International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

07:41 [Event][New] ACNS'14: 12th International Conference on Applied Cryptography and Network Security

  Submission: 10 January 2014
Notification: 14 March 2014
From June 10 to June 13
Location: Lausanne, Switzerland
More Information:

06:17 [Pub][ePrint] Modelling Time, or A Step Towards Reduction-based Security Proofs for OTP and Kerberos, by Jörg Schwenk

  The notion of time plays an important role in many practically deployed cryptographic protocols, ranging from One-Time-Password (OTP) tokens to the Kerberos protocol. However, time is difficult to model in a Turing machine environment.

We propose the first such model, where time is modelled as a global counter T . We argue that this model closely matches several implementations of time in computer environments. The usefulness of the model is shown by giving complexity-theoretic security proofs for OTP protocols, HMQV-like one-round AKE protocols, and a variant of the basic Kerberos building block.

06:17 [Pub][ePrint] Presentation of a new class of public key cryptosystems K(XIII)SE(1)PKC along with Kp(XIII)SE(1)PKC that realizes the coding rate of exactly 1.0, constructed by modifying K(XII)SE(1)PKC., by Masao KAS

  In this paper, we present a new class of public key cryptosystems by modifying K(XII)SE(1)PKC[1], referred to as K(XIII)SE(1)PKC, and a particular class of K(XIII)SE(1)PKC, Kp(XIII)SE(1)PKC. We show that K(XIII)SE(1)PKC would improve both the coding rate and the security, compared with K(XII)SE(1)PKC. We also show that Kp(XIII)SE(1)PKC realizes the coding rate of exactly 1.0. In a sharp contrast with the conventional code based PKC (CB・PKC) that uses Goppa code, in K(XII)SE(1)PKC, K(XIII)SE(1)PKC and Kp(XIII)SE(1)PKC, we do not care for the security of the primitive polynominal that generates the Reed-Solomon code.

06:17 [Pub][ePrint] Revocable quantum timed-release encryption, by Dominique Unruh

  Timed-release encryption is a kind of encryption scheme that a

recipient can decrypt only after a specified amount of time T

(assuming that we have a moderately precise estimate of his computing

power). A revocable timed-release encryption is one where,

before the time T is over, the sender can \"give back\" the

timed-release encryption, provably loosing all access to the data. We

show that revocable timed-release encryption without trusted parties

is possible using quantum cryptography (while trivially impossible


Along the way, we develop two proof techniques in the quantum random

oracle model that we believe may have applications also for other


Finally, we also develop another new primitive, unknown recipient

encryption, which allows us to send a message to an

unknown/unspecified recipient over an insecure network in such a way

that at most one recipient will get the message.

06:17 [Pub][ePrint] Cryptanalysis of Full RIPEMD-128, by Franck Landelle and Thomas Peyrin

  In this article we propose a new cryptanalysis method for double-branch hash functions that we apply on the standard RIPEMD-128, greatly improving over know results. Namely, we were able to build a very good differential path by placing one non-linear differential part in each computation branch of the RIPEMD-128 compression function, but not necessarily in the early steps. In order to handle the low differential probability induced by the non-linear part located in later steps, we propose a new method for using the freedom degrees, by attacking each branch separately and then merging them with free message blocks. Overall, we present the first collision attack on the full RIPEMD-128 compression function as well as the first distinguisher on the full RIPEMD-128 hash function. Experiments on reduced number of rounds were conducted, confirming our reasoning and complexity analysis. Our results show that 16 years old RIPEMD-128, one of the last unbroken primitives belonging to the MD-SHA family, might not be as secure as originally thought.

06:17 [Pub][ePrint] How to Further Increase Leakage Exploitation Rate in Profiled Side-Channel Attacks?, by Guangjun Fan and Yongbin Zhou and Hailong Zhang and Dengguo Feng

  Template Attack is widely accepted to be one of the most powerful side-channel attacks, because it is assumed that one has full knowledge of targeted crypto devices and thus be well capable of characterizing the side-channel leakages. However, whether or not Template Attack exploits side-channel leakages to the fullest is still not clear. In this paper, we present a negative answer to this central question, by introducing a normalization process into original Template Attack. We present Normalized Template Attack, which has the normalization process. Furthermore, we prove that Normalized Template Attack is better that its original counterpart in terms of leakage exploitation rate. We evaluate the key-recovery efficiency of Normalized Template Attack and original Template Attack as well under identical scenarios, by performing attacks against both simulated and real power traces. Our experimental results show that our method is valid end effective. Remarkably enough, this normalization process is of extremely low computation cost. Therefore, we argue that the

normalization process should be integrated as a necessary part of profile attacks in order to better understand the practical threats of these attacks.

06:17 [Pub][ePrint] Ultra Low-Power implementation of ECC on the ARM Cortex-M0+, by Ruan de Clercq and Leif Uhsadel and Anthony Van Herrewege and Ingrid Verbauwhede

  In this work, elliptic curve cryptography (ECC) is used to make an efficient implementation of a public-key cryptography algorithm on the ARM Cortex-M0+. The goal of this implementation is to make not only a fast, but also a very low-power software implementation. To aid in the elliptic curve parameter selection, the energy consumption of different instructions on the ARM Cortex-M0+ was measured and it was found that there is a variation of up to 22.5% between different instructions. The instruction set architecture (ISA) and energy measurements were used to make a simulation of both a binary curve and a prime curve implementation, and the former was found to have a slightly faster execution time with a lower power consumption. Binary curve arithmetic use instructions which requires less energy than prime curve arithmetic on the target platform. A new field multiplication algorithm is proposed, called Lopez-Dahab with fixed registers, which is an optimization of the Lopez-Dahab (LD) algorithm. The proposed algorithm has a performance improvement of 15\\% over the LD with rotating registers algorithm (which is the current fastest optimization of the LD algorithm). A software implementation that uses the proposed algorithm was made in C and assembly, and on average our implementation of a random point multiplication requires 34.16uJ, whereas our fixed point multiplication requires 20.63uJ. The energy consumption of our implementation beats all known software implementations on embedded platforms, of a point multiplication, on the same equivalent security level by a factor of 7.4.

06:17 [Pub][ePrint] Key-recovery Attacks on Various RO PUF Constructions via Helper Data Manipulation, by Jeroen Delvaux and Ingrid Verbauwhede

  Physically Unclonable Functions (PUFs) are emerging as hardware security primitives. They are mainly used to generate secret keys which are inherently unique for every manufactured sample of a chip. Ring Oscillator (RO) PUFs are among the most widely researched PUFs. In this work, we claim various RO PUF constructions to be vulnerable against manipulation of their public helper data. Partial/full key-recovery is a threat for the following constructions, in chronological order. (1) Temperature-aware cooperative RO PUFs, proposed at HOST 2009. (2) The sequential pairing algorithm, proposed at HOST 2010. (3) Group-based RO PUFs, proposed at DATE 2013. (4) Or more general, all entropy distiller constructions proposed at DAC 2013.

06:17 [Pub][ePrint] Limited-birthday Distinguishers for Hash Functions - Collisions Beyond the Birthday Bound can be Meaningful, by Mitsugu Iwamoto and Thomas Peyrin and Yu Sasaki

  In this article, we investigate the use of limited-birthday distinguishers to the context of hash functions. We first provide a proper understanding of the limited-birthday problem and demonstrate its soundness by using a new security notion Differential Target Collision Resistance (dTCR) that is related to the classical Target Collision Resistance (TCR) notion. We then solve an open problem and close the existing security gap by proving that the best known generic attack proposed at FSE 2010 for the limited-birthday problem is indeed the best possible method.

Moreover, we show that almost all known collision attacks are in fact more than just a collision finding algorithm, since the difference mask for the message input is usually fixed. A direct and surprising corollary is that these collision attacks are interesting for cryptanalysis even when their complexity goes beyond the $2^{n/2}$ birthday bound and up to the $2^{n}$ preimage bound, and can be used to derive distinguishers using the limited-birthday problem. Interestingly, cryptanalysts can now search for collision attacks beyond the $2^{n/2}$ birthday bound.

Finally, we describe a generic algorithm that turns a semi-free-start collision attack on a compression function (even if its complexity is beyond the birthday bound) into a distinguisher on the whole hash function when its internal state is not too wide. To the best of our knowledge, this is the first result that exploits classical semi-free-start collisions on the compression function to exhibit a weakness on the whole hash function. As an application of our findings, we provide distinguishers on reduced or full version of several hash functions, such as RIPEMD-128, SHA-256, Whirlpool, etc.

06:17 [Pub][ePrint] Sub-linear Blind Ring Signatures without Random Oracles, by Essam Ghadafi

  Ring signatures allow a signer to anonymously sign a message on behalf of a set of arbitrarily chosen signers called a ``ring\'\'.

Blind signatures, on the other hand, allow a user to obtain a signature on a message while maintaining the privacy of the message.

Blind ring signatures combine properties of both primitives and hence provide a strong notion of anonymity where the privacy of both the identity of the signer and the message is preserved.

Blind ring signatures find applications in various systems; including multi-authority e-voting and distributed e-cash systems.

In this paper we provide the first provably secure blind ring signature construction that does not rely on random oracles, which solves an open problem raised by Herranz and Laguillaumie at ISC 2006. We present different instantiations all of which are round-optimal (i.e.\\ have a two-move signing protocol), yield sub-linear size signatures, and meet strong security requirements.

In order to realize our constructions efficiently, we construct a sub-linear size set membership proof which works in the different bilinear group settings, which may be of independent interest.

As a secondary contribution, we show how to generically combine our set membership proof with any secure signature scheme meeting some conditions to obtain ring signatures whose security does not rely on random oracles. All our constructions work over the efficient prime-order bilinear group setting and yield signatures of sub-linear size. In addition, our constructions meet strong security requirements: namely, anonymity holds under full key exposure and unforgeability holds against insider-corruption.

Finally, we provide some example instantiations of the generic construction.

03:17 [Pub][ePrint] Invariance-Based Concurrent Error Detection for Advanced Encryption Standard, by Xiaofei Guo and Ramesh Karri

  Naturally occurring and maliciously injected faults reduce the reliability of Advanced Encryption Standard (AES) and may leak confidential information. We developed an invariance-based concurrent error detection (CED) scheme which is independent of the implementation of AES encryption/decryption. Additionally, we improve the security of our scheme with Randomized CED Round Insertion and adaptive checking. Experimental results show that the invariance-based CED scheme detects all single-bit, all single-byte fault, and 99.99999997% of burst faults. The area and delay overheads of this scheme are compared with those of previously reported CED schemes on two Xilinx Virtex FPGAs. The hardware overhead is in the 13.2-27.3% range and the throughput is between 1.8-42.2Gbps depending on the AES architecture, FPGA family, and the detection latency. One can im-

plement our scheme in many ways; designers can trade off performance, reliability, and security according to the available resources.