International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

16:17 [Pub][ePrint] On the Design of LIL Tests for (Pseudo) Random Generators and Some Experimental Results, by Yongge Wang

  Random numbers have been one of the most useful

objects in statistics, computer science, cryptography, modeling,

simulation, and other applications though it is very dicult to

construct true randomness. Many solutions (e.g., cryptographic

pseudorandom generators) have been proposed to harness or

simulate randomness and many statistical testing techniques have

been proposed to determine whether a pseudorandom generator

produces high quality randomness. NIST SP800-22 (2010) proposes

the state of art testing suite for (pseudo) random generators

to detect deviations of a binary sequence from randomness. On

the one hand, as a counter example to NIST SP800-22 test suite,

it is easy to construct functions that are considered as GOOD

pseudorandom generators by NIST SP800-22 test suite though

the output of these functions are easily distinguishable from the

uniform distribution. Thus these functions are not pseudorandom

generators by definition. On the other hand, NIST SP800-22

does not cover some of the important laws for randomness. Two

fundamental limit theorems about random binary strings are

the central limit theorem and the law of the iterated logarithm

(LIL). Several frequency related tests in NIST SP800-22 cover

the central limit theorem while no NIST SP800-22 test covers


This paper proposes techniques to address the above challenges

that NIST SP800-22 testing suite faces. Firstly, we propose

statistical distance based testing techniques for (pseudo) random

generators to reduce the above mentioned Type II errors in NIST

SP800-22 test suite. Secondly, we propose LIL based statistical

testing techniques, calculate the probabilities, and carry out

experimental tests on widely used pseudorandom generators

by generating around 30TB of pseudorandom sequences. The

experimental results show that for a sample size of 1000 sequences

(2TB), the statistical distance between the generated sequences

and the uniform distribution is around 0.07 (with 0 for statistically

indistinguishable and 1 for completely distinguishable)

and the root-mean-square deviation is around 0.005. Though the

statistical distance 0.07 and RMSD 0.005 are acceptable for some

applications, for a cryptographic \"random oracle\", the preferred

statistical distance should be smaller than 0.03 and RMSD be

smaller than 0.001 at the sample size 1000. These results justify

the importance of LIL testing techniques designed in this paper.

The experimental results in this paper are reproducible and the

raw experimental data are available at author\'s website.

16:17 [Pub][ePrint] Scale-Invariant Fully Homomorphic Encryption over the Integers, by Jean-Sébastien Coron and Tancrède Lepoint and Mehdi Tibouchi

  At Crypto 2012, Brakerski constructed a scale-invariant fully homomorphic encryption scheme based on the LWE problem, in which the same modulus is used throughout the evaluation process, instead of a ladder of moduli when doing \"modulus switching\". In this paper we describe a variant of the van Dijk et al. FHE scheme over the integers with the same scale-invariant property. Our scheme has a single secret modulus whose size is linear in the multiplicative depth of the circuit to be homomorphically evaluated, instead of exponential; we therefore construct a leveled fully homomorphic encryption scheme. This scheme can be transformed into a pure fully homomorphic encryption scheme using bootstrapping, and its security is still based on the Approximate-GCD problem.

We also describe an implementation of the homomorphic evaluation of the full AES encryption circuit, and obtain significantly improved performance compared to previous implementations: about 23 seconds (resp. 3 minutes) per AES block at the 72-bit (resp. 80-bit) security level on a mid-range workstation.

Finally, we prove the equivalence between the (error-free) decisional Approximate-GCD problem introduced by Cheon et al. (Eurocrypt 2013) and the classical computational Approximate-GCD problem. This equivalence allows to get rid of the additional noise in all the integer-based FHE schemes described so far, and therefore to simplify their security proof.

16:17 [Pub][ePrint] Lattice-based Group Signature Scheme with Verifier-local Revocation, by Adeline Langlois and San Ling and Khoa Nguyen and Huaxiong Wang

  Support of membership revocation is a desirable functionality for any group signature scheme. Among the known revocation approaches, verifier-local revocation (VLR) seems to be the most flexible one, because it only requires the verifiers to possess some up-to-date revocation information, but not the signers. All of the contemporary VLR group signatures operate in the bilinear map setting, and all of them will be insecure once quantum computers become a reality. In this work, we introduce the first lattice-based VLR group signature, and thus, the first such scheme that is believed to be quantum-resistant. In comparison with existing lattice-based group signatures, our scheme has several noticeable advantages: support of membership revocation, logarithmic-size signatures, and weaker security assumption. In the random oracle model, our scheme is proved to be secure based on the hardness of the SIVP_soft-O(n^{1.5}) problem in general lattices - an assumption that is as weak as those of state-of-the-art lattice-based standard signatures. Moreover, our construction works without relying on encryption schemes, which is an intriguing feature for group signatures.

16:17 [Pub][ePrint] Authenticated Encryption with SPECK, by Chase Manny

  In this paper, we provide performance measures for software implementations of the NSA-designed Speck128 block cipher together with various existing authenticated encryption modes. We investigated Speck128 using GCM, CCM, EAX, OCB3, COPA, and PAEAD-1, and we briefly discuss performance advantages and disadvantages of each mode. Our results indicate that Speck128 is capable of performing extremely fast authenticated encryption, as fast as 3.4 cycles/byte on a modern x86-based 64-bit processor.

17:28 [Event][New] DASec 2014: The First International Workshop on Big Data Analytics for Security

  Submission: 10 February 2014
Notification: 14 March 2014
From June 30 to July 3
Location: Madrid, Spain
More Information:

10:17 [Pub][ePrint] Studying Potential Side Channel Leakages on an Embedded Biometric Comparison System, by Maël Berthier and Yves Bocktaels and Julien Bringer and Hervé Chabanne and Taoufik Chouta and Jean-Luc Danger

  We study in this work the potential side channel leakages of a hardware biometric comparison system that has been designed for fingerprints.

An embedded biometric system for comparison aims at comparing a stored biometric data with a freshly acquired one without the need to send the stored biometric data outside the system. Here one may try to retrieve the stored data via side channel, similarly as for embedded cryptographic modules where one may try to exploit side channel for attacking the modules.

On one hand, we show that we can find partial information by the means of simple Side Channel Analysis that may help to retrieve the stored fingerprint. On the other hand, we illustrate that reconstructing the fingerprint remains not trivial and we give some simple countermeasures to protect further the comparison algorithm.

10:17 [Pub][ePrint] Twisting Edwards curves with isogenies, by Mike Hamburg

  Edwards\' elliptic curve form is popular in modern cryptographic implementations thanks to their fast, strongly unified addition formulas. Twisted Edwards curves with a = −1 are slightly faster, but their addition formulas are not complete over Fp where p ≡ 3 (mod 4). In this short note, we propose that designers specify Edwards curves, but implement scalar multiplications and the like using an isogenous twisted Edwards curve.

16:56 [Event][New] AsiaCCS-SCC: The Second International Workshop on Security in Cloud Computing

  Submission: 1 March 2014
Notification: 22 March 2014
From June 3 to June 3
Location: Kyoto, Japan
More Information:

16:56 [Event][New] ASIAPKC 2014: 2nd ACM ASIA Public-Key Cryptography Workshop

  Submission: 10 February 2014
Notification: 10 March 2014
From June 3 to June 3
Location: Kyoto, Japan
More Information:

19:17 [Pub][ePrint] Lazy Modulus Switching for the BKW Algorithm on LWE, by Martin R. Albrecht and Jean-Charles Faugère and Robert Fitzpatrick and Ludovic Perret

  Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0, 1}∗ or {−1, 0, 1}∗. We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.

19:17 [Pub][ePrint] (De-)Constructing TLS, by Markulf Kohlweiss and Ueli Maurer and Cristina Onete and Bjoern Tackmann and Daniele Venturi

  One of the most important applications of cryptography is the establishment of secure communication channels between two entities (e.g. a client and a server), and the protocol most widely used for this purpose is TLS.

A key goal of research in cryptography is to provide security proofs for cryptographic protocols. This task is particularly difficult if the considered protocol has not been designed with provable security in mind, as is the case for TLS.

Results on provable security differ with respect to (1) the assumptions made and (2) the statement that is proved to follow from the assumptions. It is important that the proved statement is of a form that allows for both comparisons of protocol performance, and for direct use in the proof of a higher-level protocol. Security statements should thus be exact (as opposed to asymptotic), giving precise upper bounds for the security level guaranteed by a protocol. Furthermore, a key to analyzing and designing cryptographic protocols is a modularization in which the role of each cryptographic primitive (e.g. encryption) or mechanism (e.g. nonce exchange) is made explicit, and the security of its application is proved in isolation, once and for all. The constructive cryptography framework provides a sound instantiation of this approach. A modular step constructs a specific resource from certain (assumed) resources, and the overall protocol is the composition of several such construction steps. The security proof for the overall protocol follows directly from the composition theorem as well as the individual (reasonably simple) security proofs for the modules. Moreover, the actual security statement for the overall protocol is of a standardized form, in terms of a resource, which makes it straight-forward to use the protocol in a higher-level context, with the overall security proof again following from the composition theorem.

In this paper, we provide such a constructive treatment of TLS. We provide a deconstruction of TLS into modular steps and a security proof for each step which, compared to previous work, results in the above mentioned advantages. For the key-exchange step in particular, we analyze the RSA-based and both Diffie-Hellman-based variants (with static and ephemeral server key) under a non-randomizability assumption for RSA-PKCS and the Gap Diffie-Hellman assumption, respectively; in all cases we make use of random oracles. In general, since the design of TLS is not modular, the constructive decomposition is less fine-grained than one might wish to have and than it is for a modular design. This paper therefore also suggests new insights into the intrinsic problems incurred by a non-modular protocol design such as that of TLS.