International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

04:17 [Pub][ePrint] Plaintext Recovery Attacks Against WPA/TKIP, by Kenneth G. Paterson and Bertram Poettering and Jacob C.N. Schuldt

  We conduct an analysis of the RC4 algorithm as it is used in the IEEE WPA/TKIP wireless standard. In that standard, RC4 keys are computed on a per-frame basis, with specific key bytes being set to known values that depend on 2 bytes of the WPA frame counter (called the TSC). We observe very large, TSC-dependent biases in the RC4 keystream when the algorithm is keyed according to the WPA specification. These biases permit us to mount an effective statistical, plaintext-recovering attack in the situation where the same plaintext is encrypted in many different frames (the so-called ``broadcast attack\'\' setting). We assess the practical impact of these attacks on WPA/TKIP.

04:17 [Pub][ePrint] Efficient CCA-secure Threshold Public-Key Encryption Scheme, by Xi-Jun Lin and Lin Sun

  In threshold public-key encryption, the decryption key is divided into n

shares, each one of which is given to a different decryption user in order to avoid single points of failure. In this study, we propose a simple and efficient non-interactive threshold public-key encryption scheme by using the hashed Diffie-Hellman assumption in bilinear groups.

Compared with the other related constructions, the proposed scheme is more efficient.

04:17 [Pub][ePrint] Fully Deniable Mutual Authentication Protocol Based on RSA Signature, by Xi-Jun Lin and Lin Sun

  Deniable authentication protocols allow a sender to authenticate a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. In this study, we construct a fully deniable mutual authentication protocol based on RSA signature, and then a deniable authenticated key exchange protocol is constructed from the proposed protocol.

04:17 [Pub][ePrint] Using Hamiltonian Totems as Passwords, by Herv\\\'e Chabanne and Jean-Michel Cioranesco and Vincent Despiegel and Jean-Christophe Fondeur and David Naccache

  Physical authentication brings extra security to software authentication by adding real-world input to conventional authentication protocols.

Existing solutions such as textual and graphical passwords are subject to brute force and shoulder surfing attacks, while users are reluctant to use biometrics for identification, due to its intrusiveness.

This paper uses Hamiltonian tokens as authentication means. The proposed token structure offers many possible configurations ({\\sl i.e.}, passwords) and is small enough to be carried on a physical keychain.

After presenting our general idea, we describe an efficient algorithm to produce these tokens. Our procedure was validated by running a recognition campaign on a wide batch of synthetic samples, and experimented on prototypes manufactured using a commercial 3D-printer.

04:17 [Pub][ePrint] On the Power of Rewinding Simulators in Functional Encryption, by Angelo De Caro and Vincenzo Iovino

  In the recent years, functional encryption (FE)

has received a lot of attention due to its

versatility and unique challenges it poses.

In FE, a receiver with secret-key $sk_y$ can compute from an

encryption of $x$ the value $F(y,x)$ for some

functionality $F$. The seminal work

of Boneh, Sahai and Waters [TCC\'11] showed

that for functional encryption the indistinguishability

notion of security (IND-Security) is weaker then simulation-based

and, moreover, showed that simulation-based security

is impossible to achieve even in weaker settings.

This has opened up the door to a plethora of papers,

showing feasibility and new impossibility results,

having in common the pursuit of a reasonable

and achievable simulation-based security definition.

With the same aim, in this work, we propose a new

simulation-based security definition that we call

{\\em rewinding simulation-based security} (RSIM-Security).

Rewinding arguments have been used

in all sorts of interactive protocols

and have been shown to be highly useful to argue

security. We exploit this power allowing

the simulator to rewind the adversary

under specific constraints.

Specifically, the simulator will be able to rewind

the adversary an arbitrary number of times

under the constraint that

the simulator does not learn more

information about the challenge messages than the


Under our new definition we show that:

(1) IND-Security is equivalent

to RSIM-Security

for {\\em predicate encryption with public-index}

(i.e. Attribute-Based Encryption)

in the {\\em standard model}. Previous results

showed impossibility results in the standard


This {\\em equivalence} is the best one can hope

for general functionalities due to the counterexample of Boneh \\etal.

(2) Notwithstanding, we show that for notable classes of predicates (e.g., Anonymous IBE, inner-product over $\\Z_2$, any

family of circuits in $\\NC_0$, and monotone conjunctive Boolean formulae)

IND-Security is equivalent

to RSIM-Security in the standard


Previous results showed impossibility results in the

standard model and the positive results were set

either in the random oracle or in more restricted security


(3) On the negative side,

we show that our security

definition cannot be achieved

by functional encryption schemes for

general functionalities (specifically, functionalities that compute a pseudo-random function) in the adaptive setting. The argument

we use is to some extent the {\\em dual}

of that used by

Agrawal, Gorbunov, Vaikuntanathan, and Wee

[CRYPTO\'13] in the non-adaptive setting.

(4) We complete the picture showing the achievability of unbounded simulation (USIM) answering positively to a question posed by Agrawal, Gorbunov, Vaikuntanathan and Wee [CRYPTO 2013].

04:17 [Pub][ePrint] Dietary Recommendations for Lightweight Block Ciphers: Power, Energy and Area Analysis of Recently Developed Architectures, by Lejla Batina and Amitabh Das and Baris Ege and Elif Bilge Kavun and Nele

  In this paper we perform a comprehensive area, power, and energy analysis of some of the most recently-developed lightweight block ciphers and we compare them to the standard AES algorithm. We do this for several different architectures of the considered block ciphers. Our evaluation method consists of estimating the pre-layout power consumption and the derived energy using Cadence Encounter RTL Compiler and ModelSIM simulations.We show that the area is not always correlated to the power and energy consumption, which is of importance for mobile battery-fed devices. As a result, this paper can be used to make a choice of architecture when the algorithm has already been fixed; or it can help deciding which algorithm to choose based on energy and key/block length requirements.

04:17 [Pub][ePrint] Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP, by Omkant Pandey and Manoj Prabhakaran and Amit Sahai

  As recent studies show, the notions of *program obfuscation* and *zero

knowledge* are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists *differing input obfuscation* (diO) for the class of all polynomial time Turing machines, then there exists a *four message, fully concurrent zero-knowledge* proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an *explicit* simulator that is ``straight line\'\' and runs in strict

polynomial time.

Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions.

The round complexity of our protocol also sheds new light on the *exact* round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than *stand alone* zero-knowledge!

04:17 [Pub][ePrint] Improving security and efficiency for multi-authority access control system in cloud storage, by Qi Li and Jianfeng Ma and Rui Li and Ximeng Liu and Jinbo Xiong

  Multi-Authority Attribute-Based Encryption (MA-ABE) is an emerging cryptographic primitive for enforcing fine-grained attribute-based access control on the outsourced data in cloud storage. However, most of the previous multi-authority attribute-based systems are either proven security in a weak model or lack of efficiency in user revocation. In this paper, we propose a novel multi-authority attribute-based data access control system for cloud storage. We construct a new multi-authority CP-ABE scheme with decryption outsourcing. We largely eliminate the decryption overhead for users by outsourcing the undesirable bilinear pairing operations to the cloud servers. The proposed scheme is proven adaptively secure in the standard model and supports any monotone access policy. We also design an efficient attribute-level user revocation approach with less computation cost. The security analysis, numeral comparisons indicate that the proposed system is secure, efficient and scalable.

04:17 [Pub][ePrint] A Meet-in-the-middle Attack on Round-Reduced mCrypton, by Yonglin Hao, Dongxia Bai

  The meet-in-the-middle (MITM) attack on AES is a great success.

In this paper, we apply the method to the lightweight SPN block cipher mCrypton.

We prove that the multiset technique used to analyze AES can not be applied directly to mCrypton due to the scarcity of information. As a solution, we replace the unordered multiset with the ordered sequence. We lower the memory requirement from $2^{100}$ to $2^{44}$ using the efficient differential enumeration technique.

Based on these modifications, we construct a MITM attack on 7-round mCrypton-64/96/128 with complexities

of $2^{44}$ 64-bit blocks and $2^{57}$ encryptions.

We further extend the attack to 8 and 9 rounds for mCrypton-128 by adding some key-bridging techniques. The 8-round attack requires $2^{44}$ blocks and $2^{96}$ encryptions while the 9-round attack needs $2^{120}$ blocks and $2^{116}$ encryptions.

04:17 [Pub][ePrint] Practical Signatures from the Partial Fourier Recovery Problem, by Jeff Hoffstein and Jill Pipher and John Schanck and Joseph H. Silverman and William Whyte

  Abstract. We present PASSSign, a variant of the prior PASS and PASS-2 proposals, as a candidate for a practical post-quantum signature scheme. Its hardness is based on the problem of recovering a ring element with small norm from an incomplete description of its Chinese remainder representation. For our particular instantiation, this corresponds to the recovery of a signal with small infinity norm from a limited set of its Fourier coefficients.

The key improvement over previous versions of PASS is the introduction of a rejection sampling technique from Lyubashevsky (2009) which assures that transcript distributions are completely decoupled from the keys that generate them.

Although the scheme is not supported by a formal security reduction, we present extensive arguments for its security and derive concrete parameters based on the performance of state of the art lattice reduction and enumeration techniques.

04:17 [Pub][ePrint] A Revocable Online-Offline Certificateless Signature Scheme without Pairing, by Karthik Abinav and Saikrishna Badrinarayanan and C. Pandu Rangan and S. Sharmila Deva Selvi and S. Sree Vivek and Vivek

  Certificateless Public key Cryptography is a widely studied paradigm due to its advantages of not

having the key-escrow problem and the lack of use of certificates. Online-Offline signature schemes are

extremely relevant today because of their great practical applications. In an online-offline signature

scheme all the heavy computation is done on powerful processors and stored securely in the offline

phase, and the online component requires only light computation. Hence, it is widely used in several

low-resource devices like mobile phones, etc. Revocation is another important problem of wide interest

as it helps to keep a check on misbehaving users. Currently, there are very few revocable certificateless

signature schemes in the literature. We have addressed some of the limitations of the previously existing

schemes and designed a new model for the same that involves periodic time generated keys. We present

a revocable online-offline certificateless signature scheme without pairing. Pairing, though a very useful

mathematical function, comes at the cost of heavy computation. Our scheme is proved secure in the

random oracle model using a tight security reduction to the computational Diffie-Hellman problem.