International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

22:17 [Pub][ePrint] Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation, by Markku-Juhani O. Saarinen

  BLINKER is a light-weight cryptographic suite and record protocol built from a single permutation. Its design is based on the Sponge construction used by the SHA-3 algorithm KECCAK. We examine the SpongeWrap authenticated encryption mode and expand its padding mechanism to offer explicit domain separation and enhanced security for our specific requirements: shared secret half-duplex keying, encryption, and a MAC-and-continue mode. We motivate these enhancements by showing that unlike legacy protocols, the resulting record protocol is secure against a two-channel synchronization attack while also having a significantly smaller implementation footprint. The design facilitates security proofs directly from a single cryptographic primitive (a single security assumption) rather than via idealization of multitude of algorithms, paddings and modes of operation. The protocol is also uniquely suitable for an autonomous or semi-autonomous hardware implementation of protocols where the secrets never leave the module, making it attractive for smart card and HSM designs.

22:17 [Pub][ePrint] CBEAM: Efficient Authenticated Encryption from Feebly One-Way $\\phi$ Functions, by Markku-Juhani O. Saarinen

  We show how efficient and secure cryptographic mixing functions can be constructed from low-degree rotation-invariant $\\phi$ functions rather than conventional S-Boxes. These novel functions have surprising properties; many exhibit inherent feeble (Boolean circuit) one-wayness and offer speed/area tradeoffs unobtainable with traditional constructs. Recent theoretical results indicate that even if the inverse is not explicitly computed in an implementation, its degree plays a fundamental role to the security of the iterated composition. To illustrate these properties, we present CBEAM, a Cryptographic Sponge Permutation based on a single $5 \\times 1$-bit Boolean function. This simple nonlinear function is used to construct a 16-bit rotation-invariant$\\phi$ function of Degree 4 (but with a very complex Degree 11 inverse), which in turn is expanded into an efficient 256-bit mixing function. In addition to flexible tradeoffs in hardware we show that efficient implementation strategies exist for software platforms ranging from low-end microcontrollers to the very latest x86-64 AVX2 instruction set. A rotational bit-sliced software implementation offers not only comparable speeds to AES but also increased security against cache side channel attacks. Our construction supports Sponge-based Authenticated Encryption, Hashing, and PRF/PRNG modes and is highly useful as a compact ``all-in-one\'\' primitive for pervasive security.

22:17 [Pub][ePrint] Multi-Input Functional Encryption, by S. Dov Gordon and Jonathan Katz and Feng-Hao Liu and Elaine Shi and Hong-Sheng Zhou

  \\emph{Functional encryption} (FE) is a powerful primitive enabling fine-grained access to encrypted data. In an FE scheme, secret keys (``tokens\'\') correspond to functions; a user in possession of a

ciphertext $\\ct = \\enc(x)$ and a token $\\tkf$ for the function~$f$

can compute $f(x)$ but learn nothing else about~$x$. An active area of research over the past few years has focused on the development of ever more expressive FE schemes.

In this work we introduce the notion of \\emph{multi-input} functional encryption. Here, informally, a user in possession of a token $\\tkf$ for an $n$-ary function $f$ and \\emph{multiple} ciphertexts $\\ct_1=\\enc(x_1)$, \\ldots, $\\ct_n=\\enc(x_n)$ can compute $f(x_1, \\ldots, x_n)$ but nothing else about the~$\\{x_i\\}$.

Besides introducing the notion, we explore the feasibility of multi-input FE in the public-key and symmetric-key settings, with respect to both indistinguishability-based and simulation-based definitions of security.

22:17 [Pub][ePrint] Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro, by Yanfeng Wang, Wenling Wu, Zhiyuan Guo and Xiaoli Yu

  Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for $2^{64}$ out of $2^{128}$ keys. In this paper, the secret key selected randomly from the whole key space can be recovered with a time complexity of $2^{108}$ full-round Zorro encryptions and a data complexity of $2^{112.4}$ chosen plaintexts. We first observe that the fourth power of the MDS matrix used in Zorro equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give a key recovery attack on Zorro and a linear trail with the largest correlation to show a a linear distinguishing attack with $2^{105.3}$ known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the block cipher Zorro is far from a random permutation.

22:17 [Pub][ePrint] Location Leakage in Distance Bounding: Why Location Privacy does not Work, by Aikaterini Mitrokotsa and Cristina Onete and Serge Vaudenay

  In many cases, we can only have access to a service by proving we are sufficiently close to a particular location (e.g. in automobile or building access control). In these cases, proximity can be guaranteed through signal attenuation. However, by using additional transmitters an attacker can relay signals between the prover and the verifier. Distance-bounding protocols are the main countermeasure against such attacks; however, such protocols may leak information regarding the location of the prover and/or the verifier who run the distance-bounding protocol.

In this paper, we consider a formal model for location privacy in the context of distance-bounding. In particular, our contributions are threefold: we first define a security game for location privacy in distance-bounding; secondly, we define an adversarial model for this game, with two adversary classes; finally, we assess the feasibility of attaining location privacy for distance-bounding protocols. Concretely, we prove that for protocols with a beginning or a termination, it is theoretically impossible to achieve location privacy for either of the two adversary classes, in the sense that there always exists a polynomially bounded adversary that wins the security game. However, for so-called limited adversaries, which cannot see the location of arbitrary provers, carefully chosen parameters do, in practice, enable computational location privacy.

22:17 [Pub][ePrint] Construction of Multiplicative Monotone Span Program, by Yuenai Chen and Chunming Tang

  Multiplicative monotone span program is one of the important tools to realize secure multiparty computation. It is essential to construct multiplicative monotone span programs for secure multiparty computations. For any access structure, Cramer et al. gave a method to construct multiplicative monotone span programs, but its row size became double, and the column size also increased. In this paper, we propose a new construction which can get a multiplicative monotone span program with the row size less than double without changing the column size.

22:17 [Pub][ePrint] Multi-Stage Fault Attacks on Block Ciphers, by Philipp Jovanovic and Martin Kreuzer and Ilia Polian

  This paper introduces Multi-Stage Fault Attacks, which allow Differential Fault Analysis of block ciphers having independent subkeys. Besides the specification of an algorithm implementing the technique, we show concrete applications to LED-128 and PRINCE and demonstrate that in both cases approximately 3 to 4 fault-injections are enough to reconstruct the full 128-bit key.

22:17 [Pub][ePrint] Distributed Group Authentication for RFID Supply Management, by Mike Burmester and Jorge Munilla

  We investigate an application of Radio Frequency Identification (RFID) referred to in the literature as group scanning, in which an RFID reader device interrogates several RFID tags to establish \"simultaneous\" presence of a group of tags. Our goal is to study the group scanning problem in strong adversarial settings and show how group scanning can be used in distributed applications for supply chain management.

We present a security framework for group scanning and give a formal description of the attending security requirements. Our model is based on the Universal Composability framework and supports re-usability

(through modularity of security guarantees). We propose two novel protocols that realize group scanning in this security model, based on off-the-shelf components such as low-cost (highly optimized) pseudorandom functions, and show how these can be integrated into RFID supply-chain management systems

22:17 [Pub][ePrint] A Distinguish attack on Rabbit Stream Cipher Based on Multiple Cube Tester, by Nasser Ramazani Darmian

  Rabbit stream cipher is one of the finalists of eSTREAM

project which uses 128-bit secret keys. Prior to us, the attacks on Rabbit

has been all focused on the bias analysis and the best result showed the

distinguishing attack with complexity 2136. Our analysis in this paper,

is based on chosen IV analysis on reduced N-S round of Rabbit though

using multi cube tester. For this purpose we show for a mature cube

we could easily identify weak subcubes which increase the probability of

distinguishing for an unknown secret key. We also represent with 225

complexity, using one iteration of next state function the keystream is

completely distinguishable from random.

22:17 [Pub][ePrint] Obfuscation from Semantically-Secure Multi-linear Encodings, by Rafael Pass and Sidharth Telang and Karn Seth

  We define a notion of semantic security of multi-linear

(a.k.a. graded) encoding schemes: roughly speaking, we require that if

an algebraic attacker (obeying the multi-linear restrictions) cannot tell

apart two constant-length sequences $\\vec{m}_0$, $\\vec{m}_1$ in the

presence of some other elements $\\vec{z}$, then

encodings of these sequences should be indistinguishable.

Assuming the existence of semantically secure multi-linear encodings

and the LWE assumption, we demonstrate the existence of

indistinguishability obfuscators for all polynomial-size circuits.

Additionally, if we assume an strengthening of

semantic security, our construction yields extractatability

obfuscators for all polynomial-size circuits.

We rely on the beautiful candidate obfuscation constructions

of Garg et al (FOCS\'13), Brakerski and Rothblum (TCC\'14) and Barak et

al (ePrint\'13) that were proven secure only in idealized generic

multilinear encoding models,

and develop new techniques for demonstrating security in the standard model, based only on

semantical security of multi-linear encoding (which trivially holds in

the generic multilinear encoding model).

22:17 [Pub][ePrint] How Did Dread Pirate Roberts Acquire and Protect His Bitcoin Wealth?, by Dorit Ron and Adi Shamir

  The Bitcoin scheme is one of the most popular and talked about alternative payment schemes. It was conceived in 2008 by the mysterious Satoshi Nakamoto, whose real identity remains unknown even

though his bitcoin holdings are believed to be worth several hundred

million dollars. One of the most active parts of the Bitcoin ecosystem was the Silk Road marketplace, in which highly illegal substances and services were traded. It was run by another mysterious person who called himself Dread Pirate Roberts (DPR), whose bitcoin holdings are also estimated to be worth hundreds of millions of dollars at today\'s exchange rate. On October 1-st 2013, the FBI arrested a 29 year old person named Ross William Ulbricht, claiming that he is DPR, and seizing a small fraction of his bitcoin wealth. In this paper we use the publicly available record to trace the evolution of his holdings in order to find how he acquired and how he tried to hide them from the authorities. For example, we show that all his income from the months of May, June and September 2013, along with numerous other amounts, were not seized by the FBI. One of the most surprising discoveries we made during our analysis was the existence of a recent substantial transfer (which was worth more than 60,000 dollars when made on March 20-th 2013, and close to a million dollars at today\'s exchange rate) which may link these two mysterious figures.