International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

07:17 [Pub][ePrint] SSS-V2: Secure Similarity Search, by Hyun-A Park

  Encrypting information has been regarded as one of the most substantial approaches to protect users\' sensitive information in radically changing internet technology era. In prior research, researchers have considered similarity search over encrypted documents infeasible, because the single-bit difference of a plaintext would result in an enormous bits difference in the corresponding ciphertext. However, we propose a novel idea of Security Similarity Search (SSS) over encrypted documents by applying character-wise encryption with approximate string matching to keyword index search systems. In order to do this, we define the security requirements of similarity search over encrypted data, propose two similarity search schemes, and formally prove the security of the schemes. The first scheme is more efficient, while the second scheme achieves perfect similarity search privacy. Surprisingly, the second scheme turns out to be faster than other keyword index search schemes with keywordwise encryption, while enjoying the same level of security. The schemes of SSS support \"like query(\'ab%\')\" and a query with misprints in that

the character-wise encryption preserves the degree of similarity between two plaintexts, and renders approximate string matching between the corresponding ciphertexts possible without decryption.

07:17 [Pub][ePrint] A Key Compromise Impersonation attack against Wang\'s Provably Secure Identity-based Key Agreement Protocol, by Maurizio Adriano Strangio

  In a 2005 IACR report, Wang published an efficient identity-based key agreement protocol (IDAK) suitable for resource constraint devices.

The author shows that the IDAK key agreement protocol is secure in the Bellare-Rogaway model with random oracles and also provides an ad-hoc security proof claiming that the IDAK protocol is not vulnerable to Key Compromise Impersonation attacks.

In this report, we claim that the IDAK protocol is vulnerable to key-compromise impersonation attacks. Indeed, Wang\'s results are valid only for a passive adversary that can corrupt parties or reveal certain session-specific data but is not allowed to manipulate protocol transcripts; a model considering this type of adversary is unable to afford KCI resilience.

07:17 [Pub][ePrint] Elliptic Curve Cryptography in Practice, by Joppe W. Bos and J. Alex Halderman and Nadia Heninger and Jonathan Moore and Michael Naehrig and Eric Wustrow

  In this paper, we perform a review of elliptic curve cryptography (ECC), as it is used in practice today, in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.

07:17 [Pub][ePrint] Masking Tables---An Underestimated Security Risk, by Michael Tunstall and Carolyn Whitnall and Elisabeth Oswald

  The literature on side-channel analysis describes numerous masking schemes designed to protect block ciphers at the implementation level. Such masking schemes typically require the computation of masked tables prior to the execution of an encryption function. In this paper we revisit an attack which directly exploits this computation in such a way as to recover all or some of the masks used. We show that securely implementing masking schemes is only possible where one has access to a significant amount of random numbers.

07:17 [Pub][ePrint] TRS-80 With A Keccak Sponge Cake, by Jean-Marie Chauvet

  The subject of this paper, an improbable implementation of a recently standardized cryptographic hash function on a thirty-five-year-old microcomputer, may strike some as unusual and recreative at best. In the tedious discipline of the process, however, lessons were learned in implementation trade-offs for basic cryptographic primitives which may prove interesting in the current context of securing (small to nano) machine to machine communications. More importantly, that such insights might stem out of revisiting how earlier computing platforms relate to the code written on them to cast a distant light on modern connections of code to material, historical and contextual factors certainly illuminates the joys of retrocomputing.

07:17 [Pub][ePrint] Weakness of F_{3^{6*1429}} and F_{2^{4*3041}} for Discrete Logarithm Cryptography, by Gora Adj and Alfred Menezes and Thomaz Oliveira and Francisco Rodriguez-Henriquez

  In 2013, Joux and then Barbulsecu et al. presented new algorithms for computing discrete logarithms in finite fields of small characteristic. Shortly thereafter, Adj et al. presented a concrete analysis showing that, when combined with some steps from classical algorithms, the new algorithms render the finite field F_{3^{6*509}} weak for pairing-based cryptography. Granger and Zumbragel then presented a modification of the new algorithms that extends their effectiveness to a wider range of fields.

In this paper, we study the effectiveness of the new algorithms combined with a carefully crafted descent strategy for the fields F_{3^{6*1429}} and F_{2^{4*3041}}. The intractability of the discrete logarithm problem in these fields is necessary for the security of pairings derived from supersingular curves with embedding degree 6 and 4 defined, respectively, over F_{3^{1429}} and F_{2^{3041}}; these curves were believed to enjoy a security level of 192 bits against attacks by Coppersmith\'s algorithm. Our analysis shows that these pairings offer security levels of at most 91 and 129 bits, respectively, leading us to conclude that they are dead for pairing-based cryptography.

07:17 [Pub][ePrint] Multi-Input Functional Encryption, by Shafi Goldwasser and Vipul Goyal and Abhishek Jain and Amit Sahai

  We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypting data which allows for mining aggregate information from several different data sources (rather than just a single source as in single input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted database, non-interactive differentially private data release, delegation of computation, etc.

We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS\'01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.

07:17 [Pub][ePrint] Modified Alternating Step Generators, by Robert Wicik and Tomasz Rachwalik

  Irregular clocking of feedback shift registers is a popular technique to improve parameters of keystream generators in stream ciphers. Another technique is to implement nonlinear functions. We join these techniques and propose Modified Alternating Step Generators built with linear and nonlinear feedback shift registers. Adequate nonlinear Boolean functions are used as feedbacks or as filtering functions of shift registers in order to increase complexity of sequences produced by individual registers and the whole generator. We investigate basic parameters of proposed keystream generators, such as period, linear complexity and randomness.

07:17 [Pub][ePrint] Functional Encryption for Randomized Functionalities, by Vipul Goyal and Abhishek Jain and Venkata Koppula and Amit Sahai

  In this work, we present the first definitions and constructions for functional encryption supporting randomized functionalities. The setting of randomized functionalities require us to revisit functional encryption definitions by, for the first time, explicitly adding security requirements for dishonest encryptors, to ensure that they cannot improperly tamper with the randomness that will be used for computing outputs. Our constructions are built using indistinguishability obfuscation.

07:17 [Pub][ePrint] Stamp \\& Extend -- Instant but Undeniable Timestamping based on Lazy Trees, by {\\L}ukasz Krzywiecki and Przemys{\\l}aw Kubiak and Miros{\\l}aw Kuty{\\l}owski

  We present a Stamp\\&Extend time-stamping scheme based on linking via modified creation of Schnorr signatures.

The scheme is based on lazy construction of a tree of signatures.

Stamp\\&Extend returns a timestamp immediately after the request, unlike the schemes based on the concept of timestamping rounds.

Despite the fact that all timestamps are linearly linked, verification of a timestamp requires a logarithmic number of steps with respect to the chain length.

An extra feature of the scheme is that any attempt to forge a timestamp by the Time Stamping Authority (TSA) results in revealing its secret key, providing an undeniable cryptographic evidence of misbehavior of TSA.

Breaking Stamp\\&Extend requires not only breaking Schnorr signatures,

but to some extend also breaking Pedersen commitments.

07:17 [Pub][ePrint] Constructing Differentially 4-uniform Permutations over GF(2^{2k}) from the Inverse Function Revisited, by Yongqiang Li and Mingsheng Wang and Yuyin Yu

  Constructing S-boxes with low differential uniformity and high

nonlinearity is of cardinal significance in cryptography. In the

present paper, we show that numerous differentially 4-uniform

permutations over GF(2^{2k}) can be constructed by composing

the inverse function and cycles over GF(2^{2k}). Two sufficient

conditions are given, which ensure that the differential uniformity

of the corresponding compositions equals 4. A lower bound on

nonlinearity is also given for permutations constructed with the

method in the present paper. Moreover, up to CCZ-equivalence, a new

differentially 4-uniform permutation with the best known

nonlinearity over GF(2^{2k}) with $k$ odd is constructed. For

some special cycles, necessary and sufficient conditions are given

such that the corresponding compositions are differentially