration. We present rigorous security proof.

12:17 [Pub][ePrint] Practical Issues with TLS Client Certificate Authentication, by Arnis Parsovs

  The most widely used secure Internet communication standard TLS (Transport Layer Security) has an optional client certificate authentication feature that in theory has significant security advantages over HTML form-based password authentication. In this paper we discuss practical security and usability issues related to TLS client certificate authentication stemming from the server side and browser implementations. In particular we analyze Apache mod_ssl implementation on server side and the most popular browsers - Mozilla Firefox, Google Chrome and Microsoft Internet Explorer on client side. We complement our paper with a case study performed in Estonia where TLS client certificate authentication is widely used. We present our recommendations for TLS implementations on the client and server side to improve the security and usability of TLS client certificate authentication.

12:17 [Pub][ePrint] Rebound attacks on Stribog, by Riham AlTawy and Aleksandar Kircanski and Amr M. Youssef

  In August 2012, the Stribog hash function was selected as the new Russian hash standard (GOST R 34.11-2012). Stribog is an AES-based primitive and is considered as an asymmetric reply to the new SHA-3. In this paper we investigate the collision resistance of the Stribog compression function and its internal cipher. Specifically, we present a message differential path for the internal block cipher that allows us to efficiently obtain a 5-round free-start collision and a 7.75 free-start near collision for the internal cipher with complexities $2^8$ and $2^{40}$, respectively. Finally, the compression function is analyzed and a 7.75 round semi free-start collision, 8.75 and 9.75 round semi free-start near collisions are presented along with an example for 4.75 round 49 out of 64 bytes near colliding message pair.

09:17 [Pub][ePrint] Multiple Limited-Birthday Distinguishers and Applications, by Jérémy Jean and María Naya-Plasencia and Thomas Peyrin

  In this article, we propose a new improvement of the rebound techniques, used for cryptanalyzing AES-like permutations during the past years. Our improvement, that allows to reduce the complexity of the attacks, increases the probability of the outbound part by considering a new type of differential paths. Moreover, we propose a new type of distinguisher, the multiple limited-birthday problem, based on the limited-birthday one, but where differences on the input and on the output might have randomized positions. We also discuss the generic complexity for solving this problem and provide a lower bound of it as well as we propose an efficient and generic algorithm for solving it. Our advances lead to improved distinguishing or collision results for many AES-based functions such as AES, ECHO, Grøstl, LED, PHOTON and Whirlpool.

09:17 [Pub][ePrint] The Resistance of PRESENT-80 Against Related-Key Differential Attacks, by Sareh Emami, San Ling, Ivica Nikolic, Josef Pieprzyk and Huaxiong Wang

  We examine the security of the 64-bit lightweight block cipher PRESENT-80 against related-key differential attacks. With a computer search we are able to prove that no related-key differential characteristic exists with probability higher than $2^{-64}$ for the full-round PRESENT-80.

To overcome the exponential (in the state and key sizes) computational complexity we use truncated differences, however as the key schedule is not nibble oriented, we switch to actual differences and apply early abort techniques to prune the tree-based search.

With a new method called extended split approach we are able to make the whole search feasible and we implement and run it in real time.

Our approach targets the PRESENT-80 cipher however, with small modifications can be reused for other lightweight ciphers as well.

09:17 [Pub][ePrint] White-Box Security Notions for Symmetric Encryption Schemes, by Cécile Delerablée and Tancrède Lepoint and Pascal Paillier and Matthieu Rivain

  White-box cryptography has attracted a growing interest from researchers in the last decade. Several white-box implementations of standard block-ciphers (DES, AES) have been proposed but they have all been broken. On the other hand, neither evidence of existence nor proofs of impossibility have been provided for this particular setting. This might be in part because it is still quite unclear what

{white-box} cryptography really aims to achieve and which security properties are expected from white-box programs in applications. This paper builds a first step towards a practical answer to this question by translating folklore intuitions behind white-box cryptography into concrete security notions. Specifically, we introduce the notion of white-box compiler that turns a symmetric encryption scheme into randomized white-box programs, and we capture several desired security properties such as one-wayness, incompressibility and traceability for white-box programs. We also give concrete examples of white-box compilers that already achieve some of these notions. Overall, our results open new perspectives on the design of white-box programs that securely implement symmetric encryption.

09:17 [Pub][ePrint] Threshold Secret Image Sharing, by Teng Guo, Feng Liu, ChuanKun Wu, ChingNung Yang, Wen Wang and YaWei Ren

  A (k; n) threshold secret image sharing scheme, abbreviated as (k; n)-TSISS, splits a secret image into n shadow images in such a way

that any k shadow images can be used to reconstruct the secret image

exactly. In 2002, for (k; n)-TSISS, Thien and Lin reduced the size of each

shadow image to 1/k of the original secret image. Their main technique

is by adopting all coefficients of a (k-1)-degree polynomial to embed the secret pixels. This benet of small shadow size has drawn many researcher\'s attention and their technique has been extensively used in

the following studies. In this paper, we rst show that this technique

is neither information theoretic secure nor computational secure. Furthermore, we point out the security defect of previous (k; n)-TSISSs for

sharing textual images, and then fix up this security defect by adding an

AES encryption process. At last, we prove that this new (k; n)-TSISS is

computational secure.