International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:17 [Pub][ePrint] How to Keep a Secret: Leakage Deterring Public-key Cryptography, by Aggelos Kiayias and Qiang Tang

  How is it possible to prevent the sharing of cryptographic

functions? This question appears to be fundamentally hard to address

since in this setting the owner of the key {\\em is} the adversary:

she wishes to share a program or device that (potentially only

partly) implements her main cryptographic functionality. Given that

she possesses the cryptographic key, it is impossible for her to be

{\\em prevented} from writing code or building a device that uses

that key. She may though be {\\em deterred} from doing so.

We introduce {\\em leakage-deterring} public-key cryptographic

primitives to address this problem. Such primitives have the feature

of enabling the embedding of owner-specific private data into the

owner\'s public-key so that given access to {\\em any} (even

partially functional) implementation of the primitive, the recovery

of the data can be facilitated. We formalize the notion of

leakage-deterring in the context of encryption, signature, and

identification and we provide efficient generic constructions that

facilitate the recoverability of the hidden data while retaining

privacy as long as no sharing takes place.

16:17 [Pub][ePrint] A new attack on RSA with a composed decryption exponent, by Abderrahmane Nitaj and Mohamed Ould Douh

  In this paper, we consider an RSA modulus $N=pq$, where the prime factors $p$, $q$ are of the same size. We present an attack on RSA when the decryption exponent $d$ is in the form $d=Md_1+d_0$ where $M$ is a given positive integer and $d_1$ and $d_0$ are two suitably small unknown integers. In 1999, Boneh and Durfee~\\cite{BODU} presented an attack on RSA when $d

16:17 [Pub][ePrint] Ultralightweight cryptography for passive RFID system, by Umar Mujahid, M.Najam-ul-islam, Jameel Ahmed

  RFID (Radio Frequency Identification) is one of the most growing technologies among the pervasive systems. Non line of sight capability makes RFID systems much faster than its other contending systems such as barcodes and magnetic taps etc. But there are some allied security apprehensions with RFID systems. RFID security has been acquired a lot of attention in last few years as evinced by the large number of publications (over 2000).

In this paper, a brief survey of eminent ultralightweight authentication protocols has been presented & then a four-layer security model, which comprises of various passive and active attacks, has been proposed. Cryptanalysis of these protocols has also been performed under the implications of the proposed security model

16:17 [Pub][ePrint] Weakness of Several Identity-based Tripartite Authenticated Key Agreement Protocols, by Xi-Jun Lin and Lin Sun

  Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In recent years, several identity-based authenticated key agreement protocols have been proposed. In this study, we analyze three identity-based tripartite authenticated key agreement protocols.

After the analysis, we found that these protocols do not possess the desirable security attributes.

16:17 [Pub][ePrint] Pushing the Limit of Non-Profiling DPA using Multivariate Leakage Model, by Suvadeep Hajra and Debdeep Mukhopadhyay

  Profiling power attacks like Template attack and Stochastic attack optimize their performance by jointly evaluating the leakages of multiple sample points. However, such multivariate approaches are rare among non-profiling Differential Power Analysis (DPA) attacks, since integration of the leakage of a higher SNR sample point with the leakage of lower SNR sample point might result in a decrease in the overall performance. One of the few successful multivariate approaches is the application of Principal Component Analysis (PCA) for non-profiling DPA. However, PCA also performs sub-optimally in the presence of high noise. In this paper, a multivariate model for an FPGA platform is introduced for improving the performances of non-profiling DPA attacks. The introduction of the proposed model

greatly increases the success rate of DPA attacks in the presence of high noise. The experimental results on both simulated power traces and real power traces are also provided as an evidence.

16:17 [Pub][ePrint] Secure Floating-Point Arithmetic and Private Satellite Collision Analysis, by Liina Kamm and Jan Willemson

  In this paper we show that it is possible and, indeed, feasible to use secure multiparty computation for calculating the probability of a collision between two satellites. For this purpose, we first describe basic floating-point arithmetic operators (addition and multiplication) for multiparty computations. The operators are implemented on the SHAREMIND secure multiparty computation engine. We discuss the implementation details, provide methods for evaluating example elementary functions (inverse, square root, exponentiation of e, error function). Using these primitives, we implement a satellite conjunction analysis algorithm and give benchmark results for the primitives as well as the conjunction analysis itself.

16:17 [Pub][ePrint] Power and Timing Side Channels for PUFs and their Efficient Exploitation, by Ulrich Rührmair and Xiaolin Xu and Jan Sölter and Ahmed Mahmoud and Farinaz Koushanfar and Wayne Burleson

  This paper discusses combined modeling and side

channel attacks on Strong Physical Unclonable Functions (Strong

PUFs). We illustrate our method by the example of the two

currently most secure (CCS 2010, IEEE T-IFS 2013) electrical

Strong PUFs, so-called XOR Arbiter PUFs and Lightweight

PUFs, and successfully attack them at sizes and complexities

far beyond the reach of pure modeling techniques (CCS 2010,

IEEE T-IFS 2013).

Our approach makes use of the first power and timing

side channels on PUFs reported in the literature. Both provide

information on the single outputs of the many parallel Arbiter

PUFs inside an XOR Arbiter PUF or Lightweight PUF, and

indicate how many of these single outputs (in sum) were equal

to one (and how many were equal to zero) before they entered

the final XOR gate. Taken for itself, this side channel information

is of little value. But if combined with suitably adapted machine

learning techniques, it substantially changes attack performance:

It reduces the empirically estimated complexities for modeling the

above two PUFs from exponential (CCS 2010, IEEE T-IFS) to

low degree polynomial.

The practical viability of our attacks is firstly demonstrated

by SPICE simulations, and by subsequent ML experiments on

numerically simulated CRPs. We thereby confirm attacks on the

two above PUFs for up to 16 XORs and challenge bitlengths

of up to 512. Secondly, we execute a full experimental proof-ofconcept

for our timing side channel, successfully attacking FPGA implementations of the two above PUF types for 8, 12, and 16

XORs, and bitlengths 64, 128, 256 and 512. We implement these

sizes for the first time in the literature in silicon, and subsequently attack them successfully by our new methods. We remark that in recent works (CCS 2010, IEEE T-IFS 2013), 8 XOR architectures

with bitlength 512 had been explicitly suggested as secure and

beyond the reach of current attacks.

Finally, we discuss efficient countermeasures against our power

and timing side channels. They could and should be used to secure

future Arbiter PUF generations against the latter.

16:17 [Pub][ePrint] Improved Boomerang Attacks on Round-Reduced SM3 and BLAKE-256, by Dongxia Bai and Hongbo Yu and Gaoli Wang and Xiaoyun Wang

  In this paper we study the security of hash functions SM3 and BLAKE-256 against boomerang attack. SM3 is designed by X. Wang et al. and published by Chinese Commercial Cryptography Administration Office for the use of electronic certification service system in China. BLAKE is one of the five finalists of the NIST SHA-3 competition submitted by J.-P. Aumasson et al. For SM3, we present boomerang distinguishers for the compression function reduced to 34/35/36/37/38 steps out of 64 steps, with time complexities $2^{31.4}$, $2^{33.6}$, $2^{73.4}$, $2^{93}$ and $2^{192}$ respectively. Then we show some incompatible problems existed in the previous boomerang attacks on SM3. Meanwhile, we launch boomerang attacks on up to 7 and 8 rounds keyed permutation of BLAKE-256 which are the first valid $7$-round and $8$-round boomerangs for BLAKE-256. Especially, since our distinguishers on 34/35-step compression function of SM3 and 7-round keyed permutation of BLAKE-256 are practical, we are able to obtain boomerang quartets of these attacks. As far as we know, these are the best results against round-reduced SM3 and BLAKE-256.

22:17 [Pub][ePrint] Identity-Based Key-Encapsulation Mechanism from Multilinear Maps, by Hao Wang and Lei Wu Zhihua Zheng

  We construct an Identity-Based Key Encapsulation Mechanism (IB-KEM) in a generic \"leveled\" multilinear map setting and make it translated to the GGH framework, which defined an \"approximate\" version of a multilinear group family from ideal lattices. Then, we prove their security in the selective-ID model.

22:17 [Pub][ePrint] Fair Two-Party Computations via the BitCoin Deposits, by Marcin Andrychowicz and Stefan Dziembowski and Daniel Malinowski and Łukasz Mazurek


22:17 [Pub][ePrint] An improved compression technique for signatures based on learning with errors, by Shi Bai and Steven D. Galbraith

  We present a new approach to the compression technique of Lyubashevsky et al for lattice-based signatures based on learning with errors (LWE).

Our ideas seem to be particularly suitable for signature schemes whose security, in the random oracle model, is based on standard worst-case computational assumptions. Our signatures are shorter than any previous proposal for provably-secure signatures based on standard lattice problems: at the 128-bit level we improve signature size from (more than) 16500 bits to around 9000 to 12000 bits.